CDNetworks: 2016 DDoS Attack Trends and 2017 Outlook
April, 2017 | CDNetworks Security Service Team
Public. Copyright © CDNetworks. All Rights Reserved.



Table of Contents

1. Introduction
2. Overview
3. Major DDoS attack issues in 2016
3.1. Diversification of the attack purpose and type
3.2. IoT development and large-scale attacks
4. DDoS attack trends in 2016
4.1. Number of DDoS response times by year
4.2. Number of DDoS response times by month
4.3. DDoS response analysis by area #1
4.3. DDoS response analysis by area #2
4.4. Number of attack experiences by industry
4.5. Attack analysis by protocol
4.6. Analysis by attack type
4.7. Analysis of amplification attacks
4.8. Attack source IP analysis
4.9. Analysis by scale of attacks
5. DDoS attack outlook for 2017
6. Conclusion


1. Introduction

CDNetworks, a global content delivery network service company, provides CDN (Content Delivery Network) services and cloud security services, including DDoS defense and a web application firewall.

This report is intended to help minimize the damage caused by DDoS attacks by analyzing the attack patterns collected while providing security services to CDNetworks' global customers, and by forecasting DDoS attack trends in 2017 on the basis of that analysis.

The report, which covers DDoS attack trends in 2016 and the outlook for 2017, was compiled from the data of customers who use CDNetworks' security services. The data set is therefore relatively small, but because it covers attacks against global customers in the U.S., Europe, Korea, Singapore, and Japan, it is useful for understanding and forecasting DDoS attack trends around the globe.

2. Overview

The number of DDoS attacks in 2016 decreased 5% compared with 2015. However, the average DDoS attack traffic increased from 6.2Gbps to 6.8Gbps (a 10% increase), and the attacks were more varied. The number of TCP (Transmission Control Protocol) flooding attacks rose 103% from the previous year, which appears to be caused by the emergence of attack tools that exploit Internet of Things (IoT) devices.

The small decrease in the number of attacks appears to be the result of two countermeasures: UDP (User Datagram Protocol) blocking rules applied in 2015 to the upstream network equipment of some scrubbing PoPs that frequently experienced UDP attacks, and L7 defense rules applied to the CDN Edge Cache to block small-scale HTTP attacks. These measures cut the UDP attacks at the affected PoPs by 98%, but other attack types increased, so the total number of attacks decreased by just 5%.

The Mirai botnet attack tool, which turns IoT devices into a botnet, was released publicly at the end of September 2016, and the scale and frequency of attacks increased significantly in the fourth quarter. This upward trend is expected to continue in 2017.


3. Major DDoS attack issues in 2016

3.1. Diversification of the attack purpose and type

DDoS attacks in 2016 came in several varieties: the established business-style attacks aimed at money, hacktivist attacks, and attacks by individuals and groups for their own interest or amusement.

Typical hacktivist attacks included the attack on the JYP Entertainment homepage in January by hackers assumed to be Taiwanese, the attack on the campaign website of U.S. presidential candidate Donald Trump, and attacks against North Korean websites. The extortion-style attacks against major Russian banks are a traditional form of business-style attack. In addition, the hacker group "PoodleCorp" attacked gaming services for fun, such as Pokémon GO and Blizzard Entertainment's Battle.net.

This means that anyone can become a victim of a DDoS attack without there being any specific purpose or issue behind it.

<Figure 1> DDoS attack issues I in 2016


<Figure 2> DDoS attack issues II in 2016

3.2. IoT development and large-scale attacks

When the IoT era began to affect daily life, most people were interested only in the added convenience. In 2017, however, the security sector is expected to be more concerned about IoT than ever.

The major DDoS issue of 2016 certainly involved IoT. Beginning with the attacks against well-known U.S. security blogs on September 13, 2016, large-scale DDoS attacks exploiting vulnerable IoT devices continued up to the attack against Dyn on October 21. In addition, the L3 attacks that started after October 30 were larger than ever before.

A more serious problem is that the number of IoT devices is increasing rapidly while their security remains extremely weak. In the future, 100Gbps-class DDoS attacks coming from tens of thousands of IPs may become routine.


4. DDoS attack trends in 2016

4.1. Number of DDoS response times by year

<Figure 3> Number of DDoS response times by year

Year    Attacks responded to
2014    208
2015    463
2016    441

Attack frequency decreased 5% in 2016 from the previous year, which appears to be the result of the UDP (User Datagram Protocol) blocking rules applied to the upstream network equipment of some scrubbing PoPs that frequently experienced UDP attacks, and of the defense rules applied to the CDN Edge Cache to block small-scale L7 attacks. More details can be found in Section 4.3.


4.2. Number of DDoS response times by month

<Figure 4> Number of DDoS response times by month (bar chart, 2015 and 2016, January to December)

The monthly attack volume shows a pattern similar to the previous year, with attacks concentrated in the summer because of seasonal factors. In addition, attacks increased markedly before and after the Mid-Autumn Festival in China, where a large portion of the attacked sites are located.


4.3. DDoS response analysis by area #1

<Figure 5> DDoS response analysis by area

Area                     2015    2016
U.K.                        7       8
Germany                   105      45
America (U.S.)            204     237
Hong Kong                   0      27
Korea                      31       5
Japan                      90      75
More than 2 countries      26      44
Total                     463     441

The total number of attacks in 2016 decreased 5% from the previous year, with Korea, Germany, and Japan showing a noticeable decline. The U.S., on the other hand, showed a 16% increase, and a new DDoS defense PoP was added in Hong Kong. Previously, DDoS attacks against Hong Kong were diverted to Japan; the new Hong Kong PoP now handles them directly, which reduced the number of attacks recorded in Japan compared with the previous year. The Japanese decline also reflects the UDP blocking rules applied upstream of some PoP networks.


4.3. DDoS response analysis by area #2

<Figure 6> Analysis of the DDoS attack type in Japan (values as labelled on the chart)

Attack type    2015    2016
UDP              65       1
TCP              10      43
HTTP              7      27
Complex           8       4
Total            90      75

In 2016, the number of DDoS attacks handled by the scrubbing PoP network equipment in Japan was 75, a 17% decrease from the previous year. Among them, UDP attacks decreased by 98%, a far larger drop than the overall reduction. The reason appears to be the UDP blocking rules applied to the upstream network equipment as a countermeasure to the frequent large-scale UDP attacks against that PoP in 2015. Given the sharp increase in the other attack types, the total number of attacks could have risen drastically had the UDP blocking rules not been in place.


4.4. Number of attack experiences by industry

<Figure 7> Number of attack experiences by industry

Industry       2015    2016
Ecommerce         9       5
Gambling         54     150
Game            233     254
Government       33       8
Hosting          48      13
Media            77       0
Others            9      11
Total           463     441

Hosting and Government experienced fewer attacks, whereas the gaming and gambling industries experienced more attacks in 2016 than in the previous year. The decreases in Media and Hosting can be explained by some media customers changing their service and by the UDP blocking applied at the specific PoP used by Japanese hosting customers.


4.5. Attack analysis by protocol

<Figure 8> Classification of attack protocols

Protocol    2015    2016    Change
UDP          324     265     -18%
TCP           29      59    +103%
HTTP          66      98     +48%
Complex       44      19     -57%
Total        463     441      -5%

By protocol, UDP attacks and complex attacks (those combining multiple attack types) decreased by 18% and 57% respectively in 2016 compared with the previous year, whereas TCP and HTTP attacks increased by 103% and 48%. This appears to be partly the effect of the UDP blocking rules described in Section 4.1, and partly the effect of the IoT-based attack tool, the Mirai botnet, that newly emerged in the fourth quarter. Large-scale TCP attacks increased significantly after October, when that tool was released, which shifted the distribution of attack types.

Note that the UDP figures here include the amplification attacks that Section 4.6 breaks out separately, since amplification traffic is carried over UDP (in 2015, UDP 37% plus amplification 33% of 463 attacks gives the 324 UDP attacks above).


4.6. Analysis by attack type

<Figure 9> Comparison by attack type (share of all attacks)

Attack type      2015    2016
UDP               37%     18%
TCP                6%     13%
HTTP              14%     22%
Amplification     33%     42%
Complex           10%      4%

The breakdown by attack type shows that UDP attacks accounted for 18% of all attacks in 2016, down 19 percentage points from the previous year, and complex attacks combining multiple types accounted for 4% (down 6 points). Amplification attacks, at 42% of all attacks in 2016, rose 9 points, while TCP and HTTP attacks rose 7 and 8 points respectively (to 13% and 22% of all attacks). A combination of factors seems to be at work, such as the UDP blocking at a specific PoP and the emergence of the IoT attack tool described earlier.


4.7. Analysis of amplification attacks

<Figure 10> Classification of amplification attacks (share of all amplification attacks)

Reflector protocol    2015    2016
CharGen                 5%     44%
DNS                    12%     22%
NTP                    18%     15%
SNMP               (no label)   5%
SSDP                   66%     13%

Amplification attacks increased 18% over the previous year in 2016, and the mix of reflector protocols changed markedly. Attacks using CharGen, which accounted for 5% of all amplification attacks in 2015, made up 44% in 2016. Conversely, SSDP (Simple Service Discovery Protocol), the mainstream vector in 2015, fell from 66% to 13% of all amplification attacks. Overall, more amplification attacks were seen in 2016 than in the previous year. The change appears to reflect a shift in preferred attack methods as the number of customers in the U.S. and Asia grew, together with the popularization of attack tools that support amplification attacks.
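The classification used in Sections 4.5 to 4.7 (attack type by protocol, amplification broken out from plain UDP floods, and the reflector protocol behind each amplification attack) can be reproduced from per-event mitigation records. The following Python is an added example written for this page; it is not CDNetworks code, and the event record format, the vector tuples and the rule that two or more distinct types make an event "Complex" are assumptions made for the example. Amplification is recognised by the UDP source port of the reflector service (CharGen 19, DNS 53, NTP 123, SNMP 161, SSDP 1900, the five services in Figure 10), because reflected traffic arrives from the amplifier's service port rather than from a random port.

```python
"""Classify mitigated DDoS events into the report's attack-type buckets.

Added example for this page, not CDNetworks code. The event schema, the
vector tuples and the Complex rule are assumptions made for the example.
"""
from collections import Counter

# Reflector services from Figure 10, keyed by the UDP port the reflected
# traffic arrives *from* (the amplifier's service port, not a random port).
AMPLIFIER_PORTS = {19: "CharGen", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

# Constructed sample: one record per mitigated event. "vectors" lists the
# distinct (transport, source port, destination port) patterns seen in it.
EVENTS = [
    {"id": 1, "vectors": [("udp", 123, 80)]},                    # NTP reflection
    {"id": 2, "vectors": [("udp", 19, 80)]},                     # CharGen reflection
    {"id": 3, "vectors": [("udp", 1900, 443)]},                  # SSDP reflection
    {"id": 4, "vectors": [("udp", 40211, 53)]},                  # plain UDP flood
    {"id": 5, "vectors": [("tcp", 44321, 80)]},                  # SYN flood
    {"id": 6, "vectors": [("http", 51000, 443)]},                # HTTP GET flood
    {"id": 7, "vectors": [("udp", 53, 80), ("tcp", 1234, 80)]},  # DNS reflection + SYN
    {"id": 8, "vectors": [("udp", 19, 80), ("udp", 1900, 80)]},  # two reflectors
    {"id": 9, "vectors": [("http", 52000, 80)]},                 # HTTP POST flood
    {"id": 10, "vectors": [("tcp", 45000, 443)]},                # ACK flood
]


def classify_vector(transport, src_port):
    """Map one traffic vector to UDP, TCP, HTTP or Amplification."""
    if transport == "http":
        return "HTTP"
    if transport == "tcp":
        return "TCP"
    if transport == "udp":
        return "Amplification" if src_port in AMPLIFIER_PORTS else "UDP"
    raise ValueError(f"unknown transport {transport!r}")


def classify_event(event):
    """Section 4.6 label for an event. Two or more distinct vector types make
    it Complex (this example's reading of the report's "complex" bucket)."""
    types = {classify_vector(t, sp) for t, sp, _dp in event["vectors"]}
    if len(types) >= 2:
        return "Complex"
    return next(iter(types))


def protocol_view(attack_type):
    """Section 4.5 view: amplification rides on UDP, so fold it into UDP."""
    return "UDP" if attack_type == "Amplification" else attack_type


def amplification_vectors(events):
    """Count reflector services across all events (Figure 10 breakdown)."""
    return Counter(
        AMPLIFIER_PORTS[sp]
        for e in events
        for t, sp, _dp in e["vectors"]
        if t == "udp" and sp in AMPLIFIER_PORTS
    )


def summarize(events):
    """Return the breakdowns the report tabulates: counts and reflector shares."""
    by_type = Counter(classify_event(e) for e in events)
    by_protocol = Counter(protocol_view(t) for t in by_type.elements())
    amp = amplification_vectors(events)
    total_amp = sum(amp.values())
    return {
        "by_type": dict(by_type),
        "by_protocol": dict(by_protocol),
        "amplification_vectors": dict(amp),
        "amplification_share_pct": (
            {svc: round(100 * n / total_amp) for svc, n in amp.items()}
            if total_amp else {}
        ),
    }


if __name__ == "__main__":
    for name, table in summarize(EVENTS).items():
        print(name, table)
```

Summarizing the constructed sample gives both the Section 4.6 view (amplification separate: 4 of the 10 events) and the Section 4.5 view (amplification folded into UDP: 5 of 10), and a Figure 10 style reflector breakdown in which CharGen and SSDP each account for a third of the reflector vectors. Event 8 shows why the amplification bucket has to be a set of types rather than a count of vectors: two reflectors in one event are still a single type.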


4.8. Attack source IP analysis

<Figure 11> Comparison by attack IP country (top 5 source countries of L7 attack IPs; shares read from the chart labels, assigned in legend order)

2015: China 44%, U.S. 26%, Korea 20%, Russia 4%, Japan 3%, Others 3%
2016: China 85%, U.S. 7%, Germany 5%, France 1%, Korea 1%, Others 1%

In 2016, 85% of the L7 attack sources were located in China, a 41-point increase over the previous year, reflecting the growth in the number of service customers in that country. European countries were newly listed among the top 5 source areas, whereas Russia (because of shifts in the customer base) and Japan (fewer attacks because of the UDP blocking rules) dropped out of the top 5. Because CDNetworks collects attack IPs only from L7 attacks, whose source addresses cannot be spoofed (an HTTP request requires a completed TCP handshake), the accuracy is high even though the sample is relatively small. The number of attack IPs decreased from 220,000 in 2015 to 190,000 in 2016, which seems to be the result of adding the integrated L7 defense function to the CDN Edge Cache to block small-scale HTTP attacks at the edge.
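Section 4.8's decision to attribute sources only from L7 attacks is worth making concrete: a flood that reaches the HTTP layer has completed a TCP handshake, so the client address in the access log is the real source, whereas the source address of a SYN or UDP packet can be anything. The following Python is an added example written for this page and is not CDNetworks code. It parses combined-format access log lines, flags the clients that exceed a per-second request threshold (a stand-in for the small-scale L7 rule the report applies at the CDN Edge Cache; the threshold value is an assumption), and produces a Figure 11 style top-N country share. The log lines are constructed, and the prefix-to-country table is a fictitious stand-in for a GeoIP database.

```python
"""Attribute an HTTP flood to source countries from edge access logs.

Added example for this page, not CDNetworks code. Only L7 sources are
counted because an HTTP request needs a completed TCP handshake, so the
client IP cannot be spoofed the way a SYN or UDP flood source can.
The log lines and the prefix-to-country table are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" prefix: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical GeoIP table: documentation prefixes with a fictitious mapping.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "KR"),
]

# Constructed access log: (client IP, requests within the same second).
_BURSTS = [
    ("203.0.113.10", 4), ("203.0.113.11", 3), ("203.0.113.12", 3),
    ("198.51.100.7", 3), ("198.51.100.8", 5), ("192.0.2.45", 3),
    ("192.0.2.44", 1),  # one ordinary visitor, must not be flagged
]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [21/Oct/2016:13:00:01 +0000] "GET /index.html HTTP/1.1" 200 512'
    for ip, n in _BURSTS for _ in range(n)
)


def parse_log(text):
    """Yield (client_ip, timestamp) for each line matching the combined format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the run
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts


def flag_sources(records, threshold=3):
    """Return client IPs that sent >= threshold requests within any one second.

    The per-second threshold stands in for a small-scale L7 rule at the edge;
    the value is this example's assumption, not a CDNetworks setting.
    """
    per_second = defaultdict(Counter)  # ip -> Counter(second -> requests)
    for ip, ts in records:
        per_second[ip][ts.replace(microsecond=0)] += 1
    return {ip for ip, c in per_second.items() if max(c.values()) >= threshold}


def country_of(ip_str):
    """Longest-prefix-free lookup in the toy table; 'Unknown' if unmapped."""
    addr = ipaddress.ip_address(ip_str)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "Unknown"


def attribute(flagged_ips, top_n=5):
    """Share of flagged source IPs per country: top-N plus 'Others' (Figure 11)."""
    counts = Counter(country_of(ip) for ip in sorted(flagged_ips))
    total = sum(counts.values())
    top = counts.most_common(top_n)
    shares = {cc: round(100 * n / total) for cc, n in top}
    rest = total - sum(n for _, n in top)
    if rest:
        shares["Others"] = round(100 * rest / total)
    return shares


if __name__ == "__main__":
    flagged = flag_sources(parse_log(SAMPLE_LOG))
    print(sorted(flagged))
    print(attribute(flagged, top_n=2))
```

On the constructed log, six of the seven clients cross the three-requests-per-second threshold and the one ordinary visitor does not; attributing the six gives CN 50%, US 33% and KR 17%, or CN, US and "Others" when only the top two are listed. In production the GeoIP table would be a real database and the threshold would be tuned per site, but the structure (parse, flag on the L7 layer only, then attribute) is what makes the resulting country breakdown trustworthy.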


4.9. Analysis by the scale of attacks

<Figure 12> Comparison by the scale of attacks (proportion of attacks in 2015 and 2016 by peak traffic: below 1G, below 10G, below 50G, over 50G)

Average attack traffic increased from 6.2Gbps in 2015 to 6.8Gbps in 2016 (a 10% increase). Attacks under 1Gbps increased by just 12% over the year, but the number of attacks over 50Gbps increased 13-fold (to 3% of all attacks), which raised the overall average. The massive attacks over 50Gbps were concentrated in the fourth quarter, which appears to be related to the release of the Mirai botnet, an IoT-based botnet attack tool, at the end of September.


5. DDoS attack outlook for 2017

The DDoS attack trend in 2016 can be summarized as the "emergence of new attack methods and actors". Previously, most attacks were made for money. Now the number of DDoS attacks driven by the ideology and interests of a particular group or individual is rising, and the overall frequency and scale of attacks are increasing with the appearance of bots that exploit IoT devices.

Anyone can become a victim, not for a particular reason but merely by opposing the ideology or interests of a particular group or individual. The situation is unlikely to be different in 2017: DDoS attacks against businesses will continue to rise, and attacks motivated by an individual's or group's ideology and interests will also become more frequent.

In addition, as IT develops further, IoT will become more widespread and IoT-based attacks will increase accordingly. For most companies, DDoS protection has become an integral part of IT security.

6. Conclusion

Since the advent of DDoS attacks, large-scale attacks have been on the rise, most recently reaching 600Gbps to 1Tbps in 2016, and CDNetworks itself has mitigated DDoS attacks of 200Gbps. However, 2016 may be just the beginning. Attackers have already deployed IoT botnets and are launching massive attacks with them, which makes the defender's task increasingly difficult.

CDNetworks will develop a new DDoS defense system in 2017 to cope with global DDoS threats, and will provide CDNetworks security service customers with a more advanced defense than the one used against the previous 200G attacks.

The world is changing and technology is advancing. Many of the technologies we benefit from today were developed and refined through war, and the DDoS attack is the deadliest and easiest-to-use weapon in cyber warfare. Developing shields against these weapons is a challenge for the security industry, and CDNetworks is working to be an effective shield for its customers.


About CDNetworks

CDNetworks is a global content delivery network (CDN) with a fully integrated cloud solution, offering unparalleled speed, security and

reliability for the almost instant delivery of web content. Optimised for any device, browser and network, we ensure all users have a fast

and safe web experience - whether you’re serving B2B or B2C customers, mobile employees or remote offices.

CDNetworks accelerates and secures websites and web applications over our strategically built network of global PoPs in both

established and emerging markets. We specialise in those parts of the world where keeping a website accessible is most difficult:

Mainland China, Russia, Southeast Asia and the Middle East.

CDNetworks has offices located in Singapore, the US, France, Germany, UK, South Korea, China and Japan.

For more information, please visit: http://www.cdnetworks.com/sg

Copyright Statement

Copyright © CDNetworks. All Rights Reserved.

Copyright in this document is owned by CDNetworks, and you may not reproduce or distribute this document without the prior permission

of CDNetworks. Information in this document is subject to change without notice.

Author

Shinwoo Lee, Manager of Security Service Team, CDNetworks


Global Offices

Singapore Winsland House I, 3 Killiney Road, #04-05, Singapore 239519 +65 6908 1198

US 1919 S. Bascom Avenue, Ste. 600, Campbell, CA 95008-2220 +1 408 228 3700

EMEA 85 Gresham Street, London EC2V 7NQ, UK +44 203 657 2727

Korea 2F, 37, Teheran-ro 8-gil, Gangnam-Gu, Seoul (06239) +82 2 3441 0400

Japan Nittochi Nishi-shinjuku Building, 8th Floor, 6-10-1Nishishinjuku, Shinjuku-ku, Tokyo 160-0023 +81 3 5909 3369

China F15-05 Tower B, Greenland Center, Science and Technology Business Area, Wangjing, Chaoyang District, Beijing, 100102 +86 10 8441 7749