11
VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VOLUME 5, ISSUE 1 – 1ST QUARTER 2018 Complimentary report supplied by
VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORTVOLUME 5, ISSUE 1 – 1ST QUARTER 2018
Complimentary report supplied by
EXECUTIVE SUMMARY 3
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q1 2018 4DDoS Attacks Increase in Size and Number 4Multi-Vector DDoS Attacks Remain Constant 6Types of DDoS Attacks 7Largest Volumetric Attack and Highest Intensity Flood Attack 8Mitigations on Behalf of Verisign Customers by Industry for Q1 2018 8
FEATURE ARTICLE 9Selecting the Right DDoS Mitigation Strategy for Your Organization
VERISIGN DDoS TRENDS REPORT | Q1 2018 2
CONTENTS
EXECUTIVE SUMMARYThis report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services during Q1 2018. This report offers a unique view into the attack trends unfolding online, including attack statistics and behavioral trends for Q1 2018.*
Verisign observed the following key trends in Q1 2018:
VERISIGN DDoS TRENDS REPORT | Q1 2018 3
53%increase compared to Q4 2017
Number of Attacks
Volume
70 Gbps
Largest Attack Peak Size
7.4 Mpps
11.2 Gbps
Average of Attack Peak Sizes
39%of attacks over 5 Gbps
58%
Speed
47% increase compared to Q4 2017
50%of attacks were User Datagram Protocol (UDP) floods
Most Common Attack Type Mitigated
32%of attacks employed four or more attack types
of attacks employed multiple attack types
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q1 2018DDoS Attacks Increase in Size and Number Verisign observed that 74 percent of DDoS attacks were over 1 Gbps (Figure 1). When comparing Q1 2018 to Q4 2017, Verisign saw a 53 percent increase in the number of attacks and a 47 percent increase in the average of attack peak sizes (Figure 2). Year-over-year the average of attack peak sizes decreased 21 percent. Verisign additionally observed that 67 percent of its customers who experienced DDoS attacks in Q1 2018 were targeted multiple times during the quarter. Overall, DDoS attacks remain unpredictable and vary widely in terms of speed and complexity.
Figure 1: Mitigation Peaks by Quarter from Q2 2016 to Q1 2018
Q4 2016 Q1 2017 Q2 2017 Q4 2017 Q1 2018Q3 2017Q2 2016 Q3 2016
>10 Gbps>5<10 Gbps>1<5 Gbps<1 Gbps
0
20
40
60
80
100
Perc
ent o
f Atta
cks
VERISIGN DDoS TRENDS REPORT | Q1 2018 4
74% peaked over 1 Gbps
Attack Size
VERISIGN DDoS TRENDS REPORT | Q1 2018 5
Average of Attack Peak Sizes
Figure 2: Average of Attack Peak Sizes by Quarter from Q2 2016 to Q1 2018
7.6
Q4 2017
11.2
Q1 2018
17.4
Q2 2016
12.8
Q3 2016
11.2
Q4 2016
14.1
Q1 2017
2.7
Q2 2017
0.8
Q3 20170
2
4
6
8
10
12
14
16
18
20
Gbps
11.2 Gbps47%
increase in average of attack peak sizes compared to Q4 2017
58%of DDoS attacks in Q1
2018 utilized at least two different attack types.
Multi-Vector DDoS Attacks Remain Constant Fifty-eight percent of DDoS attacks mitigated by Verisign in Q1 2018 employed multiple attack types (Figure 3). Verisign observed attacks targeting networks at multiple layers and attack types that changed over the course of a DDoS event. Multi-vector DDoS attacks require continuous monitoring to detect shifts in vectors as well as expert mitigation management to adapt countermeasures in response to the shifts.
Figure 3: Number of Attack Types per DDoS Event in Q1 2018
1 Attack Type2 Attack Types3 Attack Types>4 Attack Types
42%
16%10%
32%
VERISIGN DDoS TRENDS REPORT | Q1 2018 6
VERISIGN DDoS TRENDS REPORT | Q1 2018 7
26%
12%
6%
6%
50%
IP Fragment AttacksTCP BasedUDP BasedLayer 7Other
Types of DDoS Attacks UDP flood attacks were the most common attack vector in Q1 2018, accounting for 50 percent of total attacks in the quarter (Figure 4). The most common UDP floods included Domain Name System (DNS), Network Time Protocol (NTP), Lightweight Directory Access Protocol (LDAP), Simple Network Management Protocol (SNMP) and Memcached reflective amplification attacks.
In Q1 2018, Verisign observed the emergence of the memcached reflection and amplification attacks. Unsecured memcached servers left exposed on the internet are exploited when an attacker sends UDP-based packets spoofed with the victim’s IP address to the unsecured memcache server. The memcache server response can be 51,000 times the size of the request, allowing for massive amplification in this volumetric DDoS threat.1
50%of DDoS attacks were
UDP FLOODS
Figure 4: Types of DDoS Attacks in Q1 2018
1 https://www.forbes.com/sites/leemathews/2018/03/07/a-frightening-new-kind-of-ddos-attack-is-breaking-records/#12f4b0c178e0
8.2 Gbps
Average attack size:
11.8 Gbps
Average attack size:
VERISIGN DDoS TRENDS REPORT | Q1 2018 8
Mitigations on Behalf of Verisign Customers by Industry for Q1 20182
57%of mitigations
Financial
17%of mitigations
Telecom
17.4 Gbps
Average attack size:
IT Services/ Cloud/SaaS
26%of mitigations
2 The attacks reported by industry in this report are solely a reflection of the Verisign DDoS Protection Service customer base.
Largest Volumetric Attack and Highest Intensity Flood AttackThe largest volumetric and highest intensity DDoS attack observed by Verisign in Q1 2018 was a multi-vector attack that peaked at approximately 70 Gbps and 7.4 Mpps. This attack initially sent a flood of traffic for about thirty minutes that peaked at 10 Gbps. The attack returned thirty minutes later and sent another wave of traffic peaking at 70 Gbps and 7.4 Mpps. The attack consisted of a wide range of attack vectors including TCP SYN and TCP RST floods, DNS and SNMP Amplification attacks, ICMP floods and invalid packets.
VERISIGN DDoS TRENDS REPORT | Q1 2018 9
FEATURE ARTICLESELECTING THE RIGHT DDOS MITIGATION STRATEGY FOR YOUR ORGANIZATION As DDoS attacks remain a viable and unpredictable threat, how does your company determine the best mitigation strategy (or strategies) for protecting your online assets? What are your downtime tolerances? For example, you may require an always-on mitigation service to secure critical assets so your organization experiences minimal (if any) interruption in even the first minutes of an attack. However, you may have less stringent requirements for interruptions related to systems that are less vital to your business operations.
Whatever your organization’s downtime tolerance, staff readiness, and technical expertise, selecting a DDoS solution that accommodates a variety of mitigation strategies is paramount to getting the protection— and value—you deserve.
Your organization may need DDoS mitigation options that go beyond conventional offerings, such as always-on and on-demand. For example, you may proactively work with your vendor to predetermine response procedures based on alert thresholds (vendor-initiated mitigation), reducing time-to-mitigation during attack scenarios. Customer-activated mitigation enables customers to use automated processes to begin mitigation, bypassing vendor contact when timing is critical and monitoring tools are in place.
When assessing different mitigation options, there are several criteria to consider: risk to assets, time to mitigate, staff involvement, internal staff expertise, vendor support, and more.
Do you need control over when and how you start mitigation? Are your internal resources equipped to deal with DDoS attacks? What is your DDoS support team’s level of experience, and what kind of Service Level Agreement (SLA) do they provide? These questions must be considered when selecting the optimal DDoS mitigation solution to protect your business-critical systems.
TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS.
VERISIGN DDoS TRENDS REPORT | Q1 2018 10
About VerisignVerisign, a global leader in domain names and internet security, enables internet navigation for many of the world’s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net top-level domains and two of the internet’s root servers, as well as performs the root zone maintainer function for the core of the internet’s Domain Name System (DNS). Verisign’s Security Services include Distributed Denial of Service Protection and Managed DNS.
Definitions Q1 – First quarter of the year - January 1 to March 31 Q2 – Second quarter of the year - April 1 to June 30 Q3 – Third quarter of the year - July 1 to September 30 Q4 – Fourth quarter of the year - October 1 to December 31 Q1 2018 – First quarter of 2018 from January 1, 2018 to March 31, 2018Q4 2017 – Fourth quarter of 2018 from October 1, 2017 to December 31, 2017Gbps – Gigabits per secondMpps – Million packets per second
*The information in this Verisign Distributed Denial of Service Trends Report (this “Report”) is believed by Verisign to be accurate at the time of publishing based on currently available information. All information in this Report is solely a reflection of the observations and insights derived from the DDoS attack mitigations enacted on behalf of, and in cooperation with, the customers of Verisign DDoS Protection Services. Verisign provides this Report for your use in “AS IS” condition and at your own risk. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose.
Verisign Public VRSN_DDoS_TR_Q1-18_ Axians_201806
Verisign.com© 2018 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.
