VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT
VOLUME 4, ISSUE 3
3RD QUARTER 2017

Complimentary report supplied by

CONTENTS

EXECUTIVE SUMMARY
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2017
    DDoS Attacks Decrease in Volume But Remain Unpredictable
    Multi-Vector DDoS Attacks Remain the Norm
    Largest Volumetric Attack and Highest Intensity Flood Attack
FEATURE ARTICLE
    Comprehensive Network Protection Inbound and Outbound

VERISIGN DDoS TRENDS REPORT Q3 2017

EXECUTIVE SUMMARY

This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services during the third quarter of 2017 from July 1, 2017 through September 30, 2017 ("Q3 2017"). This report offers a unique view into the attack trends unfolding online, including attack statistics and behavioral trends during Q3 2017.*

Verisign observed the following key trends in Q3 2017:

Number of Attacks
    17% decrease compared to the second quarter of 2017 from April 1, 2017 through June 30, 2017 ("Q2 2017")

Attack Peak Size
    Volume: 2.5 Gigabits per second (Gbps)
    Speed: 2.3 Million packets per second (Mpps)

Average Attack Peak Size
    <1 Gbps
    70% decrease compared to Q2 2017
    30% of attacks over 1 Gbps

Most Common Attack Type Mitigated
    56% of attacks were User Datagram Protocol (UDP) floods
    88% of attacks employed multiple attack types
    29% of attacks employed five or more attack types

VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2017

DDoS Attacks Decrease in Volume But Remain Unpredictable

When comparing Q3 2017 to Q2 2017, Verisign saw a 17 percent decrease in the number of attacks, and a 70 percent decrease in the peak size of the average attack. Attackers continue to launch repeated attacks against their targets. In fact, Verisign observed that 45 percent of customers who experienced DDoS attacks in Q3 2017 were targeted multiple times during the quarter. DDoS attacks remain unpredictable and vary widely in terms of speed and complexity.

Attack Size: 30% peaked over 1 Gbps

[Figure 1: Mitigation Peaks by Quarter from Q4 2015 to Q3 2017. Percent of attacks per quarter in each peak-size band: >10 Gbps, >5<10 Gbps, >1<5 Gbps, <1 Gbps.]

Average Attack Peak Size: 0.8 Gbps
70% decrease in average peak attack size compared to Q2 2017

[Figure 2: Average Peak Attack Size by Quarter from Q4 2015 to Q3 2017, in Gbps. 2015-Q4: 6.9; 2016-Q1: 19.4; 2016-Q2: 17.4; 2016-Q3: 12.8; 2016-Q4: 11.2; 2017-Q1: 14.1; 2017-Q2: 2.7; 2017-Q3: 0.8.]

Multi-Vector DDoS Attacks Remain the Norm

Eighty-eight percent of DDoS attacks mitigated by Verisign in Q3 2017 employed multiple attack types. Verisign observed attacks targeting networks at multiple layers and attack types that changed over the course of a DDoS event. Today's DDoS attacks require continuous monitoring to more efficiently tailor mitigation strategies.

88% of DDoS attacks in Q3 2017 utilized at least two different attack types.

[Figure 3: Number of Attack Types per DDoS Event in Q3 2017. Categories: 1 Attack Type, 2 Attack Types, 3 Attack Types, 4 Attack Types, 5+ Attack Types.]

Types of DDoS Attacks

UDP flood attacks dominated in Q3 2017, accounting for 56 percent of total attacks in the quarter. The most common UDP floods included Domain Name System (DNS), Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), Character Generator Protocol (CHARGEN) and Simple Network Management Protocol (SNMP) reflective amplification attacks.

56% of attacks were UDP floods.

[Figure 4: Types of DDoS Attacks in Q3 2017. Categories: UDP Based, IP Fragment Attacks, TCP Based.]

Largest Volumetric Attack and Highest Intensity Flood Attack

The largest volumetric DDoS attack observed by Verisign in Q3 2017 was a multi-vector attack that peaked at approximately 2.5 Gbps and around 1 Mpps for one hour. The attack consisted of a wide range of attack vectors including TCP SYN and TCP RST floods; DNS, ICMP and Chargen amplification attacks; and invalid packets. The different attack vectors required continuous monitoring and changing of countermeasures to mitigate effectively.

The highest intensity packet flood in the quarter, consisting of TCP SYN and UDP floods mixed with invalid packets, peaked at approximately 2.3 Mpps and around 1 Gbps. That attack lasted approximately two and a half hours.

Mitigations on Behalf of Verisign Customers by Industry for Q3 2017**

Industry                              Share of mitigations   Average attack size
IT Services/Cloud/SaaS                45%                    0.76 Gbps
Financial                             20%                    0.63 Gbps
Media and Entertainment/Content       15%                    1.38 Gbps
Energy                                15%                    0.52 Gbps
E-Commerce and Online Advertising     5%                     0.61 Gbps

[Figure 5: Peak DDoS Attack Size by Industry from Q4 2016 to Q3 2017, in Gbps per quarter. Series: IT Services/Cloud/SaaS, Financial, Public Sector, Media & Entertainment, Telecommunications & Other, E-Commerce/Online.]

FEATURE ARTICLE

COMPREHENSIVE NETWORK PROTECTION INBOUND AND OUTBOUND

Verisign DDoS Trends Reports throughout 2017 have reported a decline in the size and number of DDoS attacks. This trend does not necessarily mean, however, that DDoS attacks are going away or that companies should be complacent. Now is a good time for organizations to review all aspects of their network and application security solutions to protect themselves against DDoS attacks or future security threats.

According to the 2016 Ponemon Institute Cost of a Data Breach Study, the average consolidated cost of a data breach is $4 million.[1] Organizations usually have a strategy in place to deal with DDoS attacks hitting their network and applications, but what happens if an internal user on their own network pulls in malware via an inadvertent outbound request?

Today's One-Way View - Inbound Only

Cloud-based DDoS protection services focus on monitoring inbound internet traffic to a customer's critical IP network. The technology typically uses signature analysis, misuse detection and dynamic profiling. Signature analysis and misuse detection look for deviations that may indicate a DDoS attack. Dynamic profiling establishes normal traffic patterns and identifies deviations, which then trigger alerts for further investigation. For example, traffic levels reaching or exceeding predefined thresholds could indicate a DDoS attack. So, when a wave of volumetric or malformed traffic hits the customer's network, an alert is raised for investigation.

DDoS monitoring solutions only provide visibility into the inbound traffic. What about outbound traffic sent from your network? While variations in outbound traffic patterns can happen for many reasons, they can also indicate that compromised endpoints are participating in a botnet, exfiltrating data or being used for other malicious purposes.

How do organizations know if an internal user is participating in a botnet or communicating with a command-and-control server or other malware? How do they know if data is being exfiltrated? Monitoring outbound DNS traffic can help.

[1] 2016 Ponemon Institute Cost of a Data Breach Study, https://securityintelligence.com/media/2016-cost-data-breach-study/, retrieved Oct. 2, 2017
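
The dynamic profiling and threshold alerting described above, applied to outbound DNS query logs, as an added example that is not part of the Verisign report: it builds a per-client baseline of queries per minute and flags minutes that deviate from it or reach a predefined limit. The log format, client addresses, domain names and the k, hard_limit and min_sigma parameters are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

def per_minute_counts(lines):
    """Parse constructed lines '<minute> <client_ip> <qname>' into client -> Counter(minute -> queries)."""
    counts = defaultdict(Counter)
    for line in lines:
        minute, client, _qname = line.split()
        counts[client][int(minute)] += 1
    return counts

def build_profile(counts, minutes):
    """Dynamic profile: per-client (mean, std dev) of queries per minute over the baseline window."""
    profile = {}
    for client, c in counts.items():
        series = [c.get(m, 0) for m in minutes]
        mean = sum(series) / len(series)
        var = sum((x - mean) ** 2 for x in series) / len(series)
        profile[client] = (mean, math.sqrt(var))
    return profile

def detect(counts, profile, minutes, k=3.0, hard_limit=100, min_sigma=1.0):
    """Alert when a minute reaches the predefined threshold or deviates from the profile."""
    alerts = []
    for client, c in sorted(counts.items()):
        mean, sigma = profile.get(client, (0.0, 0.0))  # no baseline: compare against zero
        limit = mean + k * max(sigma, min_sigma)       # floor sigma so flat baselines are not hair-triggers
        for m in minutes:
            n = c.get(m, 0)
            if n >= hard_limit:
                alerts.append((m, client, n, "threshold"))
            elif n > limit:
                alerts.append((m, client, n, "deviation"))
    return alerts

def sample_log():
    """Constructed sample: minutes 0-9 are the baseline, minutes 10-12 are checked."""
    lines = []
    for m in range(13):
        lines += [f"{m} 10.0.0.5 www.example.com"] * (5 + m % 2)   # steady client
        burst = {11: 40, 12: 120}.get(m, 2)                        # second client spikes
        lines += [f"{m} 10.0.0.9 host{i}.example.net" for i in range(burst)]
    return lines

def run():
    counts = per_minute_counts(sample_log())
    profile = build_profile(counts, range(0, 10))
    return detect(counts, profile, range(10, 13))
```

Calling run() on the constructed sample returns two alerts for 10.0.0.9 (a deviation at minute 11 and a threshold hit at minute 12) and none for the steady client.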

How to Monitor Outbound Traffic

Gaining visibility into outbound DNS requests can be challenging. Firewall administrators tend to not look at DNS request logs due to the volume, but knowing what is sent out on your network is the first step to preventing communication with malicious endpoints. Deploying security technology such as DNS firewall, email filtering and other security solutions, and keeping them up to date, is a good place to start.

No technology offers 100 percent network protection; organizations need to implement a layered approach to security that includes both technology and user education. As attackers grow increasingly adept at creating smarter malware to circumvent individual protections, it becomes more important to layer these and other security controls, including measures at the DNS level. For more information, read our white paper, Framework for Resilient DNS Security.

Verisign's Security Services offer cloud-based DDoS protection and DNS solutions to protect your organization's online services from today's security threats. To learn more about Verisign Security Services, visit https://www.verisign.com/en_us/security-services/index.xhtml.

TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS.

About Verisign

Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world's most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net top-level domains and two of the internet's root servers, as well as performs the root zone maintainer function for the core of the internet's Domain Name System (DNS). Verisign's Security Services include Distributed Denial of Service Protection and Managed DNS. To learn more about what it means to be Powered by Verisign, visit Verisign.com.

*The information in this Verisign Distributed Denial of Service Trends Report (this "Report") is believed by Verisign to be accurate at the time of publishing based on currently available information. Verisign provides this Report for your use in "AS IS" condition. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose.

**The attacks reported by industry in this report are solely a reflection of the Verisign DDoS Protection Service customer base.

Verisign.com

© 2017 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

Verisign Public VRSN_DDoS_TR_Q3-17_Axians_201712