VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 4 4TH QUARTER 2014
CONTENTS

EXECUTIVE SUMMARY
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Mitigations by Attack Size
MITIGATIONS BY INDUSTRY VERTICAL
FEATURE: DDoS-FOR-HIRE SERVICES MEAN GREATER THREAT FOR BUSINESSES
CONCLUSION
EXECUTIVE SUMMARY

Average attack size: 7.39 Gbps (up 14% Q/Q, up 245% Y/Y)
Most frequently targeted industry: IT Services/Cloud/SaaS

This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services and the security research of Verisign iDefense Security Intelligence Services. It represents a unique view into the attack trends unfolding online for the previous quarter, including attack statistics and behavioral trends.

For the period starting Oct. 1, 2014, and ending Dec. 31, 2014, Verisign observed the following key trends:

- Sustained volumetric DDoS activity, with attacks reaching 60 Gbps/16 million packets per second (Mpps) for User Datagram Protocol (UDP) floods and 55 Gbps/60 Mpps for Transmission Control Protocol (TCP)-based attacks.
- Average attack size increased to 7.39 gigabits per second (Gbps), 14 percent higher than in Q3 2014 and 245 percent higher than in Q4 2013.
- The most frequently targeted industry in Q4 was IT Services/Cloud/SaaS, representing one third of all mitigation activity and peaking at just over 60 Gbps.
- A significant increase in the number of attacks against Public Sector organizations, which represented 15 percent of all Verisign mitigations in Q4.
- Attacks against the Financial Services industry doubled from last quarter as a percentage of total attacks in the quarter, accounting for 15 percent of all mitigations.
- 42 percent of attacks peaked at more than 1 Gbps, with 17 percent leveraging more than 10 Gbps of DDoS traffic.
- The Network Time Protocol (NTP) continues to make up the majority of reflected UDP attack traffic, with a continued increase in the use of the Simple Service Discovery Protocol (SSDP) attack vector originally observed in Q3.
Q4 Feature: DDoS-for-Hire Services Mean Greater Threat for Businesses

The increasing availability of DDoS-for-hire services, also known as booters, presents a huge risk for security professionals, as they enable virtually anyone to hire skilled cyber criminals to launch a targeted DDoS attack for as little as $2 USD per hour. This quarter's feature outlines how this malicious marketplace works, and presents some sobering details on just how affordable hiring a DDoS attack has become.
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Mitigations by Attack Size

The size of attacks mitigated by Verisign in the fourth quarter of 2014 stood at an average peak size of 7.39 Gbps (see Figure 1). This represents a 14 percent increase in average attack size from Q3 2014 (6.46 Gbps) and a 245 percent increase over Q4 2013 (2.14 Gbps).

[Figure 1: Average Peak Attack Size by Quarter, in Gbps, 2013-Q4 through 2014-Q4. Bar values shown: 2.14, 3.92, 4.60, 6.46 and 7.39; the text identifies 2.14 (Q4 2013), 6.46 (Q3 2014) and 7.39 (Q4 2014).]

DDoS attack activity in the 10 Gbps and above category remained high at 17 percent of all attacks, although this number was slightly down from 23 percent in Q3 (see Figure 2). In all, 42 percent of attacks leveraged more than 1 Gbps of attack traffic, which even today remains a significant amount of bandwidth for any network-dependent organization to over-provision for DDoS attacks.

[Figure 2: 2014 Mitigation Peaks by Category. Percentage of attacks per quarter (2014-Q1 through 2014-Q4) in the peak-size categories >10 Gbps, 5-10 Gbps, 1-5 Gbps and <1 Gbps.]
The largest volumetric UDP-based DDoS attack mitigated by Verisign in Q4 targeted an IT Services/Cloud/SaaS customer. This was primarily an NTP reflection attack targeting port 443 and peaking at 60 Gbps and 16 Mpps. The attack persisted at the 60 Gbps rate for more than 24 hours, and serves as another example of how botnet capacity and attack sustainability can be more than some organizations can manage themselves.

The largest TCP-based attack was a SYN flood against a Media and Entertainment industry customer. The attack targeted a custom gaming port and peaked at 55 Gbps and 60 Mpps.

MITIGATIONS BY INDUSTRY VERTICAL

DDoS attacks are a global threat and not limited to any specific industry vertical, as illustrated in Figure 3. Further, Verisign acknowledges that the attacks by vertical reported in this document are solely a reflection of Verisign's protected customer base; however, this data may be helpful in prioritizing security expenditures based upon the observed exposure of your industry to DDoS attacks.

In Q4, IT Services/Cloud/SaaS customers experienced the largest volume of attacks (see Figure 3), representing one third of all attacks and peaking in size at just over 60 Gbps. Verisign expects the trend in attacks against the IT Services/Cloud/SaaS industry to continue as these organizations migrate IP assets to cloud-based services and infrastructure, effectively expanding their attack surface across on-premise devices, and public and private clouds.

[Figure 3: Mitigations by Vertical (percent of Q4 mitigations)]
IT Services/Cloud/SaaS: 33%
Media & Entertainment/Content: 23%
Financial: 15%
Public Sector: 15%
E-Commerce/Online Advertising: 8%
Telecommunications: 6%
Public-sector customers experienced the largest increase in attacks, constituting 15 percent of total mitigations in Q4. Verisign believes the steep increase in the number of DDoS attacks levied at the public sector may be attributed to attackers' increased use of DDoS attacks as a tactic for politically motivated activism, or hacktivism, against various international governing organizations, and in reaction to various well-publicized events throughout the quarter, including protests in Hong Kong and Ferguson, MO. As outlined in iDefense's 2015 Cyber Threats and Trends, the convergence of online and physical protest movements contributed to the increased use of DDoS as a tactic against organizations, including the public sector, throughout 2014. Verisign also believes that the ready and growing availability of DDoS toolkits and DDoS-as-a-service offerings in the cyber underground may have contributed to the increase in public-sector attacks and predicts that this trend will continue into 2015.

The next-largest increase in number of attacks was against the financial industry, which doubled to account for 15 percent of total mitigations. As described in the Q3 2014 Verisign DDoS Trends Report, the 2014 holiday season was in full swing in Q4, and Verisign has historically seen an increase in DDoS activity against customer organizations during this period each year. Verisign mitigated more DDoS attacks in December than in any other month of 2014.

DDoS ATTACK VECTORS AND MITIGATION

NTP Amplification

In Q4, the most common attack vector Verisign observed continued to be UDP amplification attacks leveraging the Network Time Protocol (NTP). As covered in previous reports, many organizations do not use or trust external systems for their NTP, so in this case the mitigation can be as simple as restricting or rate-limiting NTP ports, inbound and outbound, to only authenticated or known hosts.
SSDP Amplification

Additionally, Verisign continued to observe the Simple Service Discovery Protocol (SSDP) being exploited in DDoS amplification attacks in Q4. Verisign advises readers to audit internal assets to ensure that they are not unknowingly being leveraged in SSDP-based DDoS attacks. For most organizations, SSDP implementations do not need to be open to the Internet. In this case, the protocol should be blocked at the network edge to protect from this particular vector up to an organization's network capacity.
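As an added example that is not part of the Verisign report, the following Python script applies the NTP and SSDP advice above to constructed flow records: it totals amplified UDP replies arriving at internal hosts from the NTP and SSDP ports (the victim's view of a reflection attack) and lists internal hosts that answer those protocols to external addresses (the audit of assets that could be abused as reflectors). The address ranges, the flow-record format and the 200-byte average-packet threshold are assumptions.

```python
# Added example, not code from the Verisign report: flag NTP/SSDP reflection
# traffic in flow records and list internal hosts answering those protocols
# to the Internet. Address ranges, record format and threshold are assumed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
REFLECTORS = {123: "NTP", 1900: "SSDP"}  # UDP source ports abused as reflectors
# Constructed sample flows: src_ip src_port dst_ip dst_port proto bytes packets
SAMPLE_FLOWS = """\
203.0.113.7 123 10.1.1.5 443 udp 468000 1000
198.51.100.9 123 10.1.1.5 443 udp 440000 950
192.0.2.4 1900 10.1.1.5 80 udp 300000 1000
10.0.0.20 123 10.0.0.21 123 udp 480 5
10.2.2.2 1900 198.51.100.77 40000 udp 35000 100
203.0.113.7 443 10.1.1.5 50000 tcp 1500 10
"""

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes, pkts = line.split()
        flows.append({"src": src, "sport": int(sport), "dst": dst,
                      "dport": int(dport), "proto": proto,
                      "bytes": int(nbytes), "pkts": int(pkts)})
    return flows

def analyze(flows, min_avg_pkt=200):
    """Return (victims, leaks). victims: internal dst -> {service: bytes} of
    inbound UDP from a reflector port with a large average packet (amplified
    replies; a plain NTP reply is 48 bytes, a monlist reply several hundred).
    leaks: (internal src, service) replying to external hosts, i.e. assets
    that could be abused as reflectors against someone else."""
    victims = defaultdict(lambda: defaultdict(int))
    leaks = set()
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTORS:
            continue
        service = REFLECTORS[f["sport"]]
        src_int, dst_int = is_internal(f["src"]), is_internal(f["dst"])
        if not src_int and dst_int and f["bytes"] / f["pkts"] >= min_avg_pkt:
            victims[f["dst"]][service] += f["bytes"]
        elif src_int and not dst_int:
            leaks.add((f["src"], service))
    return {k: dict(v) for k, v in victims.items()}, leaks
```

Internal-to-internal NTP traffic (the fourth record) is deliberately ignored, since legitimate time synchronization inside the perimeter is exactly what the edge restriction should leave alone.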
Feature: DDoS-FOR-HIRE SERVICES MEAN GREATER THREAT FOR BUSINESSES

One of the common themes for DDoS attacks throughout 2014 is that the actors, strategies and tools involved continually evolved and improved in effectiveness and intensity. In fact, as you may have seen in recent news, some cyber criminals have become so adept at launching successful DDoS attacks that they've gone professional. The increasing availability of DDoS-for-hire services, also known as booters, presents a huge risk for security professionals, as they enable virtually anyone to hire skilled cyber criminals to launch a targeted DDoS attack. Since their inception in 2010, DDoS-for-hire capabilities have advanced in both success and popularity, and surprisingly, can be employed today for a staggeringly marginal fee; many can be hired for just $5 USD an hour and some as low as $2 USD an hour (see Figure 4)[1], according to Verisign iDefense Security Intelligence Services research. Additionally, massive and longstanding attacks can be deployed for as little as $800 USD for an entire month. Perhaps even more unnerving is that during the last several years, DDoS-for-hire services have become remarkably skilled at working under the radar and avoiding detection by authorities.

Figure 4: Price List for Select DDoS-for-Hire Services (pricing in USD)
Xakepy.cc: 1 hour starts at $5; 24 hours starts at $30; 1 week starts at $200; 1 month starts at $800
World DDoS Service: 1 day starts at $50; 1 week starts at $300; 1 month starts at $1,200
King's DDoS Service: 1 hour starts at $5; 12 hours starts at $25; 24 hours starts at $50; 1 week starts at $500; 1 month starts at $1,500
MAD DDoS Service: 1 night starts at $35; 1 week starts at $180; 1 month starts at $500
Gwapo's Professional DDoS Service: 1-4 hours at $2 per hour; 5-24 hours at $4 per hour; 24-72 hours at $5 per hour; 1 month at $1,000 fixed
PsyCho DDoS Service: 1 hour for $6; 1 night for $60; 1 week for $380; 1 month for $900
DDoS Service 911: 1 night for $50
Blaiz DDoS Service: 1 day for $70; 1 week starts at $450
Critical DDoS Service: 1 day starts at $50; 1 week starts at $300; 1 month starts at $900
No. 1* DDoS_SERVICE: 1 day starts at $50; 1 week starts at $300; 1 month starts at $1,000

[1] Verisign iDefense Security Intelligence Services, 2014
Given their illegal nature, DDoS-for-hire services are usually shrouded in secrecy. As you would expect, openly advertised DDoS services are rare and often subject to takedown. To get around this, botnet operators commonly advertise DDoS services in underground forums, often detailing their specific services, prices and guarantees on performance. Of course, hiring booters is risky business. In essence, the hiring party is looking for a partner to commit crime with them; deciding which parties are trustworthy and capable is certainly not easy. To that end, within these forums, a service's reputation has an enormous impact on its overall success.

That being said, some more brazen actors occasionally take more creative approaches to advertising: the operators of the Gwapo DDoS service, for example, utilized YouTube to post videos, which featured unsuspecting actors reading a script to explain the DDoS service, and asking potential buyers to contact the operators via email.

One of the more high-profile advertising efforts for a DDoS service in 2014 came from the DDoS group Lizard Squad. Since August 2014, the group has claimed responsibility for attacks against multiple online gaming services, including those for Sony Corp.'s PlayStation Network (PSN) and Microsoft Inc.'s Xbox Live. PSN and Xbox Live were both taken offline for significant amounts of time by DDoS attacks on Dec. 25, 2014. Following the successful Christmas attacks, Lizard Squad began advertising the operation of its very own LizardStresser DDoS service, which costs from $5.99 to $119.99 USD per month to employ. In an interview, a purported member of the group told tech site DailyDot that these notable attacks were all meant to drive demand for the group's DDoS service.[2]

The transfer of money presents additional obstacles and risks to DDoS-for-hire services and their customers, since most check and card payments tend to leave a record that could lead back to either party.
Instead, most of these financial transactions use various online currencies, including Bitcoin, which allow the involved parties to do business while maintaining anonymity, and reduce the risk of an investigation.

CONCLUSION

Given the ready availability of DDoS-as-a-service offerings, and the increasing affordability of such services, organizations of all sizes and industries are at greater risk than ever of falling victim to a DDoS attack that can cripple network availability and productivity, and cost them dearly in not only online revenue, but invaluable reputation and customer trust. Awareness and understanding of the capabilities of these services, and the combined efforts of the actors selling and employing them, will most certainly be key to combating the DDoS threat now and into the future.

[2] Turton, William. "Lizard Squad's Xbox Live, PSN attacks were a marketing scheme for new DDoS service." DailyDot. Dec. 30, 2014. http://www.dailydot.com/crime/lizard-squad-lizard-stresser-ddos-service-psn-xbox-live-sony-microsoft/

VerisignInc.com. © 2015 VeriSign, Inc. All rights reserved. VERISIGN, the VERISIGN logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners. Verisign Public 201502