F5 Labs continually tracks DDoS trends based on data from various sources. Among the most important are the F5 Security Operations Center (SOC), the front line for mitigating DDoS attacks on behalf of F5 Silverline customers, and F5’s Security Incident Response Team (SIRT), which assists F5 customers who are under attack. This article is a continuation of our previous DDoS trend article and is based on attack data from April through June 2018 from both sources.
Here are the 2018 Q2 DDoS trends we are seeing:
- Asia-Pacific (APAC) was the most attacked region in Q2 for the first time ever, surpassing North America, which had been the top attacked region since the inception of DDoS attacks.
- Q2 was absent any excessively high volumetric attacks, yet the primary business verticals attacked were hosting and co-location service providers (typically large volumetric attacks are needed to impact these providers).
- UDP fragment attacks were the number one attack type in Q2 (as they were in Q1).
- Application-targeted DDoS attacks that don’t require high rates to impact service are holding at around 2% of the total attacks received by the SOC. However, application-targeted DDoS attacks made up 30% of all F5 SIRT cases requesting assistance with DDoS attacks. So, even though the percentages might seem small, customers are clearly challenged with mitigating application-targeted DDoS attacks, and this problem will only increase as businesses move towards virtualized, application-centric services.
Introduction
Analysts estimate there are over 8 billion IoT devices currently deployed around the world and growing to 30 billion by 2020. These additional 22 billion devices will likely be vulnerable to the same kinds of attacks that are infecting IoT devices today. Most devices are attacked because they have weak access control measures, for example, they’re accessible from anywhere on the Internet, are “protected” by vendor default credentials, and allow for brute force attacks.
The global attack surface is rising exponentially with the growth in IoT, and these “things” are now the cyber weapon of choice for attackers because they are easy to compromise, they are plentiful, and they often reside in unmanaged networks where there is little chance of malware detection and remediation. Attackers know this and are building botnets at an alarming rate out of things like IP cameras, SOHO routers, DVRs, and CCTV. Seventy-four percent of thingbots we know about today were discovered just in the last two years. That list includes Mirai, the most infamous DDoS botnet, which was forked into at least 10 other Mirai spin-off botnets that also have DDoS capabilities; Reaper, which has the capability of launching a 12 Tbps attack; and JenX, which offers 300 Gbps attacks for a mere $20. The average weekly allowance of a child in the US is $17.[1] That means a child in the US could afford to take almost any business offline with a DDoS attack (excluding service providers and major banks, which have the capacity to withstand a 300 Gbps attack).
Speaking of children, in June, ProtonMail was under attack by a “youth” group that goes by the name of Apophis Squad. The group of young adults claimed they learned from YouTube videos how to build the botnet they used for the attack.
After days of enduring a steady barrage of attacks, ProtonMail came to F5 Silverline for DDoS protection assistance. After F5 Silverline mitigated the ongoing attacks, another, more sophisticated threat actor that goes by the name of NullingOVH stepped in and began launching well-crafted, application-targeted attacks that took down ProtonMail. Application-targeted attacks don’t need to be high rate to cause an impact. A lot of organizations are struggling to mitigate application-targeted DDoS attacks because they require both DDoS and application expertise to mitigate.
This story highlights the severity of the state we are in globally. Unsophisticated attackers can learn from YouTube videos how to create botnets and launch attacks that interrupt service. And they don’t have to be large, volumetric attacks; they can be small, multi-vector attacks that cause sustained application performance impact. (It’s also worth mentioning that the ProtonMail attacks played out on Twitter for every script kiddie hacktivist and criminal to see and learn from. This part is perhaps the most concerning of all, given we know they learn from each other and adapt faster than defenders do!) According to respondents we surveyed for the F5 Labs 2018 Application Protection Report, a “service-interrupting DDoS attack” will cost 76% of respondents between $500,000 and $50 million.
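As an added illustration (not part of the F5 Labs article) of why low-rate, application-targeted attacks slip past the request-rate thresholds that catch volumetric floods: a constructed access log is run through two detectors, one keyed on requests per second and one keyed on the share of server processing time each client consumes. The log format, paths, client addresses and thresholds are all assumptions made for the example.

```python
"""Added example, not from the F5 Labs article: a pure request-rate
threshold misses a low-rate application-targeted DDoS, while weighting each
request by the server time it consumes exposes it. Log format, paths and
thresholds are constructed for illustration."""
import re
from collections import defaultdict

# Constructed access-log lines: client, method, path, status, server time (ms).
# 10.0.0.5 sends only three requests, but each one hits an expensive search
# endpoint; the other clients browse cheap static content.
SAMPLE_LOG = """\
10.0.0.5 GET /search?q=quarterly+report 200 4800
198.51.100.7 GET / 200 12
198.51.100.7 GET /static/app.js 200 3
10.0.0.5 GET /search?q=annual+report 200 5100
203.0.113.9 GET / 200 15
203.0.113.9 GET /static/app.css 200 2
203.0.113.9 GET /static/app.js 200 3
10.0.0.5 GET /search?q=quarterly+report 200 4900
198.51.100.7 GET /inbox 200 40
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse(log):
    """Return (client, path, server_ms) tuples; malformed lines are skipped."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(3), int(m.group(5))))
    return rows


def flag_by_rate(rows, window_s=10, max_rps=1.0):
    """Volumetric view: clients exceeding a requests-per-second threshold."""
    counts = defaultdict(int)
    for src, _path, _ms in rows:
        counts[src] += 1
    return sorted(s for s, n in counts.items() if n / window_s > max_rps)


def flag_by_cost(rows, max_share=0.5):
    """Application view: clients consuming more than max_share of total server time."""
    busy = defaultdict(int)
    for src, _path, ms in rows:
        busy[src] += ms
    total = sum(busy.values()) or 1
    return sorted(s for s, ms in busy.items() if ms / total > max_share)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("rate-based flags:", flag_by_rate(rows))   # []
    print("cost-based flags:", flag_by_cost(rows))   # ['10.0.0.5']
```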
DDoS Attacks by Region
In Q2, total attacks declined, and that trend played out in each region as well. APAC was the most targeted region in Q2, surpassing North America for the first time ever. This trend began for F5 Silverline in late Q1 and stayed consistent throughout Q2. Other DDoS mitigation vendors have reported similar spikes in APAC as well.[2]
Following APAC was North America, which received the lowest number of attacks in a quarter over the past two and a half years. In Q1, we speculated that DDoS attack targets would start leveling out globally versus North America always receiving the lion’s share, and we are starting to see that now.