CDNetworks DDoS Attack Trends and Outlook for February 2015 CDNetworks Security Service Team. Copyright 2015 CDNetworks

Transcription

1 CDNetworks 2014 DDoS Attack Trends and Outlook for 2015 February 2015 CDNetworks Security Service Team Copyright 2015 CDNetworks

2 1. Introduction CDNetworks, a global CDN service provider, provides content delivery network (CDN) service, as well as DDoS defense services based on its large capacity international network lines and security technology capabilities, such as Secured Hosting and Cloud Security. This report analyzes information on a variety of DDoS attack types and trends collected in the course of providing Secured Hosting and Cloud Security, its DDoS defense service suite based on traffic bypass technology, to customers. Furthermore, this report uses the results of this analysis to share the information required to minimize damage from DDoS attacks by predicting and preparing for DDoS attack trends for This report contains DDoS attack trends for 2014, as well as the outlook and recommended countermeasures for While it primarily addresses the needs of CDNetworks security service customers, this report draws on CDNetworks experience in providing services to global customers, including from the U.S., Europe and Japan. As such, it is expected to provide useful resources for the general reader in understanding past trends and forecasting the future of DDoS attacks. 2. Summary DDoS attacks were more powerful and detailed in 2014 than the preceding year. The DDoS attacks of amplification type that appeared in the second half of 2013 became more powerful and diverse in type, while the slow L7-type attacks became slower and more detailed. Significantly, network time protocol (NTP) amplification attack replaced the existing maximum traffic of 300Gbps with 400Gbps in Increase in the number of DDoS attack cases The number of DDoS attacks in 2014 was 208, up 29% from the 161 posted in the preceding year. This is primarily due to the increase in the frequency of NTP amplification attacks and simple service discovery protocol (SSDP) amplification attacks, which had shown a very low occurrence frequency in the past. This rise has meant that, as a consequence, there has been a rise in the overall number and total traffic of DDoS attacks. A sharp rise in amplification attacks The number of amplification attacks was 64 in 2014, compared to just one in 2013, showing a 64-fold increase. By attack type, there were 21 simple service discovery protocol (SSDP) amplification attacks, 20 domain name system (DNS) amplification attacks, 22 NTP amplification attacks and 1 CharGen amplification attack, indicating that not only the number of occurrences is increasing, but that the type of amplification attacks is also diversifying. Increase in large-scale attacks 2

3 As for the number of DDoS attacks in 2014 by size, attacks between 10G and 20G increased by 33.3%, while larger attacks of 20G or above increased by 100%. The rising frequency of larger attacks is complicating efforts to defend attacks using the conventional network infrastructure possessed by the individual businesses Major DDoS Issues Date Feb Feb Mar Apr May 2014 May 2014 Jun Jul Jun Aug Sep Oct Nov Description 400Gbps DDoS, the largest scale ever (France) Bitcoin failure due to DDoS attacks 160,000 vulnerable WordPress-based sites are exploited as DDoS zombies NTP amplification attacks exploiting set-top boxes Chinese hackers target 220 Vietnamese sites with DDoS attacks, causing the network to be down for 3 days DDoS attacks through the infection of Linux servers (Elasticsearch vulnerability, iptables) A site relating to the opening of Brazil World Cup brought down by a DDoS attack A popular Korean online soccer game brought down by a DDoS attack Attack launched on Amazon servers exploiting the Elasticsearch vulnerability The servers of Sony PlayStation Network (PSN) brought down by a DDoS attack The closed social media site Ello brought down by a DDoS attack A large Korean domain registration agency s service suffers a failure by a DDoS attack Korean ISP DNS server suffers a failure due to a DDoS attack This year we saw that the defense for DNS servers is as important as that for high-traffic lines. As DNS uses user datagram protocol (UDP), it is not easy for DNS servers to defend against DDoS attacks. This is why we have provided safer services by increasing servers through ANYCAST methodology. Nevertheless, the need for protecting DNS servers has emerged as a critical issue following two high-profile service failures in Korea. In addition, we also saw several new types of attack, in addition to existing attacks that exploit zombie systems or vulnerabilities. We provide more details on these new types of attack in DDoS Outlook for 2015, below. The section below explores the trends of DDoS attacks based on our experience of defending systems against DDoS attacks through our Secured Hosting and Cloud Security Service in 2013 and

4 4. DDoS Attack Trend 2013 vs The frequency of DDoS attacks by year There were 208 cases of DDoS attacks in 2014, up 29% from This is primarily because there was an increase in the frequency of NTP amplification attacks and simple service discovery protocol (SSDP) amplification attacks, which had shown a very low occurrence frequency in the past, consequently increasing the overall number and traffic of DDoS attacks. 4.2 Analysis of DDoS attacks by month The graph shows DDoS attacks peaking in June. The period saw the highest frequency of both DNS amplification and NTP amplification attacks. The first SSDP amplification attack was detected on November 11. Following that, a total of 21 SSDP amplification attacks 4

5 occurred, with the maximum traffic of the attack being 14Gbps. In addition, a combined attack of DNS, NTP and SSDP generated a maximum traffic of 32Gbps. 4.3 Analysis of DDoS traffic size As shown by the analysis of DDoS traffic size, small attacks of less than 1G occurred the most frequently. Attacks of 10G or above also saw an increase in frequency, while the frequency of larger attacks of 20G or above doubled from the previous year. This trend is attributable to the increase in average traffic and maximum traffic by amplification attacks. 4.4 Analysis by type 5

6 According to the result of analysis by type, UDP flooding showed the highest frequency, continuing the trend seen in What is notable is the increase in amplification attacks. While 2013 saw only one DNS amplification attack occur, in 2014 there was a total of 64 DNS, NTP, and SSDP attacks. Furthermore, there were frequent attacks combining the three types. 4.5 Frequency of amplification attacks by type From November 2013, there were 21 SSDP amplification attacks, 22 NTP attacks, 20 DNS attacks and 1 CharGen attack. The traffic of DNS amplification was able to be slightly reduced with the use of extensive 6

7 patching, while NTP amplification remained as powerful as before. As to SSDP, the packet per second (PPS) for an IP was very low, as it occurs across a very large number of devices. This shows that it is impossible to defend the attack with the threshold for UDP. As shown below, amplification attacks occur frequently around the world. <Worldwide amplification attacks. Source: Digital Attack Map> 4.6. Analysis of the origin of DDoS attacks According to the result of querying 20,000 IPs, China and the U.S. were the two most frequently used sites for zombie systems. South Korea saw a slight decline from 12% in 2013 to 10% in Given that our services are provided to the global market, however, this figure is still high. 7

8 4.7. Analysis by type of business The types of business that received the most DDoS attacks were, in descending order: games (39%), education (26%) and community (13%). DDoS attacks on game companies in the global market remain very active, with Korean game companies becoming the main target of DDoS attacks as well. It is also understood that the range of the targets for DDoS attack is gradually expanding to include education, community, social commerce and public agencies. 8

9 DDoS Outlook 5.1 Outlook for amplification attacks Amplification attacks are also known as 'distributed reflector denial of service (DRDOS). This attack method involves attacking targets by utilizing vulnerable systems as 'zombies' by exploiting the vulnerabilities of specific protocols (DNS, NTP, SSDP, CharGen, SNMP). This type of attack can easily generate traffic of over 50G. In 2014, it generated traffic of up to 400G. The section below explores the types of DDoS attacks that are expected to increase or decrease in <Amplification attacks structure> Decline in the traffic of NTP and DNS amplification attacks The traffic generated by NTP on a single server is very high, with over 1G. For this reason, NTP operating companies have applied many patches, which has acted to significantly reduce the number of vulnerable systems (reflection list) 9

10 Globally, however, NTP amplification attacks are still taking place at the threatening traffic level of 50G-100G. At present, there are around 4,100 NTP reflectors in South Korea Increase in SSDP amplification attacks There are numerous devices that can be exploited for SSDP amplification. <Source: ShadowServer. Open SSDP in the world> According to the information from ShadowServer Foundation, China is the country with the most open SSDPs, followed by the U.S. and South Korea. OPEN SSDP TOP 10 Country Count China 4,800,000 USA 1,500,000 South Korea 1,100,000 Argentina 758,000 Russia 507,000 Japan 425,000 Brazil 399,000 Taiwan 346,000 India 305,000 Ukraine 298,000 The larger reflector list leads to a lower packet per second (PPS) for each device, which doesn t need to be increased. As a consequence, it is very difficult to defend against attacks by using the UDP threshold. 10

11 In addition, the traffic from a single IP is low and there are unmanaged devices using SSDP. It is therefore anticipated that SSDP amplification attacks will generate large traffic for the foreseeable future, continuing the trend seen in Increase in CharGen amplification attacks CharGen is an abbreviation of Character Generator and uses TCP/UDP Port 19. Attackers use UDP to change IP. According to the US-CERT (United States Computer Emergency Readiness Team), CharGen can amplify fold, and there are around 60,000 vulnerable servers in the world, including around 2,100 in South Korea. In addition, with global amplification traffic of up to around 58G occurring, companies are at risk of having their reputation and sales damaged unless they prepare thoroughly for the attacks. <State of CharGen amplification attacks. Source: Digital Attack Map> 5.2 Slow attacks that are even slower and attacks using the cloud A slow attack is a method of depleting system resources by requesting GET or POST attacks more slowly. Rather than requesting 100 times per minute, such attacks have recently become slower at 10 times per minute or even 3 times per minute, which makes it more difficult to differentiate abnormal from normal access. In addition, recent slow attacks use more IPs than in the past. Indeed, according to analysis of IPs, hackers tend to exploit the cloud in their attack, particularly as the cloud service market grows. Advantages of attacks using the cloud 1 Easy to generate zombies In a cloud service, it is easy to generate many VMs within seconds solely by using a credit card or deferred payment, with the generated VMs then used as zombie systems. This means attackers can skip the procedure for infecting the client by using malicious code to create zombie systems. 11

12 2 Zombie systems secured around the world at minimal cost Attackers can significantly reduce their costs by creating low-spec VMs with low memory and low disk capacity, which are optimized for attacks. They can also secure VMs to match the location of their target by using cloud providers distributed around the world. Attackers use many IPs to avoid the way that most security systems block attacks using the threshold based on a single IP. Many continuous IP addresses of cloud service providers can be found through the extraction of the attacking IPs. <Figure. GET/POST attacks using cloud service> 5.3 Script-based L7 attacks In April 2014, Incapsula, a cloud-based security service provider, announced that there was a large L7 DDoS attack exploiting the XSS vulnerability of Chinese video streaming web pages. When a user watches a video, one GET request is made to an arbitrarily defined target per second. If 10,000 users watch the video, 10,000 GET requests will take place per second. <POC TOOL> A customer (in the games industry) of CDNetworks Secured Hosting service also experienced a similar attack. In this attack, around 160,000 IPs from overseas were used to 12

13 make GET requests. The attack was easily defended as it used the same UserAgent, but this could have led to bigger trouble if we did not conduct analysis on L7 attacks with experience of it. 5.4 Increase in zombie PCs and mobile traffic with the advent of Giga Wi-Fi band Giga Wi-Fi is around three times faster than existing Wi-Fi. If a line is supported, PCs and mobile devices that are released these days can generate traffic of 500M. It is an immutable law that the more developed lines and hardware become, the greater the DDoS traffic. 6. Things You Need to Mitigate a DDoS Attack 6.1 Network and cloud infrastructure Recent DDoS attacks can easily generate traffic of 50G, and there are also many larger attacks that have generated 100G. To respond to DDoS attacks, you need to secure the capacity of over 100G, as well as cloudbased infrastructure that enables you to accommodate users from various regions in the global market. You also need multiple high-performance servers to withstand incoming attacks. 6.2 Anti-DDoS (L3, L4, L7) Devices As the types of attacks diversify, you need to get prepared for L3, L4 and L7 attacks in order to respond to any attack without a problem. You need to prepare for Get, POST, and slow attacks by implementing an L7 switch or other defense systems, in addition to anti-ddos devices. 13

14 6.3 Operators The most important factor in every security organization is labor. It is important to maintain the system 24x7x365 as DDoS attacks can take place any time and in any form. However, it is not easy for individual businesses to have their own stationed DDoS experts and, where such resources do exist, many lack sufficient technical capabilities to analyze the latest DDoS trends and generate actionable signatures from the result of their analysis. If businesses cannot afford to have their own personnel with expertise in the latest attack technologies, they need to consider outsourcing security to external experts. 6.4 Conclusion It is estimated to take about USD 3 million to meet all the above-mentioned requirements, and this is too much for individual businesses to meet. However, the possible damages from an attack in a defenseless state would be significantly greater than the costs, and thus businesses need to find alternative ways to finance their defense. CDNetworks provides DDoS defense service based on cloud, with other suppliers in the industry also providing similar services. If businesses utilize these outsource services efficiently according to their situation and need, they will be able to protect their infrastructure and secure business continuity as they can benefit from security experts and large-scale infrastructure at a reasonable price. 14

15 2014 DDoS Attack Trend and Outlook for 2015 Copyright Statement Copyright CDNetworks. All Rights Reserved. Copyright in this document is owned by CDNetworks, and you may not reproduce or distribute this document without the prior permission of CDNetworks. Information in this document is subject to change without notice. Inquiry on report and service: Business & Marketing Team, CDNetworks CDNetworks Global Offices Korea Handong Bldg. 2F, 37, Teheran-ro 8-gil, Gangnam-gu, Seoul Japan Nittochi Nishi-Shinjuku Building, 8th Floor, , Nishishinjuku, Shinjuku-ku, Tokyo China Room No.A-1502, Keijidalou, 900 Yi Shan Road, Shanghai

16 Singapore 10 Hoe Chiang Road #16-03 Keppel Towers, Singapore (Ext) 899 US 441 W. Trimble Road San Jose, CA EMEA Juxon House, 100 St Paul s Churchyard, London, EC4M 8BU Tel: