DDoS Threat Report Reflection Attacks Q4 2015

Transcription

1 DDoS Threat Report Reflection Attacks Q4 2015

2 Methodology As the global leader in distributed denial of service (DDoS) mitigation, Nexusguard observes and collects real time data on threats facing enterprise and service provider networks worldwide. The data contained in this report is sourced from our external hybrid darknet, which Nexusguard and a community of organizations leading in DDoS and Internet cleanup efforts run and maintain. A network of vulnerable, Internet-connected devices, or honeypots, comprises Nexusguard s collaborative darknet, uniquely positioning it to measure global events that are unbiased by one set of customers or industries. Many zero day threats are first seen on the Nexusguard global research network. These threats are summarized in our quarterly report.

3 There have been many iterations of how Nexusguard has been reporting on our multi partnership honeynet project. Recently, Farsight Security has joined the multi-company group that supports the generation of this data. The primary sponsor is Nexusguard with A10 Networks, Farsight Security, and Cari.net participating as well. We have taken the approach of monitoring reflective DDoS attacks external to our networks, which gives us a completely neutral perspective of the scanning sources and attack destinations. This is very important to note that we have not seen any DDoS mitigation service provider in our top 10 list.

4 This last quarter has been an interesting one. It started out very typical with a few thousand events per day then skyrocketed to over thirty thousand events per day with attacks targeting Turkey with DNS attacks. This can be seen with Turkcell and Turkish Telecom both the number 1 and number 2 top targets of the quarter. In these attacks it appears that statements were being made. Not only were Turkish IPs being targeted with DDoS attacks, Turkish domains were used as the records begin reflected at the target. These domains had very low amplification factors. The top domain used was nic.tr, not an excellent choice with about a 2x amplification factor. The second highest count of domains used in these attacks was Turkey.com, which only has a 3.9x amplification factor. In theory, these attacks typically yield about 50x amplification factor. Rank AS Fullname TURKCELL-AS TURKCELL ILETISIM HIZMETLERI A.S.,TR TTNET Turk Telekomunikasyon Anonim Sirketi,TR CHINANET-BACKBONE No.31,Jin-rong Street,CN COGENT Cogent Communications,US CABLE-NET-1 - Cablevision Systems Corp.,US GARANTI-TECH Garanti Bilisim Teknolojisi ve Ticaret T.A.S.,TR CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd.,CN COMCAST Comcast Cable Communications, Inc.,US LORAL-SKYNET-ASN Loral Skynet Network Services (Europe) Ltd,DE OVH OVH SAS,FR Count

5 This quarter has seen a very large increase in DNS attacks. As seen above, these numbers have adjusted in this direction due to brutal attacks targeting Turkish IP addresses. Another interesting piece to note is the increase in diversity of attacks. This is due to new services being deployed to the projects honeypots. Interestingly enough, the majority is still held by the top three attack types: DNS, NTP and CHARGEN, respectively.

6 Rank Method Count 1 DNS NTP CHARGEN SSDP RIP 59 6 Sentinal SNMP 7 8 Echo 1 9 Portmapper 1

7 Durations are monitored by day and are visualized in seconds. This is done because the data is analyzed daily and the attack tools generally are executed with a second-based timer. This be seen in the medians around the durations. Looking at CHARGEN, we can estimate the majority of attacks were using a 600 second timer, NTP used 300 seconds, and DNS 36,000 seconds. This can give us some insight into the what types of instructions are being executed. This is only a hypothesis and needs to be monitored over time.

8 Observed attacks against Turkey started November 13 and peaked December 27. Not only was nic.tr the highest queried domain for DNS attacks this quarter, but ns3.nic.tr. was the recipient of the most packets observed from our honeypots for dns attacks. The peak of these attacks may be related to rising tensions between Russia and Turkey. Russia is not an amateur when it comes to executing denial of service attacks in a response to political events.

9 Rank Country Count 1 TR US CN FR GB BR DE RU CA AT 2644 Geopolitical events consistently change the landscape of attacks. These events can happen in a heartbeat and do not require government sponsorship. Whether countries officially support or turn a blind eye to the attacker these types of campaigns happen regularly. No country is innocent for these types of attacks. For example Iran targeting financial institutions, Russia attacking Estonia or Georgia, and the US turning a blind eye to political activist, the Jester.

10 All data used to generate this attack report as well as the project used to monitor the honeypots will be published to