How To Mitigate A Ddos Attack



Similar documents
VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 4 4TH QUARTER 2014

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 2 2ND QUARTER 2014

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

CloudFlare advanced DDoS protection

2014 Foley & Lardner LLP Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative

VALIDATING DDoS THREAT PROTECTION

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

Acquia Cloud Edge Protect Powered by CloudFlare

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

Cloud Security In Your Contingency Plans

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

Automated Mitigation of the Largest and Smartest DDoS Attacks

/ Staminus Communications

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

SSDP REFLECTION DDOS ATTACKS

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

[state of the internet] / DDoS Reflection Vectors. Threat Advisory: NetBIOS name server, RPC portmap and Sentinel reflection DDoS

Radware Security Research. Reverse Engineering a Sophisticated DDoS Attack Bot. Author: Zeev Ravid

How To Block A Ddos Attack On A Network With A Firewall

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

Don t get DDoSed and Confused. Patrick Sullivan, CISSP, GSLC, GWAPT, GCIH Managed, Security Services

Threat Advisory: Trivial File Transfer Protocol (TFTP) Reflection DDoS

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

DDoS Mitigation Solutions

Prolexic Quarterly Global DDoS Attack Report Q4 2012

(U) Financial Sector Cyber Security

Shellshock. Oz Elisyan & Maxim Zavodchik

Securing data centres: How we are positioned as your ISP provider to prevent online attacks.

NTP-AMP: AMPLIFICATION TACTICS AND ANALYSIS

Stop DDoS Attacks in Minutes

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

Distributed Denial of Service (DDoS) attacks. Imminent danger for financial systems. Tata Communications Arbor Networks.

2010 Carnegie Mellon University. Malware and Malicious Traffic

Why Is DDoS Prevention a Challenge?

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

Securing Your Business with DNS Servers That Protect Themselves

Firewalls and Intrusion Detection

SECURING APACHE : DOS & DDOS ATTACKS - II

Securing Your Business with DNS Servers That Protect Themselves

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

How To Protect Yourself From A Dos/Ddos Attack

Analysis of a DDoS Attack

SecurityDAM On-demand, Cloud-based DDoS Mitigation

Four Considerations for Addressing the DDoS Risk for Carrier and Cloud Hosting Providers

Networking for Caribbean Development

Threat Advisory: Accellion File Transfer Appliance Vulnerability

Automated Mitigation of the Largest and Smartest DDoS Attacks

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

First Line of Defense

How to launch and defend against a DDoS

FortiDDoS. DDoS Attack Mitigation Appliances. Copyright Fortinet Inc. All rights reserved.

CS 356 Lecture 16 Denial of Service. Spring 2013

SECURITY TERMS: Advisory Backdoor - Blended Threat Blind Worm Bootstrapped Worm Bot Coordinated Scanning

[Restricted] ONLY for designated groups and individuals Check Point Software Technologies Ltd.

What to Look for When Choosing a CDN for DDoS Protection Written by Bizety

How To Stop A Ddos Attack On A Website From Being Successful

STATE OF DNS AVAILABILITY REPORT

Securing Your Business with DNS Servers That Protect Themselves

FortiDDos Size isn t everything

DNS FLOODER V1.1. akamai s [state of the internet] / Threat Advisory

ERT Attack Report. Attacks on Large US Bank During Operation Ababil. March 2013

Securing Your Business with DNS Servers That Protect Themselves

Kaspersky Lab. Contents

Revealing Botnets Using Network Traffic Statistics

First Line of Defense

Stop DDoS Attacks in Minutes

24/7 Visibility into Advanced Malware on Networks and Endpoints

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

Mitigating Denial of Service Attacks. Why Crossing Fingers is Not a Strategy

Six Days in the Network Security Trenches at SC14. A Cray Graph Analytics Case Study

DDoS Basics. internet: unique numbers that identify areas and unique machines on the network.

Vulnerability-Focused Threat Detection: Protect Against the Unknown

Reducing the Impact of Amplification DDoS Attack

Complete Protection against Evolving DDoS Threats

A Critical Investigation of Botnet

WHITE PAPER ENSURING APPLICATION AVAILABILITY AND SECURITY IN THE CLOUD

Comparing Two Models of Distributed Denial of Service (DDoS) Defences

Strategies to Protect Against Distributed Denial of Service (DD

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

The Expanding Role of Service Providers in DDoS Mitigation

Gaurav Gupta CMSC 681

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

2015 GLOBAL THREAT INTELLIGENCE REPORT EXECUTIVE SUMMARY

Concierge SIEM Reporting Overview

Security Solutions for the New Threads

DDoS Attacks Can Take Down Your Online Services

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

Transcription:

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 3 3RD QUARTER 2014

CONTENTS EXECUTIVE SUMMARY 3 VERISIGN-OBSERVED DDoS ATTACK TRENDS 4 Mitigations by Attack Size 4 Mitigations by Industry 5 Mitigations by Attack Frequency 6 FEATURE: NEW PROTOCOL USED FOR REFLECTION ATTACKS 7 The Simple Service Discovery Protocol (SSDP) 7 GLOBAL OBSERVATIONS 8 Verisign Observes DBOT Linux DDoS Malware 8 SHELLSHOCK Leveraged to Deploy Linux DDoS Malware 9 2 2

VERISIGN DISTRIBUTED DENIAL OF > EXECUTIVE SUMMARY 20 This report contains the observations and insights derived from mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services and the security research of Verisign idefense Security Intelligence Services. It represents a unique view into the attack trends unfolding online for the previous quarter, including attack statistics, DDoS malicious code analysis and behavioral trends. SUMMARY OF FINDINGS: Vulnerabilities and Attack Trends in PERCENT For the period starting July 1, 2014 and ending Sept. 30, 2014, Verisign observed the following key trends: of attacks were greater than 10 Gbps The number of attacks in the 10 Gbps and above category grew by 38 percent from Q2 to represent more than 20 percent of all attacks in Q3. Attackers were persistent in launching attacks against targeted customers, averaging more than three separate attempts per target. The most frequently targeted industry this quarter was Media and Entertainment, representing more than 50 percent of all mitigation activity. Attackers attempted an average of 3.3 > separate attacks per customer in Q3 Due to the high frequency of massive attacks experienced in Q2, Verisign observed a decrease in average attack size by 48 percent quarter over quarter, but average attack size increased by 65 percent between Q1 and. Removing the very large attacks from the Q2 data set shows average attack size was 4.6 Gbps, which if compared to the Q3 average attack size, represents an increase of more than 40 percent. The largest attacks observed this quarter targeted the E-Commerce industry peaking at more than 90 Gbps. Verisign directly mitigated new types of UDP reflection attacks utilizing the Simple Service Discovery Protocol (SSDP / UDP port 1900). Network Time Protocol (NTP) continues to make up the majority of UDP-based reflective amplification attacks, with an observed shift to SSDP over the course of Q3. Verisign idefense analysts reported that the Shellshock Bash vulnerability was leveraged globally to efficiently spawn DDoS botnets. An increase in the deployment of Linux DDoS malware shows an increased use of high-bandwidth servers in DDoS botnets. 3 3

VERISIGN-OBSERVED DDoS ATTACK TRENDS Mitigations by Attack Size Large-scale DDoS attack frequency has continued to trend upward as the number of attacks in the 10 Gbps and above category grew by 38 percent from Q2 to represent more than 20 percent of all attacks in Q3 (figure 1). On-premise mitigation defenses and devices are rendered ineffective the moment a DDoS attack exceeds an organization s upstream capacity. If they haven t already, organizations that focus on resiliency should consider deploying cloud-based or hybrid premise/cloud DDoS protection solutions to mitigate application-layer, multi-vector and volumetric attacks that exceed their available bandwidth with minimal increases in operational overhead. >10 Gbps >5<10 Gbps >1<5 Gbps >1 Gbps 2014-Q1 Figure 1: Increase in Attacks Greater Than 10 Gbps 2014-Q2 2014-Q3 120 100 80 60 40 20 0 Percent 12.42 3.70 3.17 4.60 3.92 2.14 1.51 2013-Q1 2013-Q2 2013-Q3 2013-Q4 2014-Q1 2014-Q2 Figure 2: Average Attack Size by Quarter (in Gbps) 6.46 2014-Q3 14 12 10 8 6 4 2 0 Gbps 4 4

VERISIGN DISTRIBUTED DENIAL OF Attacks mitigated by Verisign in the third quarter averaged 6.46 Gbps (Figure 2), which represented a 48 percent drop in average attack size quarter over quarter, but a 65 percent increase in average attack size from Q1 2014. The exceptional increase in average attack size in Q2 (12.42 Gbps) was driven by multiple sustained volumetric attacks in the 200-300 Gbps range. Removing the very large attacks from the Q2 data set shows average attack size was 4.6 Gbps, which, if compared to the Q3 average attack size, represents an increase of more than 40 percent. The largest volumetric UDP-based DDoS attack mitigated by Verisign in Q3 was 90 Gbps; the largest TCP-based attack was more than 30 Gbps. Mitigations by Industry DDoS attacks are a global threat and not limited to any specific industry, as illustrated in Figure 3. This comparative data can be helpful in prioritizing security expenditures based upon the observed exposure of your industry to this threat. Industries with the highest risk are generally those who are either active politically, or will suffer significant financial loss from downtime. That said, as Verisign has observed over the past decade, a target can become a target for an ever-expanding array of reasons, and every organization should consider its risk and potential exposure in this context. Media and Entertainment customers continue to experience the largest volume of attacks, peaking in size at just over 20 Gbps in Q3, (Figure 4) which is more than enough to overwhelm most on-premise mitigation capabilities. The E-Commerce industry, while attacked less frequently, was targeted with the largest attack of the quarter, reaching over 90 Gbps (Figure 4). This attack was a pulsing UDP flood employed in short bursts of 30 minutes or less. It consisted primarily of NTP reflective amplification attack traffic. This activity was aimed at disrupting the critical online commerce capability of the customer and was successfully mitigated by Verisign. With the 2014 holiday season in full swing, the E-Commerce and Financial industries must be particularly vigilant and prepared for increasing DDoS attacks during their peak revenue and customer interaction season. Historically, Verisign has seen an increase in DDoS activity against these verticals during the holiday season and anticipates that this trend will continue. Media & Entertainment 55% 0 IT Services/Cloud/Saas 28% E Commerce Financial 10% 7% 100 Figure 3: Percentage of Attacks by Industry 5 5

27.0 64.0 2014-Q1 36.8 Figure 4: Peak Attack Size by Top Industries Mitigations by Attack Frequency 300.0 22.3 20.9 11.8 Over the course of 2014, Verisign has observed a consistent increase in the number of attacks per customer, including attacks that changed tactics mid-stream. Q3 saw the largest increase in attack frequency, rising to an average of more than three attacks per targeted customer, a figure that rose 60 percent higher than Q2 (Figure 5). The increase in attack frequency, like the increase in attack size, may be attributed to maturation of attackers, easier access to ready-made DDoS botnets and toolkits, and adversary observation of attack impact on their targets. As attackers continue to evolve and become more sophisticated, Verisign expects to see this trend continue into the foreseeable future. 90.0 2014-Q2 2014-Q3 E commerce IT Services/Cloud/SaaS Media & Entertainment 350 300 250 200 150 100 50 0 Gbps 3.5 3.17 1.51 2.14 2.00 2.06 2014-Q1 2014-Q2 3.33 2014-Q3 3.0 2.5 2.0 1.5 1.0 0.5 0.0 Average Attacks Per Customer Figure 5: Average Number of Attacks per Targeted Customer (by quarter) 6 6

VERISIGN DISTRIBUTED DENIAL OF Feature: NEW PROTOCOL USED FOR REFLECTION ATTACKS The Simple Service Discovery Protocol (SSDP) Largest SSDP attacks in Q3 15 GBPS and 4.58 MPPS During this quarter, in addition to NTP-based attacks, we observed SSDP being exploited in UDP-based DDoS amplification attacks. The largest SSDP-based attacks mitigated by Verisign in Q3 targeted the IT Services industry and peaked at just under 15 Gbps and 4.58 million packets per second (Mpps). Verisign was able to quickly detect and mitigate the SSDP attacks encountered this quarter using its monitoring service and globally connected DDoS mitigation platform. Christian Rossow published a paper on Feb. 22, 2014, Amplification Hell: Revisiting Network Protocols for DDoS Abuse,1 that identified the bandwidth amplification factor. He identified SSDP as having a bandwidth application factor of as much as 30.8, meaning that a search command on this protocol will return a response 30.8 times the size of the request. The US CERT2 team issued an alert based on the initial research on Jan. 17, 2014. Though the amplification it generates is smaller than that possible with DNS or NTP reflection attacks, SSDP attacks still have the capability to overwhelm organizations that are using traditional security appliances to protect their assets. Consistent with other reflective amplification attacks, malicious actors will spoof the source IP when making an SSDP request to target a victim. For most organizations, SSDP implementations should not need to be open to the Internet. In this case, ingress queries from the Internet targeting this protocol can be blocked at the network edge to protect from this particular vector. Verisign recommends an audit of internal assets, including outbound network flows to ensure that your organization is not being unknowingly leveraged in SSDP-based DDoS attacks. WHAT IS SSDP? SSDP is a network protocol used for the advertisement and discovery of network services and presence information, and is most commonly used as the basis of the discovery protocol for Universal Plug-and-Play. Implementations send and receive information using the UDP on port number 1900. SSDP is abused like many other UDP-based protocols, mainly due to its connectionless state, which allows source IP address spoofing, and due to the amplification factor in the response. According to ShadowServer data3, there are over 15 million devices on the Internet that have SSDP enabled and may be vulnerable to being used in a DDoS attack. Similar to any reflective attack, an attacker must spoof the source IP address of the request to match that of the intended target to cause all vulnerable devices to flood the target with SSDP responses. 1 Christian Rossow. Amplification Hell: Revisiting Network Protocols for DDoS abuse 2 www.us-cert.gov/ncas/alerts/ta14-017a 3 https://ssdpscan.shadowserver.org/ 7

GLOBAL OBSERVATIONS Verisign Observes DBOT Linux DDoS Malware Verisign idefense analysts discovered a variant of the DBOT backdoor which runs on Unix-like systems and is primarily used for DDoS attacks. This malware is controlled through an Internet Relay Chat (IRC) command-and-control (C&C) channel, and will set its process name to look like common system processes (such as syslogd or crond). It is used not only to perform DDoS attacks, but includes full reverse-shell access and mail-sending capabilities (e.g., for spam) on compromised systems. Attackers use the IRC protocol to take control of the DBOT backdoor, and then use the established IRC C&C server s channel to issue commands that will instruct the compromised server to execute tasks. Verisign idefense analysts observed the following DDoS commands: Command udp1 udp2 udp3 tcp http Description UDP flood against a user: Defined IP address and port with a payload consisting of the string Tr0x repeated a random number of times Simultaneous flood against a user: Defined IP address on incrementing ports for UDP, TCP, ICMP and IGMP with a payload consisting of repeated A character UDP flood against a user: Defined IP address and random port with a payload of all zeroes; this function has some flaws that may cause it not to work reliably. TCP SYN flood against a user: Defined IP address and port consisting of 1,000 simultaneous connections that are closed immediately after the connection is established Connect to TCP port 80 on a user: Defined IP address and repeatedly perform HTTP GET / requests Verisign idefense has established that no IP address spoofing currently occurs during the execution of any of the aforementioned built-in DDoS attack commands; as such, most observed attacker IPs will be legitimate, increasing mitigation speed. However, the DBOT malware allows, via its reverse shell function, for arbitrary command execution on a compromised system, giving an attacker the unlimited ability to manually modify attack patterns or install additional DDoS tools as needed. The malware sample analyzed by idefense had an MD5 hash of 579190b74b86f591097b9b6773c1176b. 8

SHELLSHOCK Leveraged to Deploy Linux DDoS Malware Verisign idefense researchers analyzed ELF malware, which was observed to be delivered via the Shellshock Bash vulnerability. Shellshock is the common name for a series of critical vulnerabilities (CVE-2014-6271 and later, CVE- 2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187) in the Bash shell application, which is used pervasively in a wide array of operating systems (including OSX, RedHat, Debian and many embedded devices). The vulnerability is caused by a flaw in the command and argument parser of GNU Bash versions 1.14 through 4.3. The flaw results in incorrect processing of commands placed after function definitions in the added environment variable. The issue allows malicious actors to execute arbitrary and malicious binary code via a crafted environment that enables network-based exploitation. The malware that leverages this vulnerability communicates with specific hard-coded C&C servers. Connections through these C&C servers result in back-and-forth communication, the receipt of commands and links to additional malicious contents or payloads in the form of raw Pastebin links. The malware existed in the wild prior to being deployed in the latest campaign leveraging Shellshock. Verisign idefense has records of the exact strings distributed by the malware as posted on Pastebin as early as Aug. 20, 2014. The malware checks the infected system for the commonly used set of usernames and weak passwords; (i.e., root, admin, user, login, etc.) to launch DDoS attacks and carry out massive scans for vulnerable systems on the Internet. During the course of analysis, Verisign idefense researchers discovered several samples that leveraged the recently found vulnerability. The malware sample analyzed by idefense had an MD5 hash of 5B345869F7785F980E8FF7EBC001E0C7. 9

NOTES VerisignInc.com 2014 VeriSign, Inc. All rights reserved. VERISIGN, the VERISIGN logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners. Verisign Public 201411

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information