2013 NSFOCUS Mid-Year DDoS Threat Report


7/27/2019 2013 NSFOCUS Mid-Year DDoS Threat Report

NSFOCUS Mid-Year DDoS Threat Report

2013

NSFOCUS Mid-Year DDoS Threat Report 2013

Abstract

For years, NSFOCUS has dedicated itself to assuring the secure and smooth operation of its customers' businesses. Every day, NSFOCUS prevention products and monitoring systems detect and mitigate thousands of distributed denial-of-service (DDoS) attacks that could potentially harm customers' security. This report has been compiled by the NSFOCUS Cloud Response Center to inform the broader IT industry about observations and trends regarding DDoS attacks.

DDoS attacks were frequently in the spotlight during the first half of 2013. The hacker collective Izz ad-Din al-Qassam Cyber Fighters continued to challenge the U.S. by disrupting the online services of some top American banks. The anti-spam organization Spamhaus suffered an astonishing DDoS attack of 300 Gbps that was described as the biggest cyber attack in history. Faced with such a massive flood, it is easy to understand that no defense system is absolutely impregnable.

Though it is often large enterprises and organizations that make the headlines, small to medium enterprises and businesses (SMEs and SMBs) were plagued by DDoS threats as well. In the first half of 2013, more than 90 percent of DDoS attacks lasted less than half an hour, more than 80 percent of the traffic recorded was less than 50 Mbps, and about two-thirds of the victims suffered more than one attack. The repeated launching of low-and-slow DDoS attacks may be driven by the growth of low-cost DDoS-for-hire services.

This report depicts the overview, targets and methods of DDoS threats during the first half of 2013. The statistics in this report are sourced from 90 major news reports and 168,459 attacks monitored by NSFOCUS. All of the data collected through our active monitoring efforts has been anonymized to protect our customers' information.


Contents

Overview of DDoS Attacks
  Finding 1: DDoS attack frequency - One major DDoS news event happened every two days and one common DDoS attack happened every two minutes.
  Finding 2: DDoS motives - Hacktivism tops the list.
Targets of DDoS Attacks
  Event 1: Operation Ababil
  Finding 3: DDoS victims - Most likely targets were banks, governments and enterprises.
  Finding 4: More than 68 percent of victims suffered multiple attacks.
DDoS Attack Methods
  Event 2: The biggest DDoS attack in history
  Finding 5: TCP Flood and HTTP Flood remain the most popular attack methods.
  Finding 6: Most DDoS attacks are short.
  Finding 7: Most attacks are not very big.
  Finding 8: Hybrid attacks became prevalent.
Conclusions
Contacts


Figures

Figure 1 Major DDoS News Events
Figure 2 DDoS Attacks Monitored by NSFOCUS
Figure 3 Causes for Major DDoS Attacks
Figure 4 Timeline of 2013 Operation Ababil
Figure 5 Targets of Major DDoS Attacks
Figure 6 Frequency of DDoS Attacks
Figure 7 DNS Reflection Attack
Figure 8 DDoS Attack Methods
Figure 9 Durations of DDoS Attacks
Figure 10 Distribution of DDoS Attack Traffic (bps)
Figure 11 Distribution of the DDoS Packet Rate (pps)
Figure 12 Hybrid DDoS Attacks


Overview of DDoS attacks

The first half of 2013 witnessed frequent DDoS events and attacks. A major DDoS event broke out every two days on average, and NSFOCUS detected one DDoS attack every two minutes from its monitoring networks. The frequency of DDoS attacks monitored by NSFOCUS and of major DDoS events reported by the media peaked during April and May, respectively. Hacktivism was the primary motive for major DDoS events, followed by business crimes and cyber war between competing countries. Based on the 168,459 attacks that NSFOCUS monitored, 91.3 percent of the attack targets were located in China, followed by the U.S. at 5.8 percent, Hong Kong at 1 percent, Korea at 0.5 percent, the Philippines at 0.2 percent and Germany at 0.1 percent.

Finding 1: DDoS attack frequency - One major DDoS news event happened every two days, and one common DDoS attack happened every two minutes.

NSFOCUS traced 90 major DDoS events reported by the news media, an average of one major event every two days. Meanwhile, NSFOCUS monitored a total of 168,459 DDoS attacks, with 1.29 occurring every two minutes on average. Major DDoS events reported by the media (Figure 1) and attacks detected by NSFOCUS (Figure 2) peaked in May and April, respectively.


Figure 1 Major DDoS News Events

    Month    Jan   Feb   Mar   Apr   May   Jun
    Events    11     3    19    20    30     7

Figure 2 DDoS Attacks Monitored by NSFOCUS

    Month     Jan     Feb     Mar     Apr     May     Jun
    Attacks   19,812  29,962  33,807  36,266  25,016  23,596

Finding 2: DDoS motives - Hacktivism tops the list.

Among the 90 major DDoS events reported by the media and traced by NSFOCUS, hacktivism was the primary motivator, followed by business crime, which mostly involved profit-driven competition or extortion (such as competition in the online gaming industry), and cyber war between countries.

Figure 3 Causes for Major DDoS Attacks

    Hacktivism       91.1%
    Business Crime    4.4%
    Cyber War         2.2%
    Other             2.2%

Targets of DDoS Attacks

DDoS attacks became a hot topic in the security sector during the first half of 2013, due mainly to Izz ad-Din al-Qassam Cyber Fighters' Operation Ababil activity, in which the U.S. banking industry became a major target, along with some government departments and enterprises. Among the common DDoS attacks monitored by NSFOCUS, two-thirds of the victims were attacked more than once.

Event 1: Operation Ababil

The Operation Ababil campaign, launched by Izz ad-Din al-Qassam Cyber Fighters (Cyber Fighters), has gone through three phases between September 2012 and June 2013, with a fourth phase initiated in July 2013. In July 2012, a trailer for a movie about the Islamic prophet Mohammed, produced and directed by American Sam Bacile, was posted on YouTube, sparking strong objections and protests in the Muslim world. On September 18, 2012, Cyber Fighters announced on Pastebin that it would attack U.S. banks and the New York Stock Exchange with a series of DDoS attacks in retaliation for the video, declaring the attacks would persist until the movie was removed from the website. Operation Ababil was named after a story in the Koran, in which Allah dispatches a group of swallows to knock out a group of elephants sent by the king of Yemen to attack Mecca.

The first phase started on September 18, 2012 and lasted for five weeks, with the second starting on December 10, 2012 and lasting for seven weeks. The third phase continued for nine weeks from March 5, 2013 to May 6, 2013. The fourth phase began July 23, 2013.

This campaign has affected the online banking services of major American financial institutions, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC Financial Services Group, Capital One, Fifth Third Bank, BB&T, and HSBC. These DDoS attacks had severe impacts on business continuity and the availability of the banks' websites, and they have brought incalculable losses to these banks' reputations. The U.S. government had several departments working on the investigation of this event, including the Department of Homeland Security (DHS), the Federal Bureau of Investigation (FBI) and financial regulators.

Figure 4 Timeline of 2013 Operation Ababil

Finding 3: DDoS victims - Most likely targets were banks, governments and enterprises.

Of the 90 major DDoS attacks that occurred worldwide in the first half of 2013, 39 (43 percent) targeted banks, mainly as a result of the Operation Ababil campaign. Governments and enterprises were targeted in 26 (29 percent) and 19 (21 percent) major DDoS events, respectively. Non-profit organizations (NPOs) and Internet service providers (ISPs) also fell victim to these attacks.

Figure 5 Targets of Major DDoS Attacks

    Bank          43%
    Government    29%
    Enterprise    21%
    NPO            5%
    ISP            1%
    Other          1%

Finding 4: More than 68 percent of victims suffered multiple attacks.

The first half of 2013 saw a rise in repeated attacks against the same target, with more than two-thirds of victims being attacked more than once. Our findings show that, so far, 31.3 percent of victims suffered a single DDoS attack in the first half of this year, a decrease from the 50.7 percent observed in 2012, while 6.2 percent suffered more than 10 attacks in the first half of 2013, an increase from 5.2 percent the year prior. The percentage of victims suffering multiple attacks rose from nearly half (49.3 percent) in 2012 to more than two-thirds (68.7 percent) in the first half of 2013. NSFOCUS expects the trend of cyber criminals attacking the same target multiple times to continue to grow over the second half of 2013. We postulate two factors contributing to this trend:

A: Cost. DDoS-for-hire (botnet rental) has been growing over the past couple of years, making repetitive attacks over short periods more effective and less expensive.

B: Willingness to pay ransom. After the media reported that some affected websites lacking defense capabilities had reluctantly paid ransoms, such sites became priority targets for other cyber criminals.

Figure 6 Frequency of DDoS Attacks

    Attacks per victim    1       2-10    11-20   20+
    Share of victims      31.3%   62.5%   4.4%    1.8%

DDoS Attack Methods

In the first half of the year, the methods adopted by DDoS attackers became very diverse. On one hand, attackers continued to pursue larger attack traffic, such as the 300 Gbps Spamhaus attack in March, considered by experts to be the biggest cyber attack in history. But events such as these are rare, as attackers have widely adopted the application-resource-consumption-based DDoS attack method (e.g., HTTP Flood). Although the latter produces only minor traffic flow and packet rates, it can be just as destructive as a massive flood. This dichotomy shows a level of sophistication: the attackers are scouting their targets and applying the methods best suited to cause disruption. NSFOCUS has also noted hybrid attacks becoming more prevalent, with ICMP+TCP+UDP Flood being the most common combination.

Event 2: The biggest DDoS attack in history

Spamhaus is an anti-spam NGO based in London and Geneva, and it maintains a colossal spam blacklist that is widely used by numerous universities, research institutions, ISPs, militaries and commercial enterprises.

Beginning on March 18, 2013, Spamhaus suffered a DDoS attack in which hackers exploited botnet and DNS reflection technologies. The attack traffic continuously rose from 10 Gbps to an astonishing 300 Gbps on March 27, making it the largest (traffic-wise) DDoS attack aimed at a single target in history.

The attack utilized a DDoS reflection (DNS amplification) method. Even though this style of attack has been around for quite some time, the technique has become more popular and is now the major component of large-scale DDoS attacks aimed at Layer 3. The basic procedure sends DNS name lookup requests containing the extension field OPT RR (pseudo resource record) to massive numbers of open DNS resolvers, with the source address spoofed to be the target's address. After receiving the request, the open DNS servers resolve the query and return the response data to the attack target. Since the request data is much smaller than the response data, the attackers are able to employ this technique to effectively amplify their bandwidth and attack traffic.


Figure 7 DNS Reflection Attack

In this event, the attacker sent resolution requests for the domain name ripe.net to more than 30,000 open DNS servers with the source IP address spoofed to be the IP address of Spamhaus. The response traffic from those DNS servers generated about 300 Gbps in attack traffic. As a DNS request of 36 bytes leads to a response of 3,000 bytes, DNS reflection amplified the data about 100 times. Therefore, the attacker only needs to control a botnet that can produce around 3 Gbps of request traffic to launch a much larger volume (about 300 Gbps) of response attack traffic. In addition to DNS reflection, the attacker also exploited ACK reflection and other techniques in the attack.

On July 25, 2013, the Internet Systems Consortium (ISC) declared that the response rate limiting (RRL) module had been added to the latest version of BIND software to defend against DNS reflection DDoS attacks, claiming it to be the most efficient method to mitigate DNS reflection attacks. NSFOCUS believes that all network administrators should deploy RRL and should closely follow ISC's efforts to continue the enhancement of RRL.
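The reflection mechanics and the RRL mitigation described above, as an added example that is not from the report or from ISC/BIND: a simplified Python model of response rate limiting replayed over constructed traffic (1,000 queries carrying a spoofed victim address plus three genuine queries). The 36-byte request and 3,000-byte response are the report's figures; the addresses, the 48-byte truncated reply, the limit of 5 responses per second and the slip of 2 are assumptions.

```python
"""Simplified model of DNS Response Rate Limiting (RRL), modelled on the BIND
feature the report recommends (constructed example, not BIND's code). Identical
responses are counted per client /24 per second; beyond the limit most are
dropped and every `slip`-th one is sent truncated (TC=1) so a genuine client
can retry over TCP. Sizes are the report's 36-byte request / 3,000-byte reply."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_network

REQUEST_BYTES = 36      # query size quoted in the report
RESPONSE_BYTES = 3000   # amplified response size quoted in the report
TRUNCATED_BYTES = 48    # assumed size of a header-only TC=1 reply (constructed)


@dataclass
class RRL:
    responses_per_second: int = 5   # same meaning as BIND's responses-per-second
    slip: int = 2                   # every 2nd excess response is truncated, not dropped
    prefix_length: int = 24         # BIND groups IPv4 clients by /24 by default
    _counts: dict = field(default_factory=lambda: defaultdict(int))
    _excess: dict = field(default_factory=lambda: defaultdict(int))

    def bucket(self, client_ip, qname, qtype, second):
        """Identical responses to one client block in one second share a bucket."""
        block = ip_network((client_ip, self.prefix_length), strict=False)
        return (str(block), qname.lower(), qtype, second)

    def decide(self, client_ip, qname, qtype, second):
        """Return (action, bytes_sent) for one would-be response."""
        key = self.bucket(client_ip, qname, qtype, second)
        self._counts[key] += 1
        if self._counts[key] <= self.responses_per_second:
            return "answer", RESPONSE_BYTES
        self._excess[key] += 1
        if self.slip and self._excess[key] % self.slip == 0:
            return "truncate", TRUNCATED_BYTES  # tiny reply; a real client retries over TCP
        return "drop", 0


def simulate(queries, rrl=None):
    """Replay (src_ip, qname, qtype, second) queries through an open resolver and
    return (bytes sent toward each source address, tally of actions).
    With rrl=None every query is answered in full, as an unprotected resolver does."""
    sent = defaultdict(int)
    actions = Counter()
    for src, qname, qtype, second in queries:
        if rrl is None:
            action, size = "answer", RESPONSE_BYTES
        else:
            action, size = rrl.decide(src, qname, qtype, second)
        sent[src] += size
        actions[action] += 1
    return dict(sent), dict(actions)


def amplification(bytes_out, query_count):
    """Outbound bytes per byte of inbound query traffic."""
    return bytes_out / (query_count * REQUEST_BYTES)


# Constructed traffic: 1,000 reflected queries in one second carrying the
# victim's spoofed address, plus three genuine queries from another network.
VICTIM = "198.51.100.10"   # stands in for the spoofed target address
LEGIT = "203.0.113.5"      # a genuine client behind a different /24
TRAFFIC = [(VICTIM, "ripe.net", "A", 0) for _ in range(1000)] + \
          [(LEGIT, "ripe.net", "A", 0) for _ in range(3)]

if __name__ == "__main__":
    for label, rrl in (("no RRL", None), ("RRL", RRL())):
        sent, actions = simulate(TRAFFIC, rrl)
        print(f"{label:6} victim gets {sent[VICTIM]:>9,} B "
              f"(x{amplification(sent[VICTIM], 1000):.1f}), "
              f"genuine client gets {sent[LEGIT]:,} B, {actions}")
```

Without RRL the resolver sends the victim 83 bytes for every byte it received; with RRL the same resolver emits roughly one byte per byte, while the genuine client in another /24 is still answered in full.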


Finding 6: Most DDoS attacks are short.

The duration of most DDoS attacks is not very long. The vast majority of DDoS attacks, 93.2 percent, were less than 30 minutes in duration, about the same as what we observed in 2012.

Figure 9 Durations of DDoS Attacks

    Duration   0-30 min   30 min-12 h   12-24 h   24-48 h   48 h+
    Share      93.2%      4.3%          0.9%      0.3%      1.1%

Finding 7: Most attacks are not very big.

Among the DDoS attacks monitored by NSFOCUS, 80.1 percent of the attacks saw the traffic rate reach no higher than 50 Mbps, with only 0.9 percent of attacks recorded above 2 Gbps. Layer 7 attacks, such as HTTP Flood attacks, have become more prevalent in recent years because of their effectiveness with just a small amount of traffic. Thus, we are seeing the trend shift from the volumetric attacks of years past to more cost-effective application layer attacks.

Figure 10 Distribution of DDoS Attack Traffic (bps)

    Traffic rate   1-50 Mbps   50 Mbps-2 Gbps   2 Gbps+
    Share          80.1%       13.0%            0.9%

According to our data, 69.1 percent of attacks were less than 0.2 million packets per second (Mpps). This data correlates with the smaller attack volume illustrated in the previous chart, and further confirms that application layer attacks are widely adopted.

Figure 11 Distribution of the DDoS Packet Rate (pps)

    Packet rate   0-0.2 Mpps   0.2-3.2 Mpps   3.2 Mpps+
    Share         69.1%        30.7%          0.2%


Finding 8: Hybrid attacks became prevalent.

NSFOCUS monitored a total of 6,956 hybrid DDoS attacks, which accounted for 4.1 percent of total attacks. Most of them were analyzed and categorized according to the protocol types they used. Among these hybrid attacks, ICMP+TCP+UDP was identified as the most common combination (50.6 percent). ICMP+TCP+UDP+DNS and ICMP+TCP ranked in second and third place with 18.5 percent and 10.2 percent, respectively.

Figure 12 Hybrid DDoS Attacks

    The combination of Hybrid DDoS Attacks

    ICMP+TCP+UDP          50.6%
    ICMP+TCP+UDP+DNS      18.5%
    ICMP+TCP              10.2%
    TCP Hybrid             9.8%
    Other                 10.8%


Conclusions

According to our statistics, while the number of DDoS attacks may fluctuate on a monthly basis, the overall trend of attack incidents is on the rise year after year. Although cyber war and hacktivism incidents are eye-catching and more widely reported by the media, attacks driven by commercial competition and malicious ransom demands are actually the majority. Profit-driven cybercriminals pay much closer attention to hackernomics, using the least amount of resources to cause the maximum damage or disruption to victims. This is why we should expect application layer attacks to become the most prevalent attacks now and in the future. A typical application layer attack like HTTP Flood is popular among hackers because it specifically targets consumption of CPU, storage and database resources, which can shut down a victim's website without generating a large amount of network traffic. That being said, the traditional TCP Flood and UDP Flood will not disappear either, since they are still the most effective attacks against victims that are not protected by dedicated anti-DDoS mitigation equipment or services.


Contacts

If you have feedback or comments, please contact us:

Email: [email protected]
Tel: +1 408-907-6638
Address: 1793 Lafayette Street, Suite 120, Santa Clara, CA 95050

About NSFOCUS

Founded in 2000, NSFOCUS, Inc. (NSFOCUS) provides enterprise-level, carrier-grade solutions and services for distributed denial of service (DDoS) mitigation, Web security and enterprise-level network security. With more than 10 years of experience in DDoS research, development and mitigation, NSFOCUS has helped customers around the world maintain high levels of Internet security, website uptime and business operations to ensure that their online systems remain available. The NSFOCUS Anti-DDoS System (ADS) empowers customers to find and fend off a variety of incidents, from simple network layer attacks to more sophisticated and potentially damaging application-layer attacks, all while guaranteeing legitimate traffic gets through to networks and corporate-critical systems. For more information, visit www.nsfocus.com.
