akamai.com
[Q4 2014]
= spotlight: TCP flag DDoS attacks
• A group claiming to be Lizard Squad has engaged in an
ongoing attack campaign against an Akamai customer
• The attack vector and the events surrounding this attack
campaign indicate the ongoing development of DDoS attack
tools
• Although it was not a record-breaking attack, it was large,
peaking at 131 Gigabits per second (Gbps) and 44 Million
packets per second (Mpps)
• An attack of this size would slow down or cause an outage in most
corporate infrastructures
• The attacks occurred in August and December 2014
2 / [state of the internet] / threat advisory
= SYN with a side of everything
• The TCP-based attack was packed with TCP flags
• One packet had the greatest number of flags set simultaneously
of any packet observed: only the ACK flag was missing
• In the order in which they appear [FSRPUEW], the flags
included FIN, SYN, RST, PSH, URG, ECN, and CWR
• Such a flag-filled packet is commonly called a Christmas tree
packet
= christmas tree packets
• Christmas tree packets are almost always suspicious
• They require more processing power to handle than normal packets
• As a result, they are commonly used in denial of service
attacks
• The TCP-based attack was packed with TCP flags, using all
but one TCP flag
• Christmas tree packets are also used in reconnaissance to
probe how a system responds
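The two slides above describe the attack by its flag combination. As an added example that is not part of the advisory, the Python below decodes the flags word of a raw TCP header into the same [FSRPUEW] letter notation and applies a simple anomaly rule that labels the "all flags but ACK" Christmas tree packet, plus a few other combinations no legitimate stack emits; the sample headers are constructed here, not captured from the attack.

```python
# Added example (not from the Akamai advisory): decode the TCP flags field
# of a raw TCP header and flag combinations that never occur in normal
# traffic, such as the Christmas tree packet described in the slides.
import struct

# Bit positions of the eight TCP flags in the 16-bit data-offset/flags word,
# with the one-letter names tcpdump and Wireshark use (E = ECN-Echo, W = CWR).
FLAG_BITS = [("F", 0x001), ("S", 0x002), ("R", 0x004), ("P", 0x008),
             ("A", 0x010), ("U", 0x020), ("E", 0x040), ("W", 0x080)]


def tcp_flag_letters(header: bytes) -> str:
    """Return the set flags of a TCP header as a letter string like 'FSRPUEW'."""
    if len(header) < 20:
        raise ValueError("need at least the 20-byte fixed TCP header")
    # Bytes 12-13 hold 4 bits of data offset, 3 reserved bits, NS, then the flags.
    offset_flags = struct.unpack("!H", header[12:14])[0]
    return "".join(letter for letter, bit in FLAG_BITS if offset_flags & bit)


def classify(flags: str) -> str:
    """Label a flag combination the way a simple detection rule would."""
    s = set(flags)
    if {"F", "S", "R", "P", "U"} <= s:
        return "xmas"        # every "action" flag lit at once: Christmas tree
    if "S" in s and "F" in s:
        return "syn+fin"     # cannot occur in a legitimate handshake
    if "S" in s and "R" in s:
        return "syn+rst"
    if not flags:
        return "null"        # no flags at all: NULL scan or malformed packet
    return "normal"


def make_header(flags_word: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Build a minimal 20-byte TCP header (constructed test data, checksum zero)."""
    data_offset = 5 << 12  # five 32-bit words, no options
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       data_offset | flags_word, 8192, 0, 0)


# Constructed samples, not packets from the advisory.
SAMPLES = {
    "xmas_no_ack": make_header(0x0EF),  # FIN SYN RST PSH URG ECN CWR, ACK clear
    "syn": make_header(0x002),
    "syn_ack": make_header(0x012),
    "null": make_header(0x000),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        letters = tcp_flag_letters(hdr)
        print(f"{name:12s} [{letters:8s}] -> {classify(letters)}")
```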
= statistics for the three campaigns
= new attack tool?
• There were differences between the three attack
campaigns
• The December attack executed like a SYN flood
• Its volume was significantly higher than that of the earlier
attacks
• The increased attack strength suggests new attack tool
development
• The expansion and sophistication of the third attack may
indicate new resources from the DDoS-for-hire underground
= third attack may have been a different attacker
• Although Lizard Squad claimed responsibility for the attacks,
differences in the third attack campaign invite speculation that a
different attacker was involved
• The first two attack campaigns did not produce even half of
the volume of the third attack campaign
• Although the first two attacks included a UDP flood, the third
campaign did not make use of the UDP flood attack vector
• The third campaign targeted random hosts in a specific /24
network and made use of the extra data in the Reset cause
field on the packets with the Reset flag set
= distribution by Akamai scrubbing center
= full security report
• Download the full Q4 2014 State of the Internet - Security
Report
• The security report includes:
  • Analysis of DDoS attack trends
  • Bandwidth (Gbps) and volume (Mpps) statistics
  • Year-over-year and quarter-by-quarter analysis
  • Application layer attacks
  • Attack frequency, size and sources
  • Where and when DDoSers strike
  • Spotlight: A multiple TCP Flag DDoS attack
  • Malware: Evolution from cross-platform to destruction
  • Botnet profiling technique: Web application attacks
  • Performance mitigation: Bots, spiders and scrapers
= about stateoftheinternet.com
• StateoftheInternet.com, brought to you by Akamai,
serves as the home for content and information intended to
provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including
Internet connection speeds, broadband adoption, mobile
usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and
archived versions of Akamai's State of the Internet
(Connectivity and Security) reports, the company's data
visualizations, and other resources designed to put context
around the ever-changing Internet landscape.
10 / [The State of the Internet] / Security (Q4 2014)
Q4 2014 spotlight lizard squad presentation