CDNetworks Q2 2017 DDoS Attack Trends Report 2017. 7. | Security Service Team

CDNetworks

Q2 2017 DDoS Attack Trends Report

2017. 7. | Security Service Team

<Public> 2 CopyrightⓒCDNetworks. All rights reserved.

Table of Contents

I. Introduction (p. 3)
II. Major DDoS attack issues in 2017 (p. 3)
  1. Issue of DDoS attack threats demanding Bitcoin from the financial sector (p. 4)
III. DDoS attack trends in Q2 2017 (p. 5)
  1. Number of DDoS response times in Q2 of each year (p. 5)
  2. Number of DDoS response times by area (p. 6)
  3. Number of attacks by industry (p. 7)
  4. Number of attacks by protocol (p. 8)
  5. Analysis by attack type (p. 8)
  6. Analysis of amplification attacks (p. 9)
  7. Analysis by attacker source IP (p. 10)
  8. Analysis by scale of attacks (p. 10)
IV. GRE (Generic Routing Encapsulation) packet flooding analysis (p. 11)
  1. GRE Tunneling (p. 11)
  2. Mirai Botnet (p. 12)
V. GRE Packet Flooding analysis #1 (p. 12)
  1. GRE Flooding Attack (p. 12)
VI. GRE Packet Flooding analysis #2 (p. 14)
VII. Closing remarks (p. 16)


I. Introduction

This report is designed to help readers understand the latest DDoS attack trends and derive the most effective countermeasures against incoming DDoS attack threats. Details of DDoS attacks against CDNetworks CDN and security service customers that occurred in the second quarter of 2017 were collected and analyzed to inform this report.

Data on past DDoS attacks against foreign customers as well as domestic ones can act as a solid guideline for preparing against new types of DDoS attacks in the future.

II. Major DDoS attack issues in 2017

Period          Description
January 2017    "Mirai", the malicious code inducing DDoS attacks, found in Korea. IoT security measures are deemed urgent.
February 2017   Why has Asiana Airlines become the focus of hackers? "2017 is expected to be the worst year in the history of security."
March 2017      DDoS attacks from China paralyzed Lotte Duty Free Shop's website... "Damages amounted to hundreds of millions of won." Cyber attacks are proliferating in retaliation against THAAD.
April 2017      New botnet Amnesia attacked more than 220,000 DVRs. "Hajime" conquers the IoT world using 300,000 infected devices.
May 2017        "DDoS attacks are coming for you!" 82,000 infected devices attacked gambling sites. Small and medium-sized businesses are becoming regular targets of cyber attacks. Why?
June 2017       7 banks received DDoS attack threats... "Send Bitcoin by the 26th." Only a 40GB Cyber Shelter is ready for 1TB DDoS attacks in the financial sector.

<Table 1> Major DDoS attack issues in 2017


1. Issue of DDoS attack threats demanding Bitcoin from the financial sector

The DDoS attack threat against the Korean finance industry by the international hacking group "Armada Collective" seems to have ended on July 3. It is likely that global hackers will continue to blackmail Korean enterprises after attacking the Korean hosting company "Nayana" with ransomware. It is known that "Nayana" negotiated with the hackers after being infected by ransomware and agreed to pay 1.5 million USD in ransom, setting a bad precedent of giving in to hackers' threats.

Since then, "Armada Collective" has sent blackmail emails and threats to leading Korean financial businesses and securities companies. Several financial and securities companies experienced temporary system failures (e.g., connection failures) due to the attacks but did not give in to the demands.

Similar DDoS attack threats with Bitcoin demands against financial businesses were also made by a different hacking group called "DD4BC (DDoS for Bit Coin)" in 2015, and several securities companies suffered extended periods of connection errors. Armada Collective, which threatened domestic companies on this occasion, is also known to be associated with DD4BC. The risk of DDoS attacks is always present, so a business's response to incoming attacks should be prepared in advance, even though not every attack or threat against a public-facing service can be blocked beforehand. There are many ways to address this problem, but applying a cloud-based DDoS defense service is an effective solution.


III. DDoS attack trends in Q2 2017

1. Number of DDoS response times for CDNetworks Global Customers in Q2 of each year

<Figure 1> Number of DDoS response times in Q2 of each year

The number of DDoS attacks responded to in Q2 2017 increased significantly compared with the same quarters of 2015 and 2016: up 44.3% from 2015 (106 attacks) and 96.2% from 2016 (78 attacks). The increase appears to be due to more accurate monitoring of the CDNetworks network by the upgraded DDoS monitoring system adopted in the second half of 2016, as well as the growth in overseas customers. The sharp increase in the number of attacks in each month over the three years can be seen in the monthly graph below.

<Figure 2> Number of DDoS response times by month in the Q2 of each year

[Figure 1 data: number of DDoS response times in Q2 by year: 2015: 106, 2016: 78, 2017: 153]

[Figure 2: bar chart of DDoS response times per month (April, May, June) in Q2 of 2015, 2016 and 2017; y-axis 0 to 70]


2. Number of DDoS response times by area

<Figure 3> Number of DDoS response times by area

In the second quarter of 2017, attacks against Asia, including Hong Kong, increased sharply and accounted for 60.4% of total attacks, up 32.3 percentage points from the previous year (28.2%). In contrast, the United States accounted for 14.6% of all attacks, down from 43.6% of the previous year's total. Overall, attacks occurred in more diverse areas than before, reflecting the DDoS monitoring capabilities available on the CDNetworks infrastructure since 2H'16.

[Figure 3: stacked bar chart of the share of DDoS response times by area for 2015, 2016 and 2017 (y-axis 0% to 100%); areas: U.S., Japan, Germany, Korea, U.K., Hong Kong, Thailand, Mexico, Brazil, India, Complex. Individual percentages are not recoverable from the extracted text beyond those quoted above (Asia 60.4% vs 28.2%, U.S. 14.6% vs 43.6%).]


3. Number of attacks by industry

<Figure 4> Number of attacks experienced by industry

The gambling industry experienced 2.7 times more attacks than in Q2'16 and had the largest share of attacks in Q2'17 (92 attacks, 60.1%), followed by the gaming and e-commerce industries. In the e-commerce industry, a total of 24 attacks occurred in 2017 (15.7%), 2.4 times more than in the same quarter of both 2015 and 2016. Meanwhile, <Figure 4> shows that attack frequency is still high in the game industry, but the number of attacks dropped by 12.6% from the same quarter of 2016.

[Figure 4: horizontal bar chart of the number of attacks by industry for 2015, 2016 and 2017 (x-axis 0 to 100); industries: Community, e-Learning, eCommerce, Gambling, Game, Government Agency, Hosting, Media, Public. Values quoted in the text: Gambling 92 (2017), eCommerce 24 (2017).]


4. Number of attacks by protocol

<Figure 5> Comparison by protocol in Q2 of each year

The breakdown by protocol in Q2 2017 shows that attacks using the UDP and TCP protocols increased, while attacks using the HTTP protocol decreased 13x compared with the same quarter of 2016. The increasing trend of UDP attacks seems to be related to the Mirai botnet (an IoT-based attack tool) as well as the rise in attacks abusing UDP-based Internet services, such as amplification attacks.

5. Analysis by attack type

<Figure 6> Comparison by attack type in Q2 of each year

[Figure 5 data: bar chart of the number of attacks by protocol (UDP, TCP, HTTP, ICMP, Complex) for 2015, 2016 and 2017; y-axis 0 to 100]

[Figure 6 data: horizontal bar chart of the number of attacks by type (Complex, ICMP Flooding, HTTP POST Flooding, HTTP GET Flooding, UDP Flooding, TCP SYN Flooding, Amplification) for 2015, 2016 and 2017; x-axis 0 to 80]


When attacks were analyzed by type, amplification, TCP SYN flooding and UDP flooding attacks increased by a large extent, while HTTP GET flooding and complex attacks decreased. Among them, the increase in the number of amplification attacks is the most noticeable: more than three times that of the same quarter of 2016. A detailed analysis of these attacks can be found in <Figure 7>.

6. Analysis of amplification attacks

<Figure 7> Comparison of amplification attacks in Q2 by year

Amplification attacks in Q2 2017 amounted to 78, about a 2.5x increase from the same quarter of last year (31 attacks). DNS and NTP attacks in particular increased significantly. Attacks using NTP recorded 53 cases (a 7.6x increase from the previous year), which accounted for 67.9% of all amplification attacks in Q2 2017. This trend is similar to Q1 and leads to the conclusion that attackers preferred NTP-based attacks in the first half of 2017.

[Figure 7: stacked horizontal bar chart of amplification attacks in Q2 by year (2015, 2016, 2017; x-axis 0 to 80) broken down by protocol: SSDP, NTP, DNS, CharGen, SNMP. Values quoted in the text: NTP 53 (2017), total 78 (2017) vs 31 (2016).]


7. Analysis of attacker source IP

<Figure 8> Comparison of top 5 attack IP countries in the Q2 of each year

The analysis of attacker source IPs in Q2 2017 indicates that the proportion of attacks from China declined moderately from both Q1 and Q2, whereas attacks from other countries increased evenly. Among those countries, Korea accounted for 8.1% of all source IPs and entered the top 5 attacking countries compared with Q2'FY16. It seems that those IPs were detected while defending duty-free shop sites against the THAAD retaliation attacks from China. The accuracy of the source IP statistics in Q2'17 improved greatly because the details of actually blocked L3/L4 attacks were included in addition to the previous L7 attack IP extraction method.

8. Analysis by scale of attacks

<Figure 9> Trends of attack scale in the Q2 of each year

[Figure 9: stacked horizontal bar chart of the number of attacks by scale for 2015, 2016 and 2017 (x-axis 0 to 160); buckets: Under 1G, Under 10G, Under 50G, Over 50G]


Average attack traffic in Q2'17 was 2.1 Gbps, a 75.6% and 47.5% decrease from the same quarter of 2016 (8.6 Gbps) and 2015 (4 Gbps) respectively. This is the smallest average attack traffic among the same quarters of the last 3 years, because small-scale attacks (under 1 Gbps) increased 2.6x while large-scale attacks (over 10 Gbps) decreased by 65%.

IV. GRE (Generic Routing Encapsulation) packet flooding analysis

1. GRE Tunneling

GRE (Generic Routing Encapsulation) is a protocol used between network equipment to create a virtual dedicated line by connecting routers. It is easiest to think of GRE as a VPN (Virtual Private Network) between routers. Recently, GRE has been widely used in DDoS defense: the IP range being defended is announced via BGP (Border Gateway Protocol), and the actual network is connected to the defending network with a GRE tunnel.

<Figure 10> Overview of GRE (Generic Routing Encapsulation) Tunneling


2. Mirai Botnet

Mirai Botnet is an attack tool that first appeared in September 2016. It exploits IoT devices as bots, an advance on earlier attack methods that used existing PCs or servers as bots. Mirai Botnet received wide media coverage because it infected devices on a record-breaking scale as soon as it appeared, and its source code was released at the end of October 2016. Since then, the frequency and scale of DDoS attacks have increased significantly. Various types of attacks can be launched, and thousands or tens of thousands of IoT devices such as CCTV cameras can be recruited into a botnet if their default login credentials are not changed.

<Figure 11> Articles related to Mirai Botnet

V. GRE Packet Flooding analysis #1

1. GRE Flooding Attack

Following the previously published DDoS trends report for Q1'17, this report analyzes DDoS attacks using GRE packets, one of the attack types specified in the Mirai Botnet source code. A description of GRE Tunneling can be found in Section IV.1 above.


<Figure 12> Mirai Botnet source code

Attack naming called “GRE IP / Ethernet Flooding” can be found in <Figure 12>.

<Figure 13> GRE Flooding Packet

Checking the packets used in the attack shows random source IPs, destination IPs, source ports and destination ports. The packet size is consistently 578 bytes.


<Figure 14> GRE Flooding Packet details #1

However, examining the packet in detail reveals two IP headers, as shown in <Figure 14>. Header 1 contains the actual attacker's IP address. Header 2 carries an unknown (spoofed) IP address, which is what a packet dump tool presents as the packet's addresses.

VI. GRE Packet Flooding analysis #2

Header (1) in <Figure 14> shows that the protocol is Generic Routing Encapsulation (47), as shown in <Figure 15>. If this were a genuine GRE packet, it would terminate at the router end. However, this packet is an attack packet masquerading as GRE, and its destination IP is the victim of the attack. The real source IP and destination IP can be identified as in <Figure 15> when the packet is captured in a dump. However, some network defense equipment classifies the packet as GRE and reports the spoofed IP from header (2) of <Figure 14> instead, which makes prevention difficult.

<Figure 15> GRE Flooding Packet details #2


Normal-looking IP headers can be found in <Figure 15> as in <Figure 16>. However, all of the header contents are forged and altered and do not affect the actual packet path at all. Rather, the header in <Figure 14> is recognized as a GRE header by some network defense equipment and is not detected by monitoring. Only the spoofed contents shown in <Figure 15> are displayed, which makes defense impossible.

<Figure 16> GRE Flooding Packet details #3

In practice, when such an attack occurs, the DDoS defense device recognizes only the spoofed IP because it does not parse the outer GRE IP header. To prevent these attacks, network equipment can block protocol number 47 using an ACL (Access Control List). If we dump and inspect the attack packets, we can easily confirm that the attack exploits GRE packets. Otherwise, the picture becomes muddled by the destination IP, which is irrelevant to the service being checked, if we rely solely on network equipment. This is a case in which having a process to capture and inspect packets when an attack is detected is quite helpful in defending against DDoS.
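The two-header structure described in Sections V and VI, and the ACL rule on protocol 47, can be checked from a packet dump with a small decoder. The following is an added example, not CDNetworks' own tooling or code from the report. It parses an outer IPv4 header, the GRE header (RFC 2784/2890 optional fields) and the inner IPv4 header, and flags GRE packets whose outer source is not a known tunnel peer, which is the defender-side equivalent of "deny protocol 47 except from our scrubbing tunnel". The tunnel peer address, the sample addresses (documentation ranges) and the `build_sample` helper that produces the 578-byte test packets are all constructed for this example; checksums are left zero because they are not needed to demonstrate the parsing.

```python
"""Decode IP-in-GRE packets from a dump and flag ones not from a known tunnel peer.

Added example for the GRE flooding discussion; not the report's own code.
"""
import struct
from dataclasses import dataclass

IPPROTO_GRE = 47
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Ipv4Header:
    src: str
    dst: str
    proto: int
    ihl: int        # header length in bytes
    total_len: int


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def parse_ipv4(buf: bytes, offset: int = 0) -> Ipv4Header:
    """Decode the fixed 20-byte part of an IPv4 header starting at `offset`."""
    fields = struct.unpack_from("!BBHHHBBH4s4s", buf, offset)
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = fields
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return Ipv4Header(_ip_str(src), _ip_str(dst), proto, (ver_ihl & 0x0F) * 4, total_len)


def decode_gre(buf: bytes):
    """Return (outer, inner) IPv4 headers; inner is None if the packet is not IP-in-GRE."""
    outer = parse_ipv4(buf)
    if outer.proto != IPPROTO_GRE:
        return outer, None
    gre_off = outer.ihl
    flags, proto_type = struct.unpack_from("!HH", buf, gre_off)
    gre_len = 4                       # base GRE header
    if flags & 0x8000:
        gre_len += 4                  # checksum + reserved1 present
    if flags & 0x2000:
        gre_len += 4                  # key present
    if flags & 0x1000:
        gre_len += 4                  # sequence number present
    if proto_type != ETHERTYPE_IPV4:  # only IPv4 payloads are decoded here
        return outer, None
    return outer, parse_ipv4(buf, gre_off + gre_len)


def classify(buf: bytes, tunnel_peers) -> str:
    """ACL-style verdict: GRE is only legitimate from configured tunnel peers (outer header)."""
    outer, _inner = decode_gre(buf)
    if outer.proto != IPPROTO_GRE:
        return "not-gre"
    if outer.src in tunnel_peers:
        return "tunnel"
    return "gre-flood-suspect"


def summarize(packets, tunnel_peers):
    """Count verdicts and collect the outer (real) source addresses of suspect packets."""
    counts = {"not-gre": 0, "tunnel": 0, "gre-flood-suspect": 0}
    suspect_sources = set()
    for pkt in packets:
        verdict = classify(pkt, tunnel_peers)
        counts[verdict] += 1
        if verdict == "gre-flood-suspect":
            suspect_sources.add(parse_ipv4(pkt).src)   # header 1, not the spoofed header 2
    return counts, sorted(suspect_sources)


def build_sample(outer_src, outer_dst, inner_src, inner_dst, total_len=578) -> bytes:
    """Constructed test packet (IPv4 / GRE / IPv4 / UDP); checksums zero, for parsing only."""
    payload_len = total_len - (20 + 4 + 20 + 8)
    udp = struct.pack("!HHHH", 40000, 53, 8 + payload_len, 0) + b"\x00" * payload_len
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                        _ip_bytes(inner_src), _ip_bytes(inner_dst)) + udp
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 4 + len(inner), 0, 0, 64, IPPROTO_GRE, 0,
                        _ip_bytes(outer_src), _ip_bytes(outer_dst))
    return outer + gre + inner


TUNNEL_PEERS = {"198.51.100.1"}   # assumed scrubbing-centre tunnel endpoint (placeholder)
SAMPLE_PACKETS = [                # constructed dump: one real tunnel packet, two flood packets
    build_sample("198.51.100.1", "203.0.113.10", "192.0.2.7", "203.0.113.10"),
    build_sample("192.0.2.44", "203.0.113.10", "10.9.8.7", "172.16.5.5"),
    build_sample("192.0.2.45", "203.0.113.10", "10.1.1.1", "172.16.9.9"),
]

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_PACKETS, TUNNEL_PEERS)
    print(counts, "suspect outer sources:", sources)
```

The verdict is taken from the outer header only: the inner header is the one the report shows as forged, so nothing in the decision depends on it, and the outer source list is what an operator would hand to upstream filtering or correlate with the blocked L3/L4 details mentioned in Section III.7.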


VII. Closing remarks

In Q2 2017, DDoS attacks were used as a tool to extort money from the financial sector. DDoS attacks have become a means of such crimes because they are easily accessible to criminals, and there are limits to how well an individual victim can respond, even when well prepared. In the end, the defender is at a disadvantage in this fight: the attacker consumes resources only briefly for an attack, whereas the defender must maintain enough infrastructure to cope with sporadic and instantaneous attacks. Being in this vulnerable position, the defending side has to think hard about how to win this fight.

The solution is not out of reach. Introducing a cloud DDoS defense service helps immensely. The user saves costs because they do not have to independently maintain a large-scale infrastructure, and the head of enterprise IT is relieved of the operational burden because defense experts provide 24x7 support. In addition, the user benefits from the know-how about defending against attacks that has been accumulated across other companies. Cloud infrastructure is an absolute must for the DDoS defense system of each individual enterprise.

CDNetworks provides a cloud security service that can block DDoS attacks, automated bot access and web vulnerability attacks using multi-stage protection functions, with a CDN-based cloud web firewall optimized for DDoS prevention. CDNetworks delivers its DDoS defense service to a wide range of enterprises, with its dedicated experts handling more than 500 malicious incidents a year.


About CDNetworks

CDNetworks is a global content delivery network (CDN) with a fully integrated cloud solution, offering unparalleled speed, security and reliability for the almost instant delivery of web content. Optimised for any device, browser and network, we ensure all users have a fast and safe web experience - whether you’re serving B2B or B2C customers, mobile employees or remote offices.

CDNetworks accelerates and secures websites and web applications over our strategically built network of global PoPs in both established and emerging markets. We specialise in those parts of the world where keeping a website accessible is most difficult: Mainland China, Russia, South East Asia and the Middle East.

No matter where you are and which device is being used, our in-country experts can advise you on licensing requirements and regulations to deliver the best web experience to your users.

Since 2000, we have been providing our customers with exceptional customer services and support, thanks to our team of dedicated tech engineers located across the globe. Businesses with an international web presence trust CDNetworks to protect their websites, web applications and cloud services.

CDNetworks has offices located in the UK, France, Germany, US, South Korea, China, Japan, and Singapore.

https://www.cdnetworks.com

Copyright notice

CopyrightⓒCDNetworks. All rights reserved.

CDNetworks retains the copyright of this document, and no portion of this document may be quoted or distributed without prior consent. All information contained in this document is subject to change without notice.


Global Offices

US 1919 S. Bascom Avenue, Ste. 600, Campbell, CA 95008-2220 +1 408 228 3700

EMEA 85 Gresham Street, London EC2V 7NQ, UK +44 203 657 2727

Korea 2F, 37, Teheran-ro 8-gil, Gangnam-Gu, Seoul (06239) +82 2 3441 0400

Japan Nittochi Nishi-shinjuku Building, 8th Floor, 6-10-1Nishishinjuku, Shinjuku-ku, Tokyo 160-0023 +81 3 5909 3373

China 1502 Tower A, High-Tech Bldg. 900 Yishan Rd, Xuhui District, Shanghai +86 21 5423 4802-102

Singapore Winsland House I, 3 Killiney Rd, #04-05, Singapore 239519 +65 6908 1198