VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT
VOLUME 4, ISSUE 3 – 3RD QUARTER 2017
Complimentary report supplied by
CONTENTS
EXECUTIVE SUMMARY 3
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2017 4
DDoS Attacks Decrease in Volume But Remain Unpredictable 4
Multi-Vector DDoS Attacks Remain the Norm 6
Largest Volumetric Attack and Highest Intensity Flood Attack 8
FEATURE ARTICLE
Comprehensive Network Protection – Inbound and Outbound 10
VERISIGN DDoS TRENDS REPORT | Q3 2017 2
EXECUTIVE SUMMARY
This report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services during the third quarter of 2017 from July 1, 2017 through September 30, 2017 (“Q3 2017”). This report offers a unique view into the attack trends unfolding online, including attack statistics and behavioral trends during Q3 2017.*
Verisign observed the following key trends in Q3 2017:
Number of Attacks: 17% decrease compared to the second quarter of 2017 from April 1, 2017 through June 30, 2017 (“Q2 2017”)
Attack Peak Size (Volume): 2.5 Gigabits per second (Gbps)
Attack Peak Size (Speed): 2.3 Million packets per second (Mpps)
Average Attack Peak Size: <1 Gbps, a 70% decrease compared to Q2 2017
Attack Size: 30% of attacks over 1 Gbps
Most Common Attack Type Mitigated: 56% of attacks were User Datagram Protocol (UDP) floods
Attack Types: 88% of attacks employed multiple attack types; 29% of attacks employed five or more attack types
VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2017
DDoS Attacks Decrease in Volume But Remain Unpredictable
When comparing Q3 2017 to Q2 2017, Verisign saw a 17 percent decrease in the number of attacks, and a 70 percent decrease in the peak size of the average attack. Attackers continue to launch repeated attacks against their targets. In fact, Verisign observed that 45 percent of customers who experienced DDoS attacks in Q3 2017 were targeted multiple times during the quarter. DDoS attacks remain unpredictable and vary widely in terms of speed and complexity.
Figure 1: Mitigation Peaks by Quarter from Q4 2015 to Q3 2017
[Stacked bar chart, one bar per quarter from 2015-Q4 through 2017-Q3, showing the percent of attacks (0–100) whose peak fell into each size bucket: <1 Gbps, >1<5 Gbps, >5<10 Gbps, >10 Gbps. Individual bar values are not recoverable from the extracted text.]
Attack Size: 30% peaked over 1 Gbps
Average Attack Peak Size: 0.8 Gbps, a 70% decrease in average peak attack size compared to Q2 2017
Figure 2: Average Peak Attack Size by Quarter from Q4 2015 to Q3 2017 (Gbps)
2015-Q4: 6.9
2016-Q1: 19.4
2016-Q2: 17.4
2016-Q3: 12.8
2016-Q4: 11.2
2017-Q1: 14.1
2017-Q2: 2.7
2017-Q3: 0.8
88% of DDoS attacks in Q3 2017 utilized at least two different attack types.
Multi-Vector DDoS Attacks Remain the Norm
Eighty-eight percent of DDoS attacks mitigated by Verisign in Q3 2017 employed multiple attack types. Verisign observed attacks targeting networks at multiple layers, and attack types that changed over the course of a DDoS event. Today’s DDoS attacks require continuous monitoring to more efficiently tailor mitigation strategies.
Figure 3: Number of Attack Types per DDoS Event in Q3 2017
[Pie chart with categories 1 Attack Type, 2 Attack Types, 3 Attack Types, 4 Attack Types and 5+ Attack Types. Values as extracted: 35%, 12%, 18%, 6%, 29%. From the text, 1 Attack Type is 12% and 5+ Attack Types is 29%; the assignment of 35%, 18% and 6% to the 2, 3 and 4 Attack Type categories is not recoverable from the extraction.]
Types of DDoS Attacks
UDP flood attacks dominated in Q3 2017, accounting for 56 percent of total attacks in the quarter. The most common UDP floods included Domain Name System (DNS), Network Time Protocol (NTP), Simple Service Discovery Protocol (SSDP), Character Generator Protocol (CHARGEN) and Simple Network Management Protocol (SNMP) reflective amplification attacks.
56% of attacks were UDP FLOODS
Figure 4: Types of DDoS Attacks in Q3 2017
[Pie chart with categories UDP Based, TCP Based and IP Fragment Attacks. UDP Based is 56%; the remaining two values, 27% and 17%, belong to TCP Based and IP Fragment Attacks, but their order is not recoverable from the extraction.]
Largest Volumetric Attack and Highest Intensity Flood Attack
The largest volumetric DDoS attack observed by Verisign in Q3 2017 was a multi-vector attack that peaked at approximately 2.5 Gbps and around 1 Mpps for one hour. The attack consisted of a wide range of attack vectors, including TCP SYN and TCP RST floods; DNS, ICMP and CHARGEN amplification attacks; and invalid packets. The different attack vectors required continuous monitoring and changing of countermeasures to effectively mitigate.
The highest intensity packet flood in the quarter, consisting of TCP SYN and UDP floods mixed with invalid packets, peaked at approximately 2.3 Mpps and around 1 Gbps. That attack lasted approximately two and a half hours.
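The two sections above describe events in terms of the attack vectors present (UDP reflection from DNS, NTP, SSDP, CHARGEN and SNMP; TCP SYN and RST floods; IP fragments; invalid packets) and stress that the vector mix shifts during an event. The following is an added example, not code from the report or from Verisign, of how a mitigation operator can label sampled flow records by vector, count distinct vectors per event (the quantity Figure 3 buckets), and watch the mix change per time window. The `Flow` record layout, the sample flows and the port-to-protocol mapping (conventional well-known reflector ports) are assumptions of this example.

```python
from collections import OrderedDict
from dataclasses import dataclass

# Conventional well-known source ports of the reflectors behind the UDP
# amplification vectors named in the report. This mapping is an assumption
# of this example, not data from Verisign.
REFLECTOR_PORTS = {
    53: "DNS amplification",
    123: "NTP amplification",
    1900: "SSDP amplification",
    19: "CHARGEN amplification",
    161: "SNMP amplification",
}


@dataclass(frozen=True)
class Flow:
    """One sampled flow record. The field layout is constructed for this
    example and is not a Verisign data format."""
    t: int          # seconds since the start of the event
    proto: str      # "TCP", "UDP" or "ICMP"
    sport: int      # source port (0 for ICMP)
    flags: str      # TCP flags as letters, e.g. "S", "R", "SA"; "" for non-TCP
    fragment: bool  # IP fragment (more-fragments bit set or non-zero offset)
    valid: bool     # False for malformed packets (bad lengths, checksums, ...)


def classify(flow: Flow) -> str:
    """Label one flow with the attack vector it most plausibly belongs to.
    Checks run from most to least specific so a malformed fragment is
    counted once, as 'invalid packets'."""
    if not flow.valid:
        return "invalid packets"
    if flow.fragment:
        return "IP fragments"
    if flow.proto == "ICMP":
        return "ICMP amplification"
    if flow.proto == "UDP":
        return REFLECTOR_PORTS.get(flow.sport, "UDP flood")
    if flow.proto == "TCP":
        if flow.flags == "S":
            return "TCP SYN flood"
        if flow.flags == "R":
            return "TCP RST flood"
        return "TCP other"
    return "other"


def vectors_by_window(flows, window=60):
    """Map each time window (seconds) to the sorted list of vectors seen in
    it, so an operator can see the vector mix shift over an event."""
    windows = {}
    for f in flows:
        start = (f.t // window) * window
        windows.setdefault(start, set()).add(classify(f))
    return OrderedDict((k, sorted(v)) for k, v in sorted(windows.items()))


def distinct_vectors(flows):
    """Number of distinct attack types across the whole event, the quantity
    bucketed in Figure 3 (1, 2, 3, 4 or 5+ attack types)."""
    return len({classify(f) for f in flows})


# Constructed sample: the vector mix changes every minute, as the report
# describes for the quarter's largest attack.
SAMPLE_FLOWS = [
    Flow(5, "TCP", 40000, "S", False, True),
    Flow(20, "UDP", 53, "", False, True),
    Flow(70, "TCP", 40001, "R", False, True),
    Flow(80, "UDP", 19, "", False, True),
    Flow(90, "UDP", 53, "", True, True),
    Flow(130, "ICMP", 0, "", False, True),
    Flow(140, "UDP", 123, "", False, False),
]

if __name__ == "__main__":
    for start, vectors in vectors_by_window(SAMPLE_FLOWS).items():
        print(f"t={start:>4}s: {', '.join(vectors)}")
    print("distinct attack types:", distinct_vectors(SAMPLE_FLOWS))
```

The per-window view is what drives the "changing of countermeasures" the report mentions: a SYN-flood countermeasure applied in the first minute does nothing for the CHARGEN reflection and fragments that arrive in the second, so the classification has to be re-run continuously rather than once at detection time.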
Mitigations on Behalf of Verisign Customers by Industry for Q3 2017**
IT Services/Cloud/SaaS: 45% of mitigations
Media and Entertainment/Content: 15% of mitigations
(The average attack sizes for these two categories, as extracted, are .76 Gbps and 1.38 Gbps; which value belongs to which category is not recoverable from the extraction.)
Energy: 15% of mitigations; average attack size: .52 Gbps
Financial: 20% of mitigations; average attack size: .63 Gbps
E-Commerce and Online Advertising: 5% of mitigations; average attack size: .61 Gbps
Figure 5: Peak DDoS Attack Size by Industry from Q4 2016 to Q3 2017
[Grouped bar chart, Peak DDoS Attack Size by Industry (Q3 2017), with one group per quarter (Q4 2016, Q1 2017, Q2 2017, Q3 2017) and bars for Financial, Media & Entertainment, E-Commerce/Online, IT Services/Cloud/SaaS, Telecommunications & Other and Public Sector; y-axis 0–150 Gbps. Bar values are not recoverable from the extracted text.]
FEATURE ARTICLE
COMPREHENSIVE NETWORK PROTECTION – INBOUND AND OUTBOUND
Verisign DDoS Trends Reports throughout 2017 have reported a decline in the size and number of DDoS attacks. This trend does not necessarily mean, however, that DDoS attacks are going away or that companies should be complacent. Now is a good time for organizations to review all aspects of their network and application security solutions to protect themselves against DDoS attacks or future security threats.
According to the 2016 Ponemon Institute Cost of a Data Breach Study, the average consolidated cost of a data breach is $4 million.[1] Organizations usually have a strategy in place to deal with DDoS attacks hitting their network and applications, but what happens if an internal user on their own network pulls in malware via an inadvertent outbound request?
[1] 2016 Ponemon Institute Cost of a Data Breach Study, https://securityintelligence.com/media/2016-cost-data-breach-study/, retrieved Oct. 2, 2017
Today’s One-Way View – Inbound Only
Cloud-based DDoS protection services focus on monitoring inbound internet traffic to a customer’s critical IP network. The technology typically uses signature analysis, misuse detection and dynamic profiling. Signature analysis and misuse detection look for deviations that may indicate a DDoS attack. Dynamic profiling establishes normal traffic patterns and identifies deviations, which then trigger alerts for further investigation. For example, traffic levels reaching or exceeding predefined thresholds could indicate a DDoS attack. So, when a wave of volumetric or malformed traffic hits the customer’s network, an alert is raised for investigation.
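The paragraph above names two detection styles that inbound DDoS monitoring combines: a predefined threshold (misuse detection) and a dynamic profile that learns normal traffic levels and alerts on deviation. The following is an added example, not code from the report or from Verisign, that runs both tests side by side over constructed per-minute packet-rate counters. The threshold value, window length, deviation factor and the sample series are assumptions of this example; the one design point worth noting is that alerting minutes are kept out of the profile, so an attack cannot raise the baseline and silence its own alert.

```python
from statistics import mean

# Constructed per-minute inbound packet-rate samples (kpps) for one protected
# prefix; the values are invented for this example.
SAMPLE_PPS = [40, 42, 39, 41, 43, 40, 44, 42, 41, 43, 600, 2300, 2100, 45, 41]

ABSOLUTE_THRESHOLD = 500  # predefined static threshold (kpps); assumed value
BASELINE_WINDOW = 5       # minutes of clean history that form the dynamic profile
DEVIATION_FACTOR = 3.0    # alert when the current minute exceeds factor x baseline


def detect(samples, window=BASELINE_WINDOW, factor=DEVIATION_FACTOR,
           absolute=ABSOLUTE_THRESHOLD):
    """Return a list of (minute, value, reason) alerts.

    Two tests run side by side: a static threshold (misuse-style rule) and a
    dynamic profile, the mean of the last `window` minutes that did not alert.
    Alerting minutes are excluded from the profile so that attack traffic
    cannot pull the baseline up and hide the attack as it continues.
    """
    alerts = []
    history = []  # the most recent `window` non-alerting samples
    for minute, value in enumerate(samples):
        reasons = []
        if value >= absolute:
            reasons.append("static threshold")
        if len(history) == window:
            baseline = mean(history)
            if value > factor * baseline:
                reasons.append(f"{value / baseline:.1f}x baseline")
        if reasons:
            alerts.append((minute, value, ", ".join(reasons)))
        else:
            history.append(value)
            if len(history) > window:
                history.pop(0)
    return alerts


if __name__ == "__main__":
    for minute, value, reason in detect(SAMPLE_PPS):
        print(f"minute {minute}: {value} kpps -> {reason}")
```

With the sample series, minutes 10 to 12 alert on both tests, while minute 13 (45 kpps) is quiet because the baseline still reflects the clean minutes before the flood. A lower-rate anomaly, say 200 kpps against a 40 kpps profile, trips only the dynamic test, which is the case the static threshold alone would miss.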
DDoS monitoring solutions only provide visibility into inbound traffic. What about outbound traffic sent from your network? While variations in outbound traffic patterns can happen for many reasons, they can also indicate that compromised endpoints are participating in a botnet, exfiltrating data or being used for other malicious purposes. How do organizations know if an internal user is participating in a botnet or communicating with a command-and-control server or other malware? How do they know if data is being exfiltrated? Monitoring outbound DNS traffic can help.
How to Monitor Outbound Traffic
Gaining visibility into outbound DNS requests can be challenging. Firewall administrators tend not to look at DNS request logs because of their volume, but knowing what is sent out from your network is the first step to preventing communication with malicious endpoints.
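The feature article argues that outbound DNS request logs reveal botnet participation, command-and-control traffic and exfiltration, and that the volume is why they go unread. The following is an added example, not code from the report or from Verisign, of a small analyzer that reduces a DNS query log to a handful of findings: queries for a blocklisted domain, clients with a high NXDOMAIN ratio (the pattern domain-generation malware leaves), and long high-entropy labels (the pattern DNS tunneling or exfiltration leaves). The log line format, the sample lines, the indicator list (`c2-placeholder.example`, `exfil-placeholder.example`) and every threshold are assumptions of this example.

```python
import math
from collections import defaultdict

# Hypothetical indicator list; a real deployment would feed this from threat
# intelligence. The names are placeholders, not indicators from the report.
BLOCKLIST = {"c2-placeholder.example"}

# Constructed sample log: "<timestamp> <client> <qname> <qtype> <rcode>".
SAMPLE_LOG = """\
2017-09-14T10:00:01Z 10.1.2.3 www.example.com A NOERROR
2017-09-14T10:00:02Z 10.1.2.3 mail.example.com MX NOERROR
2017-09-14T10:00:03Z 10.1.2.9 c2-placeholder.example A NOERROR
2017-09-14T10:00:04Z 10.1.2.7 kq3z9v1x8m2n4b7c6d5e0f1g2h3j4k5l.exfil-placeholder.example TXT NOERROR
2017-09-14T10:00:05Z 10.1.2.7 a8f0c3e1b2d4f6a9c0e2b4d6f8a0c2e4.exfil-placeholder.example TXT NOERROR
2017-09-14T10:00:06Z 10.1.2.5 qwzxv.example.net A NXDOMAIN
2017-09-14T10:00:07Z 10.1.2.5 plmko.example.net A NXDOMAIN
2017-09-14T10:00:08Z 10.1.2.5 rtyui.example.net A NXDOMAIN
2017-09-14T10:00:09Z 10.1.2.5 www.example.net A NOERROR
"""


def parse(log):
    """Turn the constructed log format into a list of record dicts."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rcode = line.split()
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "rcode": rcode})
    return records


def entropy(s):
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registrable domain: the last two labels. A real deployment
    should use the public suffix list instead (assumption of this example)."""
    return ".".join(qname.split(".")[-2:])


def analyze(records, nx_min_queries=4, nx_ratio=0.5,
            label_len=24, label_entropy=3.5):
    """Return (client, finding, detail) tuples for the three checks."""
    findings = []
    per_client = defaultdict(lambda: {"total": 0, "nx": 0})
    for r in records:
        if registered_domain(r["qname"]) in BLOCKLIST:
            findings.append((r["client"], "blocklisted domain", r["qname"]))
        first_label = r["qname"].split(".")[0]
        if len(first_label) >= label_len and entropy(first_label) >= label_entropy:
            findings.append((r["client"], "high-entropy label (possible tunneling)",
                             r["qname"]))
        per_client[r["client"]]["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            per_client[r["client"]]["nx"] += 1
    for client, c in per_client.items():
        if c["total"] >= nx_min_queries and c["nx"] / c["total"] >= nx_ratio:
            findings.append((client, "high NXDOMAIN ratio (possible DGA)",
                             f"{c['nx']}/{c['total']}"))
    return findings


if __name__ == "__main__":
    for client, finding, detail in analyze(parse(SAMPLE_LOG)):
        print(f"{client:<10} {finding:<42} {detail}")
```

The thresholds need tuning per network: content-delivery and anti-spam lookups also produce long hashed labels, and a burst of NXDOMAIN answers can come from a misconfigured search list, so treat the output as a triage queue for the DNS firewall and endpoint team rather than as a verdict.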
Deploying security technology such as DNS firewall, email filtering and other security solutions, and keeping them up to date, is a good place to start. No technology offers 100 percent network protection; organizations need to implement a layered approach to security that includes both technology and user education.
As attackers grow increasingly adept at creating “smarter” malware to circumvent individual protections, it becomes more important to layer these and other security controls, including measures at the DNS level. For more information, read our white paper, Framework for Resilient DNS Security.
Verisign’s Security Services offer cloud-based DDoS protection and DNS solutions to protect your organization’s online services from today’s security threats. To learn more about Verisign Security Services, visit https://www.verisign.com/en_US/security-services/index.xhtml.
TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS.
About Verisign
Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world’s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net top-level domains and two of the internet’s root servers, as well as performs the root zone maintainer function for the core of the internet’s Domain Name System (DNS). Verisign’s Security Services include Distributed Denial of Service Protection and Managed DNS. To learn more about what it means to be Powered by Verisign, visit Verisign.com.
*The information in this Verisign Distributed Denial of Service Trends Report (this “Report”) is believed by Verisign to be accurate at the time of publishing based on currently available information. Verisign provides this Report for your use in “AS IS” condition. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose.
** The attacks reported by industry in this report are solely a reflection of the Verisign DDoS Protection Service customer base.
Verisign Public VRSN_DDoS_TR_Q3-17_Axians_201712
Verisign.com
© 2017 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.