Q3 2013 Attack Report

www.prolexic.com
Types of DDoS attacks and their relative distribution in Q3 2013

Pie chart of attack vectors by share of all attacks mitigated in the quarter.

Infrastructure layer: 76.52%
    SYN             18.16%
    UDP floods      14.66%
    UDP fragment    14.66%
    ICMP            11.41%
    DNS              8.94%
    CHARGEN          3.37%
    RESET            1.94%
    ACK              1.69%
    TCP fragment     0.65%
    FIN PUSH         0.39%
    RP               0.39%
    RIP              0.13%
    SYN PUSH         0.13%

Application layer: 23.48%
    HTTP GET        18.03%
    HTTP POST        3.37%
    PUSH             0.91%
    SSL GET          0.78%
    SSL POST         0.26%
    HEAD             0.13%

(SYN PUSH is counted under the infrastructure layer and PUSH under the application layer; the two groups sum to exactly 76.52% and 23.48%.)

CONFIDENTIAL
Attack vectors: Q3 2013, Q2 2013 and Q3 2012

Bar chart with three bars per vector (Q3 2013, Q2 2013, Q3 2012) on a 0% to 35% scale. The Q3 2013 values are the distribution above. For the two earlier quarters the extraction keeps the bar labels but not which quarter each belongs to, so those are listed as an unordered pair; where no earlier-quarter label can be tied to a vector, only the Q3 2013 value is given. NTP and IGMP appear in the chart for the earlier quarters but are not in the Q3 2013 distribution. Four further labels (4.92%, 7.25%, 15.15%, 17.79%) sit between the ICMP and DNS groups and cannot be assigned to either.

Vector          Q3 2013    Q2 2013 and Q3 2012 (unordered)
SYN             18.16%     31.22%, 23.53%
HTTP GET        18.03%
UDP floods      14.66%     10.41%, 19.63%
UDP fragment    14.66%      8.70%,  9.00%
ICMP            11.41%
DNS              8.94%
HTTP POST        3.37%      2.50%,  3.07%
CHARGEN          3.37%
RESET            1.94%      1.19%,  2.86%
ACK              1.69%      0.53%,  1.43%
PUSH             0.91%      0.39%,  1.02%
SSL GET          0.78%      0.53%,  0.61%
TCP fragment     0.65%      0.26%,  0.20%
FIN PUSH         0.39%
RP               0.39%
SSL POST         0.26%      0.26%,  0.20%
HEAD             0.13%
RIP              0.13%
SYN PUSH         0.13%
NTP                 -       (earlier quarters only)
IGMP                -       (earlier quarters only)
Changes in DDoS attacks per week, Q3 2013 vs. Q3 2012

Line chart. X-axis: week beginning 1-Jul, 8-Jul, 15-Jul, 22-Jul, 29-Jul, 5-Aug, 12-Aug, 19-Aug, 26-Aug, 2-Sep, 9-Sep, 16-Sep, 23-Sep, 30-Sep. Y-axis: percentage change against the same week of Q3 2012, scale -50% to 250%. The fourteen weekly values labelled on the chart are 190%, 118%, 109%, 96%, 84%, 82%, 80%, 46%, 43%, 43%, 34%, 17%, -7% and -16%; the extraction does not preserve which value belongs to which week, only that twelve of the fourteen weeks were up year over year and two were down.
Top ten source countries for DDoS attacks in Q3 2013

Pie chart; shares are of the top-ten total and sum to 100%.
    China                 62.26%
    United States          9.06%
    Republic of Korea      7.09%
    Brazil                 4.46%
    Russian Federation     4.45%
    India                  3.45%
    Taiwan                 2.95%
    Poland                 2.23%
    Japan                  2.11%
    Italy                  1.94%
Top ten source countries for DDoS attacks in Q3 2013, Q2 2013 and Q3 2012

Three horizontal bar charts, one per quarter, on a 0% to 70% scale; within each quarter the ten shares sum to 100%.

Q3 2013                     Q2 2013                     Q3 2012
China             62.26%    China             39.08%    China             35.46%
United States      9.06%    Mexico            27.32%    United States     27.85%
Korea              7.09%    Russia             7.58%    India              7.81%
Brazil             4.46%    Korea              7.29%    Brazil             5.23%
Russia             4.45%    France             6.50%    Russia             5.07%
India              3.45%    United States      4.12%    Saudi Arabia       4.55%
Taiwan             2.95%    Italy              2.28%    Thailand           3.89%
Poland             2.23%    Iran               2.14%    UK                 3.69%
Japan              2.11%    UK                 1.88%    Vietnam            3.68%
Italy              1.94%    Taiwan             1.81%    Egypt              2.77%
Attack campaign start time: Q3 2013, Q2 2013, Q3 2012

Three histograms, one per quarter, of the hour of day (0 to 23) at which attack campaigns began; y-axis is the percentage of campaigns, 0 to 12%. The per-hour values are not labelled in the extracted chart.
Figure: Border traffic and mitigation bits for a September 6 attack
Example of a DrDoS reflection attack

Diagram with three parties: the malicious actor, the primary target, and several victims (the report's term for the reflecting servers). The actor sends PACKET1 to each victim with a spoofed source address (the target) and the destination set to the victim. Each victim answers with PACKET2, the reflected packet, whose source is the victim and whose destination is the target. The target therefore receives one reply per probe from every victim, while the actor's own address never appears on the wire at the target.
Figure: cdos.c tool generating a CHARGEN packet with a size of 29 bytes

Figure: A Microsoft Windows 2000 server victim

Figure: Packet data of the amplified DrDoS traffic
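The exchange in the reflection diagram and the 29-byte CHARGEN request shown from cdos.c, modelled as an added example; this is not code from the report or from cdos.c. It assumes IPv4 plus UDP headers of 28 bytes, so the 29-byte request carries a single payload byte, and it assumes RFC 864 reflector behaviour, under which a UDP CHARGEN server may answer any datagram with 0 to 512 characters. The addresses are RFC 5737 documentation ranges and reply lengths come from a seeded generator, so every number it prints is constructed rather than measured.

```python
"""CHARGEN (UDP/19) reflection, modelled end to end.

Added example; not code from the report or from the cdos.c tool it shows.
Assumptions: IPv4 (20-byte header) over UDP (8-byte header), so the 29-byte
request is 28 bytes of headers plus 1 payload byte; reflector behaviour
follows RFC 864, which lets a UDP CHARGEN server answer any datagram with
0 to 512 characters regardless of what it received.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List
import random

IPV4_HEADER = 20
UDP_HEADER = 8
CHARGEN_PORT = 19
CHARGEN_MAX_REPLY = 512  # RFC 864: a UDP reply carries 0..512 characters


@dataclass(frozen=True)
class Datagram:
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int

    @property
    def wire_len(self) -> int:
        """IPv4 total length: both headers plus the UDP payload."""
        return IPV4_HEADER + UDP_HEADER + self.payload_len


def build_probe(target: str, reflector: str, target_port: int = 80,
                payload_len: int = 1) -> Datagram:
    """PACKET1 of the diagram. The source field is forged to the primary
    target, so the reflector's answer is routed to the target, never back
    to the attacker. This only works from a network that does not filter
    spoofed sources (BCP 38)."""
    return Datagram(src=target, sport=target_port,
                    dst=reflector, dport=CHARGEN_PORT, payload_len=payload_len)


def reflect(probe: Datagram, reply_len: int) -> Datagram:
    """PACKET2 of the diagram. The reflector trusts the source field and
    answers it with reply_len characters (the CHARGEN server's choice)."""
    if not 0 <= reply_len <= CHARGEN_MAX_REPLY:
        raise ValueError("RFC 864 UDP CHARGEN replies carry 0..512 characters")
    return Datagram(src=probe.dst, sport=CHARGEN_PORT,
                    dst=probe.src, dport=probe.sport, payload_len=reply_len)


def amplification(request: Datagram, reply: Datagram) -> float:
    """Bandwidth amplification: bytes delivered to the target per byte sent."""
    return reply.wire_len / request.wire_len


def simulate_campaign(target: str, reflectors: List[str],
                      probes_per_reflector: int,
                      reply_len_fn: Callable[[], int]) -> Dict[str, float]:
    """Drive every reflector with forged probes and total what lands on
    the target. reply_len_fn models each reflector's chosen reply size."""
    bytes_sent = 0
    bytes_on_target = 0
    for reflector in reflectors:
        for _ in range(probes_per_reflector):
            p1 = build_probe(target, reflector)
            p2 = reflect(p1, reply_len_fn())
            assert p2.dst == target  # every reply lands on the spoofed address
            bytes_sent += p1.wire_len
            bytes_on_target += p2.wire_len
    return {"bytes_sent": bytes_sent,
            "bytes_on_target": bytes_on_target,
            "amplification": bytes_on_target / bytes_sent}


if __name__ == "__main__":
    rng = random.Random(2013)  # seeded: constructed, repeatable reply sizes
    reflectors = [f"203.0.113.{i}" for i in range(1, 51)]  # RFC 5737 test range
    result = simulate_campaign("198.51.100.10", reflectors, 1000,
                               lambda: rng.randint(0, CHARGEN_MAX_REPLY))
    probe = build_probe("198.51.100.10", reflectors[0])
    ceiling = amplification(probe, reflect(probe, CHARGEN_MAX_REPLY))
    print(f"sent {result['bytes_sent']:,} B, target received "
          f"{result['bytes_on_target']:,} B "
          f"(x{result['amplification']:.1f}; ceiling x{ceiling:.1f})")
```

The ceiling per probe is (28 + 512) / 29, about 18.6 bytes delivered for every byte the attacker sends; with reply lengths spread uniformly over 0 to 512 the mean is closer to 9.8. Both figures are per reflector, which is why the reflector count and the reflectors' uplinks, not any single server, decide how much traffic arrives at the target.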
Figure: Source regions of CHARGEN attacks against gambling industry customer
Top 10 ASNs participating in the attack against the gambling industry customer

Pie chart. The four shares labelled on the chart are 59.40%, 12.20%, 11.40% and 6.90%; the extraction does not preserve which ASN each belongs to. ASNs shown:
    KRNIC-ASBLOCK-AP KRNIC
    CHINANET-SH-AP China Telecom (Group)
    CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data Center
    ATT-INTERNET4 - AT&T Services, Inc.
    UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
    CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
    LGDACOM LG DACOM Corporation
    CHINA169-BACKBONE CNCGROUP China169 Backbone
    HANARO-AS Hanaro Telecom Inc.
    CHINANET-BACKBONE No.31,Jin-rong Street
Figure: Bandwidth graphs during this CHARGEN attack

Figure: Pricing options for a stressor service
Top 10 ASNs participating in the attack against the entertainment industry customer

Pie chart. The eight shares labelled on the chart are 38.60%, 10.90%, 9.90%, 8.90%, 7.70%, 5.70%, 5.50% and 4.20%; the extraction does not preserve which ASN each belongs to. ASNs shown:
    CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd.
    OCN NTT Communications Corporation
    CABLE-NET-1 - Cablevision Systems Corp.
    CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
    UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
    HANARO-AS Hanaro Telecom Inc.
    CHINA169-BACKBONE CNCGROUP China169 Backbone
    CMCS - Comcast Cable Communications, Inc.
    LGDACOM LG DACOM Corporation
    CHINANET-BACKBONE No.31,Jin-rong Street
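How a table like the two ASN breakdowns above is derived from border telemetry, as an added example that is not the report's own tooling. It reads NetFlow-style records, keeps only flows that look like reflected CHARGEN (UDP from source port 19, from outside, into the protected range), maps each reflector to its origin ASN by longest-prefix match, and ranks ASNs by bytes. The flow sample, the protected range and the prefix-to-ASN table are all constructed from RFC 5737 documentation prefixes and private-use ASNs; in a real run the flows come from the collector and the prefix table from a BGP or RIR lookup.

```python
"""Attribute inbound CHARGEN reflection traffic to the reflectors' ASNs.

Added example; not the report's tooling. Works on NetFlow-style records
(proto,src,sport,dst,dport,bytes). The prefix-to-ASN table and the flow
sample are constructed from RFC 5737 documentation prefixes and private-use
ASNs; a real run takes both from the collector and a BGP/RIR lookup.
"""
from collections import defaultdict
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple

CHARGEN_PORT = 19

# Constructed routing table: prefix -> origin ASN (longest prefix wins).
PREFIX_TO_ASN: List[Tuple[IPv4Network, str]] = [
    (ip_network("203.0.113.0/24"), "AS64496 EXAMPLE-NET-A"),
    (ip_network("203.0.113.128/25"), "AS64497 EXAMPLE-NET-B"),
    (ip_network("192.0.2.0/24"), "AS64498 EXAMPLE-NET-C"),
]

# The protected customer range (constructed).
PROTECTED = ip_network("198.51.100.0/24")

# Constructed flow records, as a border collector would export them.
SAMPLE_FLOWS = """\
proto,src,sport,dst,dport,bytes
udp,203.0.113.5,19,198.51.100.10,80,540
udp,203.0.113.6,19,198.51.100.10,80,300
udp,203.0.113.200,19,198.51.100.10,443,512
udp,192.0.2.77,19,198.51.100.10,80,128
udp,192.0.2.78,53,198.51.100.10,3333,90
tcp,203.0.113.9,19,198.51.100.10,80,60
udp,198.51.100.10,1234,192.0.2.1,19,40
"""


def parse_flows(text: str) -> List[Dict[str, object]]:
    """Parse the CSV export into typed records."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        f = dict(zip(header, line.split(",")))
        rows.append({"proto": f["proto"],
                     "src": ip_address(f["src"]), "sport": int(f["sport"]),
                     "dst": ip_address(f["dst"]), "dport": int(f["dport"]),
                     "bytes": int(f["bytes"])})
    return rows


def is_chargen_reflection(flow: Dict[str, object]) -> bool:
    """Reflected CHARGEN arrives as UDP *from* port 19 on an outside host,
    aimed at the protected range. TCP/19 is not counted: a spoofed source
    never completes the handshake, so it cannot be reflected this way."""
    return (flow["proto"] == "udp"
            and flow["sport"] == CHARGEN_PORT
            and flow["dst"] in PROTECTED
            and flow["src"] not in PROTECTED)


def asn_for(addr) -> str:
    """Longest-prefix match against the constructed table."""
    matches = [(net.prefixlen, asn) for net, asn in PREFIX_TO_ASN if addr in net]
    return max(matches)[1] if matches else "unknown"


def top_asns(flows: List[Dict[str, object]], limit: int = 10) -> List[Tuple[str, int, float]]:
    """(asn, bytes, share of reflected bytes), largest contributors first."""
    per_asn: Dict[str, int] = defaultdict(int)
    for flow in flows:
        if is_chargen_reflection(flow):
            per_asn[asn_for(flow["src"])] += flow["bytes"]
    total = sum(per_asn.values())
    ranked = sorted(per_asn.items(), key=lambda kv: kv[1], reverse=True)[:limit]
    return [(asn, b, b / total if total else 0.0) for asn, b in ranked]


if __name__ == "__main__":
    for asn, nbytes, share in top_asns(parse_flows(SAMPLE_FLOWS)):
        print(f"{share:7.2%}  {nbytes:>6} B  {asn}")
```

The filter is deliberately direction-aware: a flow leaving the protected range towards port 19 is an internal host probing outward, not reflection, and a TCP flow from port 19 is noise. Attribution by bytes rather than by flow count matches how the report's charts are read, since one reflector behind a fat uplink contributes more to the flood than ten behind thin ones.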
Figure: Source regions of CHARGEN attacks against entertainment industry customer

Figure: Mitigation control for CHARGEN campaign against the entertainment industry customer
Figure: Screenshot of RAGE booter

Figure: RAGE booter API service panel (first screenshot)

Figure: RAGE booter API service panel (second screenshot)

Figure: Stressor panel with CHARGEN features

Figure: Screenshot of advert selling a reflection IP list

Figure: A forum for selling DrDoS scanners

Figure: The attack console interface of the cdos.c DrDoS toolkit

Figure: Forum chatter about leaked tool market saturation

Figure: Forum selling CHARGEN scanner tool
99 percent of servers participating in a CHARGEN reflection attack ran a Microsoft Windows server operating system

Pie chart of reflector operating systems: Windows 99.3%; Linux, Unix and Other together make up the remaining 0.7%.

Figure: CHARGEN has been turned off
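A check for the state the last screenshot records ("CHARGEN has been turned off"), as an added example that is not the report's tooling. On Windows, CHARGEN is provided by the optional Simple TCP/IP Services feature (service name simptcp), which also serves Echo, Discard, Daytime and Quote of the Day; stopping or removing it is the fix, and the only confirmation that counts is a probe from outside on UDP/19. The responder below is a constructed stand-in for a server that still answers, so the check can be exercised offline on the loopback interface; the reply text is an assumption standing in for the CHARGEN character ramp. Only probe address space you are authorised to test.

```python
"""Verify that CHARGEN is really off: probe UDP/19 and classify the answer.

Added example, not from the report. Only probe hosts you are authorised
to test. The fake responder lets the check run offline on loopback; a real
audit passes your own servers' addresses to probe_chargen().
"""
import socket
import threading

CHARGEN_PORT = 19
HEADERS = 28  # IPv4 + UDP headers, for the amplification estimate


def probe_chargen(host: str, port: int = CHARGEN_PORT, timeout: float = 1.0) -> int:
    """Send a one-byte datagram and return the reply length in bytes.
    0 means nothing came back (port closed, filtered, or service off);
    anything else means the host still reflects."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(b"\x00", (host, port))
            data, _ = s.recvfrom(4096)
        except (socket.timeout, ConnectionRefusedError):
            # timeout: silently dropped; ECONNREFUSED: ICMP port unreachable
            return 0
        return len(data)


def classify(reply_len: int, probe_len: int = 1) -> str:
    """Human-readable verdict plus the per-probe amplification it implies."""
    if reply_len == 0:
        return "closed"
    factor = (HEADERS + reply_len) / (HEADERS + probe_len)
    return f"open (reflects x{factor:.1f})"


def start_fake_chargen(reply_len: int = 512, host: str = "127.0.0.1") -> int:
    """Constructed stand-in for a host with Simple TCP/IP Services still on:
    answers one datagram with reply_len printable characters, as RFC 864
    allows (the exact ramp text is an assumption). Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    port = srv.getsockname()[1]
    ramp = bytes(range(33, 127)) * (reply_len // 94 + 1)  # printable ASCII

    def serve() -> None:
        with srv:
            _, peer = srv.recvfrom(4096)
            srv.sendto(ramp[:reply_len], peer)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_udp_port(host: str = "127.0.0.1") -> int:
    """Pick a port nothing listens on, to demonstrate the turned-off case."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    still_on = start_fake_chargen()
    turned_off = unused_udp_port()
    for label, port in (("still-on", still_on), ("turned-off", turned_off)):
        print(f"{label:10s} udp/{port}: {classify(probe_chargen('127.0.0.1', port))}")
```

A silent probe is only as good as the path it travelled: run it from outside the perimeter, because a host-based firewall or an upstream ACL can hide a service that is still listening, and the report's data show that the reflectors were mostly Windows boxes whose owners did not know the service was on.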
