
Q3 2014 DDoS Trends Report


Verisign has a unique view into distributed denial of service (DDoS) attack trends, including attack statistics, behavioral trends and future outlook. The data below contains observations and insights about attack size and frequency derived from mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services, together with insights from iDefense Security Intelligence Services, for July through September 2014.


Executive Summary

For the period starting July 1, 2014 and ending Sept. 30, 2014, Verisign observed the following key trends:

• Attacks exceeding 10 Gbps in size increased in frequency to account for more than 20% of all mitigations.

• Attackers were persistent in launching attacks against targeted customers, averaging more than three separate attempts per target.

• The most frequently targeted industry this quarter was Media and Entertainment, representing more than 50% of all mitigation activity.

• The largest attacks observed this quarter targeted the E-Commerce/Online Advertising industry, the largest peaking at more than 90 Gbps.


Attack Stats

Mitigations by Attack Size:

• Q3 attacks averaged 6.46 Gbps, a 65% increase in average attack size from Q1 2014.

• The number of attacks of 10 Gbps and above grew by 38% over Q2.

• Largest volumetric UDP-based attack: 90 Gbps; largest TCP-based attack: more than 30 Gbps.

Mitigations by Vertical:

• Media and Entertainment had the largest volume of attacks, peaking at just over 20 Gbps in Q3.

• E-Commerce/Online Advertising was attacked less frequently, but had the largest attack of the quarter at over 90 Gbps.

Increased Attack Frequency:

• Q3 saw more than three attacks per targeted customer.


Feature: SSDP Used for Reflection Attacks

In Q3 2014, the most common attack type Verisign observed continued to be UDP reflective amplification attacks leveraging the NTP protocol.

As Q3 progressed, Verisign observed the first instances of the Simple Service Discovery Protocol (SSDP) being exploited in DDoS amplification attacks against customers.

Q3 SSDP Attacks:

• The largest SSDP-based attacks in Q3 targeted IT Services and peaked at just under 15 Gbps and 4.58 Mpps.

• Though their amplification is smaller than that of DNS or NTP reflection attacks, SSDP attacks can still overwhelm organizations that rely on traditional security appliances for protection.

• Malicious actors spoof the source IP when making an SSDP request so that the responses are directed at the victim.

Mitigation:

• Audit internal assets to ensure that you're not unknowingly being used as a reflector for SSDP-based DDoS attacks.

• For most organizations, SSDP implementations should not need to be open to the Internet.

• Inbound queries targeting SSDP can be blocked at the network edge.


What is SSDP?

• Network protocol used for the advertisement and discovery of network services and presence information.

• Most commonly used as the basis of the discovery protocol for Universal Plug and Play (UPnP) implementations; sends and receives information using UDP on port 1900.

• According to ShadowServer (https://ssdpscan.shadowserver.org), more than 15 million vulnerable devices have SSDP enabled.

• Attackers spoof the source IP address of the request to match the intended target; this causes all vulnerable devices to flood the target with SSDP responses.

• A US-CERT alert (https://www.us-cert.gov/ncas/alerts/TA14-017A), referencing an Internet Society article (http://www.internetsociety.org/doc/amplification-hell-revisiting-network-protocols-ddos-abuse), identifies SSDP as having a bandwidth amplification factor of as much as 30.8.
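The two defender-side checks the SSDP section calls for, seeing the reflected flood arrive and finding your own devices among the reflectors, are easy to run over NetFlow-style records. The script below is an added example, not Verisign's code or tooling; the flow records, the RFC 1918 ranges standing in for "internal", and the 90-byte M-SEARCH size used to estimate amplification are all constructed assumptions.

```python
"""Spotting SSDP reflection in flow records (added example; constructed data).

Two defender-side checks on NetFlow-style records:
  * find_reflection_victims(): destinations receiving UDP traffic from source
    port 1900 from many distinct hosts, i.e. the target of a reflection attack.
  * find_exposed_reflectors(): internal hosts answering from UDP/1900 to
    external addresses, i.e. our own devices being abused as reflectors.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SSDP_PORT = 1900
# Assumed size of a typical M-SEARCH request, used only to estimate the
# amplification factor from observed response sizes (not a figure from the report).
TYPICAL_MSEARCH_BYTES = 90
# Assumed "internal" address space (RFC 1918); adjust to your own prefixes.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_ssdp_response(f: Flow) -> bool:
    # Reflected traffic leaves the device from UDP/1900 towards the spoofed
    # source (victim) port, so the source port is 1900 and the destination is not.
    return f.proto == "udp" and f.sport == SSDP_PORT and f.dport != SSDP_PORT


def find_reflection_victims(flows, min_sources=3):
    """Return {victim_ip: stats} for destinations hit by >= min_sources distinct
    reflectors. Stats include the estimated amplification (bytes per response
    packet divided by the assumed request size)."""
    acc = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if is_ssdp_response(f):
            acc[f.dst]["sources"].add(f.src)
            acc[f.dst]["bytes"] += f.bytes
            acc[f.dst]["packets"] += f.packets
    victims = {}
    for dst, s in acc.items():
        if len(s["sources"]) >= min_sources:
            avg_pkt = s["bytes"] / s["packets"]
            victims[dst] = {
                "reflectors": len(s["sources"]),
                "bytes": s["bytes"],
                "avg_bytes_per_packet": round(avg_pkt, 1),
                "amplification": round(avg_pkt / TYPICAL_MSEARCH_BYTES, 1),
            }
    return victims


def find_exposed_reflectors(flows):
    """Internal hosts sending SSDP responses to external destinations: these are
    the assets the 'audit internal assets' recommendation is about."""
    return sorted({f.src for f in flows
                   if is_ssdp_response(f) and is_internal(f.src) and not is_internal(f.dst)})


# Constructed sample flows: three external reflectors and one of our own
# devices all answering towards 198.51.100.7:80, plus benign LAN discovery
# traffic and an unrelated TCP flow.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 1900, "198.51.100.7", 80, "udp", 500, 700_000),
    Flow("203.0.113.11", 1900, "198.51.100.7", 80, "udp", 500, 700_000),
    Flow("203.0.113.12", 1900, "198.51.100.7", 80, "udp", 500, 700_000),
    Flow("192.168.1.30", 1900, "198.51.100.7", 80, "udp", 200, 280_000),
    Flow("192.168.1.20", 1900, "192.168.1.5", 49152, "udp", 2, 800),
    Flow("198.51.100.9", 443, "203.0.113.50", 51000, "tcp", 10, 5_000),
]

if __name__ == "__main__":
    for victim, stats in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"reflection target {victim}: {stats}")
    for host in find_exposed_reflectors(SAMPLE_FLOWS):
        print(f"internal host used as SSDP reflector: {host}")
```

On the sample data the victim check reports 198.51.100.7 with four reflectors and about 1400 bytes per response packet (an estimated 15.6x amplification against a 90-byte request, well under the 30.8 upper bound cited above), and the exposure check names 192.168.1.30, the one internal device answering an external address from UDP/1900. The benign LAN discovery reply between two internal hosts is ignored by both checks, which is the distinction an edge filter should also make: block inbound UDP/1900 at the perimeter, not the local discovery traffic behind it.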


DDoS Malware Trends: DBOT Linux DDoS Malware

In Q3, Verisign iDefense analysts discovered a variant of the DBOT backdoor which runs on Unix-like systems and is primarily used for DDoS attacks.

• Controlled through an Internet Relay Chat (IRC) command-and-control (C&C) channel.

• Sets its process name to look like a common system process (such as syslogd or crond).

• Used not only to perform DDoS attacks, but also includes full reverse-shell access and mail-sending capabilities (e.g., for spam).

• No IP address spoofing currently occurs during the execution of any of the built-in DDoS attack commands, meaning that most observed attacker IPs will be legitimate, which increases mitigation speed.

• Its reverse shell function allows arbitrary command execution, giving an attacker the unlimited ability to manually modify attack patterns or install additional DDoS tools as needed.

• Samples of the malware analyzed by iDefense have an MD5 hash of 579190b74b86f591097b9b6773c1176b.
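A process name is the cheapest thing for malware to fake, so a host check for a DBOT-style impostor should compare the claimed name against where the executable actually lives and what it talks to. The script below is an added example, not iDefense's analysis tooling; the daemon install paths, the world-writable directories, the IRC port numbers and the sample process table are assumptions chosen for illustration rather than indicators taken from the report.

```python
"""Flag processes masquerading as syslogd/crond (added example; constructed data).

DBOT renames its process to look like a common daemon. A process's claimed name
(comm) is cheap to fake; the path of the executable it was loaded from, and
where that path lives, is a better signal. Names, paths and ports below are
assumptions for illustration, not indicators from the report.
"""
import os
from dataclasses import dataclass, field

# Where the genuine daemons normally live (assumed common defaults; adjust for your distro).
EXPECTED_EXE = {
    "syslogd": {"/sbin/syslogd", "/usr/sbin/syslogd"},
    "rsyslogd": {"/usr/sbin/rsyslogd"},
    "crond": {"/usr/sbin/crond"},
    "cron": {"/usr/sbin/cron"},
}
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
IRC_PORTS = {6667, 6697}   # conventional IRC ports; the C&C channel is IRC per the report


@dataclass
class Proc:
    pid: int
    comm: str                 # name shown by ps / /proc/<pid>/comm
    exe: str                  # target of /proc/<pid>/exe
    remote_ports: list = field(default_factory=list)  # established outbound ports


def masquerade_findings(p: Proc) -> list:
    """Return a list of reasons a process looks like an impostor, empty if clean."""
    expected = EXPECTED_EXE.get(p.comm)
    if expected is None:
        return []   # only names this malware family is reported to mimic are checked here
    findings = []
    if p.exe.endswith(" (deleted)"):
        findings.append("binary was deleted from disk after launch")
    elif p.exe not in expected:
        findings.append(f"executable path {p.exe} is not where {p.comm} is installed")
    if p.exe.startswith(WORLD_WRITABLE_DIRS):
        findings.append("runs from a world-writable directory")
    if any(port in IRC_PORTS for port in p.remote_ports):
        findings.append("has an outbound connection to an IRC port")
    return findings


def scan(procs) -> dict:
    """Map pid -> findings for every process with at least one finding."""
    report = {}
    for p in procs:
        findings = masquerade_findings(p)
        if findings:
            report[p.pid] = findings
    return report


def read_live_procs():
    """Build Proc records from /proc on Linux (no connection data; see note below)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue   # process exited or we lack permission
        procs.append(Proc(int(entry), comm, exe))
    return procs


# Constructed sample: two genuine daemons, one impostor, one unrelated service.
SAMPLE_PROCS = [
    Proc(412, "syslogd", "/usr/sbin/syslogd"),
    Proc(77, "crond", "/usr/sbin/crond"),
    Proc(901, "crond", "/tmp/.x/crond (deleted)", remote_ports=[6667]),
    Proc(1500, "nginx", "/usr/sbin/nginx", remote_ports=[443]),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_PROCS).items():
        print(pid, "->", "; ".join(findings))
```

On the sample table only pid 901 is reported, with three findings: its binary was unlinked after launch, it runs from /tmp, and it holds a connection to an IRC port. The real daemons with the same names pass. `read_live_procs()` fills in name and executable path from /proc on a Linux host (run it as root to resolve every process's exe link); wiring in `remote_ports` from `ss -tnp` or /proc/net/tcp is left to the reader, since the process-table checks alone already separate the impostor from the genuine daemons here.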


DDoS Malware Trends: “SHELLSHOCK” Used to Deploy Linux DDoS Malware

Verisign iDefense researchers analyzed ELF malware which was observed to be delivered via the “Shellshock” Bash vulnerability.

What is Shellshock?

• Common name for a series of critical vulnerabilities in the Bash shell, present in a wide array of operating systems.

• Caused by a flaw in the command and argument parser of GNU Bash versions 1.14 through 4.3; it results in the incorrect processing of commands placed after function definitions in an imported environment variable.

Behavior

• The ELF malware communicates with specific hard-coded C&C servers to receive commands and links to additional malicious content or payloads in the form of raw Pastebin links.

• Checks a commonly used set of usernames and weak passwords in order to launch DDoS attacks.

• Malware samples analyzed by iDefense have an MD5 hash of 5B345869F7785F980E8FF7EBC001E0C7.
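The parser flaw described above has a recognisable shape in the data: a value that begins like a Bash function definition, `() {`, with something left over after the closing brace. The script below is an added example, not part of the report or of iDefense's analysis; it shows how a defender can recognise that shape in environment data and keep it away from a shell as a logging and defence-in-depth measure (patching Bash remains the fix). The sample environment is constructed, and HTTP_USER_AGENT is simply assumed as a variable whose value a remote party controls.

```python
"""Recognise Shellshock-shaped values before they reach a shell (added example).

Pre-patch Bash imported any environment variable whose value starts with
"() {" as a function and kept parsing after the closing brace, so a trailing
command in the value was executed. The checks below only inspect strings; they
do not replace patching Bash. Sample values are constructed.
"""
import re

FUNC_EXPORT = re.compile(r"^\s*\(\)\s*\{")


def is_function_export(value: str) -> bool:
    """True if the value has the shape Bash treats as an exported function."""
    return FUNC_EXPORT.match(value) is not None


def trailing_command(value: str) -> str:
    """Return whatever follows the function body, or "" if there is nothing
    (or the value is not a function export at all). Braces are tracked so a
    body with nested { } blocks is not cut off early."""
    m = FUNC_EXPORT.match(value)
    if m is None:
        return ""
    depth = 0
    for i in range(m.end() - 1, len(value)):   # m.end()-1 is the opening brace
        ch = value[i]
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].lstrip("; \t").strip()
    return ""   # unbalanced: no closing brace found, Bash would reject it


def suspicious_env_vars(env: dict) -> dict:
    """Map variable name -> trailing command for every value that would have
    run code after the function definition."""
    return {k: trailing_command(v) for k, v in env.items() if trailing_command(v)}


def scrub_env(env: dict) -> dict:
    """Copy of env with suspicious values dropped; use before subprocess calls
    that may spawn Bash with untrusted environment data."""
    bad = suspicious_env_vars(env)
    return {k: v for k, v in env.items() if k not in bad}


# Constructed sample environment. HTTP_USER_AGENT is assumed here as an
# example of a variable whose value a remote party controls.
SAMPLE_ENV = {
    "HOME": "/var/www",
    "BASH_FUNC_greet%%": "() { echo hi; }",                 # legitimate exported function
    "HTTP_USER_AGENT": "() { :; }; PLACEHOLDER_COMMAND",    # definition followed by a command
    "NESTED": "() { if true; then { :; }; fi; }",           # nested braces, nothing trailing
}

if __name__ == "__main__":
    for name, cmd in suspicious_env_vars(SAMPLE_ENV).items():
        print(f"{name}: would execute {cmd!r}")
```

Only HTTP_USER_AGENT is reported on the sample environment; the genuine exported function and the value with nested braces both end cleanly at their closing brace and pass. The brace tracking matters because a naive "anything after the first `}`" rule would misreport legitimate functions containing `{ ... }` blocks, and a missed closing brace is reported as nothing trailing, since Bash would have rejected such a value rather than run it.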


© 2014 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.