Verisign Distribution Denial of Service Trends, observed attack trends of January - March, the first quarter of 2017. These trends include attack statistics, behavioural trends and future outlook.
Compiled on the basis of observations and insights about attack frequency and size obtained from mitigations on behalf of customers from Verisign DDOS Protection Services and insights from iDefense Security Intelligence Services.
Verisign observed the following key trends in Q1 2017:
DDoS attacks remains complex and unpredictable, and vary widely in terms of volume, speed and complexity. To combat these attacks, it is becoming increasingly important to constantly monitor attacks for changes in order to optimize the mitigation strategy. Verisign saw a 23 percent decrease in the number of attacks in Q1 2017; however, the average peak attack size increased 26 percent compared to the previous quarter. Attackers also launched sustained and repeated attacks against their targets. In fact, Verisign observed that almost 50 percent of customers who experienced DDoS attacks in Q1 2017 were targeted multiple times during the quarter. Every quarter since the first quarter of 2016 has had average attack peak sizes of over 10 GBPS.
Multi-Vector DDoS Attacks are the Norm. Verisign observed DDoS attacks targeting victim networks at multiple network layers and attack types changing over the course of DDoS events, thus requiring continuous
monitoring to optimize the mitigation strategy. 57 % of DDoS attacks in Q1 2017 utilized at least two different attack types. UDP flood attacks continue to lead in Q1 2017, making up 46 percent of total attacks in the quarter. The most common UDP floods mitigated were Domain Name System (DNS) reflection attacks, followed by Network Time Protocol (NTP) and Simple Service Discovery Protocol (SSDP) reflection attacks. While UDP-based attacks continued to dominate the types of attacks deployed, the number of TCP-based attacks increased. TCP floods, largely consisting of TCP SYN and TCP RST floods, were the second most common attack vector, making up 33 percent of attack types in the quarter.
Largest Volumetric Attack and Highest Intensity Flood
The largest volumetric and highest intensity DDoS attack observed by Verisign in Q1 2017 was a multi-vector attack that peaked over 120 Gbps and around 90 Mpps. This attack sent a flood of traffic to the targeted network in excess of 60 Gbps for more than 15 hours. The attackers were very persistent in their attempts to disrupt the victim’s network by sending attack traffic on a daily basis for over two weeks. The attack consisted primarily of TCP SYN and TCP RST floods of varying packet sizes and employed one of the signatures associated with the MiraiIoT botnet. The event also included UDP floods and IP fragments which increased the volume of the attack.
At approximately 90 Mpps, the speed of the attack was the fastest pps rate observed in Q1 2017. SYN flood attacks at such high pps rates can be disruptive and require a highly scalable cloud-based service that can quickly and effectively defend against such attacks
Attacks against Financial Sector Increases
The financial sector continues to be a constant target for DDoS attacks. In Q1 2017, Verisign’s financial sector customers experienced the second highest number of DDoS attacks (28 percent) of any industry sector within Verisign’s customer base (a large increase from only 7 percent during the prior quarter). IT Services/Cloud remained the sector with the largest number of DDoS attacks in Q1 2017.
Combining technology and the human element to mitigate DDoS attacks
In Q1 2017, Verisign observed that 57%t of DDoS attacks against its customer base utilized multiple attack vectors. As DDoS attacks increase in complexity and size, combating them becomes more challenging. In response, organizations not only need the right technology capable of meeting this growing threat, but also the right human element. Technical staff with DDoS expertise working in tandem with technology is highly beneficial in keeping networks and infrastructures available during an attack.
The Technology
Various on-premise firewalls and dedicated DDoS appliances are intended to preemptively stop malicious traffic before it reaches a network. The appliances can be configured with countermeasures or rules to block traffic to certain ports or traffic in a non-compliant format. When configured properly, the associated malicious traffic will be effectively blocked and dropped before it reaches the intended servers. These appliances are adept at handling simple attacks such as SYN floods and UDP floods, allowing some of the processes including detection to mitigation to be automated. However, in order to fine tune attack countermeasures and respond to changing attack tactics, it is important to have the right people working behind the scenes to most effectively combat a wide variety of attacks.
The Human Element
Attackers are using multiple tactics and adapting them midstream to impact their designated target. For example, Verisign observed that many Layer 7 attacks are regularly mixed in with Layer 3/Layer 4 DDoS flooding attacks. Volumetric flood attacks are easier to defend against than Layer 7 DDoS attacks, which pose a different challenge because it is difficult to distinguish legitimate human traffic from bot traffic. In such cases, a highly trained DDoS team with years of experience and expertise is needed to continuously monitor and adapt a mitigation approach to effectively differentiate bot versus human traffic.