This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Transcription

1

2 This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license.

3 As a provider of distributed denial of service (DDoS) mitigation services, Black Lotus is in a unique position to observe and collect real time data on the threats facing service providers, enterprises, and government agencies. Many zero day threats are first seen on the Black Lotus network. These threats are summarized in our monthly report. The data contained in this report covers DDoS attack data for the period December 1, 2013 to December 31, 2013, and other insights observed during the reporting period through the time of release.

4 The largest attack mitigated on the Black Lotus network during the reporting period, in terms of gigabits per second (bit volume) and millions of packets per second (packet volume). The average attack mitigated on the Black Lotus network during the reporting period. The number of confirmed DDoS attacks mitigated on the Black Lotus network during the reporting period. We observed the largest DDoS attacks on this date. The largest volume of DDoS traffic from a single network originated from this source.

5 During the December 2013 reporting period, Black Lotus observed an average distributed denial of service (DDoS) attack size of 3.1 gigabits per second (Gbps) and 1.5 millions of packets per second (Mpps). While this figure is relatively low compared to the bandwidth available to many service providers and enterprises, there are many companies which do not have the available bandwidth either due to the size of the network or prohibitively expense telecommunications services which remains the situation in regions such as South America, Africa, and even Asia and Australia. For those which do have the available bandwidth, these attacks remain problematic as many networks do not have the infrastructure to process large bit or packet volumes and even the most secure frequently do not have sufficient DDoS attack detection and mitigation capabilities. Exhibit 1 details the maximum attack size in terms of bit volume observed by Black Lotus during the reporting period. 79,538 attacks were observed, 3584 (4.5%) of which were observed on December 12, 2013 with the largest single attack of 137 Gbps and 37 Mpps occurring on December 27, Attacks which are particularly large in bit volume continue to pose a problem for even the best equipped networks. While many service providers and enterprises are beginning to invest in robust DDoS mitigation infrastructure, this equipment is inherently limited to the capabilities of the equipment and the bandwidth available to the company which in many cases is 10 Gbps or less. During 12 of the 30 days during the reporting period, attacks were observed reaching over 20 Gbps.

6 Gigabits per second Attack Bit Volume by Date Exhibit 1. Maximum bit volume per attack incident during December 2013 While DDoS attacks are frequently cited in terms of their bit volume, the packet volume of an attack can be particularly devastating. Even if an attack does not exceed the bit capacity of a network or DDoS mitigation system, it can often exceed the packet volume capabilities the targeted network. For instance one popular DDoS mitigation hardware provider frequently sells 10 Gbps DDoS mitigation systems which are only capable of mitigating 4 Mpps where the line rate capability of a 10 Gbps interface is actually 15 Mpps. This can cause the mitigation equipment to saturate at 27% of the circuit capacity. Exhibit 2 allows one to compare the maximum packet volume to the maximum bit volume observed on any given day.

7 Millions of packets per second Attack Packet Volume by Date Exhibit 2. Maximum packet volume per attack incident during December 2013 Application layer attacks can also pose a problem even for those protected by network based DDoS mitigation systems. Also known as layer 7 attacks, these exploit weaknesses in an individual server s applications in order to cause resource depletion, resulting in an outage to the server. During the reporting period, 5723 (7.2%) of 79,538 attacks observed targeted individual applications, most commonly HTTP servers which host websites and domain name services (DNS) which are required to provide address resolution to customers. Attacks on either application can result in an outage to the site and are extremely difficult to mitigate without professional assistance. The vast majority of DDoS attacks are multi-vector meaning that an attacker is most likely to strike a target with multiple types of traffic in order to find weaknesses in the target s defenses and to confuse security engineers who may be trying to mitigate the attack. Exhibit 3 shows the maximum bit volume reached by the top three single attack vectors.

8 Gigabits per second Highest Volume Attack Vectors TCP/80 (HTTP) TCP/443 (HTTPS) UDP/53 (DNS) Exhibit 3. The highest volume attack vectors during the reporting period were HTTP (max. 51 Gbps) and DNS (max. 18 Gbps) During the month of December 2013, three major attack types remained dominant: HTTP and HTTPS attacks which represent attacks against web sites, and DNS query attacks which are the result of malicious traffic amplification caused by open resolvers. While HTTP attacks such as SYN floods, ACK floods, and application layer attacks such as HTTP GET resulted in the highest burst volume of traffic from a single vector, distributed reflection denial of service (DrDoS) attacks began to gain ground moving into In a DrDoS an attacker is able to send relatively small quantities of spoofed UDP traffic to unsecured servers resulting in amplification of malicious traffic to the spoofed target. This concept is illustrated in Exhibit 4. DrDoS attacks require the use of UDP as the protocol is not stateful, meaning that an attacker can trick a server into amplifying traffic to the wrong target as UDP does not require an established session in order to communicate. Common vectors used in DrDoS attacks have historically included DNS and to a lesser extent the simple network management protocol (SNMP). While an SNMP reflection attack can be devastatingly large in bit volume, these attacks are not very

9 common as it is not very common to find an open SNMP community due partially to the generally superior security acumen of those who manufacture and operate devices which use SNMP. Exhibit 4. Explanation of Distributed Reflection Denial of Service (DrDoS) attacks At the beginning of January 2014 Black Lotus observed a massive shift in the tactics used by attackers which began conducting DrDoS attacks using the network time protocol (NTP). On January 2, 2014 the U.S. National Institute of Standards and Technology (NIST) released vulnerability advisory CVE detailing a condition in the network time protocol daemon (ntpd) which can be used to allow attackers to launch DrDoS attacks. Specifically, an attacker can send a spoofed monlist command to a vulnerable ntpd which will respond to the victim at an amplification factor of 58.5.

10 While the majority of DDoS attacks are substantially distributed, making it extremely difficult to pin them down to a source it is sometimes observed that a few autonomous systems (AS), or networks, disproportionately contribute to the attacks observed by Black Lotus. In historical data, it is generally observed that China Telecom and China Unicom are the source networks for many of the largest DDoS attacks. Although much of this can be attributed to abuse handling, or lack thereof, it is also worth noting that these companies hold a monopoly on Chinese traffic which by some estimates accounts for more than 40% of all international traffic. Contrary to expectations, two AT&T networks (AS7018 and AS7132) accounted for the largest bit volume of traffic sourced from individual AS numbers, most notably contributing 7.3% of the traffic observed during the December 27, 2013 attack (peak 137 Gbps.) This anomaly can be observed in Exhibit 5. Another noteworthy anomaly is the presence of LG Dacom which also contributed to the aforementioned December 27, 2013 attack. LG Dacom, better known as LG U+ in South Korea, offers telecommunications services to include 4G LTE mobile service which can easily achieve speed of 40 Mbps on a single handset. This represents the first date which Black Lotus has observed traffic from a mobile carrier substantially contributing to a large DDoS attack.

11 Gigabits per second Attack Volume by Top 10 Source Networks AS AT&T AS MOJOHOST AS Croatian Academic and Research Network AS Svenska Stadsnatsforeningen AS Allstream AS AT&T AS University of Hawaii AS Hetzner AS LG Dacom AS China Unicom Exhibit 5. Largest contributors of DDoS traffic during December 2013

12 Attackers will continue to exploit weaknesses in the UDP protocol to launch DrDoS attacks. While the number of open DNS resolvers and NTP daemons will begin to decline, DrDoS attacks will remain an issue as attackers find new systems to use in their attacks and discover new vulnerabilities in services which use the UDP protocol. Attackers will continue to prefer volumetric attacks in order to saturate transit circuits and cause disruptions at IP carriers. This tactic will become more common as service providers and enterprises move to fortify their own on premise defenses. Volumetric attacks will be especially popular with hacktivists who wish to dominate the news media, realizing that attacks which are particularly large in bit volume are more likely attract attention. The DDoS attacks which sourced from mobile carrier LG U+ serve as an early warning for the potential of mobile networks to be used in DDoS attacks. It is particularly important to note that the 4G LTE system in South Korea is substantially faster and offers better coverage than those in other developed countries. As mobile technology and availability of 4G LTE coverage continues to mature, mobile DDoS attacks (mddos) will take main stage. Similarly, Korea leads the world in fiber to the home (FTTH) penetration which provides a 100 Mbps (up and down) connection to 58% of Korean homes for approximately $23 U.S. dollars per month. It is expected that more DDoS attacks will source from Korea along with other countries that enjoy high FTTH penetration rates, such as the United Arab Emirates.