CDNetworks Q2 2017 DDoS Attack Trends Report
Posted on 06-Mar-2018
<Public> 2 CopyrightⓒCDNetworks. All rights reserved.
Table of Contents
I. Introduction
II. Major DDoS attack issues in 2017
  1. Issue of DDoS attack threats demanding Bitcoin from the financial sector
III. DDoS attack trends in Q2 2017
  1. Number of DDoS response times in Q2 of each year
  2. Number of DDoS response times by area
  3. Number of attacks by industry
  4. Number of attacks by protocol
  5. Analysis by attack type
  6. Analysis of amplification attacks
  7. Analysis by attacker source IP
  8. Analysis by scale of attacks
IV. GRE (Generic Routing Encapsulation) packet flooding analysis
  1. GRE Tunneling
  2. Mirai Botnet
V. GRE Packet Flooding analysis #1
  1. GRE Flooding Attack
VI. GRE Packet Flooding analysis #2
VII. Closing remarks
I. Introduction
This report is designed to understand the latest DDoS attack trends and derive the most
effective countermeasures against incoming DDoS attack threats. Details of DDoS
attacks against CDNetworks CDN and security service customers that have occurred in
the second quarter of 2017 were collected and analyzed to inform this report.
Data on past DDoS attacks against foreign customers as well as domestic ones can act
as a solid guideline to prepare for new types of DDoS attacks in the future.
II. Major DDoS attack issues in 2017
Period: Description
January 2017:
  “Mirai”, the malicious code inducing DDoS attacks, found in Korea. IoT security measures are deemed urgent
February 2017:
  Why has Asiana Airlines become the focus of hackers?
  “2017 is expected to be the worst year in the history of security.”
March 2017:
  DDoS attacks from China paralyzed Lotte Duty Free Shop’s website... “Damages amounted to hundreds of millions of won”
  Cyber attacks are proliferating in retaliation against THAAD
April 2017:
  New botnet Amnesia attacked more than 220,000 DVRs
  “Hajime” conquers the IoT world using 300,000 infected devices
May 2017:
  “DDoS attacks are coming for you!” 82,000 infected devices attacked gambling sites
  Small and medium-sized businesses are becoming regular targets of cyber attacks. Why?
June 2017:
  7 banks received DDoS attack threats... “Send Bitcoin by the 26th”
  Only 40GB Cyber Shelter is ready for 1TB DDoS attacks in the financial sector
<Table 1> Major DDoS attack issues in 2017
1. Issue of DDoS attack threats demanding Bitcoin from the financial sector
The DDoS attack threat against the Korean finance industry by the international
hacking group “Armada Collective” seems to have ended on July 3. Global hackers are
likely to continue blackmailing Korean enterprises after the ransomware attack on the
Korean hosting company “Nayana”. “Nayana” is known to have negotiated with the hackers
after being infected by ransomware and to have agreed to pay 1.5 million USD in ransom,
setting a bad precedent for responding to hackers’ threats.
Since then, “Armada Collective” has sent blackmail emails and threats to leading
Korean financial and securities companies. Several of them experienced temporary
system failures (e.g., connection failures) due to the attacks but did not give in
to the demands.
Similar DDoS threats with Bitcoin demands against financial businesses were made in
2015 by a different hacking group called “DD4BC (DDoS for Bitcoin)”, and several
securities companies suffered extended periods of connection errors. Armada Collective,
which threatened domestic companies on this occasion, is also known to be associated
with DD4BC. The risk of DDoS attacks is ever present, so a business should develop its
response to incoming attacks even though not every attack or threat against a publicly
open service can be blocked in advance.
There are many ways to address this problem, but applying a cloud-based DDoS defense
service is an effective solution.
III. DDoS attack trends in Q2 2017
1. Number of DDoS response times for CDNetworks global customers in Q2 of each year
<Figure 1> Number of DDoS response times in Q2 of each year
The number of DDoS attacks in Q2 2017 (153) increased significantly compared with the
same quarter in 2015 and 2016: by 44.3% from 2015 (106) and by 96.2% from 2016 (78).
The increase appears to be due to more accurate monitoring of the CDNetworks network
with the upgraded DDoS monitoring system adopted in the second half of 2016, as well as
the growth in overseas customers. The sharp month-by-month increase over the 3 years can
be seen in the monthly graph below.
<Figure 2> Number of DDoS response times by month in the Q2 of each year
[Figure 1 chart: DDoS responses in Q2 by year; 2015: 106, 2016: 78, 2017: 153]
[Figure 2 chart: DDoS responses by month (April, May, June) for 2015, 2016 and 2017; y-axis 0 to 70]
2. Number of DDoS response times by area
<Figure 3> Number of DDoS response times by area
In the second quarter of 2017, attacks against Asia, including Hong Kong, accounted for
60.4% of total attacks, a large increase: the share was up from 28.2% in the previous
year, an increase of 32.3%. In contrast, the United States accounted for 14.6% of all
attacks, down from 43.6% of the previous year’s total. Overall, attacks occurred in more
diverse areas than before, owing to the DDoS monitoring capabilities on CDNetworks
infrastructure since 2H’16.
[Figure 3 chart: share of DDoS responses by area for 2015, 2016 and 2017; areas: U.S., Japan, Germany, Korea, U.K., Hong Kong, Thailand, Mexico, Brazil, India, Complex]
3. Number of attacks by industry
<Figure 4> Number of attacks experienced by industry
The gambling industry experienced 2.7 times more attacks than in Q2’16 and holds the
largest share of attacks in Q2’17 (92 attacks, 60.1%), followed by the gaming and
e-commerce industries. The e-commerce industry saw a total of 24 attacks in Q2 2017
(15.7%), 2.4 times more than the same quarter of both 2015 and 2016. On the other hand,
<Figure 4> shows that the attack frequency in the game industry remains high, but the
number of attacks dropped by 12.6% from the same quarter of 2016.
[Figure 4 chart: number of attacks by industry for 2015, 2016 and 2017; industries: Community, e-Learning, eCommerce, Gambling, Game, Government Agency, Hosting, Media, Public]
4. Number of attacks by protocol
<Figure 5> Comparison by attack protocol in Q2 of each year
By protocol, attacks in Q2 2017 using UDP and TCP increased, while attacks using HTTP
decreased by 13x compared with the same quarter of 2016. The rising trend of UDP attacks
seems to be related to the Mirai botnet (an IoT-based attack tool) as well as to the
increase in attacks abusing UDP-based Internet services, such as amplification attacks.
5. Analysis by attack type
<Figure 6> Comparison by attack type in Q2 of each year
[Figure 5 chart: number of attacks by protocol for 2015, 2016 and 2017; protocols: UDP, TCP, HTTP, ICMP, Complex]
[Figure 6 chart: number of attacks by type for 2015, 2016 and 2017; types: Complex, ICMP Flooding, HTTP POST Flooding, HTTP GET Flooding, UDP Flooding, TCP SYN Flooding, Amplification]
When attacks were analyzed by type, amplification, TCP SYN flooding and UDP flooding
attacks increased to a large extent, while HTTP GET flooding and complex attacks
decreased. Among them, the increase in the number of amplification attacks is most
noticeable: more than three times that of the same quarter of 2016. A detailed analysis
of these attacks can be found in <Figure 7>.
6. Analysis of amplification attacks
<Figure 7> Comparison of amplification attacks in Q2 by year
Amplification attacks in Q2 2017 numbered 78, about a 2.5x increase from the same
quarter of last year (31 attacks). DNS and NTP amplification attacks in particular
increased significantly. NTP amplification recorded 53 cases (a 7.6x increase from the
previous year), which accounted for 67.9% of all amplification attacks in Q2 2017. This
trend is similar to Q1 and leads to the conclusion that attackers preferred NTP
amplification in the first half of 2017.
[Figure 7 chart: amplification attacks in Q2 for 2015, 2016 and 2017; types: SSDP, NTP, DNS, CharGen, SNMP]
7. Analysis of attacker source IP
<Figure 8> Comparison of top 5 attack IP countries in the Q2 of each year
The analysis of attacker source IPs in Q2 2017 indicates that the proportion of attacks
from China declined moderately from both Q1 and Q2, whereas attacks from other countries
increased evenly. Among those countries, Korea accounted for 8.1% of all source IPs and
entered the top 5 attacking countries compared with Q2’FY16. These IPs appear to have
been detected while defending duty-free shop sites against the THAAD retaliation attacks
from China. The accuracy of the source IP statistics in Q2’17 has improved greatly
because details of actually blocked L3/L4 attacks were included in addition to the
previous L7 attack IP extraction method.
8. Analysis by scale of attacks
<Figure 9> Trends of attack scale in the Q2 of each year
[Figure 9 chart: attack scale in Q2 for 2015, 2016 and 2017; buckets: Under 1G, Under 10G, Under 50G, Over 50G]
Average attack traffic in Q2’17 was 2.1 Gbps, a 75.6% and 47.5% decrease from the same
quarter of 2016 (8.6 Gbps) and 2015 (4 Gbps) respectively. This is the smallest average
attack traffic for this quarter in the last 3 years, because small-scale attacks (under
1 Gbps) increased by 2.6x while large-scale attacks (over 10 Gbps) decreased by 65%.
IV. GRE (Generic Routing Encapsulation) packet flooding analysis
1. GRE Tunneling
GRE (Generic Routing Encapsulation) is a protocol used between network equipment to
create a virtual dedicated line by connecting routers; it can be thought of as a VPN
(Virtual Private Network) between routers. Recently, GRE has been widely used to defend
against DDoS attacks: the defending service announces the protected IP range via BGP
(Border Gateway Protocol) and connects the customer’s actual network through a GRE
tunnel.
<Figure 10> Overview of GRE (Generic Routing Encapsulation) Tunneling
2. Mirai Botnet
The Mirai botnet is an attack tool that first appeared in September 2016. It exploits
IoT devices as bots, an advance over the existing method of using PCs or servers as
bots. Mirai received wide media coverage due to the record-breaking scale of the devices
it infected as soon as it appeared, and its source code was released at the end of
October 2016. Since then, the frequency and scale of DDoS attacks have increased
significantly. Various types of attacks can be launched, and thousands or tens of
thousands of IoT devices such as CCTV cameras can be exploited as a botnet if their
default login credentials are not changed.
<Figure 11> Articles related to Mirai Botnet
V. GRE Packet Flooding analysis #1
1. GRE Flooding Attack
Following the previously published DDoS trends report for Q1’17, this report analyzes
DDoS attacks using GRE packets, one of the attacks specified in the Mirai botnet source
code. A description of GRE tunneling can be found in section IV.1 above.
<Figure 12> Mirai Botnet source code
The attack named “GRE IP / Ethernet Flooding” can be found in <Figure 12>.
<Figure 13> GRE Flooding Packet
Checking the packets used in the attack shows a random source IP, destination IP, source
port and destination port. The packet size is consistently 578 bytes.
<Figure 14> GRE Flooding Packet details #1
However, examining the packet in detail reveals two IP headers, as shown in <Figure 14>.
Header 1 shows the actual attacker and the attacker’s IP address. Header 2 carries an
unknown IP, which is the one a packet dump file displays as representative.
VI. GRE Packet Flooding analysis #2
Header (1) in <Figure 14> shows that the protocol is Generic Routing Encapsulation (47),
as shown in <Figure 15>. If it were an actual GRE packet, it would have terminated at the
router end. However, this packet is an attack packet masquerading as GRE, and the
destination IP is the victim of the attack. The source IP and destination IP can be
identified as in <Figure 15> if the packet is found in a packet dump. However, some
network defense equipment classifies the packet as GRE and instead recognizes the spoofed
IP in header (2) of <Figure 14>, which makes prevention difficult.
<Figure 15> GRE Flooding Packet details #2
Normal-looking IP headers appear in <Figure 15> as in <Figure 16>. However, all of that
header content is forged and has no effect on the actual packet path. Instead, some
network defense equipment recognizes the header in <Figure 14> as a GRE header and
monitoring does not detect it; only the spoofed contents shown in <Figure 15> are
displayed, which makes defense impossible.
<Figure 16> GRE Flooding Packet details #3
In fact, when an attack occurs, the DDoS defense device recognizes only the spoofed IP
because it does not parse the outer GRE IP header. To prevent such attacks, network
equipment can block protocol number 47 using an ACL (Access Control List). If we dump
and inspect the attack packet, we can easily confirm that it is an attack exploiting GRE
packets. Otherwise, if we rely solely on network equipment, the analysis becomes muddled
because the destination IP it reports is irrelevant to the service being checked. This is
a case in which ensuring that packets are inspected during a detected attack is quite
helpful in defending against DDoS.
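The two-header structure described in sections V and VI, and the ACL idea above, as an added example that is not part of the original report. The script builds a constructed sample packet with the shape the report describes (outer IPv4 header with protocol 47, a GRE header, then an inner IPv4/UDP header with attacker-chosen addresses and ports, padded to 578 bytes; the assumption here is that 578 is the IP total length), parses both headers, and applies an ACL-style rule that drops protocol 47 except from a hypothetical list of the defender’s own tunnel peers. All addresses are documentation-range placeholders, and `TRUSTED_TUNNEL_PEERS`, `analyze_packet` and `acl_decision` are names chosen for this example.

```python
import struct
import ipaddress

IPPROTO_GRE = 47          # IP protocol number for GRE (RFC 2784)
IPPROTO_UDP = 17
IPPROTO_TCP = 6
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an inner IPv4 packet

# Assumption for this example: the defender's own GRE mitigation tunnel peers
# (e.g. the scrubbing-centre router from section IV.1). Legitimate protocol-47
# traffic is expected only from these addresses.
TRUSTED_TUNNEL_PEERS = {"192.0.2.1"}   # hypothetical placeholder address

def build_ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header (IHL=5, TTL=64, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_gre_flood_packet(outer_src, victim, inner_src, inner_dst,
                           inner_sport, inner_dport, size=578):
    """Constructed sample of the flood packet shape described in the report:
    outer IPv4 (proto 47) + 4-byte GRE header + inner IPv4/UDP with
    attacker-chosen addresses and ports, padded to a fixed size."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S flags, inner = IPv4
    inner_len = size - 20 - len(gre)
    udp_len = inner_len - 20
    udp = struct.pack("!HHHH", inner_sport, inner_dport, udp_len, 0)
    inner = (build_ipv4_header(inner_src, inner_dst, IPPROTO_UDP, inner_len)
             + udp + b"\x00" * (udp_len - 8))
    return build_ipv4_header(outer_src, victim, IPPROTO_GRE, size) + gre + inner

def parse_ipv4(buf):
    """Return the fields of the IPv4 header at the start of buf."""
    fields = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ver_ihl, total_len, proto, src, dst = fields[0], fields[2], fields[6], fields[8], fields[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "total_len": total_len, "hlen": (ver_ihl & 0x0F) * 4}

def analyze_packet(pkt):
    """Classify a raw IPv4 packet. For protocol 47, walk past the GRE header and
    parse the inner IPv4 header too, so the outer (actually routed) addresses and
    the inner (attacker-chosen, spoofable) addresses are reported side by side."""
    outer = parse_ipv4(pkt)
    report = {"outer": outer, "gre": False, "inner": None, "verdict": "pass"}
    if outer["proto"] != IPPROTO_GRE:
        return report
    report["gre"] = True
    off = outer["hlen"]
    flags, gre_proto = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    # Optional GRE fields (RFC 2784/2890): checksum+reserved1, key, sequence number
    for bit in (0x8000, 0x2000, 0x1000):
        if flags & bit:
            off += 4
    if gre_proto == ETHERTYPE_IPV4:
        inner = parse_ipv4(pkt[off:])
        inner["sport"], inner["dport"] = None, None
        if inner["proto"] in (IPPROTO_UDP, IPPROTO_TCP):
            p = off + inner["hlen"]
            inner["sport"], inner["dport"] = struct.unpack("!HH", pkt[p:p + 4])
        report["inner"] = inner
    # Decision: GRE is legitimate only from known tunnel peers. Anything else is
    # unsolicited; the decision keys on the OUTER source, never the inner one.
    if outer["src"] in TRUSTED_TUNNEL_PEERS:
        report["verdict"] = "allow-tunnel"
    else:
        report["verdict"] = "drop-unsolicited-gre"
    return report

def acl_decision(pkt):
    """ACL-style rule: the report's 'block protocol 47' suggestion, narrowed so the
    defender's own mitigation tunnels keep working."""
    return analyze_packet(pkt)["verdict"]

if __name__ == "__main__":
    pkt = build_gre_flood_packet("198.51.100.7", "203.0.113.10",
                                 "10.20.30.40", "172.16.5.6", 40123, 53)
    r = analyze_packet(pkt)
    print(f"outer {r['outer']['src']} -> {r['outer']['dst']} proto {r['outer']['proto']}")
    print(f"inner {r['inner']['src']}:{r['inner']['sport']} -> "
          f"{r['inner']['dst']}:{r['inner']['dport']} (spoofable)")
    print("verdict:", r["verdict"])
```

The point of keeping the two headers apart in the report is that any blocking, rate limiting or source statistics must use the outer header, since the inner one is whatever the attacker chose. A blanket ACL on protocol 47 is simple, but it also breaks the BGP-plus-GRE mitigation tunnels described in section IV.1, so the rule here permits the known tunnel endpoints and drops the rest.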
VII. Closing remarks
In Q2 2017, DDoS attacks were exploited as a tool to demand money from the financial
sector. DDoS attacks have become a means for such crimes because they are easily
accessible to criminals and there are limits to responding to such attacks individually,
even when victims are well prepared. In the end, the defender is at a disadvantage in
this fight: the attacker briefly consumes resources for an attack, whereas the defender
must maintain enough infrastructure to cope with sporadic and instantaneous attacks.
Being in this vulnerable position, the defending side has to think hard about how to win
this fight.
The solution is not far out of reach. Introducing a cloud DDoS defense service will help
immensely. The user saves costs because they do not have to independently maintain a
large-scale infrastructure, and the head of enterprise IT can be relieved of the
operational burden because defense experts provide 24x7 support. In addition, the user
benefits from the know-how about defending against attacks accumulated from other
companies. Cloud infrastructure is an absolute must for the DDoS defense system of each
individual enterprise.
CDNetworks provides a cloud security service that blocks DDoS, automated bot access and
web vulnerability attacks using multi-stage protection functions with a CDN-based cloud
web firewall optimized for DDoS prevention. CDNetworks provides its DDoS defense service
to various enterprises, with its specialized experts handling more than 500 malicious
incidents a year.
About CDNetworks
CDNetworks is a global content delivery network (CDN) with a fully integrated cloud solution, offering unparalleled speed, security and reliability for the almost instant delivery of web content. Optimised for any device, browser and network, we ensure all users have a fast and safe web experience - whether you’re serving B2B or B2C customers, mobile employees or remote offices.
CDNetworks accelerates and secures websites and web applications over our strategically built network of global PoPs in both established and emerging markets. We specialise in those parts of the world where keeping a website accessible is most difficult: Mainland China, Russia, South East Asia and the Middle East.
No matter where you are and which device is being used, our in-country experts can advise you on licensing requirements and regulations to deliver the best web experience to your users.
Since 2000, we have been providing our customers with exceptional customer services and support, thanks to our team of dedicated tech engineers located across the globe. Businesses with an international web presence trust CDNetworks to protect their websites, web applications and cloud services.
CDNetworks has offices located in the UK, France, Germany, US, South Korea, China, Japan, and Singapore.
https://www.cdnetworks.com
Copyright notice
CopyrightⓒCDNetworks. All rights reserved.
CDNetworks retains the copyright of this document, and no portion of this document may be quoted or
distributed without prior consent. All information contained in this document is subject to change without
notice.
Global Offices
US 1919 S. Bascom Avenue, Ste. 600, Campbell, CA 95008-2220 +1 408 228 3700
EMEA 85 Gresham Street, London EC2V 7NQ, UK +44 203 657 2727
Korea 2F, 37, Teheran-ro 8-gil, Gangnam-Gu, Seoul (06239) +82 2 3441 0400
Japan Nittochi Nishi-shinjuku Building, 8th Floor, 6-10-1Nishishinjuku, Shinjuku-ku, Tokyo 160-0023 +81 3 5909 3373
China 1502 Tower A, High-Tech Bldg. 900 Yishan Rd, Xuhui District, Shanghai +86 21 5423 4802-102
Singapore Winsland House I, 3 Killiney Rd, #04-05, Singapore 239519 +65 6908 1198