ASSESSMENT OF CYBER SECURITY IN 2016 AND PROSPECTS FOR 2017

Table of contents

1. Introduction
2. Overall estimate of DDoS attacks size
3. The true face of the bot: then and now
4. Analysis of the victims
5. DDoS in 2017
6. How our protection works
7. Conclusion
8. Appendix
Contacts

This analytical report is based on the data collected by the company's automatic statistics system and on global trends. Since 2011, DDoS-GUARD has been developing and implementing DDoS protection solutions and services. Of course, this would not be possible without analyzing the attack patterns and tools that cyber criminals use to conduct attacks. Having analyzed tremendous amounts of malicious traffic targeting our customers, we have prepared this 2016 annual report and set out our view of the DDoS attacks to expect throughout 2017.

1. Introduction

The IT field is changing more rapidly than any other, and it changes the reality around us. At the beginning of the 21st century cyber attacks were a "horror story" from the TV screens, but today it is quite easy to find and hire hackers through a Google search and use their services. Some craftsmen are so generous that they give away malicious source code to the public absolutely for free, e.g. the creators of Mirai. And in Europe you may occasionally hear of initiatives to legalize DDoS as "a means of expression of public opinion". The search bar kindly offers suggestions for the request "ddos attack order" and gives links to specific services.

But despite this, many owners of websites and other online systems do not really believe that DDoS can some day hit their projects, and consider the warnings from DDoS mitigation providers to be no more than marketing ploys. However, 2016 can be considered a turning point for cybersecurity. The attacks against the website of the journalist Brian Krebs, Amazon, Twitter and a number of major Russian banks, and the multiple hacked Chinese DVRs and routers, are now not only news articles: these incidents opened the eyes of ordinary people to many vulnerabilities of the Internet. The reality is that today any device that has Internet connectivity can be hacked and used as a bot.

Cheap DVRs and unprotected smartphones may be a source of danger as well. However, let's talk about everything in order.

2. Overall estimate of DDoS attacks size

Throughout 2016, the DDoS-GUARD experts observed surges in DDoS power in general and in certain attack types in particular. This growth is represented in the graphs below.

[Graph 1. Maximum attack size per month and average attack size per month, January to December; units: Gbps and Mpps]

[Graph 2. The size growth of attacks per quarter (Q1 to Q4) and by months, grouped by protocols: UDP, TCP, Others]

As can be seen in the graphs, a significant peak of attacks occurred in the 3rd quarter of 2016, when the Mirai botnet came into play. However, the size of attacks (bps) grew steadily from the beginning to the end of the year, while the packet rate increased and then decreased sharply during the year.

Let's look at the graph where attacks are grouped by protocols. UDP flood kept the lead throughout 2016, but from the 3rd quarter until the end of the year it sharply decreased in size, while the size of TCP attacks (TCP ACK, TCP ACK+PSH, TCP SYN) and other types of attacks jumped dramatically. Thus, trivial UDP flood, as predicted by the DDoS-GUARD experts, began to give way to more complex TCP attacks and GRE flood. This is also associated with the features of the Mirai botnet, which exploits the vulnerability of these protocols simultaneously. Generally, nowadays hackers are firmly equipped with multi-vector attack techniques starting from spring.

In the spring and summer of 2016, most attacks were aimed at the DDoS-GUARD infrastructure, which can reasonably be considered a sort of exploration: hackers were looking for possible weak points of the protection system. In the same period, another well-known DDoS protection provider - Staminus - was hacked and had its personal data stolen, including private data of the company's customers.

It is worth noting that in 2016 an increase in the frequency and size of attacks against hosting service providers and telecommunication service providers was observed. Such an assault makes it possible to disable the maximum number of online systems at once, in contrast to pinpoint attacks that target single sites. Last year, such well-known providers as the French OVH and the American Dyn were targeted with DDoS. OVH is commonly known for its reliable protection against DDoS, which attackers decided to test for strength. Thus, hackers spared no effort to test the strength of large providers in different countries. And it turned out that a volumetric 620 Gbps DDoS attack was enough for such a cyber security industry giant as Akamai to give up the problem customer (KrebsOnSecurity.com) when it was attacked.

The rapid growth in the size of DDoS attacks over the last 6 years is astounding - from 100 Gbps in 2010 to 1.2 Tbps in 2016, i.e. 12 times. Attacks that some time ago were considered phenomenal began to occur more and more often. In 2016 the following attacks were observed:

- 17 attacks over 200 Mpps
- 34 attacks over 100 Mpps
- 29 attacks over 200 Gbps
- 35 attacks over 100 Gbps

Looked at as a percentage of the total number of attacks, the increase in the number of extra-massive attacks may seem insignificant, but the increase is well-marked if attacks over 200 Gbps are considered:

[Graph: number of attacks over 200 Gbps]

Hence, we can safely predict that in 2017 complex and large attacks will occur more often and surpass 1 Tbps, an amount of traffic that is enough to overwhelm the network capacity of most telecommunication service providers.

3. The true face of the bot: then and now

The main tool of DDoS makers is a botnet, which is a network of compromised devices; each device is infected with malware that injects a bot program into the device, causing it to perform certain actions without the knowledge of its legal owner.

Let's look at the largest botnets existing in the world. The leader is the Zeus banking Trojan that has infected more than 13 million devices since. As for the DDoS-producing botnets, the figures are more modest. For example, one of the most famous botnets - Mirai - has only 400 to 500 thousand devices. However, one should keep in mind that in the case of DDoS attacks it is not the quantity of bots that matters, but the amount of traffic they produce and its attack patterns. And while botnets that distribute trojans and spam consist mostly of personal computers, or less often of servers, a DDoS bot can be any device that has an IP address and Internet connectivity. Home routers are becoming the most common source of spurious traffic, but in 2016 DVRs took the lead by conducting the most powerful attacks.

Botnets can be debated at length, and the criteria for assessing them differ as well: some people say that the power of a botnet is measured by the amount of traffic it produces, others say that the number of bots it consists of is crucial. The opinion of the DDoS-GUARD experts is that attack complexity and attack patterns are the most important factors. In this regard, the IoT botnets challenge cyber security experts by producing malicious TCP traffic that is almost indistinguishable from legitimate traffic.

TCP is one of the core protocols of the Internet, used to control data transmission. The TCP segment is a grouped set of data used to transmit data via the TCP protocol. The segment header has 12 fields for performing a reliable data transfer, including: source port, destination port, flags, urgent pointer field, data field, etc. The Mirai botnet produced TCP ACK+PUSH and TCP SYN floods. Let's describe how they work.

1. SYN Flood

The client generates a SYN packet requesting a new session from the server. Once the TCP session is open (the TCP 3-way handshake is complete), the host tracks and processes each client session until it is closed. During a SYN flood, the server under attack is bombarded with fabricated SYN requests containing fake source IP addresses. A SYN flood attack affects the server by occupying the entire memory of the Transmission Control Block (TCB) table, which is usually used to store and process the incoming packets. This considerably undermines performance, which entails server failure.

2. ACK & PUSH ACK Flood

When the connection between the host and the client is established, ACK or PUSH ACK packets are used to transfer information both ways until the session is closed. The victim server attacked by an ACK flood receives fake ACK packets that do not belong to any of the sessions on the server's list of transmissions. The server under attack then wastes all its system resources (RAM, processor, etc.) trying to determine where the fabricated packets belong. This results in loss of performance and partial server unavailability.

Analysts from Gartner estimated that by the end of 2017 there will be a total of 8.4 billion network-connected devices worldwide. Compared to the last year this number will grow by 31%. It is expected that by 2020 the number of IoT devices will reach 20.4 billion. On October 25, 2016, SAS Institute Inc. shared the results of European studies, according to which experts identify two main problems of IoT implementation:

- the need to analyze data in real time - 22%,
- security issues - 22%
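The SYN flood and ACK & PUSH ACK flood descriptions above can be observed from the server's side with a simplified connection-table model. This is an added example, not part of the DDoS-GUARD report or its filtering algorithms; the class and function names, the table limit, the timeout, the thresholds and the packet traces are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP header flag bits


@dataclass(frozen=True)
class Segment:
    ts: float    # arrival time in seconds
    src: str     # source address as seen by the server
    sport: int
    dport: int
    flags: int


class SessionTracker:
    """Server-side view of inbound TCP segments (simplified connection table)."""

    def __init__(self, table_limit=8, half_open_timeout=3.0):
        self.table_limit = table_limit    # assumed size of the half-open table
        self.timeout = half_open_timeout  # assumed wait for the final ACK
        self.half_open = {}               # key -> time the SYN arrived
        self.established = set()          # keys with a completed handshake
        self.stats = Counter()

    def _expire(self, now):
        for key in [k for k, t in self.half_open.items() if now - t > self.timeout]:
            del self.half_open[key]
            self.stats["half_open_expired"] += 1

    def feed(self, seg):
        self._expire(seg.ts)
        key = (seg.src, seg.sport, seg.dport)
        known = key in self.half_open or key in self.established
        if seg.flags & (RST | FIN):
            self.half_open.pop(key, None)
            self.established.discard(key)
            self.stats["closed" if known else "out_of_state_other"] += 1
        elif seg.flags & SYN:
            if known:
                self.stats["syn_retransmit"] += 1
            elif len(self.half_open) >= self.table_limit:
                self.stats["syn_table_full"] += 1   # a new client cannot connect
            else:
                self.half_open[key] = seg.ts
        elif seg.flags & ACK:
            if key in self.half_open:               # third step of the handshake
                del self.half_open[key]
                self.established.add(key)
                self.stats["handshake_completed"] += 1
            elif key in self.established:
                self.stats["in_session"] += 1
            else:                                   # belongs to no session
                self.stats["out_of_state_ack"] += 1

    def verdict(self, min_events=5):
        s = self.stats
        never_completed = (s["half_open_expired"] + s["syn_table_full"]
                           + len(self.half_open))
        labels = []
        if never_completed >= min_events and never_completed > s["handshake_completed"]:
            labels.append("syn-flood")
        if s["out_of_state_ack"] >= min_events and s["out_of_state_ack"] > s["in_session"]:
            labels.append("ack-flood")
        return labels


def run(segments, **kwargs):
    """Feed a trace in arrival order and return the tracker for inspection."""
    tracker = SessionTracker(**kwargs)
    for seg in sorted(segments, key=lambda s: s.ts):
        tracker.feed(seg)
    return tracker


def legit_session(src, sport, start):
    """Constructed client: full handshake, one data segment, orderly close."""
    return [Segment(start, src, sport, 443, SYN),
            Segment(start + 0.05, src, sport, 443, ACK),
            Segment(start + 0.10, src, sport, 443, PSH | ACK),
            Segment(start + 0.20, src, sport, 443, FIN | ACK)]


# Constructed traces; all addresses come from the documentation ranges.
NORMAL = [seg for i in range(3)
          for seg in legit_session(f"192.0.2.{10 + i}", 51000 + i, float(i))]
SYN_FLOOD = ([Segment(i * 0.01, f"198.51.100.{i + 1}", 40000 + i, 443, SYN)
              for i in range(20)]
             + [Segment(0.5, "192.0.2.10", 51000, 443, SYN),    # real client
                Segment(1.5, "192.0.2.10", 51000, 443, SYN)])   # its retry
ACK_FLOOD = (legit_session("192.0.2.10", 51000, 0.0)
             + legit_session("192.0.2.11", 51001, 0.1)
             + [Segment(0.3 + i * 0.01, f"203.0.113.{i + 1}", 30000 + i, 443,
                        ACK if i % 2 else PSH | ACK) for i in range(30)])

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL), ("syn flood", SYN_FLOOD),
                        ("ack flood", ACK_FLOOD)):
        t = run(trace)
        print(f"{name:10} verdict={t.verdict()} stats={dict(t.stats)}")
```

In the SYN flood trace the real client's SYN and its retry are both refused because the half-open table is already full, which is the failure the text describes; in the ACK flood trace every flood segment has to be looked up and fails to match any session.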

According to various sources, today the number of devices connected to the Internet is about 10 billion. And all of these devices are at risk, because many manufacturers prefer to integrate free and open source Linux into their products. The IoT devices employ a number of specialized Linux distributions such as Linux Lite, LXLE, OpenWrt, Ostro Linux, uClinux, and so on. According to VDC Research, next year over 64% of IoT devices will operate on open source Linux distributions.

[Graph: Spread of Linux in the OS market]

Unlike PCs and mobile devices, not all "smart" things have a familiar interface (a display and a keyboard), so not every person will be able to diagnose an infection (verify network connectivity, check monitor activity, etc.). Very few people ever get the idea that their DVR or smart watch might be a target for cracking. In addition, there are no firewalls or antivirus software for the IoT. But the main problem lies in the users who use weak or standard passwords and do not follow safety rules. Recall that all passwords are considered weak if they consist of 8 or fewer characters. But a proper password length does not guarantee 100% protection, since any password involves a finite combination of numbers, letters, and symbols. According to IT experts, the more often a person changes the password, the less complex it becomes, especially if there are no strict requirements on its length. However, updating the IoT devices is perhaps the only way to protect them against hacking and intrusion.

Therefore, the user is advised to constantly check which ports of their IoT devices are in use, whether any suspicious processes are running, etc. Unfortunately, not all users know how to do it and why. It is therefore not surprising that hackers paid attention to such a convenient tool for conducting DDoS attacks, one with the widest geographical distribution which, moreover, does not require financial costs, unlike renting dedicated servers to produce attack traffic. Unfortunately, the widespread use of IP spoofing by attackers makes it impossible to define precisely which devices were initially used and where they were located. But it is already clear that the army of bots has grown several times due to the "smart things", which may include such devices as fitness clocks, educational pens and children's toys with an integrated Wi-Fi module, and there are billions of them worldwide.

4. Analysis of the victims

Victims ranking over the past year, as the percentage of each targeted type out of the total number of assaults:

- Online stores - 36%
- Game servers - 29%
- Hosting services - 19%
- Banks - 7%
- Mass Media - 4.5%
- Governmental segment - 4%
- Others - 0.5%

Resources associated with sales, online games and other web services are still at particular risk. During the US pre-election period, the attacks on media and governmental websites intensified due to the desire of cyber criminals to manipulate public opinion and paint an image of "Russian hackers", while most of the DDoS attacks were coming from China. Indeed, the "Russian hackers" have become a kind of brand. It is very convenient for security professionals who have not coped with their tasks to blame unknown attackers over the ocean, without mentioning any particular names. Of course, this does not mean that in Russia there are no hackers who could conduct those attacks; however, due to modern technologies it is quite difficult to track the exact person responsible for the attacks.

Top-targeted countries:

- China - 39%
- Russia - 25%
- USA - 19%
- Other countries - 17%

Like a year ago, China took the lead again because anyone from any part of the world can rent cheap dedicated servers there. The percentage of victims in the US (which is obvious during the pre-election period) and in Russia increased. The increase in DDoS attacks on Russian resources, especially in the state sector, can be regarded as a kind of retaliatory blow from foreign detractors. It is also worth noting a series of DDoS attacks on large providers, including attacks that targeted DDoS mitigation providers in order to check their protection level.

Our company was targeted too, and the Facebook API was used as the tool for conducting the DDoS. Having a large number of compromised PCs, i.e. bots, cyber criminals were posting a link to a victim website to the status bar of Facebook profiles. That made Facebook scripts request content from the specified links, and a large number of these requests per unit of time was supposed to consume all the available bandwidth of the victim. As bots, the hackers used Facebook profiles to which they had gained access illegally, taking advantage of phishing techniques, typosquatting, social engineering and other methods.

5. DDoS in 2017

This year, according to independent research, it is reasonably expected that businesses will pay more attention to Internet of Things security issues. Below are the key areas for investment in cybersecurity in 2017 (according to PwC).

[Graph: key areas for investment in cybersecurity in 2017, worldwide and in Russia: biometric systems and methods of enhanced authentication; the security of the corporate digital architecture; the IoT security; cybersecurity of new business models; enhanced cooperation between business units, digitalization and IT teams]

However, when focusing on new threats, we should not forget about old ones like the Necurs botnet. This is one of the largest botnets in the world, and it can significantly affect the level of spam in the world's mail traffic. According to Cisco, many of the IP addresses that produce Necurs-based spam have been infected for more than two years. Last year, the botnet was enhanced with a new proxy module and gained the functionality needed to conduct DDoS attacks. The module was classified as an on-demand proxy that is able to route traffic through the infected hosts, utilizing HTTP, SOCKSv4, and SOCKSv5 (a network protocol that can forward packets from the client to the server through a proxy server transparently (unbeknownst to them) and thus use the services behind firewalls). Just recently, researchers were able to establish that the new functionality is associated with DDoS attacks: the bots have been sending requests to destination port 5222 using a different protocol. It turned out that the proxy module could receive commands that would cause the controlled machine to generate an HTTP or UDP flood towards the victim. Meanwhile, the Necurs botnet consists of more than 6 million bots. Although in 2016 it was reported that the botnet had virtually disappeared from sight since it stopped distributing malware, the recently received data is a cause for concern: perhaps the botnet owners just decided to upgrade it.

One should not ignore the emergence of GRE flood. Our company recorded the maximum size of GRE flood targeting our network, which reached 273 Gbps, at exactly the time when Mirai attack activity was on the rise.

Thus, today there are more than 37 types of DDoS attacks that exploit vulnerabilities of existing protocols at OSI layers 3 through 7 (for more information see the Appendix), and to create these attacks one can use any device connected to the Internet, including hacked accounts in social networks, home routers, digital equipment for cars, etc. There are two ways of solving this problem: developing advanced filtering algorithms to withstand such attacks, and expanding the existing network capacity, which is what our company has been doing since the moment of its foundation.

6. How our protection works

At present, our company has a geographically distributed filtering network, which also has direct physical connections to the Tier-1 networks and thus can reliably and quickly filter incoming traffic. The scrubbing centers are situated in:

- Amsterdam, The Netherlands
- Frankfurt, Germany
- Moscow, Russia
- Tokyo, Japan
- Washington DC, USA

Following the concept of constant growth, we have already planned additional points of presence and scrubbing centers in Europe, North America and the APAC region. The network architecture is designed to meet probable threats and risks associated with DDoS attacks and provides three independently redundant layers.

1. Routing layer

The main purpose is fault-tolerant and flexible routing of large amounts of traffic, providing connectivity with the maximum number of external networks. An additional objective is the aggregation and reservation of client connections that use physical (fiber optic) and logical (L2/L3 VPN, GRE, IPIP etc.) channels. For this purpose, at this level we use reliable and highly efficient Juniper routers and switches.

2. Reserved cluster for packet processing (packet processing layer)

The main goal of this layer is distributed traffic checking at OSI layers 3-4 under ultra-large network flow that reaches Gbps at each point of presence. This layer consists of several (25, may vary depending on the particular point of presence) mutually reserved devices, which check incoming packets by applying deep packet inspection (DPI). The applied algorithms are developed by engineers of our company. There is also an opportunity for immediate network capacity expansion up to Gbps in each point of presence.

3. Reserved cluster for processing of application level requests (application layer)

The main task of this cluster is validation of requests at OSI layers 5-7, which are HTTP, HTTPS, DNS, SMTP, etc. Here the processes of decryption, validation, and encryption of HTTPS traffic take place. The layer is reserved independently of the packet processing and routing layers.

It is worth noting that for traffic filtering purposes we use solutions of our own design. This allows us to guarantee and provide the claimed uptime level, as well as offer quick and efficient technical solutions to any unusual situations.

7. Conclusion

Generally, we can conclude that due to the rapid development of the Internet of Things, the potential army of bots has grown by several billion devices. And if the existing botnets that produce phishing, spam, etc. are used to conduct DDoS, this army will outnumber the world's human population and will generate terabytes of various garbage traffic.

The most important aspect of the fight against DDoS attacks is a constant reminder to the public that the cyber threat is real and serious, and is becoming more formidable day by day. Indeed, as 2016 showed, DDoS may affect not only single private resources, but whole segments of the Internet used by millions of people around the world.

For this reason, DDoS-GUARD is engaged in continuous monitoring and study of DDoS attacks, not only those that target our customers but also attacks that occur worldwide, and we share the results of this research in the media.

8. Appendix

DDoS attack types

Volumetric attacks DNS Amplification Attacks that exploit vulnerabilities in network protocol stack IP null Attack Application level attacks HTTP Flood, Excessive VERB DNS Flood ICMP Flood NTP amplification TCP null Attack Type of Service (TOS) flood ACK & PUSH ACK Flood Single Request HTTP Flood, Multiple VERB Single Request Single Session HTTP Flood, Excessive VERB Single Session Faulty Application Attack NTP Flood RST/FIN Flood Fragmented HTTP Flood, HTTP Fragmentation Ping Flood SYN-ACK Flood Session Attack, SlowLoris UDP Flood Non-Spoofed UDP Flood UDP Fragmentation Flood, UDP Fragmentation SYN Flood TCP null Multiple ACK Fake Session Attack Zero Day DDoS attack VoIP Flood Multiple SYN-ACK Fake Session Attack Media Data Flood Synonymous IP attack; Same Source/Dest Flood; LAND Attack Smurf Attack Misused Application Attack Fraggle Attack Fragmented ACK Flood Fake Session Attack Ping Of Death ICMP Fragmentation Flood Zero Day DDoS attack Another amplification attacks Zero Day DDoS attack

Attack impact according to OSI model

1. Second-layer attack (data link layer): network equipment congestion caused by malicious frames, which leads to loss of legitimate traffic.
2. Third-layer attack (network layer): congestion of network links of a data center and a customer, which leads to loss of legitimate traffic and unavailability of a network-enabled service.
3. Fourth-layer attack (transport layer): a DDoS attack that exploits vulnerabilities in transport layer protocols, causing overflow of the connection table and unavailability of a server.
4. Seventh-layer attack (application layer): an application-layer DDoS attack that causes server overload.


More information

DDoS: Coordinated Attacks Analysis

DDoS: Coordinated Attacks Analysis DDoS: Coordinated Attacks Analysis This article will cover some concepts about a well-known attack named DDoS (Distributed Denial-of-Service) with some lab demonstrations as a Proof of Concept with countermeasures.

More information

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

CYBER ATTACKS EXPLAINED: PACKET SPOOFING CYBER ATTACKS EXPLAINED: PACKET SPOOFING Last month, we started this series to cover the important cyber attacks that impact critical IT infrastructure in organisations. The first was the denial-of-service

More information

Corrigendum 3. Tender Number: 10/ dated

Corrigendum 3. Tender Number: 10/ dated (A premier Public Sector Bank) Information Technology Division Head Office, Mangalore Corrigendum 3 Tender Number: 10/2016-17 dated 07.09.2016 for Supply, Installation and Maintenance of Distributed Denial

More information

Distributed Denial of Service (DDoS)

Distributed Denial of Service (DDoS) Global Leader in DDoS Mitigation Threat Report Distributed Denial of Service (DDoS) Threat Report Q2 2017 456 Montgomery Street, Suite 800 San Francisco, CA 94104 USA +1 415 299 8550 Contents 1. Methodology...................

More information

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors 1 Table of Content Preamble...3 About Radware s DefensePro... 3 About Radware s Emergency Response Team

More information

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu Denial of Service Denial of Service Ozalp Babaoglu Availability refers to the ability to use a desired information resource or service A Denial of Service attack is an attempt to make that information

More information

Trends in IoT DDoSbotnets

Trends in IoT DDoSbotnets Trends in IoT DDoSbotnets Netnod Meeting, 14-15 March2018 Steinthor Bjarnason ASERT Network Security Research Engineer sbjarnason@arbor.net 2018 ARBOR PUBLIC 7,7 MillionDuring this presentation, approx.

More information

Panda Security 2010 Page 1

Panda Security 2010 Page 1 Panda Security 2010 Page 1 Executive Summary The malware economy is flourishing and affecting both consumers and businesses of all sizes. The reality is that cybercrime is growing exponentially in frequency

More information

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015 2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks 9 th November 2015 AKAMAI SOLUTIONS WEB PERFORMANCE SOLUTIONS MEDIA DELIVERY SOLUTIONS CLOUD SECURITY SOLUTIONS CLOUD NETWORKING

More information

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services

Managing IT Risk: What Now and What to Look For. Presented By Tina Bode IT Assurance Services Managing IT Risk: What Now and What to Look For Presented By Tina Bode IT Assurance Services Agenda 1 2 WHAT TOP TEN IT SECURITY RISKS YOU CAN DO 3 QUESTIONS 2 IT S ALL CONNECTED Introduction All of our

More information

Analisi degli attacchi DDOS e delle contromisure

Analisi degli attacchi DDOS e delle contromisure Attacchi informatici: Strategie e tecniche per capire, prevenire e proteggersi dagli attacchi della rete Analisi degli attacchi DDOS e delle contromisure Alessandro Tagliarino 0 WHO IS ARBOR NETWORKS?

More information

Chapter 10: Denial-of-Services

Chapter 10: Denial-of-Services Chapter 10: Denial-of-Services Technology Brief This chapter, "Denial-of-Service" is focused on DoS and Distributed Denial-of-Service (DDOS) attacks. This chapter will cover understanding of different

More information

2015 DDoS Attack Trends and 2016 Outlook

2015 DDoS Attack Trends and 2016 Outlook CDNetworks 2015 DDoS Attack Trends and 2016 Outlook 2016, January CDNetworks Security Service Team Table of Contents 1. Introduction... 3 2. Outline... 3 3. DDoS attack trends... 4 4. DDoS attack outlook

More information

The situation of threats in cyberspace in the first half of 2018

The situation of threats in cyberspace in the first half of 2018 The situation of threats in cyberspace in the first half of 2018 1. Cyber-attacks (1) Scanning activities in cyberspace a. Overview of unexpected incoming packets to the sensors 1 The number of unexpected

More information

Internet of Things (IoT) Attacks. The Internet of Things (IoT) is based off a larger concept; the Internet of Things came

Internet of Things (IoT) Attacks. The Internet of Things (IoT) is based off a larger concept; the Internet of Things came Victoria Ellsworth Dr. Ping Li ICTN 4040 04/11/17 Internet of Things (IoT) Attacks The Internet of Things (IoT) is based off a larger concept; the Internet of Things came from idea of the Internet of Everything.

More information

VDS. About the customer. Case study

VDS. About the customer. Case study About the customer FirstVDS provides virtual servers (VDS). The project has been existing since 2002 and is specialized solely on virtual servers Leasing service. The company's equipment is hosted in а

More information

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Protecting Against Online Fraud. F5 EMEA Webinar August 2014 Protecting Against Online Fraud F5 EMEA Webinar August 2014 Agenda Fraud threat trends and business challenges Web fraud protection Mobile fraud protection Security operations center Example architecture

More information

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE

Enterprise Overview. Benefits and features of Cloudflare s Enterprise plan FLARE Enterprise Overview Benefits and features of s Enterprise plan 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com This paper summarizes the benefits and features of s Enterprise plan. State of

More information

Comprehensive datacenter protection

Comprehensive datacenter protection Comprehensive datacenter protection There are several key drivers that are influencing the DDoS Protection market: DDoS attacks are increasing in frequency DDoS attacks are increasing in size DoS attack

More information

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING A STRONG PARTNER COMPANY Link11 - longstanding security experience Link11 is a European IT security provider, headquartered in Frankfurt, Germany

More information

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies Grow revenue opportunities with fast, personalized web experiences and manage complexity from peak demand, mobile Business devices and Continuity data collection. & Cybersecurity Anna Chan, Marketing Director,

More information

Cisco Firepower with Radware DDoS Mitigation

Cisco Firepower with Radware DDoS Mitigation Cisco Firepower with Radware DDoS Mitigation Business Decision Maker Presentation Eric Grubel VP Business development, Radware February 2017 DDoS in the news French hosting firm flooded with 1 Tbps traffic

More information

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks So we are proposing a network intrusion detection system (IDS) which uses a Keywords: DDoS (Distributed Denial

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Comprehensive DDoS Attack Protection: Cloud-based, Enterprise Grade Mitigation F5 Silverline

Comprehensive DDoS Attack Protection: Cloud-based, Enterprise Grade Mitigation F5 Silverline Comprehensive DDoS Attack Protection: Cloud-based, Enterprise Grade Mitigation F5 Silverline PRESENTED BY: RICH BIBLE, EMEA SILVERLINE SA November 22, 2018 1 2018 F5 NETWORKS DDoS and Application Attack

More information

Imma Chargin Mah Lazer

Imma Chargin Mah Lazer Imma Chargin Mah Lazer How to protect against (D)DoS attacks Oliver Matula omatula@ernw.de #2 Denial of Service (DoS) Outline Why is (D)DoS protection important? Infamous attacks of the past What types

More information

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0 Author: Tonny Rabjerg Version: 20150730 Company Presentation WSF 4.0 WSF 4.0 Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the likely annual cost to the

More information

JPCERT/CC Incident Handling Report [January 1, March 31, 2018]

JPCERT/CC Incident Handling Report [January 1, March 31, 2018] JPCERT-IR-2018-01 Issued: 2018-04-12 JPCERT/CC Incident Handling Report [January 1, 2018 - March 31, 2018] 1. About the Incident Handling Report JPCERT Coordination Center (herein, JPCERT/CC) receives

More information

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security

Routing Security DDoS and Route Hijacks. Merike Kaeo CEO, Double Shot Security Routing Security DDoS and Route Hijacks Merike Kaeo CEO, Double Shot Security merike@doubleshotsecurity.com DISCUSSION POINTS Understanding The Growing Complexity DDoS Attack Trends Packet Filters and

More information

ECE 435 Network Engineering Lecture 23

ECE 435 Network Engineering Lecture 23 ECE 435 Network Engineering Lecture 23 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 30 November 2017 HW#11 will be posted Announcements Don t forget projects next week Presentation

More information

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu

Denial of Service. Denial of Service. A metaphor: Denial-of-Dinner Attack. DDoS over the years. Ozalp Babaoglu Denial of Service Denial of Service Ozalp Babaoglu Availability refers to the ability to use a desired information resource or service A Denial of Service attack is an attempt to make that information

More information

Botnets: major players in the shadows. Author Sébastien GOUTAL Chief Science Officer

Botnets: major players in the shadows. Author Sébastien GOUTAL Chief Science Officer Botnets: major players in the shadows Author Sébastien GOUTAL Chief Science Officer Table of contents Introduction... 3 Birth of a botnet... 4 Life of a botnet... 5 Death of a botnet... 8 Introduction

More information

WORKSHOP CYBER SECURITY AND CYBERCRIME POLICIES FOR AFRICAN DIPLOMATS. Okechukwu Emmanuel Ibe

WORKSHOP CYBER SECURITY AND CYBERCRIME POLICIES FOR AFRICAN DIPLOMATS. Okechukwu Emmanuel Ibe WORKSHOP CYBER SECURITY AND CYBERCRIME POLICIES FOR AFRICAN DIPLOMATS Okechukwu Emmanuel Ibe INTRODUCTION The Intelligence and Security Committee (ISC) is a Unit in the Office of the Chairperson of the

More information

20-CS Cyber Defense Overview Fall, Network Basics

20-CS Cyber Defense Overview Fall, Network Basics 20-CS-5155 6055 Cyber Defense Overview Fall, 2017 Network Basics Who Are The Attackers? Hackers: do it for fun or to alert a sysadmin Criminals: do it for monetary gain Malicious insiders: ignores perimeter

More information

The Interactive Guide to Protecting Your Election Website

The Interactive Guide to Protecting Your Election Website The Interactive Guide to Protecting Your Election Website 1 INTRODUCTION Cloudflare is on a mission to help build a better Internet. Cloudflare is one of the world s largest networks. Today, businesses,

More information

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection Snoc DDoS Protection Fast Secure Cost effective sales@.co.th www..co.th securenoc Introduction Snoc 3.0 Snoc DDoS Protection provides organizations with comprehensive protection against the most challenging

More information

Samu Konttinen, CEO Q3 / 2017 CORPORATE SECURITY REVENUE UP BY 11% - GOOD GROWTH CONTINUED

Samu Konttinen, CEO Q3 / 2017 CORPORATE SECURITY REVENUE UP BY 11% - GOOD GROWTH CONTINUED Samu Konttinen, CEO Q3 / 2017 CORPORATE SECURITY REVENUE UP BY 11% - GOOD GROWTH CONTINUED 1 AGENDA Key takeaways from Q3 Key figures Business updates Outlook Financials FAQ All figures refer to continuing

More information

Configuring attack detection and prevention 1

Configuring attack detection and prevention 1 Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack

More information

Cyber Attacks: Evolving Network Architectures to Meet the Challenge

Cyber Attacks: Evolving Network Architectures to Meet the Challenge Cyber Attacks: Evolving Network Architectures to Meet the Challenge Robert Crinks OnPoint Consulting, Inc. EIS 2018 discover a dynamic comprehensive technology partner that can help your agency A wholly

More information

Kaspersky Security Network

Kaspersky Security Network The Kaspersky Security Network (KSN) is a complex distributed infrastructure dedicated to intelligently processing cybersecurity-related data streams from millions of voluntary participants around the

More information

Computer Network Vulnerabilities

Computer Network Vulnerabilities Computer Network Vulnerabilities Objectives Explain how routers are used to protect networks Describe firewall technology Describe intrusion detection systems Describe honeypots Routers Routers are like

More information

Insight Guide into Securing your Connectivity

Insight Guide into Securing your Connectivity Insight Guide I Securing your Connectivity Insight Guide into Securing your Connectivity Cyber Security threats are ever present in todays connected world. This guide will enable you to see some of the

More information

akamai s [state of the internet] / security

akamai s [state of the internet] / security [Volume 2 / Number 2] akamai s [state of the internet] / security Q2 215 executive summary The Security Report has five research sections: Quarter-over-quarter and year-ago quarterly attack statistics

More information

Vincent van Kooten, EMEA North Fraud & Risk Intelligence Specialist RSA, The Security Division of EMC

Vincent van Kooten, EMEA North Fraud & Risk Intelligence Specialist RSA, The Security Division of EMC Vincent van Kooten, EMEA North Fraud & Risk Intelligence Specialist RSA, The Security Division of EMC 1 2013 2 3 in 4 3 5.900.000.000 $ 4 RSA s Top 10 List 5 RSA s top 10 phishing list Copyright 2014 EMC

More information

Meeting 39. Guest Speaker Dr. Williams CEH Networking

Meeting 39. Guest Speaker Dr. Williams CEH Networking Cyber@UC Meeting 39 Guest Speaker Dr. Williams CEH Networking If You re New! Join our Slack ucyber.slack.com Feel free to get involved with one of our committees: Content, Finance, Public Affairs, Outreach,

More information

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES TABLE OF CONTENTS 3 Introduction 4 Survey Findings 4 Recent Breaches Span a Broad Spectrum 4 Site Downtime and Enterprise

More information

Basic Concepts in Intrusion Detection

Basic Concepts in Intrusion Detection Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification

More information

The Value of Automated Penetration Testing White Paper

The Value of Automated Penetration Testing White Paper The Value of Automated Penetration Testing White Paper Overview As an information security expert and the security manager of the company, I am well aware of the difficulties of enterprises and organizations

More information

DDoS Introduction. We see things others can t. Pablo Grande.

DDoS Introduction. We see things others can t. Pablo Grande. DDoS Introduction We see things others can t Pablo Grande pgrande@arbor.net DoS & DDoS. Unavailability! Interruption! Denial of Service (DoS) attack is an attempt to make a machine or network resource

More information

Attack Prevention Technology White Paper

Attack Prevention Technology White Paper Attack Prevention Technology White Paper Keywords: Attack prevention, denial of service Abstract: This document introduces the common network attacks and the corresponding prevention measures, and describes

More information

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security Pavel Minařík, Chief Technology Officer Neutral Peering Days 2018, The Hague Your customers depend on your

More information

Imperva Incapsula Product Overview

Imperva Incapsula Product Overview Product Overview DA T A SH E E T Application Delivery from the Cloud Whether you re running a small e-commerce business or in charge of IT operations for an enterprise, will improve your website security

More information

Security Device Roles

Security Device Roles Kennesaw State University DigitalCommons@Kennesaw State University KSU Proceedings on Cybersecurity Education, Research and Practice 2017 KSU Conference on Cybersecurity Education, Research and Practice

More information

Ensuring the Success of E-Business Sites. January 2000

Ensuring the Success of E-Business Sites. January 2000 Ensuring the Success of E-Business Sites January 2000 Executive Summary Critical to your success in the e-business market is a high-capacity, high-availability and secure web site. And to ensure long-term

More information

Imperva Incapsula Survey: What DDoS Attacks Really Cost Businesses

Imperva Incapsula Survey: What DDoS Attacks Really Cost Businesses Survey Imperva Incapsula Survey: What DDoS Attacks Really Cost Businesses BY: TIM MATTHEWS 2016, Imperva, Inc. All rights reserved. Imperva and the Imperva logo are trademarks of Imperva, Inc. Contents

More information

Denial of Service and Distributed Denial of Service Attacks

Denial of Service and Distributed Denial of Service Attacks Denial of Service and Distributed Denial of Service Attacks Objectives: 1. To understand denial of service and distributed denial of service. 2. To take a glance about DoS techniques. Distributed denial

More information

GOVERNMENT IT: FOCUSING ON 5 TECHNOLOGY PRIORITIES

GOVERNMENT IT: FOCUSING ON 5 TECHNOLOGY PRIORITIES GOVERNMENT IT: FOCUSING ON 5 TECHNOLOGY PRIORITIES INSIGHTS FROM PUBLIC SECTOR IT LEADERS DISCOVER NEW POSSIBILITIES. New network technology is breaking down barriers in government offices, allowing for

More information

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks WHITE PAPER 2017 DDoS of Things SURVIVAL GUIDE Proven DDoS Defense in the New Era of 1 Tbps Attacks Table of Contents Cyclical Threat Trends...3 Where Threat Actors Target Your Business...4 Network Layer

More information

Fighting the Shadows: How to Stop Real-world Cybersecurity Application Threats That You Can t See

Fighting the Shadows: How to Stop Real-world Cybersecurity Application Threats That You Can t See Fighting the Shadows: How to Stop Real-world Cybersecurity Application Threats That You Can t See Louis Scialabba Carrier Solutions Marketing Nov 2015 November 16, 2015 Topics What s New in Cybersecurity

More information

DDOS DETECTION AND RESPONSE TRENDS IN THE ENTERPRISE: AN IANS CUSTOM REPORT

DDOS DETECTION AND RESPONSE TRENDS IN THE ENTERPRISE: AN IANS CUSTOM REPORT DDOS DETECTION AND RESPONSE TRENDS IN THE ENTERPRISE: AN IANS CUSTOM REPORT SEPTEMBER 2014 COMMISSIONED BY: Contents Contents... 2 Introduction... 3 About the Survey and Respondents... 3 The Current State

More information

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004

Denial of Service. Serguei A. Mokhov SOEN321 - Fall 2004 Denial of Service Serguei A. Mokhov SOEN321 - Fall 2004 Contents DOS overview Distributed DOS Defending against DDOS egress filtering References Goal of an Attacker Reduce of an availability of a system

More information

A Review Paper on Network Security Attacks and Defences

A Review Paper on Network Security Attacks and Defences EUROPEAN ACADEMIC RESEARCH Vol. IV, Issue 12/ March 2017 ISSN 2286-4822 www.euacademic.org Impact Factor: 3.4546 (UIF) DRJI Value: 5.9 (B+) A Review Paper on Network Security Attacks and ALLYSA ASHLEY

More information

CISO Success Strategies: On Becoming a Security Business Leader

CISO Success Strategies: On Becoming a Security Business Leader SESSION ID: CXO W03 CISO Success Strategies: On Becoming a Security Business Leader Frank Kim CISO SANS Institute @fykim Outline Build Your Business Case Rocket Your Relationships Master Your Message 2

More information

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco

What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco What can we lose not implementing proper security in our IT environment? Aleksandar Pavlovic Security Account Manager Cisco Increasing Digital Traffic Creates a Greater Attack Surface Global IP Traffic

More information

A Survey of Defense Mechanisms Against DDoS Flooding A

A Survey of Defense Mechanisms Against DDoS Flooding A DDoS Defense: Scope And A Survey of Defense Mechanisms Against DDoS Flooding Attacks IIT Kanpur IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 15, NO. 4, FOURTH QUARTER 2013 DDoS Defense: Scope And Outline

More information

Data Sheet. DPtech Anti-DDoS Series. Overview. Series

Data Sheet. DPtech Anti-DDoS Series. Overview. Series Data Sheet DPtech Anti-DDoS Series DPtech Anti-DDoS Series Overview DoS (Denial of Service) leverage various service requests to exhaust victims system resources, causing the victim to deny service to

More information

JPCERT/CC Incident Handling Report [October 1, 2015 December 31, 2015]

JPCERT/CC Incident Handling Report [October 1, 2015 December 31, 2015] JPCERT-IR-2015-05 Issued: 2016-01-14 JPCERT/CC Incident Handling Report [October 1, 2015 December 31, 2015] 1. About the Incident Handling Report JPCERT Coordination Center (herein, JPCERT/CC) receives

More information

Chapter 7. Denial of Service Attacks

Chapter 7. Denial of Service Attacks Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),

More information