Transcript
Page 1: DDoS Attack Spotlight | Record-setting DDoS Attack | Prolexic Podcast

www.prolexic.com

Attack Spotlight: Q1’s Record-setting DDoS Attack

Page 2

Overview

• In Q1 2014, Prolexic successfully mitigated the largest Distributed Denial of Service (DDoS) attack campaign to ever cross its network

• The attackers used a combination of Network Time Protocol (NTP) reflection and Domain Name System (DNS) reflection as the main attack vectors

• Variations of the POST flood attack were also used

• The attack exceeded 10 hours in duration and was directed at a European Internet media company

• This campaign peaked at more than 200 Gbps and 53.5 Mpps

Page 3

DDoS techniques involved

• PLXsert identified the latest NTP and DNS reflection attack tools, as well as the popular DDoS toolkit known as Drive, in the attack

• The NTP and DNS protocols are susceptible to abuse as reflectors by malicious actors, producing highly amplified responses

• Drive, a DIRT Jumper variant, uses a traditional botnet architecture built from malware-infected hosts

Page 4

Validated attack vectors

• POST1 & POST2 floods, which target Layer 7 (application layer)

• DNS reflection, which targets Layer 3 and Layer 4 (infrastructure layer)

• NTP monlist reflection, which targets Layer 3 and Layer 4 (infrastructure layer)
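The two infrastructure-layer vectors above are both reflection attacks: a small spoofed request to a third-party server produces a large reply that lands on the victim. As an added example, not code from Prolexic or PLXsert, the block below shows what the NTP mode-7 monlist request looks like on the wire, how to recognise a DNS ANY question, and a flow-level check that keys on the victim address rather than any single source. All packets, flow records and thresholds are constructed for illustration.

```python
"""Recognising NTP monlist and DNS ANY reflection traffic.
Added illustration for this page, not Prolexic/PLXsert code: every packet and
flow record is constructed, and the detection thresholds are assumptions."""
import struct
from collections import defaultdict

# NTP mode-7 monlist request as sent to open reflectors: byte0 = version 2 |
# mode 7 (0x17), byte1 = sequence 0, byte2 = implementation XNTPD (3),
# byte3 = request code REQ_MON_GETLIST_1 (42), then four zero bytes.
NTP_MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0x00, 0x00, 0x00, 0x00])
QTYPE_ANY = 255
REFLECTOR_PORTS = {123: "ntp", 53: "dns"}


def classify_ntp_mode7(payload: bytes):
    """Return 'monlist-request', 'monlist-response' or None for a UDP/123 payload."""
    if len(payload) < 8:
        return None
    mode, impl, req_code = payload[0] & 0x07, payload[2], payload[3]
    if mode != 7 or impl != 3 or req_code != 42:
        return None
    return "monlist-response" if payload[0] & 0x80 else "monlist-request"


def build_dns_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode() for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def dns_question_qtype(payload: bytes):
    """QTYPE of the first question, or None when the packet is malformed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        return None
    pos = 12
    while pos < len(payload) and payload[pos] != 0:
        if payload[pos] & 0xC0:  # compression pointer: not valid in a query name
            return None
        pos += 1 + payload[pos]
    pos += 1  # skip the terminating zero-length label
    if pos + 4 > len(payload):
        return None
    return struct.unpack("!H", payload[pos:pos + 2])[0]


# Constructed NetFlow-style records:
# (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
# The 468-byte NTP packets are roughly the size of a full monlist reply; the
# 1200-byte DNS packets stand in for ANY answers from open resolvers.
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 80, "udp", 100, 46800),
    ("198.51.100.11", 123, "203.0.113.5", 80, "udp", 100, 46800),
    ("198.51.100.12", 123, "203.0.113.5", 80, "udp", 100, 46800),
    ("192.0.2.20", 53, "203.0.113.5", 80, "udp", 40, 48000),
    ("192.0.2.21", 53, "203.0.113.5", 80, "udp", 40, 48000),
    ("192.0.2.30", 53, "203.0.113.9", 34567, "udp", 2, 180),  # ordinary DNS answer
    ("192.0.2.40", 443, "203.0.113.9", 50000, "tcp", 30, 12000),
]


def detect_reflection(flows, min_sources=3, min_avg_bytes=400):
    """Flag destinations hit by large UDP packets from many NTP/DNS source ports.
    Reflected floods arrive from port 123/53 of many unrelated hosts, so the
    grouping key is the victim address, never a single source."""
    by_victim = defaultdict(lambda: {"sources": set(), "services": set(), "packets": 0, "bytes": 0})
    for src, sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        v = by_victim[dst]
        v["sources"].add(src)
        v["services"].add(REFLECTOR_PORTS[sport])
        v["packets"] += pkts
        v["bytes"] += nbytes
    alerts = {}
    for dst, v in by_victim.items():
        avg = v["bytes"] / v["packets"]
        if len(v["sources"]) >= min_sources and avg >= min_avg_bytes:
            alerts[dst] = {"reflectors": len(v["sources"]), "services": sorted(v["services"]),
                           "avg_packet_bytes": round(avg, 1)}
    return alerts


def avg_packet_bytes(gbps: float, mpps: float) -> float:
    """Average packet size implied by a bit rate and a packet rate; the slide's
    200 Gbps at 53.5 Mpps works out to about 467 bytes per packet."""
    return gbps * 1e9 / (mpps * 1e6) / 8


if __name__ == "__main__":
    print(classify_ntp_mode7(NTP_MONLIST_REQUEST))
    print(dns_question_qtype(build_dns_query("example.com", QTYPE_ANY)))
    print(detect_reflection(SAMPLE_FLOWS))
    print(round(avg_packet_bytes(200, 53.5)))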

Page 5

Validated attack vectors (cont)

• DNS ANY request flood and NTP reflection attack signatures were detected during the campaign

• An application layer attack (Layer 7) generated multiple HTTP (POST) requests with several different signatures, attempting to evade DDoS mitigation technologies

• The POST flood Layer 7 attacks appeared to match those generated by the DIRT Jumper Drive malware
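Because the Layer 7 flood rotated request signatures to slip past signature-based filtering, a useful counter-check is to key on POST rate per source and treat signature diversity from one source as a further indicator rather than a reason to suppress the alert. The block below is an added example, not Prolexic or PLXsert code: the access-log lines are constructed in Apache combined format, and the ten-second window and ten-request threshold are assumptions to tune against real traffic.

```python
"""Rate-based detection of a multi-signature HTTP POST flood.
Added illustration for this page, not Prolexic/PLXsert code: the log lines
are constructed and the window/threshold values are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed attacker traffic: one source, twelve POSTs in six seconds,
# cycling two paths and three User-Agent strings (six distinct signatures).
ATTACK_UAS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Opera/9.80 (Windows NT 6.1) Presto/2.12 Version/12.16",
    "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0",
]
ATTACK_PATHS = ["/index.php", "/login.php"]
SAMPLE_LOG = [
    f'203.0.113.77 - - [10/Mar/2014:12:00:{i // 2:02d} +0000] '
    f'"POST {ATTACK_PATHS[i % 2]} HTTP/1.1" 200 512 "-" "{ATTACK_UAS[i % 3]}"'
    for i in range(12)
] + [
    # Constructed legitimate visitor: a page view and one form submission.
    '198.51.100.5 - - [10/Mar/2014:12:00:03 +0000] "GET /news/42 HTTP/1.1" 200 18234 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"',
    '198.51.100.5 - - [10/Mar/2014:12:00:09 +0000] "POST /comment HTTP/1.1" 302 0 '
    '"http://www.example.test/news/42" "Mozilla/5.0 (X11; Linux x86_64; rv:27.0) Gecko/20100101 Firefox/27.0"',
]


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def post_flood_sources(lines, window_seconds=10, threshold=10):
    """Return {ip: {...}} for sources whose POST count inside any sliding
    window reaches the threshold, with the number of distinct
    (path, User-Agent) signatures each such source used."""
    posts = defaultdict(list)
    signatures = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        posts[rec["ip"]].append(rec["ts"])
        signatures[rec["ip"]].add((rec["path"], rec["ua"]))

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        peak, j = 0, 0
        for i in range(len(times)):  # two-pointer sliding window over sorted timestamps
            while j < len(times) and (times[j] - times[i]).total_seconds() < window_seconds:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[ip] = {"peak_posts": peak, "signatures": len(signatures[ip])}
    return flagged


if __name__ == "__main__":
    print(post_flood_sources(SAMPLE_LOG))
```

Run against a real log, the interesting output is the signature count: a single client legitimately submitting forms will show one or two (path, User-Agent) pairs, whereas a bot that rotates User-Agent strings to defeat a static rule will show many. Thresholds should be set per site from normal POST rates, and sources behind large NATs or proxies (the CPE-heavy attack sources described later in this deck are a reminder that one address can be many users) deserve a higher bar before blocking.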

Page 6

Analysis of associated malware

• The Drive variant associated with this campaign supports nine attack vectors:
  – GET
  – POST1
  – POST2
  – IP
  – IP2
  – UDP
  – request
  – timeout
  – thread


Page 7

Analysis of sourced traffic

• The majority of DNS reflectors were from the United States, as well as Russia and Brazil

• The principal sources of the application attacks were identified as Turkey, Iran and Argentina

• PLXsert verified that the majority of sources in these countries match customer premises equipment (CPE) device signatures

Page 8

Attack traffic at Prolexic scrubbing centers

Page 9

Q1 2014 Global Attack Report

• Download the Q1 2014 Global DDoS Attack Report

• The Q1 2014 report covers:
  – Analysis of recent DDoS attack trends
  – Breakdown of average Gbps/Mpps statistics
  – Year-over-year and quarter-by-quarter analysis
  – Types and frequency of application layer attacks
  – Types and frequency of infrastructure attacks
  – Trends in attack frequency, size and sources
  – Where and when DDoSers launch attacks
  – Case study and analysis


Page 10

About Prolexic

• Prolexic Technologies, now part of Akamai, has successfully stopped DDoS attacks for more than a decade

• Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers

