http://bit.ly/1ia4WPi | In Q1 2014, DDoS attackers relied less upon traditional botnet infection in favor of reflection and amplification techniques. Instead of using a network of zombie computers, the newer DDoS toolkits abuse Internet protocols that are available on open or vulnerable servers and devices. These techniques were responsible for a record-setting DDoS attack. Learn more about this DDoS threat in the full Q1 2014 DDoS attack report, available for a free download at http://bit.ly/1ia4WPi.
DDoS Attackers Choose Reflection, Not Infection | Global DDoS Attack Report | Prolexic
Q1 2014 Global Attack Report: Q1's Record-Setting DDoS Attack
Selected excerpts
In Q1 2014, Prolexic successfully mitigated its largest confirmed DDoS attack campaign against a
Prolexic customer. The malicious actors used a powerful combination of Network Time Protocol
(NTP) reflection and Domain Name System (DNS) reflection as the main attack vectors, which also
included variations of the POST flood attack, a Layer 7 application attack vector. The attack
exceeded 10 hours in duration and was directed at a European Internet media company.
PLXsert [Prolexic's Security Engineering and Research Team] successfully identified the tools used
in this campaign. These tools included the latest NTP and DNS reflection attack tools, as well as a
popular DDoS toolkit known as Drive, which is a Dirt Jumper variant that utilizes a traditional
botnet architecture achieved through malware infection.
As described in PLXsert threat advisories and a series of Distributed Reflection Denial of Service
(DrDoS) white papers, the NTP and DNS protocols are susceptible to abuse by malicious actors. By
abusing features of the protocols, attackers produce amplified responses – much larger packet
sizes than the originating requests. In addition, these two protocols are based on User Datagram
Protocol (UDP), which makes them susceptible to spoofing, allowing attackers to hide the source
of the requests. Using these amplification and reflection techniques, this campaign peaked at more
than 200 Gbps (gigabits per second) and 53.5 Mpps (million packets per second).
Validated attack vectors used in this campaign
Malicious actors typically mix and match attack vectors to inflict the greatest possible damage on
their targets. The particular mix of attack vectors in this campaign was dangerous.
Three main attack vectors were observed in this campaign:
● DNS reflection, which targets Layer 3 and Layer 4
● NTP monlist reflection, which targets Layer 3 and Layer 4
● Drive POST1 and POST2 floods, which target Layer 7
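The reflection and amplification mechanics described above, worked through for the NTP monlist vector as an added example (this code is not from the Prolexic report and nothing here is sent on the network): it builds the 8-byte mode 7 monlist probe, parses the reply header and the monitor entries a reflector leaks, measures how much UDP payload comes back per payload byte sent, and gives a reflector operator an egress check for spoofed-victim dumps. The 8-byte request, 72-byte entry and 440-byte six-entry reply follow the reference ntpd mode 7 layout; the 600-entry monitor list, the addresses and the function names are constructed for the example, and the amplification figure counts UDP payload only, not IP/UDP headers.

```python
"""NTP mode 7 "monlist" reflection, modelled offline.

Added example, not from the Prolexic report. All packets are constructed
in code; nothing is transmitted.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

NTP_PORT = 123
MODE_PRIVATE = 7           # mode 7 = implementation-specific "private" requests
IMPL_XNTPD = 3             # implementation number of the reference ntpd
REQ_MON_GETLIST_1 = 42     # request code that dumps the monitor list
MON_ITEM_SIZE = 72         # one info_monitor_1 entry on the wire
ITEMS_PER_PACKET = 6       # 8-byte header + 6 * 72 = 440-byte reply packets
MONLIST_SAMPLE_ENTRIES = 600  # assumed size of the constructed monitor list


def build_monlist_request() -> bytes:
    """Byte 0 packs response(1) more(1) version(3) mode(3): 0x17 = v2, mode 7.
    Then sequence, implementation, request code, err/nitems, mbz/itemsize."""
    rm_vn_mode = (2 << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


@dataclass
class Mode7Header:
    is_response: bool
    more: bool
    version: int
    mode: int
    sequence: int
    request: int
    nitems: int
    itemsize: int


def parse_mode7_header(pkt: bytes) -> Mode7Header:
    if len(pkt) < 8:
        raise ValueError("mode 7 header is 8 bytes")
    b0, seq, _impl, req, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", pkt[:8])
    return Mode7Header(
        is_response=bool(b0 & 0x80), more=bool(b0 & 0x40),
        version=(b0 >> 3) & 0x07, mode=b0 & 0x07,
        sequence=seq & 0x7F, request=req,
        nitems=err_nitems & 0x0FFF,      # top 4 bits carry the error code
        itemsize=mbz_itemsize & 0x0FFF,  # top 4 bits must be zero
    )


def parse_monlist_clients(pkt: bytes) -> List[str]:
    """IPv4 addresses of the recent clients a reflector leaks in one reply.
    In info_monitor_1 the v4 address sits at offset 16 of each 72-byte item."""
    hdr = parse_mode7_header(pkt)
    if not (hdr.is_response and hdr.mode == MODE_PRIVATE and hdr.request == REQ_MON_GETLIST_1):
        return []
    body, out = pkt[8:], []
    for i in range(hdr.nitems):
        item = body[i * hdr.itemsize:(i + 1) * hdr.itemsize]
        if len(item) < 20:
            break
        out.append(".".join(str(b) for b in item[16:20]))
    return out


def build_monlist_reply(seq: int, more: bool, clients: List[str]) -> bytes:
    """Constructed reply: header plus one zero-padded 72-byte entry per client."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", b0, seq & 0x7F, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      len(clients), MON_ITEM_SIZE)
    body = b""
    for ip in clients:
        addr = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
        # lasttime, firsttime, restr, count, addr, daddr, flags, port, mode, version
        item = struct.pack("!IIIIIIIHBB", 0, 0, 0, 1, addr, 0, 0, NTP_PORT, 3, 4)
        body += item.ljust(MON_ITEM_SIZE, b"\x00")
    return hdr + body


def simulate_monlist_dump(clients: List[str]) -> List[bytes]:
    """What a monlist-enabled ntpd returns for one 8-byte request: the monitor
    list split into 6-entry packets, the 'more' bit set on all but the last."""
    chunks = [clients[i:i + ITEMS_PER_PACKET] for i in range(0, len(clients), ITEMS_PER_PACKET)]
    return [build_monlist_reply(n, n < len(chunks) - 1, c) for n, c in enumerate(chunks)]


def amplification_factor(request: bytes, replies: List[bytes]) -> float:
    """UDP payload bytes returned per payload byte sent (IP/UDP headers excluded)."""
    return sum(len(r) for r in replies) / len(request)


def suspected_reflection_victims(packets: List[Tuple[str, str, int, bytes]],
                                 min_bytes: int) -> Dict[str, int]:
    """Egress check for a reflector operator. packets are (src, dst, sport, payload);
    sum mode 7 response payload leaving port 123 per destination and report the
    destinations over min_bytes, since a spoofed victim receives the whole dump."""
    per_dst: Dict[str, int] = defaultdict(int)
    for _src, dst, sport, payload in packets:
        if sport != NTP_PORT or len(payload) < 8:
            continue
        hdr = parse_mode7_header(payload)
        if hdr.is_response and hdr.mode == MODE_PRIVATE:
            per_dst[dst] += len(payload)
    return {d: n for d, n in per_dst.items() if n >= min_bytes}


# Constructed sample: a 600-entry monitor list of private addresses.
SAMPLE_CLIENTS = [f"10.{i // 256}.{i % 256}.1" for i in range(MONLIST_SAMPLE_ENTRIES)]

if __name__ == "__main__":
    req = build_monlist_request()
    replies = simulate_monlist_dump(SAMPLE_CLIENTS)
    print(f"{len(req)} B request -> {len(replies)} replies, {sum(map(len, replies))} B, "
          f"x{amplification_factor(req, replies):.0f} payload amplification")
    print(suspected_reflection_victims(
        [("192.0.2.10", "203.0.113.5", NTP_PORT, r) for r in replies], min_bytes=10_000))
```

With the constructed 600-entry list the single 8-byte request draws 100 reply packets of 440 bytes, which is why a few spoofed requests per second from a small source can saturate a victim; the egress check flags any destination receiving a large volume of mode 7 responses from port 123, whether or not it ever asked. The fix on the reflector side is to disable mode 7 queries (`noquery` in ntpd's restrict lines) and, on the network side, to drop spoofed source addresses at the edge so the requests never leave with the victim's address.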
Top source countries for each attack type
● DNS reflection attacks: The majority of DNS reflectors were from the United States,
followed by Russia and Brazil. The next countries in the top ten sources of DNS attack were
Indonesia, Turkey, China, Netherlands, Australia, Canada and Germany.
● NTP reflection attacks: The NTP reflection sources were spread across a number of countries.
The three source countries with the largest number of reflector servers used within this DDoS
attack were South Korea, Russia and Ukraine. The rest of the top countries represented were the
United States, China, Japan, Romania, Germany, Netherlands and Great Britain.
● POST attacks from the Drive Toolkit: The principal sources of the application layer attack
type within this campaign were identified as the countries of Turkey, Iran and Argentina, as
shown in Figure 26. The remaining top ten countries were identified as Brazil, Mexico,
Venezuela, Russia, Spain, India and Poland.
PLXsert was able to verify that the majority of sources from these countries match CPE (customer
premises equipment) device signatures. This suggests the source of the Dirt Jumper Drive attack
traffic was compromised Microsoft Windows-based computers behind home cable/DSL connections.
Get the full Q1 2014 Global Attack Report with all the details
Prolexic produces a quarterly DDoS attack report. As the world's leading DDoS mitigation
provider, Prolexic is ideally positioned to collect valuable data on the origins, tactics, types
and targets of DDoS attacks and to identify emerging trends. Download the Q1 2014 Global
Attack Report at www.prolexic.com/attackreports for:
● Global DDoS attack trends
● Year-over-year and quarter-by-quarter comparisons
● Types of attacks used
● Network protocols at risk for abuse by attackers
● Industries targeted
● Details about real attacks mitigated by Prolexic
The more you know about DDoS attacks, the better you can protect your network against cyber-
crime. Download the free Q1 2014 Global Attack Report today.
About Prolexic
Prolexic, now part of Akamai, offers DDoS protection solutions that leverage proprietary DDoS
filtering techniques and the world’s largest cloud-based DDoS mitigation network. To learn more
about how Prolexic solutions stop DDoS attacks and protect business, please
visit www.prolexic.com.