Graphic of DDoS Evolution 2013-2014

April 20, 2014
We are all attempting to figure out the right investments in DDoS resistance and mitigation.  In the fog of hype and vendor pitches, it is difficult to get some perspective on what we need to be preparing for on this front.  Every hard data resource has exaggerated value in the current situation.
Incapsula recently released “2013-2014 DDoS Threat Landscape Report.”  Their findings outlined below are based on hundreds of attacks perpetrated against websites using Incapsula’s DDoS Mitigation service.  Using that data their report concludes (most quoted from their report):

Network (Layer 3 & 4) DDoS Attacks

  • Large SYN Floods account for 51.5% of all large-scale attacks
  • Almost one in every three attacks is above 20Gbps
  • 81% of attacks are multi-vector threats
  • Normal SYN flood & Large SYN flood combo is the most popular multi-vector attack (75%)
  • NTP reflection was the most common large-scale attack method in February 2014
2014: Emerging Trends
    • “Hit and Run” DDoS attacks, frequent short bursts of traffic, are specifically designed to exploit the weakness of services that were designed for manual triggering (e.g., GRE tunneling to DNS re-routing). Hit and Run attacks are now changing the face of the anti-DDoS industry, pushing it towards “Always On” integrated solutions.
    • Multi-Vector Threats: 81% of all network attacks employed at least two different attack methods, with almost 39% using three or more different attack methods simultaneously.  Multi-vector tactics increase the attacker’s chance of success by targeting several different networking or infrastructure resources.  Combinations of different offensive techniques are also often used to create “smokescreen” effects, where one attack is used to create noise, diverting attention from another attack vector. Moreover, multi-vector methods enable attackers to exploit holes in a target’s security perimeter, causing conflicts in automated security rules and spreading confusion among human operators.
    • Attack Type Facilitates Growth: Today large scale DDoS attacks (20Gbps and above) already account for almost 33% of all network DDoS events. There is no doubt that the increasing adoption of these techniques will facilitate the growth of future volumetric network DDoS attacks, which could in turn drive an increase in investment in networking resources.  During January and February of 2014 a significant increase in the number of NTP Amplification attacks was noted. In fact, this reached the point where, in February, NTP Amplification attacks became the most commonly used attack vector for large scale network DDoS attacks.
    • Weapon of Choice: attackers’ most common “weapons of choice” are large SYN floods, NTP Amplification and DNS Amplification
    • NTP DDoS is on the Rise

Application (Layer 7) DDoS Attacks

In the second half of 2013 Incapsula began to encounter a much more complex breed of DDoS offenders, including browser-based bots which were immune to generic filtering methods and could only be stopped by a combination of customized security rules and reputation-based heuristics.  (High volume is not essential)…even a rate of 50-100 requests/second would be enough to cripple most mid-sized websites, exceeding typical capacity margins.
  • DDoS bot traffic is up by 240%:  On average, Incapsula recorded over 12 million unique DDoS bot sessions on a weekly basis, which represents a 240% increase over the same period in 2013.
  • More than 25% of all Botnets are located in India, China and Iran
  • USA is ranked number 5 in the list of “Top 10” attacking countries
  • 29% of Botnets attack more than 50 targets a month; 7% attack more than 100 per month.
  • 29.9% of DDoS bots can hold cookies.  In the fourth quarter of 2013, Incapsula reported the first encounter with browser-based DDoS bots that were able to bypass both JavaScript and Cookie challenges – the two most common methods of bot filtering.  This trend continues in 2014.
  • 46% of all spoofed user-agents are fake Baidu Bots (while 11.7% are fake Googlebots)
2014: Emerging Trends
    • Botnet Geo-Locations
    • “Shared Botnets”
    • Bots are Evolving
    • Common Spoofed User-Agents
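
Because so many DDoS bots present a Baidu or Googlebot user-agent, a defender can check the claim with forward-confirmed reverse DNS before trusting it. The sketch below is an added example, not part of the Incapsula report; the hostname suffixes are assumptions taken from the crawler operators' published verification guidance, and the DNS data and request samples are constructed so it runs offline.

```python
import socket

# Assumed suffixes from the operators' published guidance; confirm against current docs.
CRAWLER_SUFFIXES = {
    "googlebot": (".googlebot.com", ".google.com"),
    "baiduspider": (".baidu.com", ".baidu.jp"),
}

def claimed_crawler(user_agent):
    """Return the crawler name the User-Agent claims to be, or None."""
    ua = user_agent.lower()
    return next((name for name in CRAWLER_SUFFIXES if name in ua), None)

def system_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(host):
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def classify(ip, user_agent, ptr=system_ptr, forward=system_forward):
    """Forward-confirmed reverse DNS: the PTR name must sit in the operator's
    domain AND resolve back to the same IP (a PTR record alone can be forged)."""
    name = claimed_crawler(user_agent)
    if name is None:
        return "not-a-crawler-claim"
    host = (ptr(ip) or "").rstrip(".").lower()
    if not host.endswith(CRAWLER_SUFFIXES[name]):
        return "spoofed"
    return "verified" if ip in forward(host) else "spoofed"

# Constructed DNS data and requests (documentation address ranges).
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "198.51.100.7": "host7.example.net",
       "203.0.113.5": "crawl.googlebot.com"}   # PTR set by the address owner
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
     "crawl.googlebot.com": {"192.0.2.99"}}    # forward lookup does not match
GOOGLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BAIDU_UA = "Mozilla/5.0 (compatible; Baiduspider/2.0)"
REQUESTS = [("192.0.2.10", GOOGLE_UA), ("198.51.100.7", BAIDU_UA),
            ("203.0.113.5", GOOGLE_UA), ("198.51.100.9", BAIDU_UA),
            ("198.51.100.8", "Mozilla/5.0 (Windows NT 6.1)")]

def demo():
    fwd = lambda host: A.get(host, set())
    return [classify(ip, ua, PTR.get, fwd) for ip, ua in REQUESTS]

if __name__ == "__main__":
    for (ip, ua), verdict in zip(REQUESTS, demo()):
        print(f"{ip:15} {verdict:20} {ua[:40]}")
```

In production the verdict should be cached per IP, since two DNS lookups per request would themselves become a bottleneck under a Layer 7 flood.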



2013-2014 DDoS Threat Landscape Report

The findings above are summarized in the graphic below from Incapsula
DDoS Graphic from Incapsula

DDoS Campaign Requires New Thinking

April 22, 2013

Last week the al-Qassam Cyber-Fighters (AQCF) said on PasteBin that they were going to start on their 55th day of their distributed denial of service (DDoS) campaign against large U.S. based banks, Operation Ababil.  One of my co-workers outlined his reading of the situation: “each week they step up to bat, point to their target in the far reaches of the high outfield bleachers, and then knock the next pitch into the stands, exactly where they intended.”  They have been able to consistently direct what were, until recently, unthinkable volumes of attack traffic at their targets.  Bank website outages may be double or more what they were a year ago.  Some organizations are having a tougher time than others.  Threat intelligence sharing has not proven to be a great help in repelling these ongoing attacks.

These DDoS successes demonstrate the power of AQCF techniques.  Other cyber-crime organizations will learn from this approach and build out their own capabilities to support whatever business model fits their needs.  As a result, financial services need to re-think how we architect, deploy, and operate our Internet-enabled operations.

Widely distributed content delivery network resources, a broader array of cloud-enabled services, and agile real-time system migration operational processes, backed up by multiple layers of network and application layer security defenses, seem like the right places to start.  But it seems like that approach may only buy time.  This is a serious business challenge.  In the presence of an attacker who consistently delivers exactly what they announce, business as usual seems risk-inappropriate.  Invest your best and brightest, your most disruptive as well as your most mature human resources in this one.  Some financial services targets may choose to bank on hope: that DDoS will just “go away” or that someone else will invent DDoS-prevention services that turn out to be both cheap and easy.  Some may also lose this battle.

What do you think?


al-Qassam Cyber-Fighters on PasteBin:

Operation Ababil Phase 3 week 7:

Bank Website Attacks Reach New High – 249 Hours Offline in Past Six Weeks:
