www.prolexic.com
Attack Spotlight: Q1’s Record-setting DDoS Attack
Overview
• In Q1 2014, Prolexic successfully mitigated the largest Distributed Denial of Service (DDoS) attack campaign to ever cross its network
• The attackers used a combination of Network Time Protocol (NTP) reflection and Domain Name Service (DNS) reflection as the main attack vectors
• Variations of the POST flood attack were also used
• The attack exceeded 10 hours in duration and was directed at a European Internet media company
• This campaign peaked at more than 200 Gbps and 53.5 Mpps
DDoS techniques involved
• PLXsert identified the latest NTP and DNS reflection attack tools, as well as a popular DDoS toolkit known as Drive, in the attack
• The NTP and DNS protocols are susceptible to abuse by malicious actors, producing highly amplified results
• Drive, a DIRT Jumper variant, utilizes a traditional botnet architecture achieved through malware infection
Validated attack vectors
• POST1 & POST2 floods, which target Layer 7 (application layer)
• DNS reflection, which targets Layer 3 & Layer 4 (infrastructure layer)
• NTP monlist reflection, which targets Layer 3 and Layer 4
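Reflection attacks of the kind listed above share a traffic shape a defender can look for: unsolicited UDP responses arriving from the service port (123 for NTP, 53 for DNS) at many distinct reflector addresses, all aimed at one victim, with an unusually large average packet size. The script below is an added example and is not Prolexic's code or tooling; it parses a constructed flow-record format (source, destination, protocol, packet and byte counts, written here in a made-up one-line form) and flags destination/service pairs that match that shape. The thresholds (minimum reflectors, minimum average bytes per packet) are illustrative assumptions, not values from the report.

```python
"""Flag likely NTP/DNS reflection traffic in flow records (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records in an ad-hoc format: "src:port > dst:port PROTO packets bytes".
# Addresses are from RFC 5737 documentation ranges; none of this is real campaign data.
SAMPLE_LINES = [
    "198.51.100.1:123 > 203.0.113.10:5060 UDP 100 48200",   # NTP monlist-style responses
    "198.51.100.2:123 > 203.0.113.10:5060 UDP 100 48200",
    "198.51.100.3:123 > 203.0.113.10:5060 UDP 100 48200",
    "198.51.100.4:123 > 203.0.113.10:5060 UDP 100 48200",
    "198.51.100.20:53 > 203.0.113.10:5060 UDP 10 31000",    # large DNS ANY-style answers
    "198.51.100.21:53 > 203.0.113.10:5060 UDP 10 31000",
    "198.51.100.22:53 > 203.0.113.10:5060 UDP 10 31000",
    "198.51.100.50:53 > 203.0.113.11:49152 UDP 1 120",      # ordinary DNS answer to a client
    "198.51.100.60:123 > 203.0.113.11:45000 UDP 1 90",      # ordinary NTP time reply
    "203.0.113.11:49152 > 198.51.100.50:53 UDP 1 60",       # outbound query, not a response
]

# Service ports whose responses are commonly abused as reflectors (assumed mapping for this example).
REFLECTOR_PORTS = {123: "NTP", 53: "DNS"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line into a Flow record."""
    src, arrow, dst, proto, packets, nbytes = line.split()
    if arrow != ">":
        raise ValueError(f"unexpected flow line: {line!r}")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto, int(packets), int(nbytes))


def parse_flows(lines):
    return [parse_flow(line) for line in lines]


def detect_reflection(flows, min_reflectors=3, min_avg_bytes=400):
    """Group inbound UDP traffic from reflector service ports by (service, victim).

    Alert when many distinct reflectors send large-packet responses to the same
    destination: that combination is the signature of an amplified reflection flood,
    whereas a single resolver or time server answering a client is not.
    """
    groups = defaultdict(list)
    for f in flows:
        if f.proto != "UDP" or f.src_port not in REFLECTOR_PORTS:
            continue
        groups[(REFLECTOR_PORTS[f.src_port], f.dst_ip)].append(f)

    alerts = []
    for (service, dst_ip), fs in groups.items():
        reflectors = {f.src_ip for f in fs}
        packets = sum(f.packets for f in fs)
        total_bytes = sum(f.bytes for f in fs)
        avg = total_bytes / packets
        if len(reflectors) >= min_reflectors and avg >= min_avg_bytes:
            alerts.append({
                "service": service,
                "victim": dst_ip,
                "reflectors": len(reflectors),
                "packets": packets,
                "bytes": total_bytes,
                "avg_bytes_per_packet": avg,
            })
    return sorted(alerts, key=lambda a: a["service"])


if __name__ == "__main__":
    for alert in detect_reflection(parse_flows(SAMPLE_LINES)):
        print(alert)
```

On the constructed input the two reflection groups aimed at 203.0.113.10 are reported and the single ordinary DNS and NTP replies to 203.0.113.11 are not. In production the same logic would run over NetFlow/sFlow exports rather than text lines, and the byte threshold would be tuned to what a legitimate response from each service looks like on the monitored network.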
Validated attack vectors (cont.)
• DNS ANY request flood and NTP reflection attack signatures were detected during the campaign
• An application layer attack (Layer 7) generated multiple HTTP (POST) requests with several different signatures, attempting to evade DDoS mitigation technologies
• The POST flood Layer 7 attacks appeared to match those generated by the DIRT Jumper Drive malware
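The Layer 7 behaviour described on this slide, many HTTP POST requests from one source with rotating request signatures, is visible in ordinary web server access logs. The script below is an added example, not Prolexic's code or a Drive signature; it parses constructed Apache/nginx combined-format log lines, counts the densest burst of POST requests each client sends within a short window, and counts how many distinct User-Agent strings that client used. Both thresholds and the window length are illustrative assumptions. A client that floods POSTs while cycling through several User-Agents is flagged; a client that posts occasionally with one consistent agent is not.

```python
"""Spot POST floods with rotating signatures in access logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-log-format lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '198.51.100.77 - - [10/Mar/2014:10:00:00 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '198.51.100.77 - - [10/Mar/2014:10:00:01 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.77 - - [10/Mar/2014:10:00:02 +0000] "POST /search HTTP/1.1" 200 914 "-" "Opera/9.80"',
    '198.51.100.77 - - [10/Mar/2014:10:00:03 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '198.51.100.77 - - [10/Mar/2014:10:00:04 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.77 - - [10/Mar/2014:10:00:05 +0000] "POST /search HTTP/1.1" 200 914 "-" "Opera/9.80"',
    '198.51.100.77 - - [10/Mar/2014:10:00:06 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '198.51.100.77 - - [10/Mar/2014:10:00:07 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Macintosh)"',
    '203.0.113.5 - - [10/Mar/2014:10:00:30 +0000] "POST /comment HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Macintosh)"',
    '203.0.113.9 - - [10/Mar/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "curl/7.35.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any interval of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_post_flood(lines, window_seconds=10, min_posts=5, min_signatures=2):
    """Flag clients whose POST burst rate and signature rotation both exceed thresholds."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            by_ip[rec["ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        burst = max_in_window([r["ts"] for r in recs], timedelta(seconds=window_seconds))
        user_agents = {r["ua"] for r in recs}
        if burst >= min_posts and len(user_agents) >= min_signatures:
            alerts.append({"ip": ip, "posts_in_window": burst, "user_agents": len(user_agents)})
    return alerts


if __name__ == "__main__":
    for alert in detect_post_flood(SAMPLE_LOG):
        print(alert)
```

The User-Agent rotation is the discriminator that matters here: a busy but legitimate client usually presents one agent string, while a bot cycling signatures to slip past filters presents several from the same address within seconds. The same grouping can be keyed on other rotating fields (path, Content-Length, Referer) if the observed flood varies those instead.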
Analysis of associated malware
• The Drive variant associated with this campaign supports nine attack vectors:
– GET
– POST1
– POST2
– IP
– IP2
– UDP
– request
– timeout
– thread
CONFIDENTIAL
Analysis of sourced traffic
• The majority of DNS reflectors were from the United States, as well as Russia and Brazil
• The principal sources of the application attacks were identified as Turkey, Iran and Argentina
• PLXsert verified that the majority of sources from these countries match CPE device signatures
Attack traffic at Prolexic scrubbing centers
Q1 2014 Global Attack Report
• Download the Q1 2014 Global DDoS Attack Report
• The Q1 2014 report covers:
– Analysis of recent DDoS attack trends
– Breakdown of average Gbps/Mpps statistics
– Year-over-year and quarter-by-quarter analysis
– Types and frequency of application layer attacks
– Types and frequency of infrastructure attacks
– Trends in attack frequency, size and sources
– Where and when DDoSers launch attacks
– Case study and analysis
About Prolexic
• Prolexic Technologies, now part of Akamai, has successfully stopped DDoS attacks for more than a decade
• Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers