CDNetworks
2016 DDoS Attack Trends and 2017 Outlook
April, 2017 | CDNetworks Security Service Team Public Copyright©CDNetworks. All Rights Reserved.
Table of Contents
1. Introduction ........ 3
2. Overview ........ 3
3. Major DDoS attack issues in 2016 ........ 4
3.1. Diversification of the attack purpose and type ........ 4
3.2. IoT development and large-scale attacks ........ 5
4. DDoS attack trends in 2016 ........ 6
4.1. Number of DDoS response times by year ........ 6
4.2. Number of DDoS response times by month ........ 7
4.3. DDoS response analysis by area #1 ........ 8
4.3. DDoS response analysis by area #2 ........ 9
4.4. Number of attack experiences by industry ........ 10
4.5. Attack analysis by protocol ........ 11
4.6. Analysis by attack type ........ 12
4.7. Analysis of amplification attacks ........ 13
4.8. Attack source IP analysis ........ 14
4.9. Analysis by scale of attacks ........ 15
5. DDoS attack outlook for 2017 ........ 16
6. Conclusion ........ 16
1. Introduction
CDNetworks, a global content delivery network service company, provides CDN (Content Delivery Network) services and Cloud Security
services including DDoS defense and web application firewall.
This report is designed to share information on minimizing the damage caused by DDoS attacks, by analyzing the various attack patterns
collected while providing security services to CDNetworks' global customers and forecasting DDoS attack trends in 2017 based on that
analysis.
This report, which covers DDoS attack trends in 2016 and the outlook for 2017, was created from the data of customers who use the
security services provided by CDNetworks. As a result, the total data set may be small, but the DDoS attack details of global customers in the
U.S., Europe, Korea, Singapore, and Japan are analyzed, which can be useful in understanding and forecasting DDoS attack trends around
the globe.
2. Overview
The number of DDoS attacks in 2016 decreased 5% compared to the previous year. However, the average DDoS attack traffic increased
from 6.2Gbps to 6.8Gbps in 2016 (a 10% increase), and various types of attacks were observed. In particular, the number of TCP
(Transmission Control Protocol) flooding attacks increased by 103% from the previous year, which seems to be caused by the emergence of
attack tools that exploit Internet of Things (IoT) devices.
The number of DDoS attacks in 2016 seems to have decreased by a small margin because UDP blocking rules were applied last year
to some top-level scrubbing PoP network equipment that frequently experienced UDP (User Datagram Protocol) attacks, and because the L7
defense rules applied to the CDN Edge Cache to block small-scale HTTP attacks worked effectively. Those measures decreased the
UDP attacks at some PoPs by 98%, but other types of attacks increased, so the total number of attacks decreased by just 5%.
The Mirai botnet attack tool, which exploits IoT devices as a botnet, was unveiled in the fourth quarter of 2016, and the scale and frequency
of attacks have increased significantly since then. This upward trend is expected to continue in 2017.
3. Major DDoS attack issues in 2016
3.1. Diversification of the attack purpose and type
DDoS attacks in 2016 exhibited a variety of attack motives and types: existing business-style attacks aiming for money, hacktivist
attacks, and attacks by individuals and groups for interest and fun.
Typical hacktivist attacks included the JYP Entertainment homepage attack in January by hackers assumed to be Taiwanese, the attack
on the campaign website of U.S. presidential candidate Donald Trump, and attacks against North Korean websites. Threat-type attacks
against major Russian banks are a traditional form of business-style attack. In addition, the hacker group “PoodleCorp” attacked gaming
sites for fun, such as Pokémon GO and Blizzard Entertainment’s Battle.net. This means that anyone can unwittingly become a victim of
DDoS attacks without any specific purpose or issue.
<Figure 1> DDoS attack issues I in 2016
<Figure 2> DDoS attack issues II in 2016
3.2. IoT development and large-scale attacks
When the IoT era began to affect our lives, most people were interested only in the added convenience in their daily routines.
But in 2017, the security sector is expected to be more concerned than ever.
It is safe to say that the major DDoS issue of 2016 involved IoT. Beginning with attacks against famous security blogs in
the U.S. on September 13, 2016, large-scale DDoS attacks exploiting vulnerable IoT devices continued until the DDoS
attack against DYN on October 21. In addition, the scale of the L3 attacks launched after October 30 was larger than ever.
A more serious problem is that the number of IoT devices is increasing rapidly while the security of those devices is extremely weak.
In the future, 100Gbps-class DDoS attacks coming from tens of thousands of IPs may become routine.
4. DDoS attack trends in 2016
4.1. Number of DDoS response times by year
<Figure 3> Number of DDoS response times by year
  2014: 208    2015: 463    2016: 441
Attack frequency decreased by 5% in 2016 from the previous year, which seems to be caused by the effective application of UDP
blocking rules to some top-level scrubbing PoP network equipment that frequently experienced UDP (User Datagram Protocol) attacks,
and of defense rules to the CDN Edge Cache to block small-scale L7 attacks. More details can be found in Chapter 4.3.
4.2. Number of DDoS response times by month
<Figure 4> Number of DDoS response times by month (Jan to Dec, 2015 and 2016)
The monthly attack volume shows a pattern similar to the previous year, and attacks are concentrated in the summer due to seasonal
factors. In addition, attacks increased to a large extent before and after the Mid-Autumn Festival in China, which accounts
for a large portion of the attack sites.
4.3. DDoS response analysis by area #1
<Figure 5> DDoS response analysis by area (number of responses, 2015 / 2016)
  U.K.                      7 /   8
  Germany                 105 /  45
  America                 204 / 237
  Hong Kong                 0 /  27
  Korea                    31 /   5
  Japan                    90 /  75
  More than 2 countries    26 /  44
The total number of attacks in 2016 decreased by 5% from the previous year, and Korea, Germany, and Japan showed a noticeable
decline. On the contrary, the U.S. showed a 16% increase, and the Hong Kong area added a new DDoS defense PoP. Previously, DDoS
attacks against Hong Kong were diverted to Japan. Now, however, direct countermeasures can be taken by the DDoS PoP built in
Hong Kong, which decreased the number of attacks in Japan compared with the previous year. The Japanese figure also seems to be
affected by the application of UDP blocking rules on some top-level PoP network equipment.
4.3. DDoS response analysis by area #2
<Figure 6> Analysis of the DDoS attack type in Japan (UDP, TCP, HTTP, Complex; 2015 and 2016)
In 2016, the number of DDoS attacks responded to by scrubbing PoP network equipment in Japan was 75, which is a 17% decrease over
the previous year. Among them, UDP attacks decreased by 98%, which is a big drop compared with the overall attack reduction rate.
The reason seems to be the application of UDP blocking rules to top-level network equipment as a countermeasure to the frequent
large-scale UDP attacks against the pertinent PoP in 2015. Considering the sharp increase in other attack types, the total number of attacks
could have increased drastically if there had been no UDP blocking rules.
4.4. Number of attack experiences by industry
<Figure 7> Number of attack experiences by industry (2015 / 2016)
  Ecommerce      9 /   5
  Gambling      54 / 150
  Game         233 / 254
  Government    33 /   8
  Hosting       48 /  13
  Media         77 /   0
  Others         9 /  11
Hosting and Government experienced fewer attacks, whereas the gaming and gambling industries experienced more attacks in 2016
compared with the previous year. The decrease can be explained by some media customers having changed their service and by UDP
being blocked at the specific PoP used by Japanese hosting customers.
4.5. Attack analysis by protocol
<Figure 8> Classification of attack protocols (2015 / 2016)
  UDP        324 / 265
  TCP         29 /  59
  HTTP        66 /  98
  Complex     44 /  19
In terms of the attack type by protocol, UDP attacks and complex attacks with more than 2 types decreased by 18% and 57% respectively in
2016 over the previous year, whereas TCP and HTTP attacks increased by 103% and 48% respectively. This seems to be partly affected by the
application of UDP blocking rules, as described in Chapter 4.1, and by the IoT-based attack tool “Mirai botnet” that newly emerged in the
fourth quarter. Large-scale TCP attacks also increased significantly after October, when the pertinent attack tool was released, which
seems to have affected the change in attack type distribution.
4.6. Analysis by attack type
<Figure 9> Comparison by attack type (attack types in 2015 and in 2016: UDP, TCP, HTTP, Amplification, Complex)
The result of the analysis by attack type shows that UDP attacks, which accounted for 18% of all attacks in 2016, decreased by 19% over
the year, and complex attacks with more than 2 types occupied 4% (a 6% decrease from the previous year). On the contrary, amplification
attacks, accounting for 42% of all attacks in 2016, increased by 9% over the year, whereas TCP attacks and HTTP attacks increased by
7% and 8% respectively (accounting for 13% and 22% of all attacks). There seems to be a complex set of factors, such as UDP blocking
at a specific PoP and the emergence of the IoT attack tool, as described earlier.
4.7. Analysis of amplification attacks
<Figure 10> Classification of amplification attacks (proportion of CharGen, DNS, NTP, SNMP and SSDP in 2015 and 2016)
Amplification attacks increased by 18% over the previous year in 2016, and the proportion of each attack type changed to a large extent.
Attacks using CharGen, which accounted for 5% of all amplification attacks in 2015, occupied 44% in 2016 (up 30% from the previous
year). On the contrary, the proportion of SSDP (Simple Service Discovery Protocol), which was the mainstream in 2015, decreased by
52%, resulting in 13% of all amplification attacks in 2016. Overall, more attacks emerged in 2016 compared with the previous year.
The result seems to be caused by a change in preferred attack methods due to the increase in the number of customers in the
U.S./Asia and the popularization of attack tools that support amplification attacks.
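As an added illustration, not part of the CDNetworks report, the Python script below classifies constructed flow records by the five reflector protocols in Figure 10 and computes each vector's share per year and its year-over-year change, the comparison this section makes between 2015 and 2016. The port-to-protocol table uses the protocols' standard UDP service ports; the packet-size threshold and the flow records are assumptions made for the example.

```python
"""Added illustration: classify reflection/amplification flood records by the
five reflector protocols of Figure 10 and compare each vector's share per year.
The flow records below are constructed for this example."""
from collections import Counter, defaultdict

# Standard UDP service ports of the reflector protocols named in Figure 10.
REFLECTOR_PORTS = {19: "CharGen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Assumed heuristic: reflected replies are large; below this average packet
# size the flow is treated as ordinary service traffic, not amplification.
MIN_AVG_PACKET_BYTES = 400

# Constructed flow records: (year, l4 protocol, src_port, dst_port, bytes, packets).
# In a reflection flood the *source* port is the reflector's service port and
# the victim's destination port is normally an ephemeral (high) port.
SAMPLE_FLOWS = (
    [(2015, "udp", 1900, 40001, 600_000, 1000)] * 3    # SSDP, mainstream in 2015
    + [(2015, "udp", 53, 40002, 3_000_000, 1000)]      # DNS
    + [(2015, "udp", 123, 40003, 480_000, 1000)]       # NTP
    + [(2015, "tcp", 80, 40004, 60_000, 1000)]         # TCP flood: not amplification
    + [(2015, "udp", 53, 40005, 80_000, 1000)]         # small DNS replies: ordinary traffic
    + [(2016, "udp", 19, 50001, 1_000_000, 1000)] * 4  # CharGen dominates in 2016
    + [(2016, "udp", 53, 50002, 3_000_000, 1000)] * 2
    + [(2016, "udp", 123, 50003, 480_000, 1000)]
    + [(2016, "udp", 161, 50004, 1_200_000, 1000)]     # SNMP
    + [(2016, "udp", 1900, 50005, 600_000, 1000)] * 2  # SSDP share falls
)


def amplification_vector(proto, src_port, dst_port, nbytes, packets):
    """Return the reflector protocol name for a flow that looks like reflected
    amplification traffic, or None for anything else."""
    if proto != "udp" or src_port not in REFLECTOR_PORTS:
        return None
    if dst_port < 1024:  # reply aimed at a service port: not the reflection pattern
        return None
    if packets == 0 or nbytes / packets < MIN_AVG_PACKET_BYTES:
        return None
    return REFLECTOR_PORTS[src_port]


def vector_share_by_year(flows):
    """Return {year: {vector: percent}} computed over amplification flows only."""
    counts = defaultdict(Counter)
    for year, proto, sp, dp, nb, pk in flows:
        vec = amplification_vector(proto, sp, dp, nb, pk)
        if vec is not None:
            counts[year][vec] += 1
    return {year: {v: round(100 * n / sum(c.values()), 1) for v, n in c.items()}
            for year, c in counts.items()}


def share_changes(shares, old, new):
    """Percentage-point change of each vector between two years (absent vector = 0%)."""
    vectors = set(shares.get(old, {})) | set(shares.get(new, {}))
    return {v: round(shares.get(new, {}).get(v, 0.0) - shares.get(old, {}).get(v, 0.0), 1)
            for v in vectors}


if __name__ == "__main__":
    shares = vector_share_by_year(SAMPLE_FLOWS)
    for year in sorted(shares):
        print(year, shares[year])
    print("2015 -> 2016 change (percentage points):", share_changes(shares, 2015, 2016))
```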
4.8. Attack source IP analysis
<Figure 11> Comparison by attack IP country (top 5 attack IP countries in 2015: China, US, Korea, Russia, Japan, Others; in 2016: China, US, Germany, France, Korea, Others)
L7 attacks originating from China occupied 85% in 2016 due to the increase in the number of service customers in that country,
which is a 41% increase over the year. In addition, European countries were newly listed among the top 5 attack areas, whereas Russia
(changes in demographics) and Japan (decreased attacks due to the application of UDP blocking rules) were excluded from the top 5
area list. Because CDNetworks collects attack IPs from L7 attacks, which cannot be carried out with spoofed IPs, the collected IPs are
non-spoofed and accuracy is high even though the parameters are relatively few. The number of IPs went from 220,000 in 2015 to
190,000 in 2016, which seems to be caused by the addition of the integrated L7 defense function to the CDN Edge Cache to defend
against small-scale HTTP attacks.
4.9. Analysis by the scale of attacks
<Figure 12> Comparison by the scale of attacks (proportion of attacks below 1G, below 10G, below 50G and over 50G in 2015 and 2016)
Average traffic increased from 6.2Gbps in 2015 to 6.8Gbps in 2016 (a 10% increase). Even though attacks under 1Gbps increased by just
12% over the year, the number of attacks over 50G increased 13-fold over the year (3% of attacks), which raised the overall
average traffic. Among them, massive traffic attacks over 50Gbps are concentrated in the fourth quarter, which seems to be related to
the release of the Mirai botnet, an IoT-based botnet attack tool, at the end of September.
5. DDoS attack outlook for 2017
The DDoS attack trend in 2016 can be summarized as the “emergence of new attack methods and actors”. Previously, most attacks
were made for money. Now, the number of DDoS attacks related to the ideology and interests of a particular group or individual is on the
rise, and the overall DDoS attack frequency and scale are increasing with the appearance of bots exploiting IoT devices.
We can easily become a victim of attacks not for a particular reason but merely by opposing the ideology or interests of a particular group
or individual. It appears that the situation won’t be all that different in 2017. DDoS attacks against businesses will continue to rise, and
those due to an individual’s or group’s ideology and interests will also become more frequent.
In addition, IoT will become more widespread as IT develops further, and attacks based on IoT will increase accordingly. For most companies,
DDoS protection has become an integral part of IT security.
6. Conclusion
Since the advent of DDoS attacks, large-scale attacks have been on the rise, most recently ranging from 600Gbps to 1Tbps in 2016, and
CDNetworks has also responded to DDoS attacks of 200Gbps in size. However, 2016 may just be the beginning. Hackers have already
deployed botnets using IoT devices and are launching massive attacks with them. Defending against them is becoming a difficult task.
CDNetworks will develop a new type of DDoS attack defense system in 2017 to cope with global DDoS attack threats, and will provide
CDNetworks security service customers with a more advanced defense system than the one used to defend against the previous
200G attacks.
The world is changing and technology is advancing. Most technologies we benefit from today were developed and evolved through war,
and the DDoS attack is the most deadly and easy-to-use weapon in cyber warfare. Developing shields against these deadly weapons
is a challenge for the security industry, and CDNetworks is also working to become an effective shield for its customers.
About CDNetworks
CDNetworks is a global content delivery network (CDN) with a fully integrated cloud solution, offering unparalleled speed, security and
reliability for the almost instant delivery of web content. Optimised for any device, browser and network, we ensure all users have a fast
and safe web experience - whether you’re serving B2B or B2C customers, mobile employees or remote offices.
CDNetworks accelerates and secures websites and web applications over our strategically built network of global PoPs in both
established and emerging markets. We specialise in those parts of the world where keeping a website accessible is most difficult:
Mainland China, Russia, Southeast Asia and the Middle East.
CDNetworks has offices located in Singapore, the US, France, Germany, UK, South Korea, China and Japan.
For more information, please visit: http://www.cdnetworks.com/sg
Copyright Statement
Copyright © CDNetworks. All Rights Reserved.
Copyright in this document is owned by CDNetworks, and you may not reproduce or distribute this document without the prior permission
of CDNetworks. Information in this document is subject to change without notice.
Author
Shinwoo Lee, Manager of Security Service Team, CDNetworks
Global Offices
Singapore Winsland House I, 3 Killiney Road, #04-05, Singapore 239519 +65 6908 1198
US 1919 S. Bascom Avenue, Ste. 600, Campbell, CA 95008-2220 +1 408 228 3700
EMEA 85 Gresham Street, London EC2V 7NQ, UK +44 203 657 2727
Korea 2F, 37, Teheran-ro 8-gil, Gangnam-Gu, Seoul (06239) +82 2 3441 0400
Japan Nittochi Nishi-shinjuku Building, 8th Floor, 6-10-1Nishishinjuku, Shinjuku-ku, Tokyo 160-0023 +81 3 5909 3369
China F15-05 Tower B, Greenland Center, Science and Technology Business Area, Wangjing, Chaoyang District, Beijing, 100102 +86 10 8441 7749