This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons Attribution-ShareAlike 4.0 International license.
As a provider of distributed denial of service (DDoS) mitigation services, Black Lotus is in a unique position to observe and collect real time data on the threats facing service providers and enterprises. Many zero day threats are first seen on the Black Lotus network. These threats are summarized in our quarterly report. The data contained in this report covers DDoS attack data for the period January 1, 2014 to March 31, 2014. Effective this issue, Black Lotus threat reports no longer include top source network statistics, as DDoS attacks are becoming increasingly distributed, diminishing the value of this type of data. Black Lotus predicts that, while the NTP DrDoS threat which became prevalent in January and February 2014 has been successfully contained through the combined efforts of the security community, new DrDoS threats will emerge, resulting in attacks in excess of 800 Gbps in the next 12 to 18 months.
Key figures for the Q1 2014 reporting period (values as stated in the body of this report):
- Largest attack mitigated on the Black Lotus network, in gigabits per second (bit volume) and millions of packets per second (packet volume): 421 Gbps and 122 Mpps
- Average attack mitigated on the Black Lotus network: 2.7 Gbps and 1.8 Mpps
- Number of confirmed DDoS attacks mitigated on the Black Lotus network: 462,621
- Date on which the largest DDoS attacks were observed: February 10, 2014
During the Q1 2014 reporting period, Black Lotus observed an average distributed denial of service (DDoS) attack size of 2.7 gigabits per second (Gbps) and 1.8 million packets per second (Mpps). While this figure is relatively low compared to the bandwidth available to many service providers and enterprises, there are many companies which do not have the available bandwidth, either due to the size of the network or prohibitively expensive telecommunications services. Throughout the reporting period this average attack size has remained consistent with data from the prior quarter, indicating that networks must maintain a DDoS mitigation defense capable of at least 5 Gbps to defend against the majority of attacks. Many DDoS mitigation services and DDoS protected hosting providers offer DDoS protection levels of 10 Gbps and up, which is sufficient for many requirements; however, there are much larger attacks which continue to proliferate. Figure 2 details the maximum attack size in terms of bit volume observed by Black Lotus during the reporting period. 462,621 attacks were observed, with the largest single attack of 421 Gbps and 122 Mpps occurring on February 10, 2014, the largest DDoS attack ever recorded. This attack and a similar attack on February 9, 2014 took advantage of insecure network time protocol (NTP) daemons, a threat detailed in a Black Lotus Threat Advisory released on January 8, 2014. NTP attacks are a type of distributed reflection denial of service (DrDoS) in which an attacker spoofs the target IP address and sends malicious requests for time synchronization to open NTP servers, which in turn attack the spoofed target at an amplification factor of at least 58.5. In order to guarantee the defense of customers on the Black Lotus network which were being indiscriminately targeted by NTP DrDoS, the company opted to provide blanket NTP protection to all customers on the network regardless of subscription level.
This means that a customer with a 10 Gbps defense service was afforded protection in excess of 400 Gbps against this particular attack vector.
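The amplification described above shows up in flow data as a large imbalance between the bytes an NTP server receives on UDP/123 and the bytes it sends back. The following script is an added example (not Black Lotus code) that computes a per-server amplification ratio from constructed NetFlow-style records and flags servers whose ratio exceeds a threshold; the record layout, the sample addresses (RFC 5737 documentation ranges), the threshold of 10 and the minimum request count of 5 are all assumptions chosen for illustration.

```python
"""Flow-based detection of NTP reflection on a network (added example).

Each constructed record is a one-directional flow: (src, sport, dst, dport,
proto, packets, bytes).  A server abused as a reflector answers small UDP/123
requests with far more bytes than it received, so the response/request byte
ratio per server is a direct measure of amplification.
"""
from collections import defaultdict
from dataclasses import dataclass

NTP_PORT = 123
AMPLIFICATION_THRESHOLD = 10.0   # assumption: ratio at or above this is flagged
MIN_REQUEST_PACKETS = 5          # assumption: ignore one-off probes


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


# Constructed sample flows.  198.51.100.10 is an NTP server on "our" network
# answering requests whose source was spoofed to the victim 203.0.113.7;
# 198.51.100.20 is a healthy server talking to a normal client.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 40000, "198.51.100.10", NTP_PORT, "udp", 50, 50 * 64),
    Flow("198.51.100.10", NTP_PORT, "203.0.113.7", 40000, "udp", 2000, 2000 * 468),
    Flow("192.0.2.5", 50000, "198.51.100.20", NTP_PORT, "udp", 10, 10 * 90),
    Flow("198.51.100.20", NTP_PORT, "192.0.2.5", 50000, "udp", 10, 10 * 90),
    Flow("192.0.2.5", 50001, "198.51.100.20", 443, "tcp", 40, 40 * 1200),
]


def amplification_by_server(flows):
    """Return {ntp_server_ip: response_bytes / request_bytes} for UDP/123 traffic."""
    req_bytes = defaultdict(int)
    req_pkts = defaultdict(int)
    resp_bytes = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == NTP_PORT:            # request arriving at a server
            req_bytes[f.dst] += f.bytes
            req_pkts[f.dst] += f.packets
        elif f.sport == NTP_PORT:          # response leaving a server
            resp_bytes[f.src] += f.bytes
    ratios = {}
    for server in set(req_bytes) | set(resp_bytes):
        if req_bytes[server] == 0 or req_pkts[server] < MIN_REQUEST_PACKETS:
            continue                       # not enough request traffic to judge
        ratios[server] = resp_bytes[server] / req_bytes[server]
    return ratios


def suspected_reflectors(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Servers whose amplification ratio meets the threshold, sorted for stable output."""
    return sorted(s for s, r in amplification_by_server(flows).items() if r >= threshold)


if __name__ == "__main__":
    for server, ratio in sorted(amplification_by_server(SAMPLE_FLOWS).items()):
        print(f"{server}: amplification x{ratio:.1f}")
    print("suspected reflectors:", suspected_reflectors(SAMPLE_FLOWS))
```

A ratio near 1 is what a correctly configured time server looks like; anything in the tens or hundreds on UDP/123 is worth checking against the OPEN NTP Project results and the daemon version before the server is listed by someone else.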
Figure 1. Visualization of NTP DrDoS attack
NTP attacks are particularly dangerous as it is estimated that there have been as many as 400,000 NTP servers worldwide which have been vulnerable to an exploitation of the obsolete monlist command, causing an amplification factor of several hundred times the size of the original spoofed request. Any server running ntpd 4.2.7p26 or earlier which has not been patched is likely participating in these attacks. Network operators can find out if their network is participating in these attacks by checking with the OPEN NTP Project. There are numerous options for network operators who wish to clean up their network to prevent it from being used in these attacks. Doing so is likely to improve the performance of the network by reducing malicious traffic and should result in a cost savings by reducing the company's 95th percentile bandwidth utilization. Black Lotus recommends:
- Using the OPEN NTP Project to determine if any vulnerable systems are operating on the company's network
- Immediately upgrading any NTP daemons to the most current version
- Implementing BCP38 to prevent the network from participating in DrDoS attacks
- Using access control lists or policies to block NTP traffic at the network edge and at other layer 3 aggregation points such as core routers, requiring customers to use a company provided NTP daemon for network time synchronization
Attacks which are particularly large in bit volume continue to pose a problem for even the best equipped networks. While many service providers and enterprises are beginning to invest in robust DDoS mitigation infrastructure, this equipment is inherently limited by its own capabilities and by the bandwidth available to the company, which in many cases is 10 Gbps or less. During 49 of the 90 days in the reporting period attacks were observed reaching over 20 Gbps, and on 7 of 90 days attacks were observed exceeding 100 Gbps.
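Two of the recommendations above, BCP38 ingress filtering and an edge ACL that confines NTP to a company provided daemon, are simple to state as a packet policy. The following is an added example (not Black Lotus code and not any vendor's ACL syntax) that models such a policy in Python so the logic can be reasoned about and tested before it is translated into router configuration; the interface names, delegated prefixes and the address of the in-house NTP daemon are assumptions.

```python
"""Edge policy evaluator for BCP38 plus an NTP ACL (added example).

BCP38: a packet entering on a customer-facing interface is accepted only if its
source address falls within the prefixes delegated to that interface, so a
spoofed request for time synchronization never leaves the network.
NTP ACL: UDP/123 is permitted only when one end is the company NTP daemon.
"""
import ipaddress
from dataclasses import dataclass

# Assumed topology: customer-facing interfaces and the prefixes delegated to each.
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-b": [ipaddress.ip_network("192.0.2.0/25")],
}
COMPANY_NTP = ipaddress.ip_address("198.51.100.123")  # hypothetical in-house daemon
NTP_PORT = 123


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def bcp38_permits(pkt):
    """True if the source address belongs to the ingress interface's delegated space."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in net for net in INTERFACE_PREFIXES.get(pkt.ingress, []))


def ntp_policy_permits(pkt):
    """True unless the packet is UDP/123 traffic that bypasses the company daemon."""
    if pkt.proto != "udp" or NTP_PORT not in (pkt.sport, pkt.dport):
        return True
    ends = (ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst))
    return COMPANY_NTP in ends


def evaluate(pkt):
    """Return the verdict string for a packet; first matching rule wins."""
    if not bcp38_permits(pkt):
        return "drop:bcp38-spoofed-source"
    if not ntp_policy_permits(pkt):
        return "drop:ntp-acl"
    return "permit"


# Constructed sample packets.
SPOOFED = Packet("cust-a", "203.0.113.7", "198.51.100.10", "udp", 40000, NTP_PORT)
EXTERNAL_NTP = Packet("cust-a", "198.51.100.50", "203.0.113.99", "udp", 40000, NTP_PORT)
COMPANY_NTP_QUERY = Packet("cust-a", "198.51.100.50", str(COMPANY_NTP), "udp", 40000, NTP_PORT)
WEB = Packet("cust-b", "192.0.2.10", "203.0.113.80", "tcp", 51000, 443)
WRONG_INTERFACE = Packet("cust-b", "198.51.100.50", "203.0.113.80", "tcp", 51000, 443)

if __name__ == "__main__":
    for name, pkt in [("spoofed", SPOOFED), ("external ntp", EXTERNAL_NTP),
                      ("company ntp", COMPANY_NTP_QUERY), ("web", WEB),
                      ("wrong interface", WRONG_INTERFACE)]:
        print(f"{name:16s} -> {evaluate(pkt)}")
```

The order of the two checks matters: the BCP38 rule is evaluated first because a packet with a source outside the interface's delegation is not legitimate traffic regardless of what service it is headed for, while the NTP rule only applies to otherwise valid packets.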
Network operators must increase investment in DDoS defense or enlist the assistance of purpose built DDoS mitigation services to be able to mitigate these larger attacks without service interruption. NTP DrDoS attacks peaked in early January and again in early February 2014, resulting in record breaking bit volumes; however, traditional service and application layer attacks against servers and websites, such as TCP SYN and HTTP GET floods, have once again become more prevalent. Black Lotus expects that attackers will use DrDoS attacks whenever possible, resorting to non-amplification attacks when there is not a sufficient quantity of vulnerable systems to use in amplification.
Figure 2. Maximum bit volume per attack incident during Q1 2014 (chart: attack bit volume by date; y-axis in gigabits per second, 0 to 450)
While DDoS attacks are frequently cited in terms of their bit volume, the packet volume of an attack can be particularly devastating. Even if an attack does not exceed the bit capacity of a network or DDoS mitigation system, it can often exceed the packet volume capabilities of the targeted network. For instance, one popular DDoS mitigation hardware provider frequently sells 10 Gbps DDoS mitigation systems which are only capable of mitigating 4 Mpps, where the line rate capability of a 10 Gbps interface is actually ~15 Mpps. This can cause the mitigation equipment to saturate at 27% of the circuit capacity.
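The 27% figure above follows from the Ethernet minimum frame size: a 64 byte frame occupies 84 bytes on the wire once the 8 byte preamble and 12 byte inter-frame gap are counted, so a 10 Gbps link can carry about 14.88 Mpps of minimum-size packets. The following added example (not from the report) generalizes that arithmetic to any link speed, mitigator packet rate and average frame size, and also answers the converse question of how large the average attack packet must be before the mitigator can keep up with a full link.

```python
"""Line-rate packet capacity versus mitigator packet capacity (added example).

Standard Ethernet framing overhead: 8 byte preamble/SFD and 12 byte inter-frame
gap on top of the frame itself, so a 64 byte minimum frame costs 84 bytes of wire time.
"""
PREAMBLE_BYTES = 8
IFG_BYTES = 12
MIN_FRAME_BYTES = 64


def line_rate_pps(link_gbps, frame_bytes=MIN_FRAME_BYTES):
    """Packets per second a link can carry at the given frame size."""
    bits_per_frame = (frame_bytes + PREAMBLE_BYTES + IFG_BYTES) * 8
    return link_gbps * 1e9 / bits_per_frame


def saturation_fraction(link_gbps, mitigator_mpps, frame_bytes=MIN_FRAME_BYTES):
    """Fraction of the link's packet rate at which the mitigator runs out of capacity."""
    return mitigator_mpps * 1e6 / line_rate_pps(link_gbps, frame_bytes)


def frame_size_needed(link_gbps, mitigator_mpps):
    """Smallest average frame size (bytes) at which the mitigator matches a full link."""
    bits_per_frame = link_gbps * 1e9 / (mitigator_mpps * 1e6)
    return bits_per_frame / 8 - PREAMBLE_BYTES - IFG_BYTES


def capacity_report(link_gbps, mitigator_mpps):
    """Summarize the gap between circuit capacity and mitigator packet capacity."""
    return {
        "line_rate_mpps": line_rate_pps(link_gbps) / 1e6,
        "saturation_pct": 100 * saturation_fraction(link_gbps, mitigator_mpps),
        "min_avg_frame_bytes": frame_size_needed(link_gbps, mitigator_mpps),
    }


if __name__ == "__main__":
    # The report's case: a "10 Gbps" mitigator rated for 4 Mpps.
    r = capacity_report(10, 4)
    print(f"10 Gbps line rate at 64 B frames: {r['line_rate_mpps']:.2f} Mpps")
    print(f"4 Mpps mitigator saturates at {r['saturation_pct']:.0f}% of circuit capacity")
    print(f"needs average frames of at least {r['min_avg_frame_bytes']:.1f} B to keep up")
```

When evaluating mitigation hardware, ask for the sustained Mpps rating at 64 byte packets rather than the Gbps figure on the datasheet; a SYN flood is made almost entirely of minimum-size packets, so the packet rate is the number that decides whether the device survives.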
Figure 3. Maximum packet volume per attack incident during Q1 2014 (chart: attack packet volume by date; y-axis in millions of packets per second, 0 to 140)
During the Q1 2014 reporting period, 90,313 (19.5%) of the 462,621 attacks observed were regarded as severe. Once awareness was spread concerning the NTP DrDoS vulnerability, service and application layer attacks once again became the vector of choice for DDoS attackers. Application layer attacks can pose a problem even for those protected by network based DDoS mitigation systems. Also known as layer 7 attacks, these exploit weaknesses in an individual server's applications in order to cause resource depletion, resulting in an outage to the server. During the reporting period, 45,440 (50.3%) of the 90,313 severe attacks observed targeted individual applications, most commonly HTTP servers which host websites and domain name services (DNS) which are required to provide address resolution to customers. Attacks on either application can result in an outage to the site and are extremely difficult to mitigate without professional assistance.
The previously rare NTP reflection attack took center stage for two periods at the beginning of January and February 2014 due to its incredibly high bit volume and damage potential, but did not yield nearly the same severe incident volume as SYN and HTTP GET floods.
Figure 4. Distribution of severe DDoS attacks (chart: critical alerts in thousands, 0 to 50, by vector: SYN flood, ACK flood, ICMP flood, NTP flood, DNS query flood, HTTP GET flood). Application layer attacks against websites have surpassed NTP DrDoS attacks, which twice peaked in early January and early February 2014.
At the beginning of January 2014, attackers began leveraging NTP DrDoS attacks to launch massive, debilitating attacks against targets of all sizes, with attacks peaking at 421 Gbps in February 2014, the largest attack ever recorded. The OPEN NTP Project has successfully reduced the number of hosts complicit in these attacks through awareness campaigns, which has resulted in service and application layer attacks against websites once again becoming the dominant DDoS threat. This data indicates that attackers prefer to use DrDoS attacks to take advantage of vulnerable services which use the UDP protocol, such as DNS and NTP, but are unable to launch these attacks consistently. While DrDoS attacks are the largest, most devastating attacks currently in existence, an attacker must rely on thousands of vulnerable servers to amplify and relay the attacks. When groups like The OPEN NTP Project create awareness campaigns, it serves to reduce the number of vulnerable servers and prevents attackers from consistently launching DrDoS attacks. As a result, the attackers must resort to the tried and true method of attacking web servers directly using methods such as TCP SYN and HTTP GET attacks, for which many companies do not have organic filtering capabilities and which can be launched by attackers without relying on vulnerable UDP services. DrDoS attacks give novice attackers the ability to bypass the DDoS defense of well-prepared companies by targeting upstream carriers directly. While many companies have DDoS mitigation systems in place, these systems cannot function when the carrier itself is fully saturated. In January 2014, Black Lotus recorded several incidents where tier 1 carriers in multiple U.S. regions were saturated due to DrDoS attacks, resulting in packet loss as high as 35% to customers of those carriers which were not even targeted by the attacks.
By the time attacks began exceeding 400 Gbps in the following month Black Lotus observed that the same carriers were better prepared and were able to effectively stabilize their networks with minimal interruption to downstream customers. When combined with awareness campaigns by The OPEN NTP Project this dramatically decreased the effectiveness of NTP DrDoS as an attack vector. Despite this success, Black Lotus predicts that reflection attacks against UDP services such as DNS, NTP, SNMP, and other protocols will continue to pose a tremendous threat to service providers, enterprises, and their upstream carriers.
While NTP DrDoS has tapered, it is expected that attackers are currently seeking other UDP services which can be used as a DrDoS vector. Black Lotus expects that new amplification conditions will be discovered, resulting in a potential for DDoS attacks exceeding 800 Gbps in the next 12 to 18 months. Until attackers are able to achieve this level of volume they will continue to target servers and web applications using SYN and HTTP GET floods, which remain devastating for those which do not employ effective on-site DDoS mitigation or employ the services of DDoS mitigation and web application security providers. The rapid proliferation of DrDoS attacks is one component of a more serious trend in information security which extensively impacts all networked entities but is of particular concern to service providers. Since Q3 2013 service providers have been heavily impacted by security threats including SQL injection attacks, NTP DrDoS attacks, and most recently the TLS heartbeat vulnerability (Heartbleed), all of which have had profound effects on the ability of service providers to safely operate. While these threats are not exclusive to service providers, it should be noted that service providers carry a substantial burden to protect customers and are often ill equipped to deal with serious threats to security, especially those which require preparation and swift and effective action to prevent damage to thousands of companies. The threats which service providers have faced over the past two quarters are what many would describe as outright frightening, while the threats observed in prior months and years pale in comparison. Service providers are facing a very real paradigm shift in how their businesses must operate to remain viable. In enterprises and verticals such as banking and finance it is well understood that security must form the foundation of all information projects.
While service providers are not ignorant of this fact, historically they have been able to operate without providing substantial security services to customers. As threats continue to proliferate, service providers must also become security providers, offering security services like DDoS mitigation, intrusion defense, and incident response and remediation as a fully integrated part of services like hosting. Service providers will need to operate bona fide security operations centers (SOCs) and have experienced information security engineers on staff, such as those who carry the ANSI accredited CISSP certification offered by (ISC)², in order to effectively deliver these services.
To learn more about Black Lotus, DDoS attacks, and DDoS mitigation solutions, please contact:
Headquarters: Black Lotus Communications, 1 Sansome St., Suite 1500, San Francisco, CA 94104
Emergency Response Center: Black Lotus Communications, 900 N. Alameda St., Suite 220, Los Angeles, CA 90012
Sales: sales@blacklotus.net, (866) 477-5554
Support: support@blacklotus.net, (800) 789-1977