Post on 28-May-2020
VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT
VOLUME 3, ISSUE 3 – 3RD QUARTER 2016
Complimentary report supplied by
CONTENTS
EXECUTIVE SUMMARY
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2016
    DDoS Attacks are Unpredictable
    Multi-Vector DDoS Attacks Continue to Dominate
    Types of DDoS Attacks
    Highest Intensity Flood and Largest Volumetric Attack
    Every Organization is at Risk
VERISIGN DDoS TRENDS REPORT | Q3 2016 2
EXECUTIVE SUMMARY
This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services from July 1, 2016 through Sept. 30, 2016 (“Q3 2016”) and the security research of Verisign iDefense® Security Intelligence Services conducted during that time. It represents a unique view into the attack trends unfolding online, including attack statistics and behavioral trends for Q3 2016.*
Verisign observed the following key trends in Q3 2016:
Number of Attacks: 13% decrease from the third quarter of 2015
Peak Attack Size
    Volume: 257 Gigabits per second (Gbps)
    Speed: 152 Million packets per second (Mpps), highest intensity flood ever observed by Verisign
Average Peak Attack Size: 12.78 Gbps; 16% of attacks over 10 Gbps
Most Common Attack Mitigated: 49% of attacks were User Datagram Protocol (UDP) floods; 59% of attacks employed multiple attack types
IT Services/Cloud/SaaS: 37% of mitigation activity

With almost a third of attacks over 5 Gbps, a “do-it-yourself” approach to DDoS protection would be challenging for most organizations.
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2016

DDoS Attacks Are Unpredictable
DDoS attacks continue to be complex and unpredictable, making them more challenging for companies to mitigate. While not directly observed by Verisign, Q3 2016 was notable due to several attacks unprecedented in attack size. Specifically, the approximately 620 Gbps attack against KrebsonSecurity [1] and a 579 Gbps attack reported by Arbor Networks [2] were significant and widely reported within the industry.
Attackers in Q3 2016 launched sustained and repeated attacks against their targets. In fact, out of all the Verisign customers targeted by DDoS attacks in Q3 2016, 41 percent were targeted multiple times during the quarter.
Figure 1: Mitigation Peaks by Quarter from Q4 2014 to Q3 2016
[Figure: percent of attacks in each peak-size band (<1 Gbps, >1<5 Gbps, >5<10 Gbps, >10 Gbps) per quarter, 2014-Q4 through 2016-Q3.]
Attack Size: 81% peaked over 1 Gbps; 30% peaked over 5 Gbps
[1] https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/; Retrieved on Nov. 1, 2016
[2] https://www.arbornetworks.com/arbor-networks-releases-global-ddos-attack-data-for-1h-2016; Retrieved on Nov. 1, 2016
Average Peak Attack Size
Figure 2: Average Attack Peak Size by Quarter from Q4 2014 to Q3 2016
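[Figure: bar chart of average attack peak size in Gbps per quarter, 2014-Q4 through 2016-Q3. Labelled values: 2016-Q1 19.37; 2016-Q2 17.37; 2016-Q3 12.78. Bar values for the 2014-Q4 through 2015-Q4 quarters (listed without quarter assignment): 6.88, 5.53, 3.64, 7.03, 7.39.]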
12.78 Gbps: 82% increase in average attack peak size since Q3 2015
Overall, average attack peak sizes in 2016 have been larger than in previously recorded years.
41% of the DDoS attacks in Q3 2016 utilized 3 or more different attack types.
Multi-Vector DDoS Attacks Continue to Dominate
Fifty-nine percent of the DDoS attacks mitigated by Verisign in Q3 2016 employed multiple attack types, indicating that DDoS attacks continue to be complex, and thus require more time and effort to mitigate.
Figure 3: Number of Attack Types Per DDoS Event in Q3 2016
1 Attack Type: 41%
2 Attack Types: 18%
3 Attack Types: 23%
4 Attack Types: 14%
5 or More Attack Types: 4%
Types of DDoS Attacks
UDP flood attacks continue to dominate in Q3 2016, making up 49 percent of the total attacks in the quarter. The most common UDP floods mitigated were Domain Name System (DNS) reflection attacks, followed by Network Time Protocol (NTP) reflection attacks.
49% of attacks were UDP floods
Figure 4: Types of DDoS Attacks in Q3 2016
[Figure: share of attacks by type. Categories: UDP Based (49%), TCP Based, IP Fragment Attacks, Layer 7, Other. Remaining values shown: 22%, 20%, 6%, 3%.]
Highest Intensity Flood and Largest Volumetric Attack
The highest intensity flood attack observed by Verisign in Q3 2016 was a TCP SYN flood that peaked at approximately 60 Gbps and 150 Mpps. This flood attack is one of the highest packets-per-second attacks ever observed by Verisign, surpassing the previous highest flood of 125 Mpps mitigated by Verisign in the fourth quarter of 2015.
The largest attack in Q3 2016 utilized the Generic Routing Encapsulation (GRE) protocol (IP protocol 47) and peaked at 250+ Gbps and 50+ Mpps. This is the first time Verisign observed this type of attack against its customer base. The attack was notable in that the attackers encapsulated UDP packets to legitimate service ports within the GRE protocol. Attackers were able to increase the payload and add volume to the attack with this technique. Both the source and destination IP addresses in the encapsulated data were spoofed.
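One way to recognise the traffic pattern described above in captured packets, as an added example that is not from the Verisign report: the Python code below decodes an IPv4 packet carrying GRE (IP protocol 47), skips the optional GRE fields, and reports the UDP datagram inside. The function names, sample packets and documentation-range addresses are assumptions constructed for illustration.

```python
import socket
import struct
from collections import Counter

GRE_PROTO, UDP_PROTO, ETHERTYPE_IPV4 = 47, 17, 0x0800  # GRE is IP protocol 47

def parse_ipv4(buf):
    """Return (protocol, src, dst, payload), or None if buf is not usable IPv4."""
    ihl = (buf[0] & 0x0F) * 4 if buf else 0
    if len(buf) < 20 or buf[0] >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        return None
    return buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[ihl:]

def gre_inner_udp(packet):
    """Describe a UDP datagram carried inside GRE in a raw IPv4 packet, else None."""
    outer = parse_ipv4(packet)
    if outer is None or outer[0] != GRE_PROTO or len(outer[3]) < 4:
        return None
    flags, ethertype = struct.unpack("!HH", outer[3][:4])
    # Require GRE version 0 with an IPv4 payload; skip deprecated source routing.
    if flags & 0x4007 or ethertype != ETHERTYPE_IPV4:
        return None
    # Optional 4-byte fields: checksum (C), key (K), sequence number (S).
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner = parse_ipv4(outer[3][offset:])
    if inner is None or inner[0] != UDP_PROTO or len(inner[3]) < 8:
        return None
    _sport, dport, length = struct.unpack("!HHH", inner[3][:6])
    return {"outer_src": outer[1], "inner_src": inner[1], "inner_dst": inner[2],
            "udp_dport": dport, "udp_len": length}

def inner_port_counts(packets):
    """Count GRE-encapsulated UDP datagrams per inner destination port."""
    hits = (gre_inner_udp(p) for p in packets)
    return Counter(h["udp_dport"] for h in hits if h)

def build_ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (checksum left at zero) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed samples using documentation address ranges; not captured traffic.
SAMPLE_UDP = struct.pack("!HHHH", 40000, 53, 24, 0) + bytes(16)
SAMPLE_INNER = build_ipv4(UDP_PROTO, "198.51.100.7", "203.0.113.10", SAMPLE_UDP)
SAMPLE_GRE = build_ipv4(GRE_PROTO, "192.0.2.1", "203.0.113.10",
                        struct.pack("!HH", 0, ETHERTYPE_IPV4) + SAMPLE_INNER)
SAMPLE_GRE_KEYED = build_ipv4(GRE_PROTO, "192.0.2.1", "203.0.113.10",
                              struct.pack("!HHI", 0x2000, ETHERTYPE_IPV4, 1) + SAMPLE_INNER)
SAMPLE_PLAIN_UDP = build_ipv4(UDP_PROTO, "192.0.2.1", "203.0.113.10", SAMPLE_UDP)
```

Because the report notes that the encapsulated source and destination addresses were spoofed, treat `inner_src` and `inner_dst` as untrusted values when using output like this for filtering decisions.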
The highest intensity flood attack in Q3 2016 was a TCP SYN flood that peaked at approximately 60 Gbps and 150 Mpps.
Every Organization is at Risk
DDoS attacks are not limited to any specific industry or vertical.

Mitigations on behalf of Verisign Customers by Industry for Q3 2016 [3]
IT Services/Cloud/SaaS: 37% of mitigations
Financial: 29% of mitigations
Public Sector: 12% of mitigations
E-Commerce and Online Advertising: 10% of mitigations
Media and Entertainment/Content: 10% of mitigations
Telecommunications and Other: 2% of mitigations
Average attack sizes shown in the graphic (listed without industry assignment): 8.8 Gbps, 39.1 Gbps, 5.8 Gbps, 5.0 Gbps, 4.1 Gbps, 0.6 Gbps

[3] The attacks reported by industry in this document are solely a reflection of the Verisign DDoS Protection Services customer base.
Figure 5: Peak DDoS Attack Size by Industry from Q4 2015 to Q3 2016
[Figure: Peak Attack Size by Industry (Quarterly), in Gbps, for Q4 2015 through Q3 2016. Industries: Financial, Media & Entertainment, E-Commerce/Online, IT Services/Cloud/SaaS, Telecommunications & Other, Public Sector.]
The Financial industry saw the highest attack peak size in 2016 thus far. For Q3 2016, the attack peak size was 257 Gbps, a 47 percent increase from the second quarter of 2016.
TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS.
About Verisign
Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world’s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net domains and two of the internet’s root servers, as well as performs the root-zone maintainer function for the core of the internet’s Domain Name System (DNS). Verisign’s Security Services include intelligence-driven Distributed Denial of Service Protection, iDefense Security Intelligence and Managed DNS. To learn more about what it means to be Powered by Verisign, please visit Verisign.com.
*The information in this Verisign Distributed Denial of Service Trends Report (this “Report”) is believed by Verisign to be accurate at the time of publishing based on currently available information. Verisign provides this Report for your use in “AS IS” condition and at your own risk. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose.
Verisign Public VRSN_DDoS_TR_A10_Q3-16_201611
Verisign.com
© 2016 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.