It’s no surprise to anyone who’s following trends in the DDoS industry that 2017 was absent a major world record-setting DDoS event. The DDoS industry, fresh off the Tbps DDoS attacks launched against OVH and DynDNS by the Mirai thingbot in late 2016, was bracing itself for new record-setting attacks in 2017, but they never happened. That by no means implied that attackers were finished launching massive volumetric attacks, they simply weren’t firing the enormous cyber weapons at their disposal—at the full capacity with which they could attack—until now.
Mirai is still actively attacking and retains the Tbps capabilities it displayed in 2016, which is why we disclosed its C2s in December, and the top 50 attacking IPs (theoretically infected IoT devices), in our latest Hunt for IoT report. In January, the “JenX” DDoS-for-hire thingbot1 was discovered. It offers 300 Gbps DDoS attacks for a mere $20, enabling anyone with a petty grudge to knock their target offline. In March, a new world record was set when Github was the recipient of a 1.35 Tbps DDoS attack launched from insecure memcached systems. F5 Silverline Security Operations Center (SOC) is reporting a sizable outbreak of DDoS in 2018. So far, the SOC has fended off an onslaught of high-rate volumetric attacks between 100 and 300 Gbps. Volumetric attacks are slamming back in full force.
This article covers the trends in attacks from 2016 through Q1 2018 and highlights the high-rate, multi-vector volumetric attacks we have seen over the past few weeks.
Businesses in Europe, the Middle East, and Asia Pacific are now being targeted at the same rate as North American businesses.
Volumetric DDoS attacks, specifically UDP floods, maintained their number one attack type for the past two years, however UDP fragmented attacks were the number one attack type for Q1 2018.
Financial organizations and hosting companies continue to be the top targeted industries; however, the gap is closing between them and other industries with the rise of cheap DDoS-for-hire services that make it easy to target any type of business.
The F5 SOC began mitigating application- (versus network-) targeted DDoS attacks in Q3 2016. DDoS attacks that directly target applications are expected to be a rising attack vector as business make the move towards virtualized, application-centric services.
After a 2017 hiatus, high- rate volumetric attacks were back in Q1 2018. In March 2018, the F5 SOC mitigated a 325 Gbps multi-vector attack, most of which was sourced from systems inside the U.S.
Global Attack Growth
The number of attacks mitigated globally by F5 from 2016 to 2017 increased by 26%. Q1 historically receives the lowest number of attacks. Based on the Q1 2018 attack count, the number of DDoS attacks will exceed 33% growth in 2018.
Taking Q1 2018 into account, the amount of DDoS attacks against targets in the Asia Pacific (APAC) region are increasing faster than any other region of the world. North America (N-AMER), Europe, the Middle East and North Africa (EMEA) have been steadily increasing year over year but did not see the same Q1 2018 growth as APAC.
North American targets have received the majority of DDoS attacks since their inception. This trend changed in 2017 when DDoS attacks targeting North America dropped below 50%, while EMEA-targeted DDoS attacks rose above a third, and APAC grew from 8% in 2016 to 17% in 2017. In Q1 2018, businesses in APAC received almost as many attacks as businesses in North America.
One thing to consider about the Q1 2018 data is that it’s only one quarter in comparison to the annual averages of 2016 and 2017, and that Q1 typically receives the least number of attacks of any quarter. If attacks against North America decline in Q2, as they have done the past 2 years, the trend of North America declining in overall percentage of attacks received will continue to drop. Attacks against EMEA entities increased in Q2 in 2016 and 2017, indicating there is a good chance EMEA’s percentage of the total will continue to rise, potentially surpassing North American targets for the first time.
Attacks by Target Industry
Web hosting providers and financial organizations have always been top DDoS attack targets, and that trend continued in 2017. Why? Because those two industries directly translate downtime into dollars lost. Therefore, blackmail DDoS attacks are a very lucrative attack type as paying the ransom is an effective way to stop the pain.
The gap between the traditional top targets and other various industries including technology providers, ISP’s, online gaming, and business service providers is steadily closing. Every year we continue to see a broader scope of DDoS targets with the growth in DDoS-for-hire services at extremely affordable rates, and availability of DDoS tools to the common script kiddie.
Online Gaming businesses were the top DDoS target in Q1 2018, followed by financial services and hosting providers. Collectively those industries received 76% of the DDoS attacks in Q1 2018.
Seasonality of DDoS Attacks
When looking at the number of attacks received by month over the past two years, DDoS is a year-round sport for attackers. September through December is typically the peak DDoS season, however in 2017, we saw a rise in attacks from February through May.
DDoS Attacks by Type
UDP floods, a volumetric attack, was the most common DDoS attack type in 2016 (see Figure 8) and 2017 (see Figure 9). The second most popular attack type in 2016 (see Figure 8) was DNS Reflection attacks, but that attack type fell to the #4 position in 2017 (Figure 9). SYN floods, another volumetric attack, was in the #3 position in both 2016 and 2017.
NTP reflection jumped into the #2 attack type position in 2017 up from the fifth position in 2016.
UDP floods remain a popular DDoS attack type but have been on the decline for the past two years. They are down to 19% of the total attacks in Q1 2018 compared to 25% in 2017 and 50% in 2016. The new top attack type is UDP fragmented attacks. This attack type is becoming increasingly popular with DDoS attackers that use multiple vectors in their attacks to “fill up the pipe” by maximizing the packets and fragments being sent through it. The other attack types maintaining consistency are DNS Reflection, SYN Flood and NTP reflection. ICMP floods and SSDP reflection attacks have declined by over 50% each.
When breaking down the DDoS attacks into volumetric, reflection, or application attack categories, volumetric attacks have always been the majority of DDoS attacks types regardless, of how “voluminous” they were. Applications, as opposed to the traditional network, are the rising DDoS attack vector. Application attacks are more precise and require traffic scrubbing, versus the typical blocking of unwanted port traffic at the network layer. As the Internet moves towards a virtualized application environment, we expect DDoS attacks targeting applications to take a larger slice of the pie in the future.
Peak Attack Volumes by Month
2017 was not an impressive year in terms of DDoS attack size, but it’s important to keep in context that the largest circuit available to the majority of businesses across North America, EMEA and APAC is 10 Gbps. With the exception of February 2017, the peak attacks mitigated in 2017 and 2018 would saturate the circuit and take down the services of most businesses in the world (with the exception of ISPs and DDoS scrubbing stations).
F5 has already mitigated multiple attacks greater than 250 Gbps in 2018. The large volumetric attacks referenced in Figure 13 below consisted of multiple vectors designed to cause the most damage possible to their targets. The attack initially consisted of CLDAP reflection traffic and DNS reflection, followed by UDP fragments as an additional vector. When UDP fragments was added, the attack reached 325 Gbps.
The interesting thing about these attacks is that it was clear the attackers had done their homework. They knew the prefixes they were targeting as they targeted multiple hosts in the same /24 subnet simultaneously, while constantly changing the target hosts. As mitigations were applied, the attackers continued to target other prefixes. In total, 3 different /24 subnets were targeted.
These attacks continued for many days with the same attack pattern and vectors used, including:
The top 10 source traffic countries remained the same throughout all attacks, which could indicate that the attacks were launched from the same systems over the four-day period. This type of attack behavior is consistent with IoT devices in which compromises and subsequent attacks go undetected or, in less likely scenarios, compromised systems owned by businesses (that don’t know they have been compromised) and are being used to launch attacks.
The largest source of the attacks came from the US, which is not typical. This is an indicator of a significant number of vulnerable systems (potentially compromised memcached systems or IoT devices) in the US being targeted to launch DDoS attacks from.
With the rise in IoT devices, cloud computing and online databases, more vulnerable systems are becoming available to attackers to launch devastating DDoS attacks than ever before. Yet the controls required to secure these systems from easy exploit before they become weapons that attack business are the same basic security controls that have been best practices for decades.
Don’t expose remote administration to the entire Internet, especially not IoT devices or online databases.
Protect your systems with secure access protocols, complex administration credentials (or SSH keys whenever you can), and don’t allow brute force attacks.
Patch on a regular basis all systems that touch the Internet, and immediately upon discovery of a remote code execution vulnerability or design flaw that can allow for remote exploits.
When defending against modern cyber threats, no business is immune to damaging DDoS attacks. If you cannot afford downtime, get a DDoS strategy in place now so you don’t have to scramble to put one in place while you’re under attack.
Join the Discussion
To comment, first sign in and opt in to Disqus.
Sara Boddy was a Senior Director overseeing F5 Labs and Communities. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years; prior to Demand Media, she held various roles in the information security community over 11 years at Network Computing Architects and Conjungi Networks.
Justin Shattuck was a Principal Threat Researcher for F5 Labs. He has been an avid threat hunter for most of his life and continually tracks attack campaigns and threat actors. He routinely participates in takedowns and helps to inform various law enforcement agencies of nefarious cyber activity. Justin has been a security product developer and researcher for over 15 years. Most recently he was the Manager of Product Development for F5 Silverline where he was responsible for developing features and enhancements to F5 Silverline's managed security services including Web Application Firewall and DDoS attack mitigation.
Global Security Operations and Threat Intelligence Manager, F5
Ilan Meller is the Global Security Operations and Threat Intelligence Manager at F5. He manages the F5 Silverline & Anti-Fraud teams worldwide, protecting F5 customers from banking malware, phishing, DDoS, and web application attacks. Ilan led the opening of multiple F5 Security Operations Center (SOC) locations, establishing a global team that delivers layer 3-7 security services to F5 customers. Prior to F5, Ilan was the first SOC Analyst at Versafe, Ltd. (acquired by F5 in 2013) where he helped scale the business and improve security and operational processes. He also successfully signed up 11 new partners worldwide and built the company's inside sales department.