INNOVATIVE ICT BUILDING A BETTER CONNECTED WORLD

2014 Botnets and DDoS Attacks Report


1 Report Overview

Hotspot Events

On June 2, 2014, the US Department of Justice (DoJ) and the FBI joined with law enforcement agencies and network security companies from multiple countries to take down the GameOver Zeus botnet and seek criminal action against the hacker responsible.

Botnet Conditions

Botnets have become more widespread and have begun to use more diverse platforms. At the same time, they have become better disguised, and their use for commercial profit has become clearer. More and more cutting-edge botnets now feature CaaS (Crime as a Service) characteristics.

Globally, the top three countries with the most zombie hosts are the United States, Russia and China; the top three countries with the most controlled servers are the United States, Russia and Germany, respectively.

In China, zombie hosts were most widely distributed throughout Guangdong, Zhejiang and Hong Kong.

Botnet Development Trends

Botnet variants and platforms will continue to diversify, while network behavior will become more personal.

Motivated by profit, mobile botnets will become more standardized.

Fast-flux, DGA and other evasion techniques are likely to lead to the explosive growth of cross-platform botnets.

The deployment and spread of CaaS botnets will become increasingly apparent.

Expert Opinion

Botnet governance is a global responsibility; only by shutting down control (C&C) servers and pursuing legal action against the hackers involved can we begin to contain botnets.

Compared with traditional detection, DNS-based traffic monitoring detection has higher positive predictive value and is cross-platform.


DDoS Attack Conditions

2014 witnessed the proliferation of various UDP-based amplification attacks and large-packet SYN flooding; in December, peak attack bandwidth reached a new high of 500 Gbit/s.

Data centers (DCs), including cloud-based DCs, are still a major target for DDoS attacks, and they are faced with both inbound and outbound DDoS threats. Compared to conventional DCs, cloud-based DCs must also deal with cross-bound tenant-to-tenant DDoS threats.

DC servers, free Internet proxies, various open DNS, NTP and UDP servers and low-cost cloud-based DC virtual machines (VMs) have become pervasive hotbeds for botnet and DDoS attacks.

To effectively evade security device filtering, botnet-initiated application-layer DDoS attacks are often personalized.

DDoS attacks also feature CaaS characteristics. CaaS has effectively expanded the network scope and attack strength of DDoS attacks.

Development Trends of DDoS Attacks

As CT shifts to IT-oriented developments, and IT moves to the cloud, DDoS attacks and defense will become much more complicated.

Network attacks are becoming much more profit-based, and the CaaS model of DDoS attack services will become increasingly common.

A huge number of open UDP servers will lead to frequent hybrid amplification attacks in the coming years, which will further boost the peak traffic bandwidth of attacks.

Expert Opinion

Compared to conventional DCs, cloud-based DC security faces tougher odds. Given that SaaS is their only form of defense, cloud-based DC providers have invested heavily in infrastructure security. Cutting-edge cloud-based DCs have also begun to provide tenants with anti-DDoS SaaS protection.

The prospects for DNS caching and recursive service system security are less than optimistic, and large Internet companies have begun to consider building their own powerful anti-DDoS DNS systems to guarantee the serviceability of their Internet applications.

2 Hotspot Events

2.1 Hotspot Events

On June 2, 2014, the US Department of Justice (DoJ) and the FBI announced that they had joined with law enforcement agencies and network security companies from various countries to take down the GameOver Zeus botnet and initiate criminal action against its mastermind, Russian national Evgeniy Mikhailovich Bogachev, on charges including hacking, phishing, bank fraud and money laundering.

GameOver Zeus is a Zeus botnet variant first seen in September 2011. To better conceal its actions, GameOver Zeus abandoned the HTTP-based centralized control architecture of Zeus for a P2P architecture. Like Zeus, GameOver Zeus was spread through spam and phishing websites and infected between 500,000 and 1 million PCs across the globe. Also like Zeus, after compromising a PC, GameOver Zeus searches for online banking credentials. On command from the control terminal, the stolen credentials are sent back to the attacker, and the money in the user's account is transferred overseas. The FBI estimates that GameOver Zeus has already caused global losses of over 100 million US dollars and is one of the most sophisticated botnets that the FBI and its partners have ever tracked.

2.2 Event Analysis

This crackdown on the GameOver Zeus botnet was led by the US Department of Justice (DoJ). US authorities collaborated with law enforcement agencies from more than 10 countries, including Australia, Germany, France, the Netherlands and Japan, as well as multiple network security companies, including Microsoft, Symantec and McAfee.

The DoJ also announced that it had identified the IP addresses infected by GameOver Zeus bots and had helped those users remove the malware. This shows that global botnet stings require the active participation of multiple countries and network security-related organizations; success is only possible through joint action.

3 Botnets

3.1 Botnet Conditions

In terms of their spread, platform usage and behavior, botnets have become much more diversified. As their network behavior has become more personalized, botnets have become increasingly profit-driven and characterized by the "Crime as a Service" (CaaS) business model.

Major developments have occurred in the following aspects of the botnet black-market industry chain: the division of labor is more precise, botnets evolve much faster, and their spread and control paths have become much more diversified. Pushdo and Bredolab, as "loaders", are responsible for malware customization, downloading and installation, including the download of the self-copying Cutwail malware. Cutwail, in turn, is responsible for spam-based flooding to rapidly expand the scale of the botnet.

In the case of Zeus botnets, since the code went public in 2011 they have evolved rapidly, and there are now a wide variety of notorious Zeus-derived botnets, such as Citadel, KINS, Ice-IX and GameOver Zeus. When the main Zeus module was removed, it automatically updated to the latest version to continue the infection, in effect a warranty extension.

After the botnet code went public, almost anyone could build on the base code to launch new attacks. This led to botnet multiplicity. For example, early Zeus botnets were only used to steal bank accounts, whereas later versions were also used for DDoS attacks. In addition to the conventional spam- and phishing-website-based spread and control techniques, social networks are now also used for attacks. For example, the TwitterNET botnet is spread and controlled through Twitter.

As the IT ecosystem has diversified, botnet platforms have tended towards multiplicity. First, Windows is no longer the only OS vulnerable to botnet infections; many popular bots now target Linux, Mac OS X, Apple iOS, Android and other operating systems. Second, the more popular and more valuable the application, the greater the chance that it will be exploited for spreading bots. For example, according to the McAfee Labs Threats Report 2014 Q1, the Apple iOS and Android versions of Flappy Bird gained in popularity in mid-2013. By February, the developer had pulled his game from the App Store and Google Play, but there were already hundreds of clones, 80% of which contained malicious code.

Conventional DCs are likewise unsafe, and hosted servers often lack effective regulation, which invites the deployment of ultra-heavy DDoS attack traffic. Cloud-based DCs are just as unsafe. According to The Bad Bot Landscape Report Q1 2014, released by Distil Networks, 79.18% of Amazon cloud traffic is malicious.

Malicious botnet traffic often simulates typical network access behavior well enough to evade tracking and filtering by network security devices. Commonly simulated features include: 1. the User-Agent field of HTTP requests is disguised as a browser or mobile terminal; 2. web proxies are used to hide the true trail; 3. fake web crawlers are made to look like Google or Baidu crawlers.

Today's botnets more directly reflect their ability to seek commercial profit, even with obvious APT attributes: 1. Zeus botnets steal online bank accounts for direct profit; 2. ongoing DDoS attacks are targeted against competing e-commerce websites during holiday shopping seasons; 3. DDoS attacks are used as a smokescreen to hide the theft of core data.


Over the years, international law enforcement organizations have strengthened their efforts to crack down on botnets because they directly endanger financial and Internet stability. The most effective botnet crackdown was the joint action of multiple countries against GameOver Zeus. In June 2014, US authorities led by the Department of Justice (DoJ) joined with Australian, German, French, Dutch and Japanese law enforcement, as well as a number of network security companies including Microsoft, Symantec and McAfee, to take down the GameOver Zeus botnet.

As an underground business model, "Crime as a Service" (CaaS) has grown rapidly. To attackers, large, stable botnets are a type of infrastructure whose deployment and maintenance require investment in technology and manpower. While ordinary attackers cannot launch such sophisticated efforts, a number of expert-level hackers have begun to take advantage of this to cash in on CaaS in two different ways, namely deployment services and attack services. The former is when bots are customized based on user needs; for example, Pushdo supports user-defined bot functionality. As for the latter, fee-based services (FBS) are provided through botnet deployment. For example, by controlling over a thousand routers, the international hacker organization Lizard built its own botnet to provide FBS, claiming that it can offer DDoS attacks with traffic of up to 4T while its monthly rental costs are as low as 6 US dollars. Another example of attack services is the Chinese IMDDOS botnet, whose well-known DDoS services have already been around for several years.

3.2 Botnet Distribution

According to Huawei Cloud Security Center live network statistics, globally, the top three countries with the most zombie hosts are the United States, Russia and China; the top three countries with the most control servers are the United States, Russia and Germany, respectively.

Figure 3-1 Global Distribution of Zombie Hosts

Figure 3-2 Global Distribution of Botnet Controlled Servers


Figure 3-3 Regional Distribution of Zombie Hosts in China

The distribution of zombie hosts across China shows significant geographical features: their distribution is directly linked to the level of Internet usage across the provinces. Specifically, zombie hosts were most widely distributed throughout Guangdong, Zhejiang and Hong Kong.

In China, the top five botnet controllers are Boer_Family, Yoyoddos_Family, XiaoYan_DDOS_Family, Glacier and IMDDOS. Of these, Yoyoddos_Family, XiaoYan_DDOS_Family and IMDDOS specialize in DDoS attack botnets, which illustrates that China has always been a target for DDoS attacks.

Figure 3-4 Top 5 Chinese Botnets: Boer_Family 47%, Yoyoddos_Family 30%, XiaoYan_DDOS_Family 9.0%, Glacier 8.0%, IMDDOS 6.0%

3.3 Development Trends

As the Internet ecosystem continues to diversify, botnet variants and platform usage will also continue to exhibit multiplicity. Also, to evade security checks and tracking, the network behavior of cutting-edge botnets will become more and more personalized.

Over the next few years, as more people begin to use mobile payments and as mobile network bandwidth continues to improve, mobile botnets, driven by profit, will become ever more standardized.

DNS servers lack effective security regulation, and Fast-flux, DGA and other evasion techniques will likely lead to the explosive growth of cross-platform botnets.

The spread and deployment of botnets as a network attack infrastructure will become increasingly characterized by CaaS.


3.4 Expert Opinion

The prevention of various network attacks, especially DDoS and other attacks that exhaust network resources, has had little success where companies have relied only on hardening their own service systems. In short, as long as a service system is exposed to the open Internet, attacks will be inevitable. Traffic filtering for the various network attacks is a passive means of defense. The most effective way to prevent network attacks is to strengthen botnet tracking and governance, blocking botnet activity at the source. Botnet governance is a global responsibility and requires cooperation among governments, operators and network security-related organizations to shut down botnet control servers and pursue legal liability from their owners in order to contain them.

Among botnet detection techniques, the most effective is to detect and filter DNS requests for C&C domain names. DNS caching services are the first step in connecting to the Internet, and as such, monitoring DNS caching server traffic tends to yield the best botnet detection rates. Given that the DNS detection technique is cross-platform by nature, it can detect both fixed and mobile botnets.
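As an added example of the DNS-side detection described above (not code from the report or from Huawei), the following Python analyses constructed caching-server query records for the footprint of DGA-driven C&C lookups: a client that asks for many long, high-entropy names, receives NXDOMAIN for most of them, and gets an answer for the few that are the live C&C domains. The record layout, thresholds and sample records are assumptions.

```python
"""Flag DGA-style C&C lookups in DNS caching-server query logs.

Added example for the DNS-based botnet detection the report recommends; it is
not code from the report or from Huawei. The query records, field layout and
thresholds below are constructed for illustration.
"""
import math
from collections import defaultdict

# Constructed query-log records: (client_ip, qname, rcode).
# 10.0.0.5 resolves ordinary names; 10.0.0.9 behaves like a DGA bot hunting
# for the day's C&C domain and receiving NXDOMAIN for most candidates.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "mail.example.com", "NOERROR"),
    ("10.0.0.5", "cdn.example.net", "NOERROR"),
    ("10.0.0.5", "mail-exmaple.com", "NXDOMAIN"),   # a plain typo, not DGA
    ("10.0.0.9", "qx7vkd2hf9sld0.com", "NXDOMAIN"),
    ("10.0.0.9", "bn4e8tq1zv3pwy.net", "NXDOMAIN"),
    ("10.0.0.9", "kf0s9gh2xm5rtj.org", "NXDOMAIN"),
    ("10.0.0.9", "y3wz6cpr8dl1nq.info", "NXDOMAIN"),
    ("10.0.0.9", "h8tg5mxv2qk7fb.biz", "NXDOMAIN"),
    ("10.0.0.9", "rm2lp7dw9zj4xc.com", "NOERROR"),  # the one that resolved: live C&C
    ("10.0.0.9", "www.example.com", "NOERROR"),
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Label left of the TLD (naive: assumes a single-label public suffix)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname, min_len=10, min_entropy=3.2, max_vowel_ratio=0.3):
    """Heuristic DGA check: a long, high-entropy registrable label with too few
    vowels to be a pronounceable word. Tune the thresholds on local traffic."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio < max_vowel_ratio


def analyze_clients(records, min_queries=5, nx_ratio=0.5, gen_ratio=0.5):
    """Per client, count NXDOMAIN answers and generated-looking names. A client
    over both ratios is reported together with the generated names that DID
    resolve, which are the candidate live C&C domains worth blocking."""
    per_client = defaultdict(list)
    for client, qname, rcode in records:
        per_client[client].append((qname, rcode))
    suspects = {}
    for client, queries in per_client.items():
        total = len(queries)
        if total < min_queries:
            continue
        nx = sum(1 for _, rc in queries if rc == "NXDOMAIN")
        generated = [q for q, _ in queries if looks_generated(q)]
        if nx / total >= nx_ratio and len(generated) / total >= gen_ratio:
            resolved = sorted(q for q, rc in queries
                              if rc == "NOERROR" and looks_generated(q))
            suspects[client] = {
                "queries": total,
                "nxdomain": nx,
                "generated": len(generated),
                "resolved_generated": resolved,
            }
    return suspects


if __name__ == "__main__":
    for client, evidence in analyze_clients(SAMPLE_LOG).items():
        print(client, evidence)
```

Because the check runs at the caching server, it is independent of the infected host's operating system, which is the cross-platform property the text points to.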

4 DDoS Attacks

4.1 DDoS Attack Conditions

2014 was marked by rampant UDP-based amplification attacks and large-packet SYN flooding. With DDoS attacks exceeding 100 Gbit/s occurring almost monthly, the record peak attack bandwidth was broken again. Peak bandwidths in early 2014 reached 400 Gbit/s and rose to 500 Gbit/s by the end of the year (a DDoS attack launched on December 20, 2014 targeted specific Chinese cloud-based DCs hosting game servers; the attack lasted 14 hours and consisted mainly of ultra-large-packet SYN and UDP flooding from outside China and from some large DCs in China). Ultra-heavy traffic DDoS attacks already threaten operator gateways, and global Tier-1 operators have begun to trace attacks to their source in order to quickly filter out attack traffic through cloud scrubbing solutions.

In March 2013, The Spamhaus Project was hit by heavy DDoS attack traffic, peaking at up to 300 Gbit/s, launched using DNS amplification. In December 2013, the hacker organization DERP launched the first NTP amplification attack. Then in February 2014, the peak bandwidth of NTP amplification attack traffic was pushed to 400 Gbit/s. Shortly thereafter, UDP amplification attacks were unleashed the world over.

DC servers lacking effective supervision, free Internet proxies, various open UDP servers and even inexpensive cloud-based DC virtual machines (VMs) have become pervasive hotbeds for botnet and DDoS attacks.

DDoS attacks directly impact the availability of Internet services, and commercial attacks have become more targeted. Once a target is locked in, the attack stays on the targeted IP address and domain name: 1. Ongoing DDoS attacks are launched against e-commerce websites during holiday shopping seasons, which throttle the targeted website so that loading times are slow, even to the point where pages will not open, ruining the shopping experience so that customers opt to shop on other websites instead; 2. During major sporting events such as the World Cup, various betting websites host gambling events, and during such events ultra-heavy traffic DDoS attacks appear out of the blue and last for the duration of the event; 3. In recent years, many e-commerce websites have launched time-limited "panic buy" and "seckill" (flash sale) promotions, such as mobile phone sales on popular Chinese websites that begin at 10:08 every Monday and Friday; whenever a promotion is set to begin, DDoS attacks are suddenly launched so that netizens lose patience waiting for the website to load and give up on the promotion; after enough netizens leave, the DDoS attack screeches to a halt and, before the promotion expires, "scalping" software rushes in to place orders.

In 2014, DCs were still the main target of DDoS attacks. DCs, including cloud-based DCs, have to deal with two-way DDoS attack threats. Inbound DDoS attacks directly endanger downlink bandwidth, DC infrastructure and online service availability; outbound DDoS attacks, on the other hand, endanger the DC access-layer uplink bandwidth and the DC's reputation. Compared to conventional DCs, cloud-based DCs have to deal with greater DDoS threats. This is primarily because: first, there are a huge number of cloud hosts (upwards of 100-200 thousand); services are brought online and taken offline quickly, and many different services are available; traffic fluctuates so frequently that it is difficult to manage, and targeted protection is difficult to achieve; second, the average cloud-based DC has a large number of tenants that come and go at random, such that they cannot be physically isolated; after a cloud host is infected by a bot, not only does it threaten DC data security, but such hosts also often initiate outbound DDoS attacks and may even launch tenant-to-tenant cross-bound attacks.

Techniques for disguising network behavior are not limited to the botnet communication process alone; botnet-initiated application-layer DDoS attacks also use disguises. For example, HTTP GET flooding through mobile applications can use User-Agents disguised as mobile terminals; HTTP GET flooding against e-commerce websites during holiday shopping seasons or promotions can use User-Agents disguised as browsers, typically Firefox and IE because of their large user bases; HTTP GET flooding can attack web servers while disguised as Baidu or Google crawlers; and since many small and medium-scale web applications use CDN acceleration, attacks that target these kinds of applications often simulate proxy access, which makes it hard for the defense system to distinguish whether or not the behavior is malicious.
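The browser and crawler disguises listed above (and in 3.1) can be checked on the server side. As an added example, not code from the report or from Huawei, this Python parses constructed combined-format access-log lines, verifies requests that claim to be Googlebot or Baiduspider with forward-confirmed reverse DNS, and flags clients whose per-second GET rate looks like a flood; the PTR/A tables stand in for live DNS and, like the log lines and the rate threshold, are constructed.

```python
"""Spot HTTP GET floods hiding behind crawler or browser User-Agents.

Added example for the disguise techniques described in the report; it is not
code from the report or from Huawei. The log lines and the resolver tables are
constructed; in production the tables are replaced by real PTR and A lookups.
"""
import re
from collections import Counter

LINE = '{ip} - - [20/Dec/2014:10:08:{sec:02d} +0800] "GET {path} HTTP/1.1" 200 8192 "-" "{ua}"'
UA_GOOGLE = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
UA_BAIDU = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
UA_FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101 Firefox/34.0"

# Constructed access log: one genuine crawler, one fake "Googlebot" flooding a
# promotion page (40 GETs in one second), one fake "Baiduspider" at low rate,
# and an ordinary Firefox user browsing at one request per second.
SAMPLE_LOG = (
    [LINE.format(ip="192.0.2.10", sec=0, path="/robots.txt", ua=UA_GOOGLE)]
    + [LINE.format(ip="203.0.113.7", sec=1, path="/promo/phone", ua=UA_GOOGLE) for _ in range(40)]
    + [LINE.format(ip="198.51.100.23", sec=2, path="/promo/phone", ua=UA_BAIDU)]
    + [LINE.format(ip="192.0.2.44", sec=s, path="/promo/phone", ua=UA_FIREFOX) for s in range(3, 8)]
)

# Constructed stand-ins for reverse (PTR) and forward (A) DNS.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "203.0.113.7": "vps-7.example-hosting.net"}      # 198.51.100.23 has no PTR
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
     "vps-7.example-hosting.net": {"203.0.113.7"}}

# Domains under which the real crawlers' reverse names live.
CRAWLER_DOMAINS = {
    "Googlebot": ("googlebot.com", "google.com"),
    "Baiduspider": ("crawl.baidu.com", "crawl.baidu.jp"),
}

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def claimed_crawler(ua):
    """Name of the crawler the User-Agent claims to be, or None."""
    for name in CRAWLER_DOMAINS:
        if name in ua:
            return name
    return None


def is_verified_crawler(ip, name, ptr=PTR, fwd=A):
    """Forward-confirmed reverse DNS: the PTR must sit under the crawler's
    domain AND that hostname must resolve back to the same IP."""
    host = ptr.get(ip)
    if not host:
        return False
    if not any(host == d or host.endswith("." + d) for d in CRAWLER_DOMAINS[name]):
        return False
    return ip in fwd.get(host, set())


def analyze(lines, rate_threshold=20, ptr=PTR, fwd=A):
    """Return (spoofed_crawlers, floods): IPs whose crawler claim fails the
    FCrDNS check, and IPs issuing rate_threshold or more GETs in one second."""
    per_second = Counter()
    claims = {}
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        per_second[(rec["ip"], rec["ts"])] += 1
        name = claimed_crawler(rec["ua"])
        if name:
            claims[rec["ip"]] = name
    spoofed = sorted(ip for ip, name in claims.items()
                     if not is_verified_crawler(ip, name, ptr, fwd))
    floods = sorted({ip for (ip, _), n in per_second.items() if n >= rate_threshold})
    return spoofed, floods


if __name__ == "__main__":
    spoofed, floods = analyze(SAMPLE_LOG)
    print("spoofed crawler claims:", spoofed)
    print("GET flood sources:", floods)
```

A low-rate spoofed crawler (the fake Baiduspider here) fails the identity check but not the rate check, which is why both signals are reported separately.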

DDoS attacks also feature "Crime as a Service" characteristics, and CaaS has effectively expanded the network scope and attack strength of DDoS attacks. The most famous CaaS DDoS botnets are none other than IMDDOS and Lizard DDoS. According to Huawei Cloud Security Center live network monitoring data, IMDDOS has been the fifth largest botnet in China since 2010, and over the last few years it has infected its fair share of high-performance DC servers. Following its attacks on many large online gaming networks, such as Xbox Live, the Sony PlayStation Network, Jagex, Blizzard and League of Legends (LOL), the well-known hacker organization Lizard Squad has recently begun to sell its DDoS attack services through Twitter at an affordable price. The price itself may directly determine the strength of the purchased attack.

4.2 UDP Amplification Attacks

In March 2013, The Spamhaus Project, an international anti-spam organization based in Europe, was hit by heavy DDoS attack traffic, peaking at up to 300 Gbit/s, launched using DNS amplification. In December 2013, the hacker organization DERP launched the first NTP amplification attack. Then in February 2014, the peak bandwidth of NTP amplification attack traffic was pushed to 400 Gbit/s. Shortly thereafter, UDP amplification attacks were unleashed the world over, and a variety of amplification vectors have been tapped one after another. Exploitable open UDP servers are shown in Table 4-1.

Table 4-1 Open UDP Servers Exploitable for Amplification

Category of Attack                             Amplification   Exploitable Vulnerability
NTP Amplification Attack                       556.9           monlist query
DNS Amplification Attack                       28 to 54        TXT (text) query
SSDP Amplification Attack                      30.8            SEARCH request
Chargen Amplification Attack                   358.8           Character generation request
SNMP Amplification Attack                      6.3             GetBulk request
NetBIOS Amplification Attack                   3.8             Name resolution
QOTD Amplification Attack                      140.3           Quote request
Quake Network Protocol Amplification Attack    63.9            Server info exchange
Steam Protocol Amplification Attack            5.5             Server info exchange
BitTorrent Amplification Attack                3.8             File search
Kad Amplification Attack                       16.3            Peer list exchange
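As an added example (not code from the report or from Huawei), this Python applies Table 4-1 from the defender's side: inbound UDP flow records whose source port belongs to one of the reflector services are grouped per destination, and a destination receiving large datagrams from many distinct reflectors is reported together with the table's amplification factor for that service. The flow records and the thresholds are constructed; the port numbers are the standard service ports.

```python
"""Flag inbound UDP reflection traffic in flow records, keyed on the reflector
services behind the amplification vectors in Table 4-1.

Added example, not code from the report or from Huawei. Flow records and
thresholds are constructed; the port numbers are the standard service ports and
the amplification factors are the figures from Table 4-1.
"""
from collections import defaultdict
from dataclasses import dataclass

# Service port -> (service name, amplification factor from Table 4-1)
REFLECTOR_PORTS = {
    123: ("NTP", 556.9),
    53: ("DNS", 54.0),        # table gives 28 to 54; upper bound used
    1900: ("SSDP", 30.8),
    19: ("Chargen", 358.8),
    161: ("SNMP", 6.3),
    137: ("NetBIOS", 3.8),
    17: ("QOTD", 140.3),
}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (NetFlow/IPFIX style)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


def build_sample_flows():
    """Constructed flow records mixing one reflection attack with normal traffic."""
    flows = []
    # Reflected NTP monlist responses from 200 open servers to one victim:
    # 500 datagrams of ~482 bytes each, source port 123, arbitrary victim port.
    for i in range(200):
        flows.append(Flow(f"198.51.100.{i + 1}", 123, "203.0.113.50", 40000 + i, "udp", 500, 500 * 482))
    # A genuine NTP time sync to the same victim: one small 76-byte datagram.
    flows.append(Flow("192.0.2.1", 123, "203.0.113.50", 123, "udp", 1, 76))
    # Ordinary DNS answers to a recursive resolver: few sources, small packets.
    for i in range(30):
        flows.append(Flow(f"192.0.2.{i + 10}", 53, "203.0.113.53", 50000 + i, "udp", 3, 300))
    # TCP traffic is out of scope for UDP reflection and must be ignored.
    flows.append(Flow("192.0.2.99", 443, "203.0.113.50", 51000, "tcp", 20, 9000))
    return flows


def detect_reflection(flows, min_sources=50, min_avg_bytes=400):
    """Group inbound UDP flows whose SOURCE port is a known reflector service by
    (destination, service). Alert when many distinct reflectors send large
    datagrams to one destination: legitimate client use of these services comes
    from a few servers with small replies. Returns alerts sorted by volume."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "octets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        g = groups[(f.dst_ip, f.src_port)]
        g["sources"].add(f.src_ip)
        g["packets"] += f.packets
        g["octets"] += f.octets
    alerts = []
    for (dst, port), g in groups.items():
        avg = g["octets"] / g["packets"] if g["packets"] else 0.0
        if len(g["sources"]) >= min_sources and avg >= min_avg_bytes:
            name, factor = REFLECTOR_PORTS[port]
            alerts.append({
                "victim": dst,
                "service": name,
                "reflectors": len(g["sources"]),
                "avg_bytes_per_pkt": round(avg, 1),
                "total_mbytes": round(g["octets"] / 1e6, 1),
                "table_4_1_factor": factor,
            })
    return sorted(alerts, key=lambda a: a["total_mbytes"], reverse=True)


if __name__ == "__main__":
    for alert in detect_reflection(build_sample_flows()):
        print(alert)
```

The genuine NTP server is counted among the 201 reflectors because flow data cannot separate it from the reflected responses; the alert is about the aggregate pattern, not any single source.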


Figure 4-1 Global Distribution of Open Chargen Servers

Figure 4-2 Global Distribution of Open DNS Servers

Figure 4-3 Global Distribution of Open NTP Servers

Based on Huawei Cloud Security Center live network attack statistics from 2014, NTP, DNS, SSDP and Chargen servers accounted for the majority of amplification attacks. The main reason is that these services offer high amplification and are widely distributed across live networks.

As of January 2015, according to Huawei Cloud Security Center research, the number of open DNS servers has risen to 13,983,210; open SSDP servers followed with up to 9,473,641; open NTP servers ranked third with up to 1,871,764; and the number of open Chargen servers has risen to 1,696,095.


Figure 4-4 Global Distribution of Open SSDP Servers

Figure 4-5 Distribution of DDoS Attacks in China

4.3 Geographical Distribution of Attacks

In China, DDoS attacks were relatively concentrated in Zhejiang, Guangdong and Shandong, because the majority of the DCs of China's large Internet companies are concentrated in these three provinces. According to statistics on attacks against nearly 100 typical DCs in 2014, the highest DC attack frequency was over 200 attacks per month.

4.4 Distribution of Attacks by Category

According to Huawei Cloud Security Center statistics, DDoS attacks in 2014 were commonly launched in the form of SYN, UDP, HTTP GET and DNS flooding. The most striking change compared to 2013 was the surge in ultra-large-packet SYN flooding and UDP-based amplification attacks, with 100 Gbit/s DDoS attacks consisting of large-packet SYN flooding combined with NTP or DNS amplification. Compared to 2013, attacks targeted at DNS caching servers were still Cache Miss-based, but the source IPs of the attacks were more often confined to the same metropolitan areas as the targets, and attack traffic also rose. Attacks targeted at DNS authoritative servers were similarly Cache Miss-based, but the source IPs were disguised as DNS caching server IPs.


Figure 4-6 DDoS Attacks by Category: SYN Flooding 22.87%, UDP Flooding 43.26%, HTTP Get/Post Flooding 15.54%, ACK Flooding 6.06%, DNS Flooding 9.31%, ICMP Flooding 1.29%, FIN/RST Flooding 0.35%, Other 1.32%

Figure 4-7 DDoS Attacks by Industry: Gaming 48.40%, E-commerce 35.49%, Finance 6.30%, Healthcare 2.51%, Education 1.80%, Hotel & travel 1.40%, Other 4.10%

4.5 Distribution of Attacks by Industry

The top three targets of DDoS attacks are e-commerce, online gaming and online finance, especially online finance, where attackers were primarily motivated by malicious competition. Online service systems with higher profit margins tend to be hit more frequently, and the attacks tend to last longer.

Figure 4-8 DDoS Attacks by Protocol: HTTP 89.50%, DNS 3.63%, HTTPS 1.64%, Other 5.23%

4.6 Distribution of Attacks by Application Protocol

According to Huawei Cloud Security Center statistics on the distribution of application-targeted attacks, HTTP is still the primary target. The main reason is that HTTP is still the most important Internet application protocol, and the e-commerce and online gaming websites that are most susceptible to DDoS attacks all use HTTP.

DNS applications are the second largest target for DDoS attacks. Since DNS serves as Internet infrastructure, the impact of attacks on it is much more widespread. Even though DNS service providers have reinforced the security of their DNS servers in various ways over the last few years, DNS is still the weakest of all applications on the Internet. Even if Internet companies comprehensively reinforce their own DNS authoritative servers, the security and serviceability of DNS caching and recursive servers, as the Internet's largest access gateways, remain worrisome. In December 2014, a number of China Telecom's provincial DNS caching servers were hit by a Cache Miss attack, leading to network outages of several hours. The worrisome state of DNS server security has forced large Internet companies to consider building their own powerful anti-DDoS DNS systems.


4.7 Development Trends

As CT shifts to IT-oriented developments, and IT moves to the cloud, DDoS attacks and defense will become much more complicated.

Network attacks are becoming much more profit-based, and the CaaS model of DDoS attack services will become increasingly common.

A huge number of open UDP servers will lead to frequent hybrid amplification attacks in the coming years, which will further boost the peak traffic bandwidth of attacks.

4.8 Expert Opinion

Compared to conventional DCs, the state of cloud-based DC security is worrisome, and such conditions will last for quite some time. Security and protection will become a fundamental DC service alongside storage, computing and bandwidth for DC tenants, and only after DCs can truly guarantee the quality of SaaS services will their infrastructure security investments begin to pay off.

Cloud-based DCs are trending towards building closer relations with network infrastructure operators in the development of DDoS security mechanisms. In this process, cloud-based DCs with professional DDoS protection capabilities will become much more attractive to tenants than conventional cloud-based DCs, and as such, they will develop much more rapidly.

The prospects for DNS caching and recursive service system security are less than optimistic, and if their security cannot be improved industry-wide, large Internet companies will have no choice but to consider building their own powerful anti-DDoS DNS systems to guarantee the serviceability of their Internet applications.

5 About

5.1 About Huawei Security Intelligence Center

Network security is a core customer requirement. Huawei's security product line regards the long-term construction of the Security Intelligence Center as a core technology that builds competitive edge, and will continue to invest in the security area. A wide range of network security experts came together to establish the Huawei Security Intelligence Center, which focuses on building an advanced security reputation system and cloud security architecture, safeguarding information security, and continuously developing customer service.

Drawing on Huawei's cutting-edge security capabilities, the Security Intelligence Center collects malicious samples from various channels, feeds the massive number of samples into its management system, rapidly analyzes and converts them into a signature database, and releases the database to security products deployed worldwide, so that customers' networks are equipped with the latest security defense capabilities. Besides inheriting legacy security capabilities, the Security Intelligence Center draws together cutting-edge technologies, adapts them to each field, and sets up dedicated security labs with distinct technical characteristics. The research team leverages security products and solutions to provide customers with an active security defense system.

As the Internet evolves, cloud computing and mobile terminals become more widespread, and innovative apps emerge, so do new threats, posing new challenges for network security personnel. To meet these ever-increasing challenges, Huawei continues to build its security capabilities and provides customized products, solutions and services to help customers effectively defend against global security threats and risks.

5.2 Data Source

The original data in this report come from Huawei Security Intelligence Center, and some data come from partners.

5.3 Feedback

If you have any comments about this report, please send them to [email protected].

Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. All information in this document is the internal data of Huawei Security Intelligence Center and related labs. All information is for reference only and does not constitute a warranty of any kind, express or implied.

All trademarks, pictures, logos, and brands in this document are the property of Huawei Technologies Co., Ltd. or an authorized third party.


General Disclaimer

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.

Huawei Industrial Base

Bantian Longgang

Shenzhen 518129, P.R. China

Tel: +86-755-28780808

Version No.: M3-032102-20150316-C-1.0

e.huawei.com

Trademark Notice

HUAWEI and the Huawei logos are trademarks or registered trademarks of Huawei Technologies Co., Ltd.

Other trademarks, product, service and company names mentioned are the property of their respective owners.