The document reports on distributed denial of service (DDoS) attack trends in Q3 2013. It finds that 76.52% of attacks targeted the infrastructure layer, with SYN floods being the most common at 18.16%. Application layer attacks made up 23.48% of attacks, led by HTTP GET floods at 18.03%. It analyzes attack vectors and source countries over time, finding that China was the top source country in Q3 2013 at 62.26%. Specific examples are also given of CHARGEN reflection attacks on gaming and entertainment industry customers.
2. Types of DDoS attacks and their relative distribution in Q3 2013
Infrastructure Layer: 76.52%
ACK: 1.69%
CHARGEN: 3.37%
RESET: 1.94%
ICMP: 11.41%
SYN: 18.16%
RIP: 0.13%
FIN PUSH: 0.39%
TCP Fragment: 0.65%
UDP Floods: 14.66%
RP: 0.39%
DNS: 8.94%
Application Layer: 23.48%
HTTP GET: 18.03%
HEAD: 0.13%
SYN PUSH: 0.13%
SSL POST: 0.26%
SSL GET: 0.78%
PUSH: 0.91%
HTTP POST: 3.37%
CONFIDENTIAL
UDP Fragment: 14.66%
3. Attack vectors Q3 2013, Q2 2013 and Q3 2012
[Figure: share of attacks by vector for Q3 2013, Q2 2013 and Q3 2012. Vectors shown: SSL POST, SSL GET, PUSH, HTTP POST, NTP, HEAD, HTTP GET, IGMP, UDP Fragment, UDP, TCP Fragment, SYN, SYN PUSH, RP, RIP, RESET, ICMP, DNS, FIN PUSH, CHARGEN, ACK. Axis: 0% to 35%.]
4. Changes in DDoS attacks per week, Q3 2013 vs. Q3 2012
[Figure: percentage change in DDoS attacks per week. Vertical axis: Percentage (-50% to 250%). Horizontal axis: Time, weeks of 1-Jul through 30-Sep. Labelled values, not matched to individual weeks: 190%, 118%, 109%, 96%, 84%, 82%, 80%, 46%, 43%, 34%, 43%, 17%, -7%, -16%.]
5. Top ten source countries for DDoS attacks in Q3 2013
Taiwan: 2.95%
Poland: 2.23%
Japan: 2.11%
Italy: 1.94%
India: 3.45%
Russian Federation: 4.45%
Brazil: 4.46%
Republic of Korea: 7.09%
United States: 9.06%
China: 62.26%
6. Top ten source countries for DDoS attacks in Q3 2013, Q2 2013 and Q3 2012
Q3 2013
Italy: 1.94%
Japan: 2.11%
Poland: 2.23%
Taiwan: 2.95%
India: 3.45%
Russia: 4.45%
Brazil: 4.46%
Korea: 7.09%
USA: 9.06%
China: 62.26%
Q2 2013
Taiwan: 1.81%
UK: 1.88%
Iran: 2.14%
Italy: 2.28%
USA: 4.12%
France: 6.50%
Korea: 7.29%
Russia: 7.58%
Mexico: 27.32%
China: 39.08%
Q3 2012
Egypt: 2.77%
Vietnam: 3.68%
UK: 3.69%
Thailand: 3.89%
Saudi Arabia: 4.55%
Russia: 5.07%
Brazil: 5.23%
India: 7.81%
USA: 27.85%
China: 35.46%
12. Packet data of the amplified DrDoS traffic
13. Source regions of CHARGEN attacks against gambling industry customer
14. Top 10 ASNs participating in the attack against the gambling industry customer
[Figure: distribution across the ASNs listed below. Labelled percentages, not matched to individual ASNs: 59.40%, 12.20%, 11.40%, 6.90%.]
KRNIC-ASBLOCK-AP KRNIC
CHINANET-SH-AP China Telecom (Group)
CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data Center
ATT-INTERNET4 - AT&T Services, Inc.
UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
LGDACOM LG DACOM Corporation
CHINA169-BACKBONE CNCGROUP China169 Backbone
HANARO-AS Hanaro Telecom Inc.
CHINANET-BACKBONE No.31,Jin-rong Street
17. Top 10 ASNs participating in the attack against the entertainment industry customer
[Figure: distribution across the ASNs listed below. Labelled percentages, not matched to individual ASNs: 38.60%, 10.90%, 9.90%, 8.90%, 7.70%, 5.70%, 5.50%, 4.20%.]
CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd.
OCN NTT Communications Corporation
CABLE-NET-1 - Cablevision Systems Corp.
CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
HANARO-AS Hanaro Telecom Inc.
CHINA169-BACKBONE CNCGROUP China169 Backbone
CMCS - Comcast Cable Communications, Inc.
LGDACOM LG DACOM Corporation
CHINANET-BACKBONE No.31,Jin-rong Street
18. Source regions of CHARGEN attacks against entertainment industry customer
19. Mitigation control for CHARGEN campaign against the entertainment industry customer
29. 99 percent of servers participating in a CHARGEN reflection attack ran a Microsoft Windows server operating system
[Figure: operating systems of participating servers. Categories: Linux, Unix, Windows, Other. Labelled value: 99.3%.]