Date post: 28-May-2020
VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT VOLUME 4, ISSUE 2 – 2ND QUARTER 2017 Complimentary report supplied by

CONTENTS

EXECUTIVE SUMMARY

VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q2 2017
DDoS Attacks Decrease in Frequency but Remain Unpredictable and Persistent
Multi-Vector DDoS Attacks Remain the Norm
Largest Volumetric Attack and Highest Intensity Flood Attack

FEATURE ARTICLE
Ransom and Extortion Motivated Attacks

EXECUTIVE SUMMARY

This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services during the second quarter of 2017 from April 1, 2017 through June 30, 2017 (“Q2 2017”). This report offers a unique view into the attack trends unfolding online, including attack statistics and behavioral trends for Q2 2017.*

Verisign observed the following key trends in Q2 2017:

Number of Attacks: 55% decrease from the first quarter of 2017 (“Q1 2017”) to Q2 2017

Attack Peak Size, Volume: 12 Gigabits per second (Gbps)

Attack Peak Size, Speed: 2.5 Million packets per second (Mpps)

Average Attack Peak Size: 2.7 Gbps, an 81% decrease compared to Q1 2017

25% of attacks in Q2 2017 peaked at over 5 Gbps

Most Common Attack Type Mitigated: 57% of attacks were User Datagram Protocol (UDP) floods

74% of attacks employed multiple attack types

VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q2 2017

DDoS Attacks Decrease in Frequency but Remain Unpredictable and Persistent

When comparing Q2 2017 to Q1 2017, Verisign saw a 55 percent decrease in the number of attacks, and an 81 percent decrease in the average attack peak size. Attackers continue to launch repeated attacks against their targets. In fact, Verisign observed that 50 percent of customers who experienced DDoS attacks in Q2 2017 were targeted multiple times during the quarter.

In Q2 2017, Verisign observed that DDoS attacks remain unpredictable and persistent, and vary widely in terms of volume, speed and complexity. As such, DDoS events need to be closely monitored for changing vectors in order to optimize mitigation strategies.

Figure 1: Mitigation Peaks by Quarter from Q3 2015 to Q2 2017

[Figure 1 axes: quarters 2015-Q3 through 2017-Q2; Percent of Attacks (0 to 100); series: >10 Gbps, >5<10 Gbps, >1<5 Gbps, <1 Gbps]

Attack Size: 46% peaked over 1 Gbps; 25% peaked over 5 Gbps

Figure 2: Average Attack Peak Size by Quarter from Q3 2015 to Q2 2017

[Figure 2 data, average attack peak size in Gbps: 6.9, 7.0 (2015-Q3, 2015-Q4); 19.4 (2016-Q1); 17.4 (2016-Q2); 12.8 (2016-Q3); 11.2 (2016-Q4); 14.1 (2017-Q1); 2.7 (2017-Q2)]

Average Attack Peak Size: 2.7 Gbps, an 81% decrease in average attack peak size compared to Q1 2017

74% of DDoS attacks in Q2 2017 utilized at least two different attack types.

Multi-Vector DDoS Attacks Remain the Norm

Seventy-four percent of DDoS attacks mitigated by Verisign in Q2 2017 employed multiple attack types. Verisign observed DDoS attacks targeting a multitude of network services and changing attack types over the course of a DDoS event. It is not uncommon for DDoS attack tools to offer multiple attack types. For example, the Mirai botnet has the ability to launch multiple TCP and UDP flood attack types in addition to Layer 7 attacks.[1] These types of attacks require continuous monitoring to optimize mitigation strategies.

Figure 3: Number of Attack Types per DDoS Event in Q2 2017

[Figure 3 legend: 1 Attack Type, 2 Attack Types, 3 Attack Types, 4 Attack Types, 5+ Attack Types; values as extracted: 39%, 26%, 22%, 4%, 9%]

[1] Mirai Botnet DDoS Attack Type. https://www.corero.com/resources/ddos-attack-types/mirai-botnet-ddos-attack.html. Retrieved Aug. 24, 2017.

[Figure 4 categories: IP Fragment Attacks, Layer 7, TCP Based, UDP Based; values as extracted: 57%, 7%, 20%, 16%]

Types of DDoS Attacks

UDP flood attacks dominated in Q2 2017, making up 57 percent of total attacks in the quarter. The most common UDP floods included Domain Name System (DNS), Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), and Lightweight Directory Access Protocol (LDAP) reflective amplification attacks.

In Q2 2017 Verisign observed a notable increase in the number of UDP-based LDAP reflective amplification attacks. LDAP is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
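The monitoring the report calls for can be sketched as follows. This is an added example, not part of the Verisign report: it labels inbound flow records by the reflector service behind them (UDP source ports 53, 123, 1900 and 389 for DNS, NTP, SSDP and LDAP) and flags time windows where a target sees several vectors at once or a change of vector. The record fields, the 60-second window and the 1 Mbps threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflector services named in the report.
REFLECTORS = {53: "DNS", 123: "NTP", 1900: "SSDP", 389: "LDAP"}

def vector(rec):
    """Coarse attack-vector label for one inbound flow record."""
    if rec["frag"]:                   # non-initial IP fragment, no L4 ports
        return "IP fragment"
    if rec["proto"] == "udp":
        svc = REFLECTORS.get(rec["sport"])
        return f"{svc} reflection" if svc else "UDP other"
    return rec["proto"].upper()

def timeline(flows, window=60, min_bps=1_000_000):
    """Per target: [(window_start, vectors at or above min_bps)]."""
    bits = defaultdict(int)           # (dst, window_start, vector) -> bits
    for f in flows:
        start = f["ts"] - f["ts"] % window
        bits[(f["dst"], start, vector(f))] += f["bytes"] * 8
    active = defaultdict(lambda: defaultdict(set))
    for (dst, start, vec), b in bits.items():
        if b / window >= min_bps:     # drop background traffic (assumed threshold)
            active[dst][start].add(vec)
    return {dst: [(s, sorted(v)) for s, v in sorted(w.items())]
            for dst, w in active.items()}

def alerts(flows, **kw):
    """Flag windows with several vectors, or a change from the prior window."""
    out = []
    for dst, windows in timeline(flows, **kw).items():
        prev = None
        for start, vecs in windows:
            if len(vecs) > 1:
                out.append((dst, start, "multi-vector", vecs))
            elif prev is not None and vecs != prev:
                out.append((dst, start, "vector changed", vecs))
            prev = vecs
    return out

def flow(ts, sport, nbytes, proto="udp", frag=False):
    return {"ts": ts, "dst": "203.0.113.10", "proto": proto,
            "sport": sport, "bytes": nbytes, "frag": frag}

# Constructed sample: DNS + fragments, then SSDP, then NTP with DNS noise.
SAMPLE = [flow(5, 53, 90_000_000), flow(20, 0, 30_000_000, frag=True),
          flow(70, 1900, 60_000_000), flow(130, 53, 2_000),
          flow(135, 123, 45_000_000)]
```

Source port alone is a heuristic: ordinary DNS or NTP replies use the same ports, which is why the sketch only counts a vector once its rate toward one target crosses the threshold.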

57% of attacks were UDP floods

Figure 4: Types of DDoS Attacks in Q2 2017

Largest Volumetric Attack and Highest Intensity Flood Attack

The largest volumetric DDoS attack observed by Verisign in Q2 2017 was a multi-vector attack that peaked at approximately 12 Gbps and around 1 Mpps. This attack sent a flood of traffic to the targeted network for about an hour, abated for an hour and then sent another wave of traffic for an additional hour. The attack consisted primarily of a DNS reflective amplification attack in addition to invalid packets.

The highest intensity packet flood observed during Q2 2017 peaked at approximately 2.5 Mpps and around 6 Gbps. The attack consisted of SSDP reflective amplification attack vectors mixed with invalid packets and lasted approximately 40 minutes.


Mitigations on Behalf of Verisign Customers by Industry for Q2 2017[2]

IT Services/Cloud/SaaS: 52% of mitigations; average attack size: 3.3 Gbps

Financial: 31% of mitigations; average attack size: 1.7 Gbps

E-Commerce and Online Advertising: 13% of mitigations; average attack size: 1.4 Gbps

Media and Entertainment/Content: 4% of mitigations; average attack size: 0.2 Gbps

[2] The attacks reported by industry in this report are solely a reflection of the Verisign DDoS Protection Services customer base.

Attacks Against Financial Sector Remain Steady

The financial sector continues to be a consistent target of DDoS attacks. In Q2 2017, Verisign’s financial sector customers experienced the second highest number of DDoS attacks (31 percent) of any industry sector within Verisign’s customer base, up from 28 percent of mitigations reported in Q1 2017.

Figure 5: Peak DDoS Attack Size by Industry from Q3 2016 to Q2 2017

[Figure 5 axes: Q3 2016, Q4 2016, Q1 2017, Q2 2017; Gbps (0 to 300); series: Financial, Media & Entertainment, E-Commerce/Online, IT Services/Cloud/SaaS, Telecommunications & Other, Public Sector]

FEATURE ARTICLE

RANSOM AND EXTORTION MOTIVATED ATTACKS

In a digital climate in which avoiding downtime is a competitive advantage, ransom-motivated attacks can be a nightmare for network security teams. Ransomware is malicious software designed to infect a vulnerable computer system and encrypt its files so that an attacker can demand a sum of money to unlock them. There are two main types of cyber-attacks companies face today that involve ransom and extortion:

1. Ransom attack: Attackers encrypt the files on an organization’s network with ransomware, effectively holding the data hostage and refusing to unlock the files unless a ransom fee is paid.[3]

2. DDoS extortion attack: Attackers threaten an organization with a DDoS attack unless a fee is paid.[4] DDoS extortion has been a problem for security teams for many years, and it remains a primary motivator for DDoS attacks.

Two recent global ransomware attacks, WannaCry and NotPetya, have increased public visibility into the devastating effects that ransomware can have on an organization’s critical assets. The WannaCry ransomware attack affected more than 300,000 computers in more than 150 countries.[5] The NotPetya ransomware attack was more destructive. It spread faster than the WannaCry ransomware and caused “permanent and irreversible damage” to a computer’s hard drive. One report shows that in 2016 almost half of United States-based companies experienced a ransomware incident.[6]

Ransomware represents a serious threat to enterprise security teams because:

1. Encrypted data could be permanently lost;

2. The ransomware payment cost could be significant. In one case, a South Korean web hosting company paid a ransomware demand that was over $1 million, the largest ransomware payment to date, to gain access to its servers;[7]

3. Making a ransom payment does not guarantee that the attacker will provide a decryption key;[8] and

4. Paying the ransomware demand could increase a company’s chances of being attacked again in the future.[9]

Organizations within industries where 24/7 availability is expected as the standard (such as the financial industry) are more susceptible to extortion and ransomware attacks. In 2016, financial companies were threatened with DDoS attacks unless a payment was made by a specified date and time. The attackers also threatened to infect the companies’ networks with ransomware if payment was not made.[10]

DDoS attacks and ransomware attacks are damaging enough when used separately to cripple an organization’s network. However, cybercriminals are becoming more sophisticated and are combining DDoS attacks and ransomware for greater impact. In one published attack, there was a ransomware variant that held the organization’s machine and data hostage until the ransom was paid. While the attackers waited for the ransom payment, they used the organization’s machines as botnets to launch DDoS attacks on another unsuspecting victim.[11]

The Role of DNS in Defending Against Ransomware Attacks

Domain Name System (DNS) controls can play an important role in helping to identify and protect users from malware and ransomware attacks. When DNS resolvers utilize security risk information feeds, such information can be leveraged to set up filters to proactively analyze and identify Command and Control connection mechanisms. Such filters can help to stop the encryption process leveraged by many ransomware strains. For more information, download our e-book, Using DNS to Combat Ransomware.

[3] Weagle, Stephanie. The Links Between Ransom, Ransomware and DDoS Attacks. https://www.corero.com/blog/759-the-links-between-ransom-ransomware-and-ddos-attacks.html. Retrieved Aug. 24, 2017.

[4] Weagle, Stephanie. The Links Between Ransom, Ransomware and DDoS Attacks. https://www.corero.com/blog/759-the-links-between-ransom-ransomware-and-ddos-attacks.html. Retrieved Aug. 24, 2017.

[5] Chappell, Bill. WannaCry Ransomware: What We Know Monday. http://www.npr.org/sections/thetwo-way/2017/05/15/528451534/wannacry-ransomware-what-we-know-monday. Retrieved Aug. 24, 2017.

[6] 40 Percent of Enterprises Hit by Ransomware in the Last Year. http://www.securitymagazine.com/articles/87332-percent-of-enterprises-hit-by-ransomware-in-the-last-year/. Retrieved Aug. 24, 2017.

[7] Cimpanu, Catalin. $1 Million Ransomware Payment Has Spurred New DDoS-for-Bitcoin Attacks. https://www.bleepingcomputer.com/news/security/-1-million-ransomware-payment-has-spurred-new-ddos-for-bitcoin-attacks/. Retrieved Aug. 24, 2017.

[8] Rashid, Fahmida Y. 4 reasons not to pay up in a ransomware attack. http://www.infoworld.com/article/3043197/security/4-reasons-not-to-pay-up-in-a-ransomware-attack.html. Retrieved Aug. 24, 2017.

[9] Hunt, Elle. Don’t pay WannaCry demands, cybersecurity experts say. https://www.theguardian.com/technology/2017/may/15/dont-pay-ransomware-demands-cybersecurity-experts-say-wannacry. Retrieved Aug. 24, 2017.

[10] Buck, Phillip. DDoS extortion campaigns: The threat facing the financial sector. http://www.itproportal.com/features/ddos-extortion-campaigns-the-threat-facing-the-financial-sector/. Retrieved Aug. 24, 2017.

[11] Poremba, Sue Marquette. Dual Threat Coming from Ransomware and DDoS Attacks. http://www.itbusinessedge.com/blogs/data-security/dual-threat-coming-from-ransomware-and-ddos-attacks.html. Retrieved Aug. 24, 2017.


TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS.

About Verisign

Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world’s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net top-level domains and two of the internet’s root servers, as well as performs the root zone maintainer function for the core of the internet’s Domain Name System (DNS). Verisign’s Security Services include Distributed Denial of Service Protection and Managed DNS. To learn more about what it means to be Powered by Verisign, visit Verisign.com.

*The information in this Verisign Distributed Denial of Service Trends Report (this “Report”) is believed by Verisign to be accurate at the time of publishing based on currently available information. Verisign provides this Report for your use in “AS IS” condition. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose.


Verisign Public VRSN_DDoS_TR_Q2-17_FlowTraq_201709

Verisign.com

© 2017 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.

