Knowledge Center Ddos Attack Report 2014 q1 Spotlight Presentation


  • www.prolexic.com

    Attack Spotlight: Q1's Record-setting DDoS Attack

  • Overview

    In Q1 2014, Prolexic successfully mitigated the largest Distributed Denial of Service (DDoS) attack campaign to ever cross its network.

    The attackers used a combination of Network Time Protocol (NTP) reflection and Domain Name Service (DNS) reflection as the main attack vectors.

    Variations of the POST flood attack were also used.

    The attack exceeded 10 hours in duration and was directed at a European Internet media company.

    This campaign peaked at more than 200 Gbps and 53.5 Mpps.


  • DDoS techniques involved

    PLXsert identified the latest NTP and DNS reflection attack tools, as well as the popular DDoS toolkit known as Drive, in the attack.

    The NTP and DNS protocols are susceptible to abuse by malicious actors, producing highly amplified results.

    Drive, a DIRT Jumper variant, utilizes a traditional botnet architecture achieved through malware infection.

  • Validated attack vectors

    POST1 & POST2 floods, which target Layer 7 (application layer)

    DNS reflection, which targets Layer 3 & Layer 4 (infrastructure layer)

    NTP monlist reflection, which targets Layer 3 and Layer 4


  • Validated attack vectors (cont.)

    DNS ANY request flood and NTP reflection attack signatures were detected during the campaign.

    An application layer attack (Layer 7) generated multiple HTTP POST requests with several different signatures, attempting to evade DDoS mitigation technologies.

    The POST flood Layer 7 attacks appeared to match those generated by the DIRT Jumper Drive malware.
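    As an added defender-side illustration (not part of the Prolexic presentation), the following Python classifies UDP payloads as the two reflection vectors the slides name, an NTP mode-7 monlist request and a DNS ANY query, the way an ingress filter or IDS rule would flag them before they reach a reflector; the port numbers, the sample datagrams and the label names are assumptions constructed for this example.

```python
import struct

NTP_MONLIST_REQ_CODE = 42   # REQ_MON_GETLIST_1 in the NTP mode-7 private protocol
DNS_QTYPE_ANY = 255         # QTYPE used by the DNS ANY request flood

def is_ntp_monlist_request(payload: bytes) -> bool:
    """NTP mode-7 request whose request code is monlist (the abused vector)."""
    if len(payload) < 8:
        return False
    first, req_code = payload[0], payload[3]
    is_response = bool(first & 0x80)   # bit 7: response flag
    mode = first & 0x07                # bits 0-2: mode, 7 = private/control
    return mode == 7 and not is_response and req_code == NTP_MONLIST_REQ_CODE

def dns_query_qtype(payload: bytes):
    """QTYPE of the first question in a DNS query, or None if not a plain query."""
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:  # QR=1 means this is a response
        return None
    pos = 12                            # walk the QNAME labels
    while pos < len(payload) and payload[pos] != 0:
        if payload[pos] & 0xC0:         # compression pointer: not valid in a question
            return None
        pos += 1 + payload[pos]
    pos += 1                            # skip the terminating zero label
    if pos + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return qtype

def classify_datagram(dst_port: int, payload: bytes) -> str:
    """Label a UDP datagram seen at the ingress edge; 'ok' means nothing flagged."""
    if dst_port == 123 and is_ntp_monlist_request(payload):
        return "ntp-monlist-request"
    if dst_port == 53 and dns_query_qtype(payload) == DNS_QTYPE_ANY:
        return "dns-any-query"
    return "ok"

def build_dns_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed sample: minimal single-question DNS query (RD flag set)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

# Constructed sample datagrams (assumptions, not captures from the campaign)
NTP_MONLIST = bytes([0x17, 0x00, 0x03, 0x2A]) + b"\x00" * 4   # mode 7, impl 3, req 42
NTP_CLIENT = bytes([0x1B]) + b"\x00" * 47                    # ordinary v3 client poll
DNS_ANY = build_dns_query("example.com", DNS_QTYPE_ANY)
DNS_A = build_dns_query("example.com", 1)
```

    A real deployment would feed `classify_datagram` from a packet capture and count flagged sources per reflector, which is what turns a signature into a rate-limit or block decision.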


  • Analysis of associated malware

    The Drive variant associated with this campaign supports nine attack vectors: GET, POST1, POST2, IP, IP2, UDP, request, timeout and thread.

  • Analysis of sourced traffic

    The majority of DNS reflectors were from the United States, as well as Russia and Brazil.

    The principal sources of the application attacks were identified as Turkey, Iran and Argentina.

    PLXsert verified that the majority of sources from these countries match CPE (customer premises equipment) device signatures.

  • Attack traffic at Prolexic scrubbing centers


  • Q1 2014 Global Attack Report

    Download the Q1 2014 Global DDoS Attack Report. The Q1 2014 report covers:

    Analysis of recent DDoS attack trends

    Breakdown of average Gbps/Mpps statistics

    Year-over-year and quarter-by-quarter analysis

    Types and frequency of application layer attacks

    Types and frequency of infrastructure attacks

    Trends in attack frequency, size and sources

    Where and when DDoSers launch attacks

    Case study and analysis

  • About Prolexic

    Prolexic Technologies, now part of Akamai, has successfully stopped DDoS attacks for more than a decade.

    Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks, those that exceed the capabilities of other DDoS mitigation service providers.
