Abstract
For years, NSFOCUS has dedicated itself to assuring the secure and smooth operation of its customers' businesses. Every day, NSFOCUS prevention products and monitoring systems detect and mitigate thousands of distributed denial-of-service (DDoS) attacks that could harm customers' security. This report has been compiled by the NSFOCUS Cloud Response Center to inform the broader IT industry about observations and trends regarding DDoS attacks. DDoS attacks were frequently in the spotlight during the first half of 2013. The hacker collective Izz ad-Din al-Qassam Cyber Fighters continued to challenge the U.S. by disrupting the online services of some top American banks. The anti-spam organization Spamhaus suffered an astonishing 300 Gbps DDoS attack that was described as the biggest cyber attack in history. Faced with a flood of that size, it is easy to see that no defense system is absolutely impregnable. Though it is usually large enterprises and organizations that make the headlines, small and medium enterprises and businesses (SMEs and SMBs) were plagued by DDoS threats as well. In the first half of 2013, more than 90 percent of DDoS attacks lasted less than half an hour, more than 80 percent of the attacks recorded were below 50 Mbps, and about two-thirds of the victims suffered more than one attack. The repeated launching of short, low-volume DDoS attacks may be driven by the growth of low-cost DDoS-for-hire services. This report describes the overview, targets and methods of DDoS threats during the first half of 2013. The statistics in this report are drawn from 90 major news reports and 168,459 attacks monitored by NSFOCUS. All data collected through our active monitoring has been anonymized to protect our customers' information.
Contents
Overview of DDoS Attacks
  Finding 1: DDoS attack frequency. One major DDoS news event happened every two days and one common DDoS attack happened every two minutes.
  Finding 2: DDoS motives. Hacktivism tops the list.
Targets of DDoS Attacks
  Event 1: Operation Ababil
  Finding 3: DDoS victims. Most likely targets were banks, governments and enterprises.
  Finding 4: More than 68 percent of victims suffered multiple attacks.
DDoS Attack Methods
  Event 2: The biggest DDoS attack in history
  Finding 5: TCP Flood and HTTP Flood remain the most popular attack methods.
  Finding 6: Most DDoS attacks are short.
  Finding 7: Most attacks are not very big.
  Finding 8: Hybrid attacks became prevalent.
Conclusions
Contacts
Figures
Figure 1: Major DDoS news events
Figure 2: DDoS attacks monitored by NSFOCUS
Figure 3: Causes for major DDoS attacks
Figure 4: Timeline of 2013 Operation Ababil
Figure 5: Targets of major DDoS attacks
Figure 6: Frequency of DDoS attacks
Figure 7: DNS reflection attack
Figure 8: DDoS attack methods
Figure 9: Durations of DDoS attacks
Figure 10: Distribution of DDoS attack traffic (bps)
Figure 11: Distribution of the DDoS packet rate (pps)
Figure 12: Hybrid DDoS attacks
Finding 1: DDoS attack frequency. One major DDoS news event happened every two days, and one common DDoS attack happened every two minutes.
NSFOCUS traced 90 major DDoS events reported by the news media, with an average of one major event every two days. Meanwhile, NSFOCUS monitored a total of 168,459 DDoS attacks with 1.29 occurring every two minutes, on average. Major DDoS events reported by media (Figure 1) and detected by NSFOCUS (Figure 2) peaked in May and April, respectively.
Figure 1: Major DDoS news events
Figure 2: DDoS attacks monitored by NSFOCUS
which mostly got involved in profit-driven competition or extortion, such as competition in the online gaming industry and cyber war between countries.
Figure 3: Causes for major DDoS attacks (pie chart; segments of 91.1%, 4.4%, 2.2% and 2.2%, with the segment labels lost in extraction)
by American Sam Bacile, was posted on YouTube, sparking strong objections and protests in the Muslim world. On September 18, 2012, the Cyber Fighters announced on Pastebin that they would attack U.S. banks and the New York Stock Exchange with a series of DDoS attacks in retaliation for the video, declaring that the attacks would continue until the film was removed from the site. Operation Ababil is named after a story in the Koran in which Allah sends flocks of birds to destroy an army of elephants dispatched by the king of Yemen to attack Mecca.

The first phase started on September 18, 2012 and lasted five weeks; the second started on December 10, 2012 and lasted seven weeks; the third ran for nine weeks, from March 5, 2013 to May 6, 2013; the fourth began on July 23, 2013. The campaign affected the online banking services of major American financial institutions, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC Financial Services Group, Capital One, Fifth Third Bank, BB&T and HSBC. These DDoS attacks severely disrupted business continuity and the availability of the banks' websites, and they caused incalculable damage to the banks' reputations. Several U.S. government bodies investigated the campaign, including the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and financial regulators.
Figure 4: Timeline of 2013 Operation Ababil
Finding 3: DDoS victims Most likely targets were banks, governments and enterprises.
Of the 90 major DDoS attacks that occurred worldwide in the first half of 2013, 39 (43 percent) targeted banks, mainly resulting from the Operation Ababil campaign. Government and enterprises were assaulted in 26 (29 percent) and 19 (21 percent) major DDoS events, respectively. Non-profit organizations (NPOs) and Internet service providers (ISPs) also fell victim to these attacks.
Figure 5: Targets of major DDoS attacks (banks 43%, government 29%, enterprises 21%; NPO, ISP and other account for the remaining 5%, 1% and 1%, with the individual labels not recoverable from the chart)
percent) in the first half of 2013. NSFOCUS expects the trend of cyber criminals attacking the same target multiple times to continue growing over the second half of 2013. We see two factors contributing to this trend:
A: Cost. DDoS-for-hire (botnet rental) has grown over the past couple of years, making repeated attacks over short periods cheaper and more effective.
B: Willingness to pay ransom. After the media reported that some affected websites lacking defense capabilities had reluctantly paid ransoms, such sites became priority targets for other cyber criminals.
Figure 6: Frequency of DDoS attacks per victim (2-10 attacks: 62.5%; 11-20 attacks: 4.4%; more than 20 attacks: 1.8%)
packet rates, it can be just as destructive as a massive flood. This dichotomy shows a level of sophistication: the attackers are scouting their targets and applying the methods best suited to cause disruption. NSFOCUS has also noted that hybrid attacks have become more prevalent, with ICMP+TCP+UDP Flood being the most common combination.
Figure 7: DNS reflection attack
In this event, the attacker sent DNS queries for the domain ripe.net to more than 30,000 open DNS resolvers, with the source IP address spoofed to be the IP address of Spamhaus. The responses from those servers added up to about 300 Gbps of attack traffic. A DNS query of about 36 bytes elicits a response of about 3,000 bytes, so DNS reflection amplified the traffic by a factor of roughly 80 to 100. The attacker therefore only needed a botnet able to generate around 3 Gbps of spoofed queries to direct some 300 Gbps of responses at the victim. Besides DNS reflection, the attacker also used ACK reflection and other techniques in the attack. On July 25, 2013, the Internet Systems Consortium (ISC) announced that a response rate limiting (RRL) module had been added to the latest version of BIND to defend against DNS reflection attacks, describing it as the most efficient method of mitigating them. RRL caps how many identical responses a server will return per second to the same client address range, which limits the amplification a spoofed query can extract from that server; it does not prevent the spoofing itself. NSFOCUS believes that all network administrators should deploy RRL and closely follow ISC's continuing work on it. Two further measures attack the root cause: recursive resolvers should only answer queries from their own clients rather than from the whole Internet, and network operators should drop packets with spoofed source addresses at their edge (BCP 38), since source address spoofing is what makes reflection possible in the first place.
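The arithmetic above, and the effect of RRL on it, as an added example that is not part of the NSFOCUS report and is not ISC's BIND code. It uses the report's figures (a 36-byte query, an approximately 3,000-byte response, 300 Gbps, 30,000 reflectors) and a deliberately simplified model of BIND's RRL (responses-per-second 5, slip 2, /24 client prefix). The IP addresses, the one-second window and the 36-byte size assumed for a truncated reply are constructed for the illustration.

```python
"""Added example (not from the NSFOCUS report or ISC's BIND): the arithmetic
behind a DNS reflection attack and a toy model of BIND-style response rate
limiting (RRL). Sizes follow the report: a ~36-byte query elicits a ~3,000-byte
response. Addresses are RFC 5737 test ranges, constructed for the example."""
from collections import defaultdict
import ipaddress

QUERY_BYTES = 36
RESPONSE_BYTES = 3000
TRUNCATED_BYTES = 36   # assumption: a TC=1 reply carries little more than the question


def amplification_factor(query_bytes=QUERY_BYTES, response_bytes=RESPONSE_BYTES):
    """Bytes delivered to the victim per byte of spoofed query the attacker sends."""
    return response_bytes / query_bytes


def attacker_gbps(target_gbps, query_bytes=QUERY_BYTES, response_bytes=RESPONSE_BYTES):
    """Spoofed query traffic the botnet must emit to land target_gbps on the victim."""
    return target_gbps / amplification_factor(query_bytes, response_bytes)


def responses_per_second(target_gbps, response_bytes=RESPONSE_BYTES):
    """Responses per second that add up to target_gbps (8 bits per byte)."""
    return target_gbps * 1e9 / (response_bytes * 8)


class ResponseRateLimiter:
    """Minimal model of BIND RRL. Identical responses (same name and type)
    toward the same client prefix are capped at responses_per_second per
    one-second window; the excess is dropped, except that every slip-th
    suppressed reply is sent truncated (TC=1) so a genuine client in that
    prefix can retry over TCP. Roughly the effect of this named.conf stanza:
        rate-limit { responses-per-second 5; slip 2; ipv4-prefix-length 24; };
    """

    def __init__(self, responses_per_second=5, slip=2, ipv4_prefix_length=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefix_len = ipv4_prefix_length
        self.sent = defaultdict(int)    # (second, prefix, qname, qtype) -> full replies
        self.excess = defaultdict(int)  # same key -> replies suppressed so far

    def _key(self, now, client_ip, qname, qtype):
        prefix = ipaddress.ip_network(f"{client_ip}/{self.prefix_len}", strict=False)
        return (int(now), str(prefix), qname.lower(), qtype.upper())

    def decide(self, now, client_ip, qname, qtype):
        """Return 'answer', 'truncate' or 'drop' for one incoming query."""
        key = self._key(now, client_ip, qname, qtype)
        if self.sent[key] < self.rps:
            self.sent[key] += 1
            return "answer"
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate_reflection(n_spoofed=500, victim="192.0.2.7"):
    """Constructed scenario: one open resolver receives n_spoofed ANY queries for
    ripe.net in a single second, all claiming to come from the victim, plus one
    genuine lookup from an unrelated client. Returns the per-verdict counts, the
    verdict for the genuine client, and the amplification the victim actually
    experiences once RRL is in the way."""
    rrl = ResponseRateLimiter()
    verdicts = defaultdict(int)
    for _ in range(n_spoofed):
        verdicts[rrl.decide(1000.0, victim, "ripe.net", "ANY")] += 1
    legit = rrl.decide(1000.0, "198.51.100.5", "example.org", "A")
    delivered = verdicts["answer"] * RESPONSE_BYTES + verdicts["truncate"] * TRUNCATED_BYTES
    return {
        "verdicts": dict(verdicts),
        "legit_client": legit,
        "delivered_amplification": round(delivered / (n_spoofed * QUERY_BYTES), 2),
    }


if __name__ == "__main__":
    print(f"amplification x{amplification_factor():.1f}; "
          f"{attacker_gbps(300):.1f} Gbps of spoofed queries yields 300 Gbps")
    print(f"{responses_per_second(300):,.0f} responses/s, "
          f"{responses_per_second(300) / 30_000:,.0f} per reflector across 30,000")
    print(simulate_reflection())
```

Two things fall out of the numbers. At 300 Gbps of 3,000-byte responses the victim absorbs 12.5 million responses a second, which spread over 30,000 reflectors is only about 420 queries per second per reflector, a load no single resolver operator would notice. With a 5-per-second cap per /24 the same reflector returns five full responses and 247 truncated ones to the spoofed victim, the genuine client for a different name is still answered, and the amplification actually delivered falls from about 83 to about 1.3.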
Finding 5: TCP Flood and HTTP Flood remain the most popular attack methods.
NSFOCUS detected a total of 168,459 attacks in the first half of 2013. Among them, TCP Flood accounted for 38.7 percent, returning to the top of the ranking. HTTP Flood was second at 37.2 percent of the total, down 5.5 percent from the previous year. DNS Flood remained a significant vector at 13.1 percent. In addition, hybrid attacks emerged as a new common vector, making up 4.1 percent of DDoS attacks.
Figure 8: DDoS attack methods (TCP Flood 38.7%, HTTP Flood 37.2%, DNS Flood 13.1%, hybrid 4.1%; UDP Flood, other and ICMP Flood make up the rest at 3.5%, 3.0% and 0.3%, read in the chart's label order)
Figure 9: Durations of DDoS attacks (93.2% lasted under 30 minutes; 1.1% lasted 48 hours or more; the intermediate bins were not recoverable from the chart)
Figure 10: Distribution of DDoS attack traffic (bps): 1 to 50 Mbps: 80.1%; 50 Mbps to 2 Gbps: 13.0%; 2 Gbps and above: 0.9%
According to our data, 69.1 percent of attacks ran at less than 0.2 million packets per second (Mpps), that is, under 200,000 pps. This correlates with the smaller attack volumes shown in the previous chart and further confirms that application layer attacks, which need comparatively few packets to exhaust a server, are widely adopted.
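As an added illustration (not NSFOCUS's detection logic) of the points made in the attack-methods discussion above and in this packet-rate finding: a small detector that aggregates per-second flow records per destination, names the flood vector or vectors from protocol, port and TCP flags, calls an event hybrid when several vectors each carry a meaningful share of the packets, and bins the event the way Figures 10 and 11 do. The flow records, the addresses (RFC 5737 test ranges), the thresholds and the vector heuristics are all constructed assumptions for the example.

```python
"""Added example (not NSFOCUS code): flag DDoS events from per-second flow
records, name the flood vector(s), and bin each event as Figures 10 and 11 do.
The thresholds and vector heuristics are assumptions chosen for illustration."""
from collections import defaultdict

# Report bins (Figure 10 in bits/s, Figure 11 in packets/s): (upper bound, label)
BPS_BINS = [(50e6, "1-50M"), (2e9, "50M-2G"), (float("inf"), "2G+")]
PPS_BINS = [(0.2e6, "0-0.2M"), (3.2e6, "0.2M-3.2M"), (float("inf"), "3.2M+")]
PPS_THRESHOLD = 2_000   # assumption: packets/s toward one host before we call it an attack
BPS_THRESHOLD = 10e6    # assumption: bits/s toward one host
VECTOR_SHARE = 0.20     # a vector "counts" when it carries at least 20% of the packets


def bin_of(value, bins):
    """Label of the first bin whose upper bound the value is below."""
    for upper, label in bins:
        if value < upper:
            return label
    return bins[-1][1]


def vector_of(flow):
    """Crude vector label from protocol, port and TCP flags (heuristic, not ground truth)."""
    proto = flow["proto"]
    if proto == "icmp":
        return "ICMP"
    if proto == "udp":
        return "DNS" if 53 in (flow["sport"], flow["dport"]) else "UDP"
    flags = flow.get("flags", "")
    if flags == "S":
        return "TCP"          # bare SYNs: SYN flood
    if flow["dport"] in (80, 443) and "P" in flags:
        return "HTTP"         # established sessions pushing requests at the web tier
    return "TCP"


def detect(flows):
    """flows: records with ts (second), dst, proto, sport, dport, flags, packets, bytes.
    Returns {(dst, ts): event} for every (target, second) over threshold."""
    pkts = defaultdict(int)
    byts = defaultdict(int)
    per_vec = defaultdict(lambda: defaultdict(int))
    for f in flows:
        key = (f["dst"], f["ts"])
        pkts[key] += f["packets"]
        byts[key] += f["bytes"]
        per_vec[key][vector_of(f)] += f["packets"]
    events = {}
    for key, pps in pkts.items():
        bps = byts[key] * 8
        if pps < PPS_THRESHOLD and bps < BPS_THRESHOLD:
            continue
        vecs = sorted(v for v, cnt in per_vec[key].items() if cnt / pps >= VECTOR_SHARE)
        events[key] = {
            "pps": pps,
            "bps": bps,
            "pps_bin": bin_of(pps, PPS_BINS),
            "bps_bin": bin_of(bps, BPS_BINS),
            "method": "+".join(vecs) + (" (hybrid)" if len(vecs) > 1 else ""),
        }
    return events


def sample_flows():
    """Constructed one-second snapshot; sport=0 stands in for random ephemeral ports."""
    v = "203.0.113.10"   # hit by an ICMP+TCP+UDP hybrid flood
    w = "198.51.100.20"  # hit by a modest HTTP flood
    n = "198.51.100.30"  # ordinary traffic
    return [
        dict(ts=1, dst=v, proto="icmp", sport=0, dport=0, flags="", packets=40_000, bytes=40_000 * 64),
        dict(ts=1, dst=v, proto="tcp", sport=0, dport=80, flags="S", packets=50_000, bytes=50_000 * 60),
        dict(ts=1, dst=v, proto="udp", sport=0, dport=1234, flags="", packets=45_000, bytes=45_000 * 500),
        dict(ts=1, dst=w, proto="tcp", sport=0, dport=80, flags="PA", packets=3_000, bytes=3_000 * 400),
        dict(ts=1, dst=n, proto="tcp", sport=0, dport=443, flags="PA", packets=150, bytes=150 * 900),
        dict(ts=1, dst=n, proto="udp", sport=53, dport=0, flags="", packets=50, bytes=50 * 120),
    ]


if __name__ == "__main__":
    for (dst, ts), ev in detect(sample_flows()).items():
        print(f"{dst} t={ts}: {ev['method']}, {ev['pps']:,} pps ({ev['pps_bin']}), "
              f"{ev['bps'] / 1e6:.1f} Mbps ({ev['bps_bin']})")
```

On the constructed data the hybrid victim shows 135,000 pps at about 224 Mbps, a 50M-2G, 0-0.2M event labelled ICMP+TCP+UDP, while the HTTP flood trips only the packet threshold at 3,000 pps and under 10 Mbps: a bandwidth graph would look healthy even as the web tier falls over, which is the point of the finding.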
Figure 11: Distribution of the DDoS packet rate (pps): 0 to 0.2 Mpps: 69.1%; 0.2 to 3.2 Mpps: 30.7%; 3.2 Mpps and above: 0.2%
Figure 12: Hybrid DDoS attacks (pie chart of vector combinations; segments of 50.6%, 18.5% and 10.2%, with the labels lost in extraction; the text names ICMP+TCP+UDP Flood as the most common combination)
Conclusions
According to our statistics, while the number of DDoS attacks fluctuates from month to month, the overall number of incidents is rising year after year. Although cyber war and hacktivism incidents are eye-catching and more widely reported by the media, attacks driven by commercial competition and extortion actually make up the majority. Profit-driven cybercriminals pay much closer attention to "hackernomics", using the fewest resources to cause the maximum damage or disruption to victims. This is why we expect application layer attacks to become the most prevalent attacks now and in the future. A typical application layer attack such as HTTP Flood is popular because it specifically targets CPU, storage and database resources, so it can take down a victim's website without generating a large amount of network traffic. That said, traditional TCP Flood and UDP Flood will not disappear either, since they remain the most effective attacks against victims not protected by dedicated anti-DDoS mitigation equipment or services.
Contacts
If you have feedback or comments, please contact us:
Email: info-us@nsfocus.com
Tel: +1 408-907-6638
Address: 1793 Lafayette Street, Suite 120, Santa Clara, CA 95050
About NSFOCUS
Founded in 2000, NSFOCUS, Inc. (NSFOCUS) provides enterprise-level, carrier-grade solutions and services for distributed denial of service (DDoS) mitigation, web security and network security. With more than 10 years of experience in DDoS research, development and mitigation, NSFOCUS has helped customers around the world maintain high levels of Internet security, website uptime and business operations to ensure that their online systems remain available. The NSFOCUS Anti-DDoS System (ADS) enables customers to find and fend off a variety of incidents, from simple network layer attacks to more sophisticated and potentially damaging application-layer attacks, while ensuring that legitimate traffic gets through to networks and business-critical systems. For more information, visit www.nsfocus.com.