VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VOLUME 4, ISSUE 1 1ST QUARTER 2017 Complimentary report supplied by
CONTENTS EXECUTIVE SUMMARY 3 VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q1 2017 4 DDoS Attacks Remain Unpredictable and Persistent 4 Multi-Vector DDoS Attacks are the Norm 6 Largest Volumetric Attack and Highest Intensity Flood 8 Attacks Against Financial Sector Increase 9 FEATURE ARTICLE The Best of Both Worlds: Combining Technology and the Human Element to Mitigate DDoS Attacks 11 VERISIGN DDoS TRENDS REPORT Q1 2017 2
EXECUTIVE SUMMARY This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services from Jan. 1, 2017 through March 31, 2017 (Q1 2017). It represents a unique view into the attack trends unfolding online, including attack statistics and behavioral trends for Q1 2017. Verisign observed the following key trends in Q1 2017: Number of Attacks 23% decrease compared to Q4 2016 Peak Attack Size Volume 121 Gigabits per second (Gbps) Speed 90 Million packets per second (Mpps) Most Common Attacks Mitigated 46% of attacks were User Datagram Protocol (UDP) floods 57% of attacks employed multiple attack types Average Peak Attack Size 14.1 Gbps 26% increase from Q4 2016 26% increase compared to Q4 2016 23% of attacks over 10 Gbps and 36% of attacks over 5 Gbps Q1 2017 had a 26% INCREASE in average peak attack size compared to Q4 2016 VERISIGN DDoS TRENDS REPORT Q1 2017 3
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q1 2017 DDoS Attacks Remain Unpredictable and Persistent Verisign saw a 23 percent decrease in the number of attacks in Q1 2017; however, the average peak attack size increased 26 percent compared to the previous quarter. Attackers also launched sustained and repeated attacks against their targets. In fact, Verisign observed that almost 50 percent of customers who experienced DDoS attacks in Q1 2017 were targeted multiple times during the quarter. In Q1 2017, Verisign observed that DDoS attacks remain unpredictable and persistent, and vary widely in terms of volume, speed and complexity. To combat these attacks, it is becoming increasingly important to constantly monitor attacks for changes in order to optimize the mitigation strategy. Attack Size 59% peaked over 1 Gbps 36% peaked over 5 Gbps >10 Gbps >5<10 Gbps >1<5 Gbps <1 Gbps 2015-Q2 2015-Q3 2015-Q4 2016-Q1 2016-Q2 2016-Q3 2016-Q4 2017-Q1 100 80 60 40 20 0 Percent of Attacks Figure 1: Mitigation Peaks by Quarter from Q2 2015 to Q1 2017 VERISIGN DDoS TRENDS REPORT Q1 2017 4
Average Attack Peak Size 14.1 Gbps 26% increase in average peak attack size compared to Q4 2016 Every quarter since the first quarter of 2016 has had average attack peak sizes of over Overall, average peak attack sizes have been noticeably larger since Q1 2016. 19.4 17.4 20 18 16 10 GBPS 12.8 11.2 14.1 14 12 10 Gbps 5.5 7.0 6.9 8 6 4 2 2015-Q2 2015-Q3 2015-Q4 2016-Q1 2016-Q2 2016-Q3 2016-Q4 2017-Q1 0 Figure 2: Average Attack Peak Size by Quarter from Q2 2015 to Q1 2017 VERISIGN DDoS TRENDS REPORT Q1 2017 5
Multi-Vector DDoS Attacks are the Norm Fifty-seven percent of DDoS attacks mitigated by Verisign in Q1 2017 employed multiple attack types. Verisign observed DDoS attacks targeting victim networks at multiple network layers and attack types changing over the course of DDoS events, thus requiring continuous monitoring to optimize the mitigation strategy. 17% 8% 6% 43% 1 Attack Type 2 Attack Types 3 Attack Types 4 Attack Types 5+ Attack Types 57% of DDoS attacks in Q1 2017 utilized at least two different attack types. 26% Figure 3: Number of Attack Types per DDoS Event in Q1 2017 VERISIGN DDoS TRENDS REPORT Q1 2017 6
Types of DDoS Attacks UDP flood attacks continue to lead in Q1 2017, making up 46 percent of total attacks in the quarter. The most common UDP floods mitigated were Domain Name System (DNS) reflection attacks, followed by Network Time Protocol (NTP) and Simple Service Discovery Protocol (SSDP) reflection attacks. While UDP-based attacks continued to dominate the types of attacks deployed, the number of TCP-based attacks increased. TCP floods, largely consisting of TCP SYN and TCP RST floods, were the second most common attack vector, making up 33 percent of attack types in the quarter. 46% of attacks were UDP FLOODS 13% 4% 4% 33% 46% UDP Based IP Fragment Attacks TCP Based Layer 7 Other Figure 4: Types of DDoS Attacks in Q1 2017 VERISIGN DDoS TRENDS REPORT Q1 2017 7
Largest Volumetric Attack and Highest Intensity Flood The largest volumetric and highest intensity DDoS attack observed by Verisign in Q1 2017 was a multi-vector attack that peaked over 120 Gbps and around 90 Mpps. This attack sent a flood of traffic to the targeted network in excess of 60 Gbps for more than 15 hours. The attackers were very persistent in their attempts to disrupt the victim s network by sending attack traffic on a daily basis for over two weeks. The attack consisted primarily of TCP SYN and TCP RST floods of varying packet sizes and employed one of the signatures associated with the Mirai IoT botnet. The event also included UDP floods and IP fragments which increased the volume of the attack. At approximately 90 Mpps, the speed of the attack was the fastest pps rate observed in Q1 2017. SYN flood attacks at such high pps rates can be disruptive and require a highly scalable cloud-based service that can quickly and effectively defend against such attacks. VERISIGN DDoS TRENDS REPORT Q1 2017 8
Mitigations on behalf of Verisign Customers by Industry for Q1 2017 1 IT Services/ Cloud/SaaS 58% of mitigations Financial 28% of mitigations Media and Entertainment/ Content 6% of mitigations E-Commerce and Online Advertising 4% of mitigations Telecommunications and Other 2% of mitigations Public Sector 2% of mitigations Average attack size: Average attack size: Average attack size: Average attack size: Average attack size: Average attack size: 22.5 Gbps 1.7 Gbps.63 Gbps 32.6 Gbps.51 Gbps 31.9 Gbps Attacks Against Financial Sector Increase The financial sector continues to be a constant target for DDoS attacks. In Q1 2017, Verisign s financial sector customers experienced the second highest number of DDoS attacks (28 percent) of any industry sector within Verisign s customer base (a large increase from only 7 percent during the prior quarter). IT Services/Cloud remained the sector with the largest number of DDoS attacks in Q1 2017. 1 The attacks reported by industry in this document are solely a reflection of the Verisign DDoS Protection Services customer base. VERISIGN DDoS TRENDS REPORT Q1 2017 9
Peak Attack Size by Industry (Q1 2017) 300 250 200 150 100 Gbps 50 IT Services/ Cloud/SaaS Financial Public Sector Media & Entertainment Telecommunications & Other E-Commerce/ Online 0 Q2 2016 Q3 2016 Q4 2016 Q1 2017 Figure 5: Peak DDoS Attack Size by Industry from Q2 2016 to Q1 2017 VERISIGN DDoS TRENDS REPORT Q1 2017 10
FEATURE ARTICLE THE BEST OF BOTH WORLDS: COMBINING TECHNOLOGY AND THE HUMAN ELEMENT TO MITIGATE DDoS ATTACKS In Q1 2017, Verisign observed that 57 percent of DDoS attacks against its customer base utilized multiple attack vectors. As DDoS attacks increase in complexity and size, combating them becomes more challenging. In response, organizations not only need the right technology capable of meeting this growing threat, but also the right human element. Technical staff with DDoS expertise working in tandem with technology is highly beneficial in keeping networks and infrastructures available during an attack. The Technology Various on-premise firewalls and dedicated DDoS appliances are intended to preemptively stop malicious traffic before it reaches your network. The appliances can be configured with countermeasures or rules to block traffic to certain ports or traffic in a non-compliant format. When configured properly, the associated malicious traffic will be effectively blocked and dropped before it reaches the intended servers. These appliances are adept at handling simple attacks such as SYN floods and UDP floods, allowing some of the processes including detection to mitigation to be automated. However, in order to fine tune attack countermeasures and respond to changing attack tactics, it is important to have the right people working behind the scenes to most effectively combat a wide variety of attacks. The Human Element Attackers are using multiple tactics and adapting them midstream to impact their designated target. For example, Verisign observed that many Layer 7 attacks are regularly mixed in with Layer 3/Layer 4 DDoS flooding attacks. Volumetric flood attacks are easier to defend against than Layer 7 DDoS attacks, which pose a different challenge because it is difficult to distinguish legitimate human traffic from bot traffic. In such cases, a highly trained DDoS team with years of experience and expertise is needed to continuously monitor and adapt a mitigation approach to effectively differentiate bot versus human traffic. VERISIGN DDoS TRENDS REPORT Q1 2017 11
In the event of a zero-day attack, the skills and knowledge of an experienced DDoS mitigation team can really prove its value. For example, zero-day DDoS attacks can use techniques like DNS qnames, HTTP header order, and varying packet sizes in their requests. The technical team is able to work in conjunction with any implemented technology to analyze packet size, bandwidth utilization and headers to determine if additional countermeasures are necessary. The countermeasures include generating, in near real time, attack signatures to neutralize the bad traffic and minimize downtime. In comparison, on-premise appliances may need a patch or upgrade to respond to attacks that are too complex or new. The Best of Both Worlds Mitigating DDoS attacks is an art. There needs to be a balance between the technology and the expertise (skillset, experience and knowledge) of a technical team. Therefore, to effectively prepare for and combat DDoS threats, many organizations are selecting DDoS solutions that strike the right balance between cutting-edge technology and a proven, experienced technical team with a track record of DDoS mitigation expertise. By combining technology with the human element, organizations are getting the best of both worlds to defend against the ever-evolving DDoS threats. TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS. About Verisign Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the.com and.net top-level domains and two of the internet s root servers, as well as performs the root zone maintainer function for the core of the internet s Domain Name System (DNS). Verisign s Security Services include Distributed Denial of Service Protection and Managed DNS. To learn more about what it means to be Powered by Verisign, visit Verisign.com. *The information in this Verisign Distributed Denial of Service Trends Report (this Report ) is believed by Verisign to be accurate at the time of publishing based on currently available information. All information in this Report is solely a reflection of the observations and insights derived from the DDoS attack mitigations enacted on behalf of, and in cooperation with, the customers of Verisign DDoS Protection Services.Verisign provides this Report for your use in AS IS condition and at your own risk. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose. VERISIGN DDoS TRENDS REPORT Q1 2017 12
Verisign.com 2017 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners. Verisign Public VRSN_DDoS_CSC_TR_Q1-17_201706