VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT
VOLUME 5, ISSUE 2
2ND QUARTER 2018

Complimentary report supplied by
CONTENTS

EXECUTIVE SUMMARY
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q2 2018
    DDoS Attacks Increase in Size and Number
    Multi-Vector DDoS Attacks Remain Constant
    Types of DDoS Attacks
    Largest Volumetric Attack and Highest Intensity Flood Attack
    Mitigations on Behalf of Verisign Customers by Industry for Q2 2018

VERISIGN DDoS TRENDS REPORT Q2 2018
EXECUTIVE SUMMARY

This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services during Q2 2018. This report offers a unique view into the attack trends unfolding online, including attack statistics and behavioral trends for Q2 2018.*

Verisign observed the following key trends in Q2 2018:

Number of Attacks: 35% increase compared to Q1 2018
Largest Attack Peak Size: Volume 42 Gbps; Speed 4.7 Mpps
Average of Attack Peak Sizes: 5.7 Gbps; 111% increase compared to Q2 2017; 26% of attacks over 5 Gbps
Most Common Attack Type Mitigated in Q2 2018: 56% of attacks were User Datagram Protocol (UDP) floods
52% of attacks employed multiple attack types
20% of attacks employed three or more attack types
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q2 2018

DDoS Attacks Increase in Size and Number

Verisign observed that 58 percent of DDoS attacks were over 1 Gbps (Figure 1). When comparing Q2 2018 to Q1 2018, Verisign saw a 35 percent increase in the number of attacks, and a 49 percent decrease in the average of attack peak sizes (Figure 2). Year-over-year the average of attack peak sizes increased 111 percent. Verisign additionally observed that 62 percent of its customers who experienced DDoS attacks in Q2 2018 were targeted multiple times during the quarter. Overall, DDoS attacks remain unpredictable and vary widely in terms of speed and complexity.

Attack Size: 58% peaked over 1 Gbps

Figure 1: Mitigation Peaks by Quarter from Q3 2016 to Q2 2018 (percent of attacks per quarter, by attack size: >10 Gbps, >5<10 Gbps, >1<5 Gbps, <1 Gbps)
Average of Attack Peak Size: 5.7 Gbps
111% increase in average of attack peak size compared to Q2 2017

Figure 2: Average of Attack Peak Size by Quarter from Q3 2016 to Q2 2018 (Gbps per quarter)
Multi-Vector DDoS Attacks Remain Constant

Fifty-two percent of DDoS attacks mitigated by Verisign in Q2 2018 employed multiple attack types (Figure 3). Verisign observed attacks targeting networks at multiple layers and attack types that changed over the course of a DDoS event. Verisign continues to observe attacks utilizing a diverse and evolving arsenal of attack vectors across diverse ports and protocols. In Q2 2018, Verisign observed attackers targeting corporate network services including email and IPSec leveraging SNMP and GRE attack vectors. Today's DDoS attacks require continuous monitoring to optimize mitigation strategies.

52% of DDoS attacks in Q2 2018 utilized at least two different attack types

1 Attack Type: 48%
2 Attack Types: 32%
3 Attack Types: 10%
>4 Attack Types: 10%

Figure 3: Number of Attack Types per DDoS Event in Q2 2018
Types of DDoS Attacks

UDP flood attacks were the most common attack vector in Q2 2018, accounting for 56 percent of total attacks in the quarter (Figure 4). The most common UDP floods included Domain Name System (DNS), Lightweight Directory Access Protocol (LDAP), Network Time Protocol (NTP) and Simple Network Management Protocol (SNMP) amplification attacks.

56% of DDoS attacks were UDP floods

Figure 4: Types of DDoS Attacks in Q2 2018 (categories: IP Fragment Attacks, TCP Based, UDP Based, Layer 7, Other; UDP Based is 56%, and the other four segments are labelled 26%, 10%, 5% and 3%)
Largest Volumetric Attack and Highest Intensity Flood Attack

The largest volumetric DDoS attack observed by Verisign in Q2 2018 was a UDP fragment flood that peaked at approximately 42 Gbps and 3.5 Mpps and lasted approximately 3 hours. The highest intensity DDoS attack observed by Verisign in Q2 2018 was a multi-vector attack that peaked at approximately 38 Gbps and 4.7 Mpps and lasted for approximately 2 hours. The attack consisted of a wide range of attack vectors including DNS, NTP and SNMP Amplification attacks and TCP SYN and TCP RST floods.

Mitigations on Behalf of Verisign Customers by Industry for Q2 2018 [1]

Financial: 43% of mitigations; average attack size: 5 Gbps
IT Services/Cloud/SaaS: 37% of mitigations; average attack size: 5.7 Gbps
Media and Entertainment: 20% of mitigations; average attack size: 7.5 Gbps

[1] The attacks reported by industry in this report are solely a reflection of the Verisign DDoS Protection Service customer base.
To learn more about different mitigation options, download our e-book: A Guide to Selecting the Best Mitigation Option for Your Organization.

To learn more about Verisign DDoS Protection Services, visit Verisign.com/DDoS.

About Verisign

Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world's most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net top-level domains and two of the internet's root servers, as well as performs the root zone maintainer function for the core of the internet's Domain Name System (DNS). Verisign's Security Services include Distributed Denial of Service Protection and Managed DNS.

Definitions

Q1: First quarter of the year - January 1 to March 31
Q2: Second quarter of the year - April 1 to June 30
Q3: Third quarter of the year - July 1 to September 30
Q4: Fourth quarter of the year - October 1 to December 31
Q2 2017: Second quarter of 2017 from April 1, 2017 to June 30, 2017
Q1 2018: First quarter of 2018 from January 1, 2018 to March 31, 2018
Q2 2018: Second quarter of 2018 from April 1, 2018 to June 30, 2018
Gbps: Gigabits per second
Mpps: Million packets per second

*The information in this Verisign Distributed Denial of Service Trends Report (this "Report") is believed by Verisign to be accurate at the time of publishing based on currently available information. All information in this Report is solely a reflection of the observations and insights derived from the DDoS attack mitigations enacted on behalf of, and in cooperation with, the customers of Verisign DDoS Protection Services. Verisign provides this Report for your use in "AS IS" condition and at your own risk. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose.
Verisign.com

© 2018 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

Verisign Public VRSN_DDoS_TR_Q2-18_A10-Networks_201809