
Verisign Q3 2015 DDoS Trends Report



Page 1: Verisign Q3 2015 DDoS Trends Report
Page 2: Verisign Q3 2015 DDoS Trends Report


Summary

Page 3: Verisign Q3 2015 DDoS Trends Report


Summary

Largest Volumetric Attack in Q3

• Verisign defended a multi-vector attack against the IT Services/Cloud/SaaS vertical:

• TCP SYN flood

• Internet Control Message Protocol (ICMP) floods

• UDP reflected/spoofed attacks (primarily NTP)

• Peaked at 60 Gbps and 12 Mpps

Primary Attack Vector Used in Q3

• UDP floods consisting of NTP, DNS and SSDP traffic

Trend to Watch – Hackers target iOS and Linux operating systems to deploy malware

• iOS: XcodeGhost malware (distributed through a trojanized copy of Apple's Xcode)

• Linux: Ballpit botnet

Page 4: Verisign Q3 2015 DDoS Trends Report


Mitigations by Attack Size

• 1/3 of attacks peaked over 5 Gbps

• 1 in 5 peaked over 10 Gbps

• Attacks in the 5-10 Gbps and over 10 Gbps ranges more than doubled from the previous quarter

Mitigation Peaks by Quarter

Page 5: Verisign Q3 2015 DDoS Trends Report


Mitigations by Vertical

• IT Services / Cloud / SaaS experienced the largest volume of attacks in Q3

• Over 1/3 of all attacks

• Peaked at 60 Gbps and 12 Mpps

• Media & Entertainment was the 2nd most targeted industry

• 26% of attacks mitigated by Verisign

• Averaging 4.4 Gbps

• Other sectors remain heavily targeted

• Financial: 15% of attacks, averaging 2 Gbps

• Public: 13% of attacks, averaging 8 Gbps

Mitigation by Industry

Page 6: Verisign Q3 2015 DDoS Trends Report


Mitigations by Vertical

YTD Attack Size by Industry

• IT Services / Cloud / SaaS and Media & Entertainment industries both experienced the largest peak attack sizes this year

• Both ≥ 80 Gbps

Page 7: Verisign Q3 2015 DDoS Trends Report


XcodeGhost Brings Apple App Store Vulnerabilities to the Forefront

Summary: First identified in September on the Chinese microblog site Sina Weibo, XcodeGhost is a trojanized distribution of Xcode, the development environment developers use to create apps for Apple's iOS and OS X operating systems; apps built with it carry the malware to end users' devices. iDefense research analysts leveraged authoritative DNS traffic patterns to examine a snapshot of NXDOMAIN transactions and found that, even though the C&C domain delegations had been removed and therefore disabled, the domains were still receiving a large number of queries per day, a sign that infected apps were still installed and attempting to beacon.
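The measurement described above, as an added example that is not code from the Verisign report: authoritative DNS query logs are scanned for NXDOMAIN answers under zones whose delegation has been removed, and queries and distinct clients are counted per day. The log format, the watchlist names (placeholders under the reserved .example TLD, not the real XcodeGhost domains) and the sample lines are all constructed for illustration.

```python
"""Measure residual beaconing to de-delegated C&C zones from authoritative DNS logs.

Added example, not code from the Verisign report. The log format, the watchlist
names and the sample lines are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical watchlist of C&C zones whose delegation has been pulled.
# Placeholder names under the reserved .example TLD, not the real XcodeGhost domains.
WATCHLIST = {"cnc-placeholder-a.example", "cnc-placeholder-b.example"}

# Constructed sample of authoritative-server query logs in an assumed format:
# <ISO-8601 timestamp> <client IP> <qname> <qtype> <rcode>
SAMPLE_LOG = """\
2015-09-20T00:01:02Z 198.51.100.7 init.cnc-placeholder-a.example A NXDOMAIN
2015-09-20T00:01:05Z 198.51.100.8 init.cnc-placeholder-a.example A NXDOMAIN
2015-09-20T00:02:11Z 198.51.100.7 init.cnc-placeholder-a.example A NXDOMAIN
2015-09-20T00:03:00Z 203.0.113.5 init.cnc-placeholder-b.example A NXDOMAIN
2015-09-20T00:04:00Z 203.0.113.9 www.unrelated-typo.example A NXDOMAIN
2015-09-20T00:05:00Z 203.0.113.9 www.legit-site.example A NOERROR
2015-09-21T10:00:00Z 198.51.100.7 init.cnc-placeholder-a.example A NXDOMAIN
2015-09-21T10:00:30Z 192.0.2.44 init.cnc-placeholder-a.example A NXDOMAIN
2015-09-21T10:01:00Z 192.0.2.45 init.cnc-placeholder-a.example A NXDOMAIN
2015-09-21T11:00:00Z 203.0.113.5 init.cnc-placeholder-b.example A NXDOMAIN
"""


def watchlisted_zone(qname, watchlist):
    """Return the watchlist entry that qname falls under (exact or any parent), else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def nxdomain_summary(lines, watchlist=WATCHLIST):
    """Per (day, zone): number of NXDOMAIN queries and number of distinct clients.

    Only NXDOMAIN answers count: once the delegation is removed, every lookup for
    the C&C name fails at the parent zone, so the failures themselves are the signal.
    """
    stats = defaultdict(lambda: {"queries": 0, "clients": set()})
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ts, client, qname, _qtype, rcode = raw.split()
        zone = watchlisted_zone(qname, watchlist)
        if zone is None or rcode != "NXDOMAIN":
            continue
        day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        entry = stats[(day, zone)]
        entry["queries"] += 1
        entry["clients"].add(client)
    return {k: {"queries": v["queries"], "clients": len(v["clients"])}
            for k, v in stats.items()}


def still_beaconing(summary, min_queries_per_day=3):
    """Zones that still draw at least min_queries_per_day NXDOMAIN lookups on any one day."""
    return sorted({zone for (_day, zone), v in summary.items()
                   if v["queries"] >= min_queries_per_day})


if __name__ == "__main__":
    summary = nxdomain_summary(SAMPLE_LOG.splitlines())
    for (day, zone), v in sorted(summary.items()):
        print(day, zone, v)
    print("still beaconing:", still_beaconing(summary))
```

Distinct clients is the more useful number for estimating how many infected installs remain, since one device typically retries many times; the query count shows how much load the dead names still place on the parent zone.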

Recommendations: Uninstall infected apps until they are updated, and change the related Apple ID password immediately. Be cognizant of any dialog boxes, emails or push notifications that appear on screen, and do not enter any information without verifying the source.

Page 8: Verisign Q3 2015 DDoS Trends Report


Ballpit Botnet Exploits Linux

Summary: Ballpit is a Linux client/server botnet believed to power LizardSquad's denial of service (DoS) tool, LizzardStresser.su. Verisign iDefense recently collected intelligence on the infrastructure of a Ballpit variant that now also includes a Microsoft Windows® payload. The infrastructure spans at least six C&C server IP addresses, all of which iDefense believes are managed by the same actors.

Recommendations: Monitor inbound network traffic at perimeter defense devices to detect TCP or UDP traffic spikes that may indicate a DDoS attack. Disable public-facing Telnet services; if these services are critical to operations, monitor them for brute-force login attempts, since that is how hosts are recruited into botnets of this kind.
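The monitoring the recommendation above calls for, and the TCP/ICMP/UDP multi-vector pattern described on the "Largest Volumetric Attack in Q3" slide, as an added example that is not code from the Verisign report: per-second packet counts per protocol are compared against that protocol's median to flag floods, and Telnet login events are scanned for a burst of failures followed by a success from the same source. Both input formats, all sample records and the thresholds are constructed for illustration.

```python
"""Flood-spike and Telnet brute-force detection over constructed traffic summaries.

Added example, not code from the Verisign report. Both input formats and all
sample records are constructed; thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed per-second flow summaries, assumed format: <epoch second> <proto> <packets>
# Quiet baseline, then an ICMP burst at :03 and a UDP burst at :03-:04.
SAMPLE_FLOWS = """\
1443657600 TCP 1200
1443657600 UDP 800
1443657600 ICMP 50
1443657601 TCP 1150
1443657601 UDP 790
1443657601 ICMP 55
1443657602 TCP 1300
1443657602 UDP 810
1443657602 ICMP 48
1443657603 TCP 1250
1443657603 UDP 95000
1443657603 ICMP 30000
1443657604 TCP 1180
1443657604 UDP 120000
1443657604 ICMP 60
1443657605 TCP 1220
1443657605 UDP 780
1443657605 ICMP 52
"""

# Constructed Telnet login events, assumed format: <epoch second> <src IP> <user> <FAIL|OK>
SAMPLE_TELNET = """\
1443657600 192.0.2.10 root FAIL
1443657601 192.0.2.10 admin FAIL
1443657602 192.0.2.10 root FAIL
1443657603 192.0.2.10 user FAIL
1443657604 192.0.2.10 root FAIL
1443657605 192.0.2.10 root OK
1443657700 198.51.100.20 alice FAIL
1443657900 198.51.100.20 alice OK
"""


def pps_by_second(lines):
    """Aggregate flow summaries into {proto: Counter({second: packets})}."""
    series = defaultdict(Counter)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        sec, proto, pkts = raw.split()
        series[proto.upper()][int(sec)] += int(pkts)
    return series


def detect_spikes(series, factor=10.0, min_pps=10000):
    """Return sorted (second, proto, pps) where pps exceeds factor x the protocol's
    median and also an absolute floor. The median is robust to the spike itself;
    the floor keeps a normally quiet protocol (ICMP here) from alerting on noise."""
    alerts = []
    for proto, per_sec in series.items():
        baseline = median(per_sec.values())
        for sec, pps in per_sec.items():
            if pps >= min_pps and pps > factor * baseline:
                alerts.append((sec, proto, pps))
    return sorted(alerts)


def telnet_bruteforce(lines, max_failures=5, window=60):
    """Sources with >= max_failures FAILs inside any window-second span, noting
    whether the source later logged in successfully (the recruitment pattern)."""
    fails = defaultdict(list)
    success_after_fail = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        sec, src, _user, result = raw.split()
        if result == "FAIL":
            fails[src].append(int(sec))
        elif result == "OK" and fails.get(src):
            success_after_fail.add(src)
    flagged = {}
    for src, times in fails.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= max_failures:
                flagged[src] = {"failures": j - i, "then_success": src in success_after_fail}
                break
    return flagged


if __name__ == "__main__":
    print(detect_spikes(pps_by_second(SAMPLE_FLOWS.splitlines())))
    print(telnet_bruteforce(SAMPLE_TELNET.splitlines()))
```

In production the baseline would come from a longer history than the window being scored, and the absolute floor should be set from the link's normal peak rather than a fixed constant; the structure stays the same.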

Page 9: Verisign Q3 2015 DDoS Trends Report

Read the Full Report

Visit www.Verisign.com/ddostrends to download a copy

Page 10: Verisign Q3 2015 DDoS Trends Report

© 2015 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.