Q3 2013 Global DDoS Attack Report

Posted on 08-May-2015


www.prolexic.com

Q3 2013 Attack Report

Slide 2 (CONFIDENTIAL): Types of DDoS attacks and their relative distribution in Q3 2013

Infrastructure Layer: 76.52%
- ACK: 1.69%
- CHARGEN: 3.37%
- FIN PUSH: 0.39%
- DNS: 8.94%
- ICMP: 11.41%
- RESET: 1.94%
- RIP: 0.13%
- RP: 0.39%
- SYN: 18.16%
- SYN PUSH: 0.13%
- TCP Fragment: 0.65%
- UDP Floods: 14.66%
- UDP Fragment: 14.66%

Application Layer: 23.48%
- HTTP GET: 18.03%
- HEAD: 0.13%
- HTTP POST: 3.37%
- SSL POST: 0.26%
- SSL GET: 0.78%
- PUSH: 0.91%

Slide 3: Attack vectors Q3 2013, Q2 2013 and Q3 2012

[Bar chart, x-axis 0% to 35%, three series: Q3 2013, Q2 2013, Q3 2012. Vectors charted: ACK, CHARGEN, FIN PUSH, DNS, ICMP, RESET, RIP, RP, SYN PUSH, SYN, TCP Fragment, UDP, UDP Fragment, IGMP, HTTP GET, HEAD, NTP, HTTP POST, PUSH, SSL GET, SSL POST. The Q3 2013 series carries the values given on slide 2; IGMP and NTP have no Q3 2013 value. The Q2 2013 and Q3 2012 bar labels cannot be attributed to individual vectors from the extracted text.]

Slide 4: Changes in DDoS attacks per week Q3 2013 vs. Q3 2012

Percentage change by week (x-axis dates as labelled on the chart; y-axis -50% to 250%):
1-Jul: -7%
8-Jul: 17%
15-Jul: 118%
22-Jul: 34%
29-Jul: 84%
5-Aug: 80%
12-Aug: 43%
19-Aug: 96%
26-Aug: 190%
2-Sep: 109%
9-Sep: -16%
16-Sep: 82%
23-Sep: 46%
30-Sep: 43%

Slide 5: Top ten source countries for DDoS attacks in Q3 2013

1. China: 62.26%
2. United States: 9.06%
3. Republic of Korea: 7.09%
4. Brazil: 4.46%
5. Russian Federation: 4.45%
6. India: 3.45%
7. Taiwan: 2.95%
8. Poland: 2.23%
9. Japan: 2.11%
10. Italy: 1.94%

Slide 6: Top ten source countries for DDoS attacks in Q3 2013, Q2 2013 and Q3 2012

Three bar charts (x-axis 0% to 70%):

Q3 2013: China 62.26%, USA 9.06%, Korea 7.09%, Brazil 4.46%, Russia 4.45%, India 3.45%, Taiwan 2.95%, Poland 2.23%, Japan 2.11%, Italy 1.94%

Q2 2013: China 39.08%, Mexico 27.32%, Russia 7.58%, Korea 7.29%, France 6.50%, USA 4.12%, Italy 2.28%, Iran 2.14%, UK 1.88%, Taiwan 1.81%

Q3 2012: China 35.46%, USA 27.85%, India 7.81%, Brazil 5.23%, Russia 5.07%, Saudi Arabia 4.55%, Thailand 3.89%, UK 3.69%, Vietnam 3.68%, Egypt 2.77%

Slide 7: Attack campaign start time – Q3 2013, Q2 2013, Q3 2012

[Three histograms, one each for Q3 2013, Q2 2013 and Q3 2012: x-axis time (hour of day, 0 to 23), y-axis percentage of campaigns (0% to 12%).]

Slide 8: Border traffic and mitigation bits for a September 6 attack

Slide 9: Example of a DrDoS reflection attack

Diagram: Packet 1 is sent by the malicious actor to a victim (reflector) with a spoofed source address of the target. Packet 2 is the reflected reply, sent from the victim (source) to the target (destination). Labels: Malicious Actor, Primary Target, and several Victims acting as reflectors.
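The traffic pattern the diagram describes, seen from the defender's side, as an added example that is not code from the report: a check over flow records for UDP flows sourced from CHARGEN port 19 that converge on one destination from many reflectors, with an amplification estimate against the 29-byte request size cited on slide 10. The flow records and the reflector threshold are constructed, and the one-request-per-reflected-packet relationship is an assumption made only for the estimate.

```python
"""Flag CHARGEN (UDP/19) reflection traffic in flow records.

Added example, not code from the Prolexic report. Flow records and threshold
are constructed; the 29-byte trigger size is the cdos.c request size on slide 10.
"""
from collections import defaultdict

CHARGEN_PORT = 19
TRIGGER_BYTES = 29      # CHARGEN request size reported on slide 10
MIN_REFLECTORS = 3      # constructed threshold: distinct reflectors per destination

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    ("203.0.113.10", 19, "198.51.100.5", 41234, "udp", 51200, 50),
    ("203.0.113.11", 19, "198.51.100.5", 41234, "udp", 46080, 45),
    ("203.0.113.12", 19, "198.51.100.5", 41234, "udp", 40960, 40),
    ("203.0.113.13", 19, "198.51.100.5", 41234, "udp", 35840, 35),
    ("192.0.2.7", 19, "198.51.100.9", 50000, "udp", 2048, 2),     # one reflector only
    ("192.0.2.8", 443, "198.51.100.5", 41234, "tcp", 8000, 10),   # unrelated TCP flow
]

def find_reflection_targets(flows, min_reflectors=MIN_REFLECTORS):
    """Group UDP flows sourced from port 19 by destination and report every
    destination fed by at least `min_reflectors` distinct reflectors.
    Returns {dst_ip: {"reflectors": n, "bytes": b, "packets": p,
                      "amplification": bytes delivered per trigger byte (assumed model)}}.
    """
    by_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for src, sport, dst, _dport, proto, nbytes, pkts in flows:
        if proto != "udp" or sport != CHARGEN_PORT:
            continue                      # only CHARGEN-sourced UDP is of interest
        entry = by_dst[dst]
        entry["reflectors"].add(src)
        entry["bytes"] += nbytes
        entry["packets"] += pkts
    report = {}
    for dst, e in by_dst.items():
        if len(e["reflectors"]) < min_reflectors:
            continue                      # a single reflector is not a reflection campaign
        # Bytes that reached the target divided by the bytes the attacker had to send
        # (assumption: one TRIGGER_BYTES request, spoofed as the target, per reflected packet).
        ratio = e["bytes"] / (e["packets"] * TRIGGER_BYTES)
        report[dst] = {"reflectors": len(e["reflectors"]), "bytes": e["bytes"],
                       "packets": e["packets"], "amplification": round(ratio, 1)}
    return report

if __name__ == "__main__":
    for dst, info in find_reflection_targets(FLOWS).items():
        print(dst, info)
```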

Slide 10: cdos.c tool generating a CHARGEN packet with a size of 29 bytes

Slide 11: A Microsoft Windows 2000 server victim

Slide 12: Packet data of the amplified DrDoS traffic

Slide 13: Source regions of CHARGEN attacks against gambling industry customer

Slide 14: Top 10 ASNs participating in the attack against the gambling industry customer

[Pie chart; the labelled shares are 59.40%, 12.20%, 11.40% and 6.90%, not attributable to individual ASNs in the extracted text.]

ASNs listed:
- KRNIC-ASBLOCK-AP KRNIC
- CHINANET-SH-AP China Telecom (Group)
- CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data Center
- ATT-INTERNET4 - AT&T Services, Inc.
- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
- CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
- LGDACOM LG DACOM Corporation
- CHINA169-BACKBONE CNCGROUP China169 Backbone
- HANARO-AS Hanaro Telecom Inc.
- CHINANET-BACKBONE No.31,Jin-rong Street

Slide 15: Bandwidth graphs during this CHARGEN attack

Slide 16: Pricing options for a stressor service

Slide 17: Top 10 ASNs participating in the attack against the entertainment industry customer

[Pie chart; the labelled shares are 38.60%, 10.90%, 9.90%, 8.90%, 7.70%, 5.70%, 5.50% and 4.20%, not attributable to individual ASNs in the extracted text.]

ASNs listed:
- CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd.
- OCN NTT Communications Corporation
- CABLE-NET-1 - Cablevision Systems Corp.
- CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
- UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
- HANARO-AS Hanaro Telecom Inc.
- CHINA169-BACKBONE CNCGROUP China169 Backbone
- CMCS - Comcast Cable Communications, Inc.
- LGDACOM LG DACOM Corporation
- CHINANET-BACKBONE No.31,Jin-rong Street

Slide 18: Source regions of CHARGEN attacks against entertainment industry customer

Slide 19: Mitigation control for CHARGEN campaign against the entertainment industry customer

Slide 20: Screenshot of RAGE booter

Slide 21: RAGE booter API service panel

Slide 22: RAGE booter API service panel

Slide 23: Stressor panel with CHARGEN features

Slide 24: Screenshot of advert selling a reflection IP list

Slide 25: A forum for selling DrDoS scanners

Slide 26: The attack console interface of the cdos.c DrDoS toolkit

Slide 27: Forum chatter about leaked tool market saturation

Slide 28: Forum selling CHARGEN scanner tool

Slide 29: 99 percent of servers participating in a CHARGEN reflection attack ran a Microsoft Windows server operating system

[Pie chart of reflector operating systems: Windows 99.3%; Linux, Unix and Other make up the remainder.]

Slide 30: CHARGEN has been turned off