
NSFOCUS Mid-Year DDoS Threat Report 2013


Abstract
For years, NSFOCUS has dedicated itself to assuring the secure and smooth operation of its customers' businesses. Every day, NSFOCUS prevention products and monitoring systems detect and mitigate thousands of distributed denial-of-service (DDoS) attacks that could harm customers' security. This report has been compiled by the NSFOCUS Cloud Response Center to inform the broader IT industry about observations and trends regarding DDoS attacks. DDoS attacks were frequently in the spotlight during the first half of 2013. The hacker collective Izz ad-Din al-Qassam Cyber Fighters continued to challenge the U.S. by disrupting the online services of some top American banks. The anti-spam organization Spamhaus suffered an astonishing 300 Gbps DDoS attack that was described as the biggest cyber attack in history. Faced with such a massive flood, it is easy to understand that no defense system is absolutely impregnable. Though it is usually large enterprises and organizations that make the headlines, small and medium enterprises and businesses (SMEs and SMBs) were plagued by DDoS threats as well. In the first half of 2013, more than 90 percent of DDoS attacks lasted less than half an hour, more than 80 percent of the recorded attack traffic was below 50 Mbps, and about two-thirds of the victims suffered more than one attack. The repeated launching of low-and-slow DDoS attacks may be driven by the growth of low-cost DDoS-for-hire services. This report describes the overview, targets and methods of DDoS threats during the first half of 2013. The statistics in this report are sourced from 90 major news reports and 168,459 attacks monitored by NSFOCUS. All of the data collected through our active monitoring has been anonymized to protect our customers' information.


Contents
Overview of DDoS Attacks
  Finding 1: DDoS attack frequency - one major DDoS news event happened every two days and one common DDoS attack happened every two minutes
  Finding 2: DDoS motives - hacktivism tops the list
Targets of DDoS Attacks
  Event 1: Operation Ababil
  Finding 3: DDoS victims - most likely targets were banks, governments and enterprises
  Finding 4: More than 68 percent of victims suffered multiple attacks
DDoS Attack Methods
  Event 2: The biggest DDoS attack in history
  Finding 5: TCP Flood and HTTP Flood remain the most popular attack methods
  Finding 6: Most DDoS attacks are short
  Finding 7: Most attacks are not very big
  Finding 8: Hybrid attacks became prevalent
Conclusions
Contacts


Figures
Figure 1 Major DDoS News Events
Figure 2 DDoS Attacks Monitored by NSFOCUS
Figure 3 Causes for Major DDoS Attacks
Figure 4 Timeline of 2013 Operation Ababil
Figure 5 Targets of Major DDoS Attacks
Figure 6 Frequency of DDoS Attacks
Figure 7 DNS Reflection Attack
Figure 8 DDoS Attack Methods
Figure 9 Durations of DDoS Attacks
Figure 10 Distribution of DDoS Attack Traffic (bps)
Figure 11 Distribution of the DDoS Packet Rate (pps)
Figure 12 Hybrid DDoS Attacks


Overview of DDoS attacks


The first half of 2013 witnessed frequent DDoS events and attacks. A major DDoS event broke out every two days on average, and NSFOCUS detected one DDoS attack every two minutes on its monitoring networks. Both the attacks monitored by NSFOCUS and the major DDoS events reported by the media rose over the half-year and peaked in June. Hacktivism was the primary motive for major DDoS events, followed by business crime and cyber war between competing countries. Of the 168,459 attacks that NSFOCUS monitored, 91.3 percent of the targets were located in China, followed by the U.S. at 5.8 percent, Hong Kong at 1 percent, Korea at 0.5 percent, the Philippines at 0.2 percent and Germany at 0.1 percent.

Finding 1: DDoS attack frequency - one major DDoS news event happened every two days, and one common DDoS attack happened every two minutes.
NSFOCUS traced 90 major DDoS events reported by the news media, an average of one major event every two days. Meanwhile, NSFOCUS monitored a total of 168,459 DDoS attacks, or 1.29 every two minutes on average. The monthly counts of media-reported events (Figure 1) and of attacks detected by NSFOCUS (Figure 2) both rose over the half-year and peaked in June, with 30 reported events and 36,266 monitored attacks.


Figure 1 Major DDoS News Events and Figure 2 DDoS Attacks Monitored by NSFOCUS (per month, first half of 2013)

Month   Major news events (Figure 1)   Attacks monitored by NSFOCUS (Figure 2)
Jan       3                              19,812
Feb      11                              29,962
Mar       7                              25,016
Apr      19                              23,596
May      20                              33,807
Jun      30                              36,266
Total    90                             168,459

Finding 2: DDoS motives - Hacktivism tops the list.


Among the 90 major DDoS events reported by the media and traced by NSFOCUS, hacktivism was the primary motive. It was followed by business crime, which mostly involved profit-driven competition or extortion (for example, competition in the online gaming industry), and by cyber war between countries.

Figure 3 Causes for Major DDoS Attacks: Hacktivism 91.1%, Business Crime 4.4%, Cyber War 2.2%, Other 2.2%

Targets of DDoS Attacks


DDoS attacks became a hot topic in the security sector during the first half of 2013, due mainly to the Operation Ababil campaign of Izz ad-Din al-Qassam Cyber Fighters, in which the U.S. banking industry was the major target, along with some government departments and enterprises. Among the common DDoS attacks monitored by NSFOCUS, two-thirds of the victims were attacked more than once.

Event 1: Operation Ababil


The Operation Ababil campaign, launched by Izz ad-Din al-Qassam Cyber Fighters (Cyber Fighters), went through three phases between September 2012 and June 2013, with a fourth phase initiated in July 2013. In July 2012, a trailer for a movie about the Islamic prophet Muhammad, produced and directed by the American Sam Bacile, was posted on YouTube, sparking strong objections and protests in the Muslim world. On September 18, 2012, Cyber Fighters announced on Pastebin that it would attack U.S. banks and the New York Stock Exchange with a series of DDoS attacks in retaliation for the video, declaring that the attacks would persist until the movie was removed from the website. Operation Ababil was named after a story in the Koran in which Allah dispatches flocks of birds to destroy an army of elephants sent by the king of Yemen to attack Mecca. The first phase started on September 18, 2012 and lasted five weeks; the second started on December 10, 2012 and lasted seven weeks. The third phase continued for nine weeks, from March 5, 2013 to May 6, 2013. The fourth phase began on July 23, 2013. The campaign affected the online banking services of major American financial institutions, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC Financial Services Group, Capital One, Fifth Third Bank, BB&T and HSBC. These DDoS attacks had severe impacts on business continuity and on the availability of the banks' websites, and they caused incalculable damage to the banks' reputations. Several U.S. government departments worked on the investigation of this event, including the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and financial regulators.


Figure 4 Timeline of 2013 Operation Ababil



Finding 3: DDoS victims - most likely targets were banks, governments and enterprises.
Of the 90 major DDoS attacks that occurred worldwide in the first half of 2013, 39 (43 percent) targeted banks, mainly as a result of the Operation Ababil campaign. Governments and enterprises were hit in 26 (29 percent) and 19 (21 percent) major DDoS events, respectively. Non-profit organizations (NPOs) and Internet service providers (ISPs) also fell victim to these attacks.
Figure 5 Targets of Major DDoS Attacks: Bank 43%, Government 29%, Enterprise 21%; NPO, ISP and Other make up the remaining 7% (5%, 1% and 1%)

Finding 4: More than 68 percent of victims suffered multiple attacks.


The first half of 2013 saw a rise in repeated attacks against the same victim, with more than two-thirds of victims attacked more than once. Our data show that 31.3 percent of victims suffered a single DDoS attack in the first half of the year, down from 50.7 percent in 2012, while 6.2 percent were attacked more than 10 times, up from 5.2 percent the year before. The share of victims suffering multiple attacks rose from nearly half (49.3 percent) in 2012 to more than two-thirds (68.7 percent) in the first half of 2013. NSFOCUS expects the trend of cyber criminals attacking the same target repeatedly to continue to grow over the second half of 2013. We see two factors contributing to this trend:
A: Cost. DDoS-for-hire (botnet rental) has been growing over the past couple of years, making repeated attacks over short periods cheaper and more effective.
B: Willingness to pay ransom. After the media reported that some poorly defended websites had reluctantly paid ransoms, such sites became priority targets for other cyber criminals.

Figure 6 Frequency of DDoS Attacks (share of victims by number of attacks suffered)

Attacks per victim   Share of victims
1                    31.3%
2 - 10               62.5%
11 - 20               4.4%
20+                   1.8%

DDoS Attack Methods


In the first half of the year, the methods used by DDoS attackers became very diverse. On one hand, attackers continued to pursue ever larger attack traffic, such as the 300 Gbps Spamhaus attack in March, considered by experts to be the biggest cyber attack in history. Such events are rare, however, because attackers have widely adopted application-layer resource-consumption attacks (e.g., HTTP Flood), which generate only modest traffic and packet rates yet can be just as destructive as a massive flood. This dichotomy shows a level of sophistication: attackers are scouting their targets and applying the method best suited to cause disruption. NSFOCUS has also noted hybrid attacks becoming more prevalent, with ICMP+TCP+UDP Flood the most common combination.

Event 2: The biggest DDoS attack in history


Spamhaus is an anti-spam non-profit based in London and Geneva that maintains a very large spam blocklist used by universities, research institutions, ISPs, militaries and commercial enterprises. Beginning on March 18, 2013, Spamhaus came under a DDoS attack in which the attackers combined a botnet with DNS reflection. The attack traffic grew steadily from 10 Gbps to an astonishing 300 Gbps on March 27, making it the largest DDoS attack (by traffic volume) against a single target recorded up to that point. The attack used DNS reflection with amplification. Although this style of attack has been around for a long time, it has become more popular and is now the main component of large-scale attacks aimed at Layer 3. The basic procedure is to send DNS lookups carrying an EDNS0 OPT pseudo-RR (the extension field that advertises a large UDP buffer, so the answer need not be truncated to 512 bytes) to a large number of open DNS resolvers, with the source address spoofed to be the target's address. Each open resolver resolves the query and sends its response to the target. Since the request is far smaller than the response, attackers can use this technique to amplify their bandwidth and attack traffic many times over.
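To make the mechanism concrete, the following is an added example (our own code, not NSFOCUS's and not any DNS tool's) that builds the kind of query a reflection attack sends, in DNS wire format with an EDNS0 OPT record, parses it back, and applies a resolver-side triage rule for amplification-prone queries. The qname ripe.net and the ANY query type follow the Spamhaus event; the 4096-byte EDNS buffer, the list of large-answer types and the 1024-byte threshold are our assumptions. Nothing is sent on the network.

```python
import struct

# Added example, not from the report: DNS query construction and parsing in
# wire format (RFC 1035 header/question plus the RFC 6891 EDNS0 OPT pseudo-RR).
# The query built in __main__ has the same shape as the 'ripe.net' ANY queries
# used against Spamhaus; type list and thresholds below are our assumptions.

TYPE_OPT, TYPE_ANY = 41, 255
QTYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA",
               46: "RRSIG", 48: "DNSKEY", 255: "ANY"}


def encode_name(name):
    """'ripe.net' -> b'\\x04ripe\\x03net\\x00' (uncompressed label sequence)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, txn_id=0x1234, edns_udp_size=None):
    """Single question, RD=1. With edns_udp_size set, an OPT RR is appended in
    the additional section advertising that UDP buffer; without it the
    responder has to truncate anything over 512 bytes, which removes most of
    the amplification."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0,
                         1 if edns_udp_size else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # NAME=root, TYPE=OPT, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def _read_name(msg, off):
    """Decode a (possibly compressed) name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) or ".", (end if end is not None else off)


def parse_query(msg):
    """Parse a single-question message; report qname, qtype and the EDNS0
    UDP size advertised in the additional section (None if no OPT RR)."""
    txn_id, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = _read_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    edns = None
    for _ in range(an + ns + ar):                  # walk the remaining RRs
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            edns = rclass                          # OPT reuses CLASS for the buffer size
    return {"id": txn_id, "qname": qname, "wire_len": len(msg),
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)), "edns_udp_size": edns}


def amplification_prone(q, big_types=("ANY", "TXT", "RRSIG", "DNSKEY"), min_udp=1024):
    """Resolver-side triage (our heuristic): a large-answer qtype combined with
    an EDNS0 buffer big enough to return it in one datagram."""
    return q["qtype"] in big_types and (q["edns_udp_size"] or 512) >= min_udp


def amplification_factor(request_len, response_len):
    return response_len / request_len


def attacker_bandwidth_needed(target_bps, factor):
    """Request-side bandwidth a botnet needs to land target_bps on the victim."""
    return target_bps / factor


if __name__ == "__main__":
    q = build_query("ripe.net", TYPE_ANY, edns_udp_size=4096)
    info = parse_query(q)
    print(info, "amplification-prone:", amplification_prone(info))
    f = amplification_factor(36, 3000)           # request/response sizes quoted in the report
    print(f"factor ~{f:.0f}x; ~{attacker_bandwidth_needed(300e9, f) / 1e9:.1f} Gbps"
          " of spoofed queries for 300 Gbps at the target")
```

The 37-byte query produced here is in line with the 36-byte request the report quotes below; the only thing that makes it dangerous is the OPT record, which is why a resolver that sees ANY queries with large EDNS buffers from many different "source" addresses should treat them as reflection traffic rather than as client demand.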


Figure 7 DNS Reflection Attack

In this event, the attacker sent queries for the domain name ripe.net to more than 30,000 open DNS servers with the source IP address spoofed to Spamhaus's address. The responses from those DNS servers generated about 300 Gbps of attack traffic. A DNS request of 36 bytes produced a response of about 3,000 bytes, so DNS reflection amplified the traffic by roughly two orders of magnitude (3,000/36 is about 83). The attacker therefore only needed a botnet capable of producing around 3 Gbps of request traffic to generate roughly 300 Gbps of response traffic at the target. In addition to DNS reflection, the attacker also used ACK reflection and other techniques. On July 25, 2013, the Internet Systems Consortium (ISC) announced that a response rate limiting (RRL) module had been added to the latest version of BIND to defend against DNS reflection DDoS attacks, describing it as the most effective way to mitigate them. NSFOCUS believes that all DNS administrators should deploy RRL and closely follow ISC's continued enhancement of it. RRL is aimed at authoritative name servers; the open recursive resolvers that supplied the reflection capacity in this attack should instead be restricted to answering their own clients, and networks should filter packets with spoofed source addresses at their edge (BCP 38), since spoofing is what makes reflection possible at all.


Finding 5: TCP Flood and HTTP Flood remain the most popular attack methods.
NSFOCUS detected a total of 168,459 attacks in the first half of 2013. Among them, TCP Flood accounted for 38.7 percent, returning to first place. HTTP Flood was second at 37.2 percent of the total, a 5.5 percent decrease from the previous year. DNS Flood remained a significant vector at 13.1 percent. In addition, hybrid attacks emerged as a new common vector, making up 4.1 percent of DDoS attacks.

Figure 8 DDoS Attack Methods (share of monitored attacks)

Method         Share
TCP Flood      38.7%
HTTP Flood     37.2%
DNS Flood      13.1%
Hybrid Flood    4.1%
UDP Flood       3.5%
Other           3.0%
ICMP Flood      0.3%


Finding 6: Most DDoS attacks are short.


The duration of most DDoS attacks is not very long. The vast majority of DDoS attacks, 93.2 percent, were less than 30 minutes in duration, about the same as what we observed in 2012.

Figure 9 Durations of DDoS Attacks

Duration        Share of attacks
0 - 30 min      93.2%
30 min - 12 h    4.3%
12 h - 24 h      0.9%
24 h - 48 h      0.3%
48 h+            1.1%

Finding 7: Most attacks are not very big.


Among the DDoS attacks monitored by NSFOCUS, 80.1 percent of the attacks saw the traffic rate reach no higher than 50 Mbps, with only 0.9 percent of attacks recorded above 2 Gbps. Layer 7 attacks, such as HTTP Flood attacks, have become more prevalent in recent years because of their effectiveness with just a small amount of traffic. Thus, we are seeing the trend shift from volumetric attacks during years past to more cost-effective application layer attacks.
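As an added example of the low-traffic Layer 7 attack this finding describes (our own code, not from the report or any product), the script below parses combined-format web access logs, tracks per-client request counts against expensive dynamic paths in a sliding window, flags clients that exceed a request budget, and reports how little bandwidth a flagged client actually consumed. The log lines, IP addresses, paths and the 30-requests-per-10-seconds threshold are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Added example, not from the report: detecting a low-rate HTTP flood in
# combined-log-format access logs. Addresses, paths, sizes and thresholds
# are constructed for the example.

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.strptime(r["ts"], TS_FMT)
    r["bytes"] = 0 if r["bytes"] == "-" else int(r["bytes"])
    return r


def detect_http_flood(lines, window_s=10, max_requests=30,
                      expensive=("/search", "/login", "/api/")):
    """Per-client statistics plus a `flagged` bit, set when more than
    max_requests hit expensive (CPU/database-bound) paths within any
    window_s-second window. Lines must be in chronological order."""
    recent = defaultdict(deque)       # ip -> timestamps of recent expensive requests
    stats = {}
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        s = stats.setdefault(r["ip"], {"requests": 0, "expensive": 0, "bytes": 0,
                                       "peak_window": 0, "first": r["ts"],
                                       "last": r["ts"], "flagged": False})
        s["requests"] += 1
        s["bytes"] += r["bytes"]
        s["last"] = r["ts"]
        if r["path"].startswith(expensive):
            s["expensive"] += 1
            q = recent[r["ip"]]
            q.append(r["ts"])
            while (r["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            s["peak_window"] = max(s["peak_window"], len(q))
            if len(q) > max_requests:
                s["flagged"] = True
    return stats


def approx_kbps(s):
    """Average bandwidth the client's responses consumed, in kbit/s."""
    seconds = max(1.0, (s["last"] - s["first"]).total_seconds())
    return s["bytes"] * 8 / seconds / 1000


def constructed_log():
    """60 s of constructed traffic: one client hammering /search ten times per
    second for the first 20 s with small responses, and three ordinary clients
    fetching a page every 6 seconds."""
    base = datetime(2013, 4, 15, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 {size}'
    lines = []
    for sec in range(60):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        if sec < 20:
            for n in range(10):
                lines.append(fmt.format(ip="198.51.100.7", ts=ts,
                                        path=f"/search?q=x{sec}{n}", size=214))
        if sec % 6 == 0:
            for c in range(1, 4):
                lines.append(fmt.format(ip=f"203.0.113.{c}", ts=ts,
                                        path="/index.html", size=5120))
    return lines


if __name__ == "__main__":
    for ip, s in detect_http_flood(constructed_log()).items():
        print(ip, "FLOOD" if s["flagged"] else "ok",
              f"{s['requests']} req, peak {s['peak_window']} in 10 s, "
              f"~{approx_kbps(s):.1f} kbit/s")
```

The flagged client never exceeds about 18 kbit/s, far below the 50 Mbps line in Figure 10, which is exactly why bandwidth thresholds alone miss this class of attack; the signal is the request rate against expensive paths, not the byte count.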


Figure 10 Distribution of DDoS Attack Traffic (bps)

Traffic rate    Share of attacks
1 - 50 Mbps     80.1%
50 Mbps - 2 Gbps 13.0%
2 Gbps+          0.9%

According to our data, 69.1 percent of attacks were less than 0.2 million packets per second (Mpps). This data correlates to the smaller attack volume illustrated in the previous chart, and further confirms application layer attacks are widely adopted.

Figure 11 Distribution of the DDoS Packet Rate (pps)

Packet rate          Share of attacks
0 - 0.2 Mpps         69.1%
0.2 Mpps - 3.2 Mpps  30.7%
3.2 Mpps+             0.2%


Finding 8: Hybrid attacks became prevalent.


NSFOCUS monitored a total of 6,956 hybrid DDoS attacks, which accounted for 4.1 percent of total attacks. Most of them were analyzed and categorized according to the protocol types they used. Among these hybrid attacks, ICMP+TCP+UDP was identified as the most common combination (50.6 percent). ICMP+TCP+UDP+DNS and ICMP+TCP ranked in second and third place with 18.5 percent and 10.2 percent, respectively.

Figure 12 Hybrid DDoS Attacks (combinations of protocols)

Combination          Share of hybrid attacks
ICMP+TCP+UDP         50.6%
ICMP+TCP+UDP+DNS     18.5%
ICMP+TCP             10.2%
TCP hybrid / Other   20.6% (10.8% and 9.8%)


Conclusions
According to our statistics, while the number of DDoS attacks fluctuates from month to month, the overall trend in attack incidents is upward year after year. Although cyber war and hacktivism incidents are eye-catching and more widely reported by the media, attacks driven by commercial competition and extortion are actually the majority. Profit-driven cybercriminals pay close attention to "hackernomics", using the least amount of resources to cause the maximum damage or disruption to victims. This is why we expect application-layer attacks to become the most prevalent attacks now and in the future. A typical application-layer attack such as HTTP Flood is popular among attackers because it specifically consumes CPU, storage and database resources, which can take down a victim's website without generating a large amount of network traffic. That said, the traditional TCP Flood and UDP Flood will not disappear either, since they remain the most effective attacks against victims that are not protected by dedicated anti-DDoS mitigation equipment or services.


Contacts
If you have feedback or comments, please contact us: Email: info-us@nsfocus.com Tel: +1 408-907-6638 Address: 1793 Lafayette Street, Suite 120, Santa Clara, CA 95050

About NSFOCUS
Founded in 2000, NSFOCUS, Inc. (NSFOCUS) provides enterprise-level, carrier-grade solutions and services for distributed denial of service (DDoS) mitigation, Web security and enterprise-level network security. With more than 10 years of experience in DDoS research and development and mitigation, NSFOCUS has helped customers around the world maintain high levels of Internet security, website uptime and business operations to ensure that their online systems remain available. The NSFOCUS Anti-DDoS System (ADS) empowers customers to find and fend off a variety of incidents, from simple network layer attacks to more sophisticated and potentially damaging application-layer attacks, all while guaranteeing legitimate traffic gets through to networks and corporate-critical systems. For more information, visit www.nsfocus.com.
