q3 2013 global ddos attack report


Upload: state-of-the-internet

Post on 08-May-2015


Page 1: Q3 2013 Global DDoS Attack Report

www.prolexic.com

Q3 2013 Attack Report

Page 2: Q3 2013 Global DDoS Attack Report

2 CONFIDENTIAL

Types of DDoS attacks and their relative distribution in Q3 2013

Infrastructure Layer: 76.52%
  SYN: 18.16%
  UDP Floods: 14.66%
  UDP Fragment: 14.66%
  ICMP: 11.41%
  DNS: 8.94%
  CHARGEN: 3.37%
  RESET: 1.94%
  ACK: 1.69%
  TCP Fragment: 0.65%
  FIN PUSH: 0.39%
  RP: 0.39%
  RIP: 0.13%
  SYN PUSH: 0.13%

Application Layer: 23.48%
  HTTP GET: 18.03%
  HTTP POST: 3.37%
  PUSH: 0.91%
  SSL GET: 0.78%
  SSL POST: 0.26%
  HEAD: 0.13%

Page 3: Q3 2013 Global DDoS Attack Report

Attack vectors Q3 2013, Q2 2013 and Q3 2012

[Bar chart; x-axis 0% to 35%. Vectors compared: ACK, CHARGEN, FIN PUSH, DNS, ICMP, RESET, RIP, RP, SYN PUSH, SYN, TCP Fragment, UDP, UDP Fragment, IGMP, HTTP GET, HEAD, NTP, HTTP POST, PUSH, SSL GET, SSL POST. The Q3 2013 series carries the same values as the distribution on page 2 (SYN 18.16%, HTTP GET 18.03%, UDP 14.66%, UDP Fragment 14.66%, ICMP 11.41%, DNS 8.94%, CHARGEN 3.37%, HTTP POST 3.37%, RESET 1.94%, ACK 1.69%, PUSH 0.91%, SSL GET 0.78%, TCP Fragment 0.65%, FIN PUSH 0.39%, RP 0.39%, SSL POST 0.26%, RIP 0.13%, SYN PUSH 0.13%, HEAD 0.13%); no Q3 2013 value is shown for IGMP or NTP. The Q2 2013 and Q3 2012 series values cannot be matched to their vectors in the extracted text.]

Page 4: Q3 2013 Global DDoS Attack Report

Changes in DDoS attacks per week Q3 2013 vs. Q3 2012

[Bar chart; x-axis: week beginning 1-Jul, 8-Jul, 15-Jul, 22-Jul, 29-Jul, 5-Aug, 12-Aug, 19-Aug, 26-Aug, 2-Sep, 9-Sep, 16-Sep, 23-Sep, 30-Sep; y-axis: percentage change, -50% to 250%. Values plotted, in chart order: -7%, 17%, 118%, 34%, 84%, 80%, 43%, 96%, 190%, 109%, -16%, 82%, 46%, 43%.]

Page 5: Q3 2013 Global DDoS Attack Report

Top ten source countries for DDoS attacks in Q3 2013

  China: 62.26%
  United States: 9.06%
  Republic of Korea: 7.09%
  Brazil: 4.46%
  Russian Federation: 4.45%
  India: 3.45%
  Taiwan: 2.95%
  Poland: 2.23%
  Japan: 2.11%
  Italy: 1.94%

Page 6: Q3 2013 Global DDoS Attack Report

Top ten source countries for DDoS attacks in Q3 2013, Q2 2013 and Q3 2012

[Three bar charts, x-axis 0% to 70%.]

Q3 2013: China 62.26%, USA 9.06%, Korea 7.09%, Brazil 4.46%, Russia 4.45%, India 3.45%, Taiwan 2.95%, Poland 2.23%, Japan 2.11%, Italy 1.94%

Q2 2013: China 39.08%, Mexico 27.32%, Russia 7.58%, Korea 7.29%, France 6.50%, USA 4.12%, Italy 2.28%, Iran 2.14%, UK 1.88%, Taiwan 1.81%

Q3 2012: China 35.46%, USA 27.85%, India 7.81%, Brazil 5.23%, Russia 5.07%, Saudi Arabia 4.55%, Thailand 3.89%, UK 3.69%, Vietnam 3.68%, Egypt 2.77%

Page 7: Q3 2013 Global DDoS Attack Report

Attack campaign start time – Q3 2013, Q2 2013, Q3 2012

[Three charts, one per quarter (Q3 2013, Q2 2013, Q3 2012); x-axis: hour of day (time), 0 to 23; y-axis: percentage of campaigns, 0 to 12. Plotted values are not present in the extracted text.]

Page 8: Q3 2013 Global DDoS Attack Report

Border traffic and mitigation bits for a September 6 attack

Page 9: Q3 2013 Global DDoS Attack Report

Example of a DrDoS reflection attack

[Diagram. Actors: Malicious Actor, Victims (the reflecting servers), Primary Target.
 PACKET 1: spoofed source = Target, destination = Victim (reflector).
 PACKET 2: reflected packet, source = Victim, destination = Target.]

Page 10: Q3 2013 Global DDoS Attack Report

cdos.c tool generating a CHARGEN packet with a size of 29 bytes

Page 11: Q3 2013 Global DDoS Attack Report

A Microsoft Windows 2000 server victim

Page 12: Q3 2013 Global DDoS Attack Report

Packet data of the amplified DrDoS traffic

Page 13: Q3 2013 Global DDoS Attack Report

Source regions of CHARGEN attacks against gambling industry customer

Page 14: Q3 2013 Global DDoS Attack Report

Top 10 ASNs participating in the attack against the gambling industry customer

[Pie chart; the four labelled slices read 59.40%, 12.20%, 11.40% and 6.90%, but the extracted text does not tie them to ASNs.]

  KRNIC-ASBLOCK-AP KRNIC
  CHINANET-SH-AP China Telecom (Group)
  CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data Center
  ATT-INTERNET4 - AT&T Services, Inc.
  UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
  LGDACOM LG DACOM Corporation
  CHINA169-BACKBONE CNCGROUP China169 Backbone
  HANARO-AS Hanaro Telecom Inc.
  CHINANET-BACKBONE No.31,Jin-rong Street

Page 15: Q3 2013 Global DDoS Attack Report

Bandwidth graphs during this CHARGEN attack

Page 16: Q3 2013 Global DDoS Attack Report

Pricing options for a stressor service

Page 17: Q3 2013 Global DDoS Attack Report

Top 10 ASNs participating in the attack against the entertainment industry customer

[Pie chart; the eight labelled slices read 38.60%, 10.90%, 9.90%, 8.90%, 7.70%, 5.70%, 5.50% and 4.20%, but the extracted text does not tie them to ASNs.]

  CNNIC-ALIBABA-CN-NET-AP Hangzou Alibaba Advertising Co.,Ltd.
  OCN NTT Communications Corporation
  CABLE-NET-1 - Cablevision Systems Corp.
  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
  UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
  HANARO-AS Hanaro Telecom Inc.
  CHINA169-BACKBONE CNCGROUP China169 Backbone
  CMCS - Comcast Cable Communications, Inc.
  LGDACOM LG DACOM Corporation
  CHINANET-BACKBONE No.31,Jin-rong Street

Page 18: Q3 2013 Global DDoS Attack Report

Source regions of CHARGEN attacks against entertainment industry customer

Page 19: Q3 2013 Global DDoS Attack Report

Mitigation control for CHARGEN campaign against the entertainment industry customer

Page 20: Q3 2013 Global DDoS Attack Report

Screenshot of RAGE booter

Page 21: Q3 2013 Global DDoS Attack Report

Rage Booter API service panel

Page 22: Q3 2013 Global DDoS Attack Report

RAGE booter API service panel

Page 23: Q3 2013 Global DDoS Attack Report

Stressor panel with CHARGEN features

Page 24: Q3 2013 Global DDoS Attack Report

Screenshot of advert selling a reflection IP list

Page 25: Q3 2013 Global DDoS Attack Report

A forum for selling DrDoS scanners

Page 26: Q3 2013 Global DDoS Attack Report

The attack console interface of the cdos.c DrDoS toolkit

Page 27: Q3 2013 Global DDoS Attack Report

Forum chatter about leaked tool market saturation

Page 28: Q3 2013 Global DDoS Attack Report

Forum selling CHARGEN scanner tool

Page 29: Q3 2013 Global DDoS Attack Report

99 percent of servers participating in a CHARGEN reflection attack ran a Microsoft Windows server operating system

[Pie chart of reflector operating systems: Windows 99.3%; Linux, Unix and Other together make up the remaining 0.7%.]

Page 30: Q3 2013 Global DDoS Attack Report

CHARGEN has been turned off