Q3 2013 Global DDoS Attack Report
![Page 1: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/1.jpg)
www.prolexic.com
Q3 2013 Attack Report
![Page 2: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/2.jpg)
2 CONFIDENTIAL
Types of DDoS attacks and their relative distribution in Q3 2013
Infrastructure Layer: 76.52%
ACK: 1.69%
CHARGEN: 3.37%
FIN PUSH: 0.39%
DNS: 8.94%
ICMP: 11.41%
RESET: 1.94%
RIP: 0.13%
RP: 0.39%
SYN: 18.16%
SYN PUSH: 0.13%
TCP Fragment: 0.65%
UDP Floods: 14.66%
UDP Fragment: 14.66%
Application Layer: 23.48%
HTTP GET: 18.03%
HEAD: 0.13%
HTTP POST: 3.37%
SSL POST: 0.26%
SSL GET: 0.78%
PUSH: 0.91%
![Page 3: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/3.jpg)
Attack vectors Q3 2013, Q2 2013 and Q3 2012
[Bar chart. Vectors: ACK, CHARGEN, FIN PUSH, DNS, ICMP, RESET, RIP, RP, SYN PUSH, SYN, TCP Fragment, UDP, UDP Fragment, IGMP, HTTP GET, HEAD, NTP, HTTP POST, PUSH, SSL GET, SSL POST. Horizontal axis: 0% to 35%. Series: Q3 2013, Q2 2013, Q3 2012.]
Q3 2013 data labels: ACK 1.69%, CHARGEN 3.37%, FIN PUSH 0.39%, DNS 8.94%, ICMP 11.41%, RESET 1.94%, RIP 0.13%, RP 0.39%, SYN PUSH 0.13%, SYN 18.16%, TCP Fragment 0.65%, UDP 14.66%, UDP Fragment 14.66%, HTTP GET 18.03%, HEAD 0.13%, HTTP POST 3.37%, PUSH 0.91%, SSL GET 0.78%, SSL POST 0.26%
![Page 4: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/4.jpg)
Changes in DDoS attacks per week Q3 2013 vs. Q3 2012
[Chart. Axis labels: Percentage; Time; Day of Week. Horizontal axis: 1-Jul, 8-Jul, 15-Jul, 22-Jul, 29-Jul, 5-Aug, 12-Aug, 19-Aug, 26-Aug, 2-Sep, 9-Sep, 16-Sep, 23-Sep, 30-Sep. Vertical axis: -50% to 250%. Data labels in extracted order: -7%, 17%, 118%, 34%, 84%, 80%, 43%, 96%, 190%, 109%, -16%, 82%, 46%, 43%.]
![Page 5: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/5.jpg)
Top ten source countries for DDoS attacks in Q3 2013
China: 62.26%
United States: 9.06%
Republic of Korea: 7.09%
Brazil: 4.46%
Russian Federation: 4.45%
India: 3.45%
Taiwan: 2.95%
Poland: 2.23%
Japan: 2.11%
Italy: 1.94%
![Page 6: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/6.jpg)
Top ten source countries for DDoS attacks in Q3 2013, Q2 2013 and Q3 2012
[Three bar-chart panels. Horizontal axis: 0% to 70%. Legend: Q3 2013, Q2 2013, Q3 2012.]
Panel 1: China 35.46%, USA 27.85%, India 7.81%, Brazil 5.23%, Russia 5.07%, Saudi Arabia 4.55%, Thailand 3.89%, UK 3.69%, Vietnam 3.68%, Egypt 2.77%
Panel 2: China 39.08%, Mexico 27.32%, Russia 7.58%, Korea 7.29%, France 6.50%, USA 4.12%, Italy 2.28%, Iran 2.14%, UK 1.88%, Taiwan 1.81%
Panel 3: China 62.26%, USA 9.06%, Korea 7.09%, Brazil 4.46%, Russia 4.45%, India 3.45%, Taiwan 2.95%, Poland 2.23%, Japan 2.11%, Italy 1.94%
![Page 7: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/7.jpg)
Attack campaign start time – Q3 2013, Q2 2013, Q3 2012
[Three chart panels, one each for Q3 2013, Q2 2013 and Q3 2012. Horizontal axis: Time, 0 to 23. Vertical axis: Percentage, 0 to 12.]
![Page 8: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/8.jpg)
Border traffic and mitigation bits for a September 6 attack
![Page 9: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/9.jpg)
Example of a DrDoS reflection attack
[Diagram. Nodes: Malicious Actor, three Victims, Primary Target.]
Packet 1: Spoofed Source (Target), Destination (Victim)
Packet 2 (Reflected Packet): Source (Victim), Destination (Target)
![Page 10: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/10.jpg)
cdos.c tool generating a CHARGEN packet with a size of 29 bytes
![Page 11: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/11.jpg)
A Microsoft Windows 2000 server victim
![Page 12: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/12.jpg)
Packet data of the amplified DrDoS traffic
![Page 13: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/13.jpg)
Source regions of CHARGEN attacks against gambling industry customer
![Page 14: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/14.jpg)
Top 10 ASNs participating in the attack against the gambling industry customer
[Pie chart. Data labels in extracted order: 6.90%, 11.40%, 12.20%, 59.40%. Legend:]
KRNIC-ASBLOCK-AP KRNIC
CHINANET-SH-AP China Telecom (Group)
CHINANET-SCIDC-AS-AP CHINANET SiChuan Telecom Internet Data Center
ATT-INTERNET4 - AT&T Services, Inc.
UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
LGDACOM LG DACOM Corporation
CHINA169-BACKBONE CNCGROUP China169 Backbone
HANARO-AS Hanaro Telecom Inc.
CHINANET-BACKBONE No.31,Jin-rong Street
![Page 15: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/15.jpg)
Bandwidth graphs during this CHARGEN attack
![Page 16: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/16.jpg)
Pricing options for a stressor service
![Page 17: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/17.jpg)
Top 10 ASNs participating in the attack against the entertainment industry customer
[Pie chart. Data labels in extracted order: 4.20%, 5.50%, 5.70%, 7.70%, 8.90%, 9.90%, 10.90%, 38.60%. Legend:]
CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd.
OCN NTT Communications Corporation
CABLE-NET-1 - Cablevision Systems Corp.
CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
HANARO-AS Hanaro Telecom Inc.
CHINA169-BACKBONE CNCGROUP China169 Backbone
CMCS - Comcast Cable Communications, Inc.
LGDACOM LG DACOM Corporation
CHINANET-BACKBONE No.31,Jin-rong Street
![Page 18: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/18.jpg)
Source regions of CHARGEN attacks against entertainment industry customer
![Page 19: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/19.jpg)
Mitigation control for CHARGEN campaign against the entertainment industry customer
![Page 20: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/20.jpg)
Screenshot of RAGE booter
![Page 21: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/21.jpg)
Rage Booter API service panel
![Page 22: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/22.jpg)
RAGE booter API service panel
![Page 23: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/23.jpg)
Stressor panel with CHARGEN features
![Page 24: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/24.jpg)
Screenshot of advert selling a reflection IP list
![Page 25: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/25.jpg)
A forum for selling DrDoS scanners
![Page 26: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/26.jpg)
The attack console interface of the cdos.c DrDoS toolkit
![Page 27: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/27.jpg)
Forum chatter about leaked tool market saturation
![Page 28: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/28.jpg)
Forum selling CHARGEN scanner tool
![Page 29: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/29.jpg)
99 percent of servers participating in a CHARGEN reflection attack ran a Microsoft Windows server operating system
[Pie chart. Legend: Linux, Unix, Windows, Other. Data label: 99.3%.]
![Page 30: Q3 2013 Global DDoS Attack Report](https://reader033.fdocuments.in/reader033/viewer/2022060107/554c02b6b4c9053f078b4edc/html5/thumbnails/30.jpg)
CHARGEN has been turned off