www.prolexic.com
Attack Spotlight: Q1’s Record-setting DDoS Attack
Overview
• In Q1 2014, Prolexic successfully mitigated the largest
Distributed Denial of Service (DDoS) attack campaign
to...
DDos techniques involved
• PLXsert identified the latest NTP and DNS
reflection attack tools, as well as popular DDoS
tool...
Validated attack vectors
• POST1 & POST2 floods, which target Layer 7
(application layer)
• DNS reflection, which targets ...
Validated attack vectors (cont)
• DNS ANY request flood and NTP reflection attack
signatures were detected during the camp...
Analysis of associated malware
• The Drive variant associated with this campaign
supports nine attack vectors:
– GET
– POS...
Analysis of sourced traffic
• The majority of DNS reflectors were from the
United States, as well as Russia and Brazil
• T...
Attack traffic at Prolexic scrubbing centers
Q1 2014 Global Attack Report
• Download the Q1 2014 Global DDoS Attack Report
• The Q1 2014 report covers:
– Analysis of r...
About Prolexic
• Prolexic Technologies, now part of Akamai, has
successfully stopped DDoS attacks for more than a
decade
•...
Upcoming SlideShare
Loading in …5
×

DDoS Attack Spotlight | Record-setting DDoS Attack | Prolexic Podcast

448 views

Published on

http://bit.ly/UJCuJm | In Q1 2014, Prolexic successfully mitigated its largest DDoS attack campaign against a Prolexic customer, peaking at more than 200 Gbps and 53.5 Mpps. Learn what up-and-coming strategies were used by the attackers in this short presentation. Full details on this attack and other DDoS trends are provided in the Prolexic Q1 2014 DDoS attack report, available for a free download at http://bit.ly/UJCuJm.

  • Be the first to comment

  • Be the first to like this

DDoS Attack Spotlight | Record-setting DDoS Attack | Prolexic Podcast

  1. 1. www.prolexic.com Attack Spotlight: Q1’s Record-setting DDoS Attack
  2. 2. Overview • In Q1 2014, Prolexic successfully mitigated the largest Distributed Denial of Service (DDoS) attack campaign to ever cross its network • The attackers used a combination of Network Time Protocol (NTP) reflection and Domain Name Service (DNS) reflection as the main attack vectors • Variations of the POST flood attack were also used • The attack exceeded 10 hours in duration and was directed at a European Internet media company • This campaign peaked at more than 200 Gbps and 53.5 Mpps
  3. 3. DDos techniques involved • PLXsert identified the latest NTP and DNS reflection attack tools, as well as popular DDoS toolkit known as Drive, in the attack • The NTP and DNS protocols are susceptible to abuse by malicious actors, producing highly amplified results • Drive, a DIRT Jumper variant, utilizes a traditional botnet architecture achieved through malware infection
  4. 4. Validated attack vectors • POST1 & POST2 floods, which target Layer 7 (application layer) • DNS reflection, which targets Layer 3 & Layer 4 (infrastructure layer) • NTP monlist reflection, which targets Layer 3 and Layer 4
  5. 5. Validated attack vectors (cont) • DNS ANY request flood and NTP reflection attack signatures were detected during the campaign • An application layer attack (Layer 7) generated multiple HTTP (POST) requests with several different signatures, attempting to evade DDoS mitigation technologies • The POST flood Layer 7 attacks appeared to match those generated by the DIRT Jumper Drive malware
  6. 6. Analysis of associated malware • The Drive variant associated with this campaign supports nine attack vectors: – GET – POST1 – POST2 – IP – IP2 – UDP – request – timeout – thread CONFIDENTIAL
  7. 7. Analysis of sourced traffic • The majority of DNS reflectors were from the United States, as well as Russia and Brazil • The principal sources of the application attacks were identified as Turkey, Iran and Argentina • PLXsert verifies the majority of sources from these countries match CPE device signatures
  8. 8. Attack traffic at Prolexic scrubbing centers
  9. 9. Q1 2014 Global Attack Report • Download the Q1 2014 Global DDoS Attack Report • The Q1 2014 report covers: – Analysis of recent DDoS attack trends – Breakdown of average Gbps/Mpps statistics – Year-over-year and quarter-by-quarter analysis – Types and frequency of application layer attacks – Types and frequency of infrastructure attacks – Trends in attack frequency, size and sources – Where and when DDoSers launch attacks – Case study and analysis CONFIDENTIAL
  10. 10. About Prolexic • Prolexic Technologies, now part of Akamai, has successfully stopped DDoS attacks for more than a decade • Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers

×