It’s no surprise to anyone who’s following trends in the DDoS industry that 2017 was absent a major world record-setting DDoS event. The DDoS industry, fresh off the Tbps DDoS attacks launched against OVH and DynDNS by the Mirai thingbot in late 2016, was bracing itself for new record-setting attacks in 2017, but they never happened. That by no means implied that attackers were finished launching massive volumetric attacks, they simply weren’t firing the enormous cyber weapons at their disposal—at the full capacity with which they could attack—until now.
Mirai is still actively attacking and retains the Tbps capabilities it displayed in 2016, which is why we disclosed its C2s in December, and the top 50 attacking IPs (theoretically infected IoT devices), in our latest Hunt for IoT report. In January, the “JenX” DDoS-for-hire thingbot1 was discovered. It offers 300 Gbps DDoS attacks for a mere $20, enabling anyone with a petty grudge to knock their target offline. In March, a new world record was set when Github was the recipient of a 1.35 Tbps DDoS attack launched from insecure memcached systems. F5 Silverline Security Operations Center (SOC) is reporting a sizable outbreak of DDoS in 2018. So far, the SOC has fended off an onslaught of high-rate volumetric attacks between 100 and 300 Gbps. Volumetric attacks are slamming back in full force.
This article covers the trends in attacks from 2016 through Q1 2018 and highlights the high-rate, multi-vector volumetric attacks we have seen over the past few weeks.
- Businesses in Europe, the Middle East, and Asia Pacific are now being targeted at the same rate as North American businesses.
- Volumetric DDoS attacks, specifically UDP floods, maintained their number one attack type for the past two years, however UDP fragmented attacks were the number one attack type for Q1 2018.
- Financial organizations and hosting companies continue to be the top targeted industries; however, the gap is closing between them and other industries with the rise of cheap DDoS-for-hire services that make it easy to target any type of business.
- The F5 SOC began mitigating application- (versus network-) targeted DDoS attacks in Q3 2016. DDoS attacks that directly target applications are expected to be a rising attack vector as business make the move towards virtualized, application-centric services.
- After a 2017 hiatus, high- rate volumetric attacks were back in Q1 2018. In March 2018, the F5 SOC mitigated a 325 Gbps multi-vector attack, most of which was sourced from systems inside the U.S.
Global Attack Growth
The number of attacks mitigated globally by F5 from 2016 to 2017 increased by 26%. Q1 historically receives the lowest number of attacks. Based on the Q1 2018 attack count, the number of DDoS attacks will exceed 33% growth in 2018.
Figure 1: Annual attack growth
Taking Q1 2018 into account, the amount of DDoS attacks against targets in the Asia Pacific (APAC) region are increasing faster than any other region of the world. North America (N-AMER), Europe, the Middle East and North Africa (EMEA) have been steadily increasing year over year but did not see the same Q1 2018 growth as APAC.
Figure 2: Attack Count Trendline by Region
North American targets have received the majority of DDoS attacks since their inception. This trend changed in 2017 when DDoS attacks targeting North America dropped below 50%, while EMEA-targeted DDoS attacks rose above a third, and APAC grew from 8% in 2016 to 17% in 2017. In Q1 2018, businesses in APAC received almost as many attacks as businesses in North America.
Figure 3: Percentage of DDoS attacks received by region, 2016 - Q1 2018
One thing to consider about the Q1 2018 data is that it’s only one quarter in comparison to the annual averages of 2016 and 2017, and that Q1 typically receives the least number of attacks of any quarter. If attacks against North America decline in Q2, as they have done the past 2 years, the trend of North America declining in overall percentage of attacks received will continue to drop. Attacks against EMEA entities increased in Q2 in 2016 and 2017, indicating there is a good chance EMEA’s percentage of the total will continue to rise, potentially surpassing North American targets for the first time.
Attacks by Target Industry
Web hosting providers and financial organizations have always been top DDoS attack targets, and that trend continued in 2017. Why? Because those two industries directly translate downtime into dollars lost. Therefore, blackmail DDoS attacks are a very lucrative attack type as paying the ransom is an effective way to stop the pain.
The gap between the traditional top targets and other various industries including technology providers, ISP’s, online gaming, and business service providers is steadily closing. Every year we continue to see a broader scope of DDoS targets with the growth in DDoS-for-hire services at extremely affordable rates, and availability of DDoS tools to the common script kiddie.
Figure 4: 2017 DDoS attacks by target industry
Online Gaming businesses were the top DDoS target in Q1 2018, followed by financial services and hosting providers. Collectively those industries received 76% of the DDoS attacks in Q1 2018.
Figure 5: Q1 2018 DDoS attacks by target industry
Seasonality of DDoS Attacks
When looking at the number of attacks received by month over the past two years, DDoS is a year-round sport for attackers. September through December is typically the peak DDoS season, however in 2017, we saw a rise in attacks from February through May.
Figure 6: Pattern of DDoS attacks received globally by month (2016 vs 2017)
DDoS Attacks by Type
UDP floods, a volumetric attack, was the most common DDoS attack type in 2016 (see Figure 8) and 2017 (see Figure 9). The second most popular attack type in 2016 (see Figure 8) was DNS Reflection attacks, but that attack type fell to the #4 position in 2017 (Figure 9). SYN floods, another volumetric attack, was in the #3 position in both 2016 and 2017.
Figure 7: DDoS attacks by type by quarter, 2016
NTP reflection jumped into the #2 attack type position in 2017 up from the fifth position in 2016.
Figure 8: DDoS attacks by type by quarter, 2017
UDP floods remain a popular DDoS attack type but have been on the decline for the past two years. They are down to 19% of the total attacks in Q1 2018 compared to 25% in 2017 and 50% in 2016. The new top attack type is UDP fragmented attacks. This attack type is becoming increasingly popular with DDoS attackers that use multiple vectors in their attacks to “fill up the pipe” by maximizing the packets and fragments being sent through it. The other attack types maintaining consistency are DNS Reflection, SYN Flood and NTP reflection. ICMP floods and SSDP reflection attacks have declined by over 50% each.
Figure 9: DDoS attacks by type by quarter, 2018
When breaking down the DDoS attacks into volumetric, reflection, or application attack categories, volumetric attacks have always been the majority of DDoS attacks types regardless, of how “voluminous” they were. Applications, as opposed to the traditional network, are the rising DDoS attack vector. Application attacks are more precise and require traffic scrubbing, versus the typical blocking of unwanted port traffic at the network layer. As the Internet moves towards a virtualized application environment, we expect DDoS attacks targeting applications to take a larger slice of the pie in the future.
Figure 10: DDoS attacks by category, 2016, 2017, Q1 2018
Peak Attack Volumes by Month
2017 was not an impressive year in terms of DDoS attack size, but it’s important to keep in context that the largest circuit available to the majority of businesses across North America, EMEA and APAC is 10 Gbps. With the exception of February 2017, the peak attacks mitigated in 2017 and 2018 would saturate the circuit and take down the services of most businesses in the world (with the exception of ISPs and DDoS scrubbing stations).
Figure 11: Peak attack sizes per month, in Gbps (2017 - Q1 2018)
F5 has already mitigated multiple attacks greater than 250 Gbps in 2018. The large volumetric attacks referenced in Figure 13 below consisted of multiple vectors designed to cause the most damage possible to their targets. The attack initially consisted of CLDAP reflection traffic and DNS reflection, followed by UDP fragments as an additional vector. When UDP fragments was added, the attack reached 325 Gbps.
Figure 12: Peak attack size in Gbps by day, March 2018
The interesting thing about these attacks is that it was clear the attackers had done their homework. They knew the prefixes they were targeting as they targeted multiple hosts in the same /24 subnet simultaneously, while constantly changing the target hosts. As mitigations were applied, the attackers continued to target other prefixes. In total, 3 different /24 subnets were targeted.
These attacks continued for many days with the same attack pattern and vectors used, including:
- CLDAP reflection
- NTP reflection
- DNS reflection
- SNMP reflection
- UDP fragments
- SYN flood
The top 10 source traffic countries remained the same throughout all attacks, which could indicate that the attacks were launched from the same systems over the four-day period. This type of attack behavior is consistent with IoT devices in which compromises and subsequent attacks go undetected or, in less likely scenarios, compromised systems owned by businesses (that don’t know they have been compromised) and are being used to launch attacks.
The largest source of the attacks came from the US, which is not typical. This is an indicator of a significant number of vulnerable systems (potentially compromised memcached systems or IoT devices) in the US being targeted to launch DDoS attacks from.
Figure 13: Top 10 source traffic countries in March 2018 attacks
With the rise in IoT devices, cloud computing and online databases, more vulnerable systems are becoming available to attackers to launch devastating DDoS attacks than ever before. Yet the controls required to secure these systems from easy exploit before they become weapons that attack business are the same basic security controls that have been best practices for decades.
- Don’t expose remote administration to the entire Internet, especially not IoT devices or online databases.
- Protect your systems with secure access protocols, complex administration credentials (or SSH keys whenever you can), and don’t allow brute force attacks.
- Patch on a regular basis all systems that touch the Internet, and immediately upon discovery of a remote code execution vulnerability or design flaw that can allow for remote exploits.
When defending against modern cyber threats, no business is immune to damaging DDoS attacks. If you cannot afford downtime, get a DDoS strategy in place now so you don’t have to scramble to put one in place while you’re under attack.