VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VOLUME 4, ISSUE 4 – 4TH QUARTER 2017 Complimentary report supplied by


CONTENTS

EXECUTIVE SUMMARY

VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q4 2017
  DDoS Attacks Vary in Speed and Complexity
  Multi-Vector DDoS Attacks Remain Constant
  Types of DDoS Attacks
  Largest Volumetric Attack and Highest Intensity Flood Attack

FEATURE ARTICLE
  Collaboration is Critical for Effective DDoS Mitigation


EXECUTIVE SUMMARY

This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services during the fourth quarter of 2017 from October 1, 2017 through December 31, 2017 (Q4 2017). This report offers a unique view into the attack trends unfolding online, including attack statistics and behavioral trends for the Q4 2017 quarter.*

Verisign observed the following key trends in Q4 2017:


Number of Attacks: 25% decrease compared to the third quarter of 2017 from July 1, 2017 through September 30, 2017 (Q3 2017)

Largest Attack Peak Size: Volume: 53 Gigabits per second (Gbps); Speed: 5 Million packets per second (Mpps)

Average of Attack Peak Sizes: 7.6 Gbps; 850% increase compared to Q3 2017, but a 32% year-over-year decrease compared to Q4 2016; 40% of attacks over 5 Gbps

Most Common Attack Type Mitigated: 42% of attacks were User Datagram Protocol (UDP) floods; 82% of attacks employed multiple attack types; 46% of attacks employed five or more attack types


VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q4 2017

DDoS Attacks Vary in Speed and Complexity

Verisign observed a 25 percent decrease in the number of attacks in Q4 2017 compared to Q3 2017 and an 850 percent increase in the average of attack peak sizes. This large increase is partially attributed to the historically low average of attack peak sizes observed in Q3 2017. From Q4 2016 to Q4 2017, Verisign observed a year-over-year decrease of 32 percent in the average of attack peak sizes. Verisign also observed that 25 percent of customers who experienced DDoS attacks in Q4 2017 were targeted multiple times during the quarter. While the number of DDoS attacks has continued to decrease from quarter to quarter, DDoS attacks remain unpredictable in speed and complexity.

Figure 1: Mitigation Peaks by Quarter from Q1 2016 to Q4 2017 [1] (chart; x-axis: quarters Q1 2016 through Q4 2017; y-axis: Percent of Attacks, 0 to 100; categories: >10 Gbps, >5<10 Gbps, >1<5 Gbps, <1 Gbps)

Attack Size: 67% peaked over 1 Gbps

1 Notice of Correction: In the previously published Verisign Distributed Denial of Service Trends Report, Volume 3, Issue 2 – 2nd Quarter 2016, a clerical error was made in the graphic titled Figure 1: Mitigation Peaks by Quarter from Q3 2014 to Q2 2016 (“Figure 1”). In the column labeled “Q2 2016” in Figure 1, the colors indicating mitigation peaks between “>1<5 Gbps” (green) and “>5<10Gbps” (yellow) were erroneously switched in the original publication. Figure 1 should have reflected that there were more mitigation peaks between “>1<5 Gbps” than between “>5<10Gbps”. The original publication has been corrected with an accurate graphic.


Average of Attack Peak Sizes

Figure 2: Average of Attack Peak Sizes by Quarter from Q1 2016 to Q4 2017

Quarter    Average of attack peak sizes (Gbps)
Q1 2016    19.4
Q2 2016    17.4
Q3 2016    12.8
Q4 2016    11.2
Q1 2017    14.1
Q2 2017    2.7
Q3 2017    0.8
Q4 2017    7.6

7.6 Gbps: 850% increase in average of attack peak sizes compared to Q3 2017


Multi-Vector DDoS Attacks Remain Constant

Eighty-two percent of DDoS attacks mitigated by Verisign in Q4 2017 employed multiple attack types. Verisign observed attacks targeting networks at multiple layers and attack types that changed over the course of a DDoS event. Today’s DDoS attacks require continuous monitoring to optimize mitigation strategies.

82% of DDoS attacks in Q4 2017 utilized at least two different attack types

Figure 3: Number of Attack Types per DDoS Event in Q4 2017 (chart; categories: 1 Attack Type, 2 Attack Types, 3 Attack Types, 4 Attack Types, 5+ Attack Types; segment values shown: 18%, 18%, 9%, 9%, 46%)


Types of DDoS Attacks

Continuing the trend, UDP flood attacks were the most common attack vector in Q4 2017, accounting for 42 percent of total attacks in the quarter. The most common UDP floods included Domain Name System (DNS), Network Time Protocol (NTP), Lightweight Directory Access Protocol (LDAP) and Simple Service Discovery Protocol (SSDP) reflective amplification attacks.

42% of attacks were UDP FLOODS

Figure 4: Types of DDoS Attacks in Q4 2017 (chart; categories: IP Fragment Attacks, TCP Based, UDP Based, Layer 7, Other; segment values shown: 30%, 12%, 14%, 2%, 42%)


Mitigations on Behalf of Verisign Customers by Industry for Q4 2017 [2]

Industry                             Share of mitigations
IT Services/Cloud/SaaS               33%
Media and Entertainment/Content      7%
Telecom                              13%
Financial                            40%
E-Commerce and Online Advertising    7%

Average attack sizes shown in the graphic: 1.9 Gbps, <1 Gbps, 1.7 Gbps, 13 Gbps, 22.2 Gbps

2 The attacks reported by industry in this report are solely a reflection of the Verisign DDoS Protection Service customer base.

Largest Volumetric Attack and Highest Intensity Flood Attack

The largest volumetric and highest intensity DDoS attack observed by Verisign in Q4 2017 was a multi-vector attack that peaked at approximately 53 Gbps and over 5 Mpps. This attack sent a flood of traffic to the targeted network for about an hour. The attack consisted of a wide range of attack vectors including TCP SYN and TCP RST floods, DNS amplification attacks, Internet Control Message Protocol (ICMP) floods and invalid packets.


3 https://datatracker.ietf.org/wg/dots/about/

4 https://tools.ietf.org/html/draft-ietf-dots-use-cases-00

FEATURE ARTICLE

COLLABORATION IS CRITICAL FOR EFFECTIVE DDoS MITIGATION

Collaboration is vital for effective distributed denial of service (DDoS) mitigation. A mitigation response could often benefit from the involvement of a number of stakeholders, including Internet Service Providers (ISPs), DDoS mitigation providers, Content Delivery Networks (CDNs), various cloud providers and an organization’s internal mitigation team. In an ideal scenario, all groups could work to mitigate the DDoS attack and bring the organization’s critical systems back to optimal levels as quickly as possible.

This level of complex coordination has traditionally been carried out using telephones and emails. However, there are other options for mitigation providers to help facilitate automated collaboration during a DDoS mitigation. A standard method of signaling for mitigation assistance upstream could simplify and streamline the process of coordinating the many components usually deployed in a DDoS mitigation. This is where DDoS Open Threat Signaling (DOTS) comes into play. DOTS, an Internet Engineering Task Force (IETF) working group [3], is standardizing a protocol that addresses multiple DDoS use cases [4]. This ultimately will allow an automated (and distributed) call for mitigation or help to be triggered from an operator upstream or to its mitigation service or cloud providers. Providers may then use the same protocol to coordinate a response among their own partners and peers.

Under the DOTS framework, a client-side application can be built into on-premise DDoS mitigation appliances for hybrid deployment. This application can also be tied to an enterprise monitoring or management system. When an attack threshold is reached or a policy event matched, the DOTS mitigation request is triggered and sent to the service provider with some information about the attack. The DDoS provider can then use this information to build a suitable mitigation response to protect targeted systems. A key feature of the DOTS framework is that it is not attached to a specific vendor or service provider. The DOTS framework is available for implementation with any client or server. Under the DOTS framework, any client–such as an application, a router, a switch or a firewall–can signal between each other.
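An added illustration of the trigger described above (not code from Verisign or the DOTS working group): a client that signals only after a target stays over a threshold for several consecutive samples, then builds a mitigation request. The body's field names follow the DOTS signal channel data model as later published in RFC 9132; the thresholds, addresses and traffic samples are constructed, and the transport (CoAP over DTLS or TLS in the specification) is left out.

```python
import json
from collections import defaultdict

# Assumed policy values for illustration (not taken from the report).
BPS_LIMIT = 5_000_000_000   # 5 Gbps
PPS_LIMIT = 1_000_000       # 1 Mpps
SUSTAIN = 3                 # consecutive over-limit samples before signalling
LIFETIME_S = 3600           # requested mitigation lifetime in seconds

# Constructed samples: (second, target prefix, IP protocol, dst port, bits/s, packets/s)
SAMPLES = [
    (0, "192.0.2.10/32", 17, 53, 0.4e9, 0.1e6),
    (1, "192.0.2.10/32", 17, 53, 6.1e9, 0.9e6),
    (2, "192.0.2.10/32", 17, 53, 7.6e9, 1.4e6),
    (3, "198.51.100.7/32", 6, 443, 0.2e9, 1.2e6),   # short burst on another target
    (4, "192.0.2.10/32", 17, 53, 9.0e9, 2.0e6),
    (5, "198.51.100.7/32", 6, 443, 0.1e9, 0.2e6),
]

def mitigation_requests(samples):
    """Return one request per target whose traffic stays over a limit."""
    streak = defaultdict(int)   # consecutive over-limit samples per target
    signalled = set()           # targets already signalled, to avoid repeats
    requests = []
    for _, prefix, proto, port, bps, pps in samples:
        over = bps > BPS_LIMIT or pps > PPS_LIMIT
        streak[prefix] = streak[prefix] + 1 if over else 0
        if streak[prefix] >= SUSTAIN and prefix not in signalled:
            signalled.add(prefix)
            requests.append({
                # In the specification the mitigation id travels in the request path.
                "mid": len(requests) + 1,
                "body": {"ietf-dots-signal-channel:mitigation-scope": {"scope": [{
                    "target-prefix": [prefix],
                    "target-port-range": [{"lower-port": port}],
                    "target-protocol": [proto],
                    "lifetime": LIFETIME_S,
                }]}},
            })
    return requests

if __name__ == "__main__":
    print(json.dumps(mitigation_requests(SAMPLES), indent=2))
```

Requiring a sustained breach keeps a one-sample spike, like the one on the second constructed target, from triggering an upstream mitigation request.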


Enterprises will be able to deploy an on-premise DDoS mitigation system and have it signal to any service or cloud provider when significant DDoS events require high-capacity DDoS mitigation support, or when they prefer to have a third-party cloud provider handle the mitigation. Verisign currently offers a similar solution with the Verisign OpenHybrid™ platform. Through an API, the Verisign OpenHybrid™ platform seamlessly integrates with existing on-premise and cloud environments for faster DDoS mitigation. In addition, the DOTS framework is designed to be sustainable into the future. During a large DDoS attack, internet links may get congested. The DOTS framework is designed to maintain availability throughout DDoS attacks. The DOTS working group effort continues today and welcomes contributions from across the telecommunications and cybersecurity industries.

TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS.

About Verisign

Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world’s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net top-level domains and two of the internet’s root servers, as well as performs the root zone maintainer function for the core of the internet’s Domain Name System (DNS). Verisign’s Security Services include Distributed Denial of Service Protection and Managed DNS. To learn more about what it means to be Powered by Verisign, visit Verisign.com.

*The information in this Verisign Distributed Denial of Service Trends Report (this “Report”) is believed by Verisign to be accurate at the time of publishing based on currently available information. All information in this Report is solely a reflection of the observations and insights derived from the DDoS attack mitigations enacted on behalf of, and in cooperation with, the customers of Verisign DDoS Protection Services. Verisign provides this Report for your use in “AS IS” condition and at your own risk. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose.


Verisign Public VRSN_DDoS_TR_Q4-17_Axians_201803

Verisign.com

© 2018 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.