VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT



Similar documents
How To Mitigate A Ddos Attack

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 4 4TH QUARTER 2014

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 2 2ND QUARTER 2014

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

VALIDATING DDoS THREAT PROTECTION

DNS FLOODER V1.1. akamai s [state of the internet] / Threat Advisory

Automated Mitigation of the Largest and Smartest DDoS Attacks

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

WHITE PAPER ENSURING APPLICATION AVAILABILITY AND SECURITY IN THE CLOUD

How Cisco IT Protects Against Distributed Denial of Service Attacks

Cloud Security In Your Contingency Plans

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

TDC s perspective on DDoS threats

A Layperson s Guide To DoS Attacks

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

DDoS Protection Technology White Paper

Application DDoS Mitigation

IBM Advanced Threat Protection Solution

IDG Connect DDoS Survey

Automated Mitigation of the Largest and Smartest DDoS Attacks

2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative

Stop DDoS Attacks in Minutes

Analysis of a DDoS Attack

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

FortiDDos Size isn t everything

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

DDoS Protection on the Security Gateway

Why a Network-based Security Solution is Better than Using Point Solutions Architectures

First Line of Defense

DDoS Protecion Total AnnihilationD. DDoS Mitigation Lab

Solution for Virtualization to Ensure Optimal Network Security Environment

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015

CS5008: Internet Computing

V-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Don t get DDoSed and Confused. Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH Managed, Security Services

Prolexic Quarterly Global DDoS Attack Report Q4 2012

TEST METHODOLOGY. Distributed Denial-of-Service (DDoS) Prevention. v2.0

Executive Suite Series A Prolexic White Paper

CHAPTER 4 : CASE STUDY WEB APPLICATION DDOS ATTACK GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Reference Architecture: Enterprise Security For The Cloud

Introducing IBM s Advanced Threat Protection Platform

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

Complete Protection against Evolving DDoS Threats

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

Denial of Service Attacks, What They are and How to Combat Them

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

Arbor s Solution for ISP

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

How To Block A Ddos Attack On A Network With A Firewall

DOMAIN NAME SECURITY EXTENSIONS

Mitigating Denial of Service Attacks. Why Crossing Fingers is Not a Strategy

Networking for Caribbean Development

NTP-AMP: AMPLIFICATION TACTICS AND ANALYSIS

DDoS Mitigation Techniques

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

FortiDDoS. DDoS Attack Mitigation Appliances. Copyright Fortinet Inc. All rights reserved.

How To Protect Yourself From A Dos/Ddos Attack

Check Point DDoS Protector

Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection. Oğuz YILMAZ CTO Labris Networks

STOPPING LAYER 7 ATTACKS with F5 ASM. Sven Müller Security Solution Architect

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

Protecting Websites from Attack with Secure Delivery Networks

Rise of the Machines: An Internet-Wide Analysis of Web Bots in 2014

Why Is DDoS Prevention a Challenge?

CS 356 Lecture 16 Denial of Service. Spring 2013

akamai s [state of the internet] Q executive review

First Line of Defense

How To Stop A Ddos Attack On A Website From Being Successful

Radware Emergency Response Team. SSDP DDoS Attack Mitigation

Four Steps to Defeat a DDoS Attack

SSDP REFLECTION DDOS ATTACKS

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Security Toolsets for ISP Defense

Linux MPS Firewall Supplement

The Practical Guide to Choosing a DDoS Mitigation Service

Practical Advice for Small and Medium Environment DDoS Survival

KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection

Linux Network Security

NIP6300/6600 Next-Generation Intrusion Prevention System

Firewalls and Intrusion Detection

AWS Best Practices for DDoS Resiliency. June 2016

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

Symantec Advanced Threat Protection: Network

How To Protect A Dns Authority Server From A Flood Attack

The Top 10 DDoS Attack Trends

JOOMLA REFLECTION DDOS-FOR-HIRE

Multi-Layer Security for Multi-Layer Attacks. Preston Hogue Dir, Cloud and Security Marketing Architectures

Transcription:

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VOLUME 3, ISSUE 2 2ND QUARTER 2016

CONTENTS EXECUTIVE SUMMARY 3 VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q2 2016 4 DDoS Attacks Become More Sophisticated and Persistent 4 Multi-Vector DDoS Attacks Dominate 6 DDoS Attacks Remain Unpredictable 8 Every Organization Is at Risk 9 FEATURE: DEFENDING AGAINST LAYER 7 APPLICATION ATTACKS 11 VERISIGN DDoS TRENDS REPORT Q2 2016 2

EXECUTIVE SUMMARY This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services from April 1, 2016 through June 30, 2016 ( Q2 2016 ) and the security research of Verisign idefense Security Intelligence Services conducted during that time. It represents a unique view into the attack trends unfolding online, including attack statistics and behavioral trends for Q2 2016.* Verisign observed the following key trends in Q2 2016: Number of Attacks Peak Attack Size Average Peak Attack Size Most Common Attack Mitigated 75% increase year over year Volume 256 Gigabits per second (Gbps) Speed 64 Million packets per second (Mpps) 17.37 Gbps Driven by multiple, persistent 100+ Gbps attacks 32% of attacks over 10 Gbps 56% of attacks were User Datagram Protocol (UDP) floods 64% of attacks employed multiple attack types 45% of mitigation activity IT Services/ Cloud/SaaS VERISIGN DDoS TRENDS REPORT Q2 2016 3

VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q2 2016 DDoS Attacks Become More Sophisticated and Persistent DDoS attacks are a reality for today s web-reliant organizations. In Q2 2016, DDoS attacks continued to become more frequent, persistent and complex. Attack Frequency 75% increase year over year Attackers in Q2 2016 launched sustained attacks against targets with a few customers attacked repeatedly throughout the quarter. Attack Size 75% peaked over 1 Gbps 32% peaked over 10 Gbps >10 Gbps >5<10 Gbps >1<5 Gbps <1 Gbps 2014-Q3 2014-Q4 2015-Q1 2015-Q2 2015-Q3 2015-Q4 2016-Q1 2016-Q2 100 80 60 40 20 0 Percent of Attacks Figure 1: Mitigation Peaks by Quarter from Q3 2014 to Q2 2016 VERISIGN DDoS TRENDS REPORT Q2 2016 4

Average Peak Attack Size 17.37 Gbps The second highest average peak since Q2 2014 214% increase in average peak attack size compared to Q2 2015 19.37 17.37 20 18 16 14 12.42 12 10 Gbps 6.46 7.39 3.64 5.53 7.03 6.88 8 6 4 2 2014-Q2 2014-Q3 2014-Q4 2015-Q1 2015-Q2 2015-Q3 2015-Q4 2016-Q1 2016-Q2 0 Figure 2: Average Peak Attack Size by Quarter from Q2 2014 to Q2 2016 VERISIGN DDoS TRENDS REPORT Q2 2016 5

Multi-Vector DDoS Attacks Dominate Sixty-four percent of the DDoS attacks mitigated by Verisign in Q2 2016 employed multiple attack types indicating that DDoS attacks continue to increase in complexity, and as a result, require more time and effort to mitigate. 9% 7% 19% 36% 29% 1 Attack Type 2 Attack Types 3 Attack Types 4 Attack Types 5 or More Attack Types 64% of the DDoS attacks in Q2 2016 employed multiple attack types Figure 3: Number of Attack Types Per DDoS Event in Q2 2016 VERISIGN DDoS TRENDS REPORT Q2 2016 6

Continuing the trend from Q1 2016, the most common DDoS attack types in Q2 2016 were UDP floods (including Domain Name System (DNS), Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP) and Chargen) - making up 56 percent of the total attacks in the quarter. The most common UDP floods mitigated were DNS reflection attacks, followed by NTP reflection attacks. 56% of attacks were UDP FLOODS 3% 8% 15% 18% 56% IP Fragment Attacks Application Layer TCP Based UDP Based Other Figure 4: Types of DDoS Attacks in Q2 2016 VERISIGN DDoS TRENDS REPORT Q2 2016 7

DDoS ATTACKS REMAIN UNPREDICTABLE An Increase in Application Layer Attacks In Q2 2016, Verisign observed a growing trend of low-volume application layer, also known as Layer 7, attacks that probe for vulnerabilities in application code, employing various techniques to use HTTP/S field headers within request packets in order to disable the application. These attacks are frequently coupled with highvolume UDP flood attacks to distract the victim from the Layer 7 attack component. These types of sophisticated low-bandwidth DDoS attacks are a form of denial of service (DoS) attack that typically uses less traffic but increases its effectiveness by aiming at a weak point in the victim s system design. These attacks often utilize SQL injection, a code injection technique, to attack data-driven applications by inserting nefarious SQL statements into the request entry fields for execution. The malicious requests typically include long Host: values in the request. Layer 7 attacks often require multiple and advanced filtering techniques, including adaptive origin response code and regexbased filtering, along with network protection techniques like SYN authentication, invalid IP fragments and UDP flood filtering. The largest volumetric attack in Q2 2016 peaked at 250+ Gbps before settling in at 200+ Gbps for almost 2 hours. Large Volumetric Attack and Fastest Flood The largest and fastest DDoS attack in Q2 2016 peaked at 256 Gbps and exceeded 64 Mpps. The DNS reflection attack consisted of small packets, which helped to enable its growth and speed, and also included a flood of invalid packets peaking at over 16 Gbps. Initially, the attack quickly ramped up to over 250 Gbps over a period of about 15 minutes before settling in at a 200+ Gbps flood for almost two hours before the flood subsided. VERISIGN DDoS TRENDS REPORT Q2 2016 8

Every Organization is at Risk DDoS attacks are not limited to any specific industry or vertical. Mitigations on behalf of Verisign Customers by Industry for Q2 2016 1 IT Services/ Cloud/SaaS 45% of mitigations Financial 23% of mitigations Public Sector 14% of mitigations E-Commerce and Online Advertising 11% of mitigations (up from 4% of mitigations in Q1) Media and Entertainment/ Content 5% of mitigations Telecommunications and Other 2% of mitigations Average attack size: Average attack size: Average attack size: Average attack size: Average attack size: Average attack size: 17.2 Gbps 29.1 Gbps 3.54 Gbps 5.5 Gbps 67.8 Gbps (driven by several large events targeting this vertical) 9.7 Gbps The Media & Entertainment and Financial industries continue to experience some of the largest average attack sizes in Q2 2016. The average attack size for the Media & Entertainment industry was 67.8 Gbps and 29.1 Gbps for the Financial industry. 1 The attacks reported by industry in this document are solely a reflection of the Verisign-protected customer base; however, this data may be helpful in understanding the evolution of attacks by industry and the importance of prioritizing security expenditures to ensure protection mechanisms are in place. VERISIGN DDoS TRENDS REPORT Q2 2016 9

Peak Attack Size by Industry (Quarterly) 300 250 200 150 100 Gbps 50 E-Commerce/ Online Financial IT Services/ Cloud/SaaS Media & Entertainment Telecommunications & Other Public Sector 0 Q3 2015 Q4 2015 Q1 2016 Q2 2016 Figure 5: Peak Attack Size by Industry (Quarterly) VERISIGN DDoS TRENDS REPORT Q2 2016 10

FEATURE DEFENDING AGAINST LAYER 7 DDoS ATTACKS Layer 7 attacks are some of the most difficult attacks to mitigate because they mimic normal user behavior and are harder to identify. The application layer (per the Open Systems Interconnection model) consists of protocols that focus on process-to-process communication across an IP network and is the only layer that directly interacts with the end user. A sophisticated Layer 7 attack may target specific areas of a website, making it even more difficult to separate from normal traffic. For example, a Layer 7 DDoS attack might target a website element (e.g., company logo or page graphic) to consume resources every time it is downloaded with the intent to exhaust the server. Additionally, some attackers may use Layer 7 DDoS attacks as diversionary tactics to steal information. A Multi-Vector Approach Verisign s recent trends show that DDoS attacks are becoming more sophisticated and complex, including an increase in application layer attacks. Verisign has observed that Layer 7 attacks are regularly mixed in with Layer 3 and Layer 4 DDoS flooding attacks. In fact, 35 percent of DDoS attacks mitigated in Q2 2016 utilized three or more attack types. In a recent Layer 7 DDoS attack mitigated by Verisign, the attackers started out with NTP and SSDP reflection attacks that generated volumetric floods of UDP traffic peaking over 50 Gbps and over 5 Mpps designed to consume the target organization s bandwidth. Verisign s analysis shows that the attack was launched from a well-distributed botnet of more than 30,000 bots from across the globe with almost half of the attack traffic originating in the United States. VERISIGN DDoS TRENDS REPORT Q2 2016 11

Figure 6: Map of Botnets From Recent Layer 7 Attack Mitigated by Verisign (Note: The above geolocation is based on source IPs that may have been spoofed) Once the attackers realized that the volumetric attack was mitigated, they progressed to Layer 7 HTTP/HTTPS attacks. Hoping to exhaust the server, the attackers flooded the target organization with a large number of HTTPS GET/POST requests using the following methods, amongst others: Basic HTTP Floods: Requests for URLs with an old version of HTTP no longer used by the latest browsers or proxies WordPress Floods: WordPress pingback attacks where the requests bypassed all caching by including a random number in the URL to make each request appear unique Randomized HTTP Floods: Requests for random URLs that do not exist for example, if www.example.com is the valid URL, the attackers were abusing this by requesting pages like www.example.com/loc id=12345, etc. VERISIGN DDoS TRENDS REPORT Q2 2016 12

Lessons Learned The challenge with a Layer 7 DDoS attack lies in the ability to distinguish human traffic from bot traffic, which can make it harder to defend against the volumetric attacks. As Layer 7 attacks continue to grow in complexity with ever-changing attack signatures and patterns, organizations and DDoS mitigation providers will need to have a dynamic mitigation strategy in place. Layer 7 visibility along with proactive monitoring and advanced alerting are critical to effectively defend against increasing Layer 7 threats. As organizations develop their DDoS protection strategies, many may focus solely on solutions that can handle large network layer attacks. However, they should also consider whether the solution can detect and mitigate Layer 7 attacks, which require less bandwidth and fewer packets to achieve the same goal of bringing down a site. TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS. About Verisign Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the.com and.net domains and two of the internet s root servers, as well as performs the root-zone maintainer function for the core of the internet s Domain Name System (DNS). Verisign s Security Services include intelligence-driven Distributed Denial of Service Protection, idefense Security Intelligence and Managed DNS. To learn more about what it means to be Powered by Verisign, please visit Verisign.com. *The information in this Verisign Distributed Denial of Service Trends Report (this Report ) is believed by Verisign to be accurate at the time of publishing based on currently available information. Verisign provides this Report for your use in AS IS condition and at your own risk. Verisign does not make and disclaims all representations and warranties of any kind with regard to this Report including, but not limited to, any warranties of merchantability or fitness for a particular purpose. VERISIGN DDoS TRENDS REPORT Q2 2016 13

Verisign.com 2016 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners. Verisign Public VRSN_DDoS_TR_Q2-16_201608

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information