Q3 2013 Global DDoS Attack Report
Presentation Transcript

  • Q3 2013 Attack Report www.prolexic.com
  • Types of DDoS attacks and their relative distribution in Q3 2013
    Infrastructure Layer: 76.52%
      SYN: 18.16%
      UDP Floods: 14.66%
      UDP Fragment: 14.66%
      ICMP: 11.41%
      DNS: 8.94%
      CHARGEN: 3.37%
      RESET: 1.94%
      ACK: 1.69%
      TCP Fragment: 0.65%
      FIN PUSH: 0.39%
      RP: 0.39%
      SYN PUSH: 0.13%
      RIP: 0.13%
    Application Layer: 23.48%
      HTTP GET: 18.03%
      HTTP POST: 3.37%
      PUSH: 0.91%
      SSL GET: 0.78%
      SSL POST: 0.26%
      HEAD: 0.13%
    CONFIDENTIAL
  • Attack vectors Q3 2013, Q2 2013 and Q3 2012 (bar chart, 0% to 35%, comparing the vectors above plus NTP and IGMP across the three quarters; the Q2 2013 and Q3 2012 bar values are not legible in the transcript)
  • Changes in DDoS attacks per week, Q3 2013 vs. Q3 2012 (weekly bars from 1-Jul to 30-Sep; percentage change ranges from -16% to 190%, on an axis of -50% to 250%)
  • Top ten source countries for DDoS attacks in Q3 2013
      China: 62.26%
      United States: 9.06%
      Republic of Korea: 7.09%
      Brazil: 4.46%
      Russian Federation: 4.45%
      India: 3.45%
      Taiwan: 2.95%
      Poland: 2.23%
      Japan: 2.11%
      Italy: 1.94%
  • Top ten source countries for DDoS attacks in Q3 2013, Q2 2013 and Q3 2012
    Q3 2013: China 62.26%, USA 9.06%, Korea 7.09%, Brazil 4.46%, Russia 4.45%, India 3.45%, Taiwan 2.95%, Poland 2.23%, Japan 2.11%, Italy 1.94%
    Q2 2013: China 39.08%, Mexico 27.32%, Russia 7.58%, Korea 7.29%, France 6.50%, USA 4.12%, Italy 2.28%, Iran 2.14%, UK 1.88%, Taiwan 1.81%
    Q3 2012: China 35.46%, USA 27.85%, India 7.81%, Brazil 5.23%, Russia 5.07%, Saudi Arabia 4.55%, Thailand 3.89%, UK 3.69%, Vietnam 3.68%, Egypt 2.77%
  • Attack campaign start time – Q3 2013, Q2 2013, Q3 2012 (three panels, one per quarter; hour of day 0–23 on the time axis, percentage 0–12 on the vertical axis)
  • Border traffic and mitigation bits for a September 6 attack
  • Example of a DrDoS reflection attack: PACKET1 is sent by the malicious actor to each reflector (labelled "Victim" in the diagram) with a spoofed source address of the primary target; PACKET2 is the reflected packet each reflector sends in reply, with source = Victim and destination = Target, so the target receives the combined responses.
  • cdos.c tool generating a CHARGEN packet with a size of 29 bytes
  • A Microsoft Windows 2000 server victim
  • Packet data of the amplified DrDoS traffic
  • Source regions of CHARGEN attacks against gambling industry customer
  • Top 10 ASNs participating in the attack against the gambling industry customer: KRNIC-ASBLOCK-AP KRNIC; CHINANET-SH-AP China Telecom (Group); CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data Center; ATT-INTERNET4 - AT&T Services, Inc.; UUNET - MCI Communications Services, Inc. d/b/a Verizon Business; CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network; LGDACOM LG DACOM Corporation; CHINA169-BACKBONE CNCGROUP China169 Backbone; HANARO-AS Hanaro Telecom Inc.; CHINANET-BACKBONE No.31,Jin-rong Street (legible chart shares: 59.40%, 12.20%, 11.40%, 6.90%)
  • Bandwidth graphs during this CHARGEN attack
  • Pricing options for a stressor service
  • Top 10 ASNs participating in the attack against the entertainment industry customer: CNNIC-ALIBABA-CN-NET-AP Hangzou Alibaba Advertising Co.,Ltd.; OCN NTT Communications Corporation; CABLE-NET-1 - Cablevision Systems Corp.; CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network; UUNET - MCI Communications Services, Inc. d/b/a Verizon Business; HANARO-AS Hanaro Telecom Inc.; CHINA169-BACKBONE CNCGROUP China169 Backbone; CMCS - Comcast Cable Communications, Inc.; LGDACOM LG DACOM Corporation; CHINANET-BACKBONE No.31,Jin-rong Street (legible chart shares: 38.60%, 10.90%, 9.90%, 8.90%, 7.70%, 5.70%, 5.50%, 4.20%)
  • Source regions of CHARGEN attacks against entertainment industry customer
  • Mitigation control for CHARGEN campaign against the entertainment industry customer
  • Screenshot of RAGE booter
  • RAGE booter API service panel
  • RAGE booter API service panel (continued)
  • Stressor panel with CHARGEN features
  • Screenshot of advert selling a reflection IP list
  • A forum for selling DrDoS scanners
  • The attack console interface of the cdos.c DrDoS toolkit
  • Forum chatter about leaked tool market saturation
  • Forum selling CHARGEN scanner tool
  • 99 percent of servers participating in a CHARGEN reflection attack ran a Microsoft Windows server operating system (chart: Windows 99.3%; Linux, Unix and Other make up the remainder)
  • CHARGEN has been turned off
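The reflection diagram above (spoofed requests to many reflectors, amplified replies converging on one target) has a simple network-side signature: inbound UDP flows from a reflection service port (CHARGEN is 19/udp, DNS is 53/udp) arriving from many distinct sources, with large average packets, all aimed at the same destination. The following is an added example, not code from the report or from Prolexic, that runs that check over flow records and emits a filter for the attacked host. It assumes a NetFlow-like record with addresses, ports, protocol and packet/byte counts; the thresholds, the iptables rule syntax for the upstream filter, and the sample flows (RFC 5737 documentation addresses) are constructed for illustration.

```python
"""Flag UDP reflection (DrDoS) traffic in flow records and suggest a filter.

Added example, not the report's or Prolexic's code. Assumes simple
NetFlow-like records; ports 19 (CHARGEN) and 53 (DNS) are the IANA
assignments for the two reflection services in the Q3 2013 vector list.
"""
from collections import defaultdict
from dataclasses import dataclass

# Reflection services to watch: well-known UDP source port -> name.
REFLECTION_PORTS = {19: "CHARGEN", 53: "DNS"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def detect_reflection(flows, min_reflectors=3, min_avg_bytes=200):
    """Group inbound UDP flows whose source port is a reflection service by
    (target, service) and report groups fed by many distinct sources with
    large average packets. Thresholds are assumed, not from the report."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTION_PORTS:
            continue
        g = groups[(f.dst_ip, REFLECTION_PORTS[f.src_port])]
        g["sources"].add(f.src_ip)   # each reflector is a distinct source
        g["packets"] += f.packets
        g["bytes"] += f.bytes

    findings = []
    for (target, service), g in groups.items():
        avg = g["bytes"] / g["packets"] if g["packets"] else 0.0
        if len(g["sources"]) >= min_reflectors and avg >= min_avg_bytes:
            findings.append({
                "target": target, "service": service,
                "reflectors": len(g["sources"]),
                "packets": g["packets"], "bytes": g["bytes"],
                "avg_packet_bytes": round(avg, 1),
            })
    # Largest volume first.
    return sorted(findings, key=lambda r: r["bytes"], reverse=True)


def suggest_filter(finding):
    """Return iptables rules (assumed upstream filter syntax) for one finding.

    The match key is the service source port, not the reflector addresses,
    because the reflector set changes from attack to attack. CHARGEN replies
    have no legitimate use for a typical host and are dropped outright; DNS
    replies are rate-limited so the target keeps resolving names.
    """
    sport = {v: k for k, v in REFLECTION_PORTS.items()}[finding["service"]]
    base = f"iptables -A INPUT -p udp --sport {sport} -d {finding['target']}"
    if finding["service"] == "DNS":
        return [f"{base} -m limit --limit 100/s --limit-burst 200 -j ACCEPT",
                f"{base} -j DROP"]
    return [f"{base} -j DROP"]


# Constructed sample flows (not data from the report).
SAMPLE_FLOWS = [
    # Four reflectors answer from 19/udp toward random high ports on the
    # target: many sources, one destination, 300-byte average packets.
    Flow("198.51.100.10", 19, "203.0.113.5", 40001, "udp", 250, 75000),
    Flow("198.51.100.11", 19, "203.0.113.5", 40002, "udp", 250, 75000),
    Flow("198.51.100.12", 19, "203.0.113.5", 40003, "udp", 250, 75000),
    Flow("198.51.100.13", 19, "203.0.113.5", 40004, "udp", 250, 75000),
    # One resolver answering a few ordinary queries: single source, small
    # packets, so it is not reported.
    Flow("192.0.2.53", 53, "203.0.113.5", 51234, "udp", 5, 600),
    # Ordinary web traffic, ignored because it is TCP.
    Flow("192.0.2.7", 443, "203.0.113.5", 52000, "tcp", 40, 52000),
]

if __name__ == "__main__":
    for finding in detect_reflection(SAMPLE_FLOWS):
        print(finding)
        for rule in suggest_filter(finding):
            print("  ", rule)
```

The distinct-source count is what separates reflection from a single chatty server; the average packet size separates amplified replies from small, normal responses. The last slide's remedy, disabling CHARGEN on the reflectors themselves, removes the traffic at its source, whereas the filter here only protects the one host under attack.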