DDoS attack patterns across the APJ cloud market

www.cloudsec.com/tw | #CLOUDSEC

Transcript of "DDoS attack patterns across the APJ cloud market" by Samuel Chen CCIE#9607, Enterprise Security Architect, Manager - APJ

Page 1

DDoS attack patterns across the APJ cloud market

Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ

Page 2

DDoS attacks from Q1 2014 to Q1 2016

• Each dot represents an individual DDoS attack, and each interval covers a 10-fold increase in attack size. The boxes mark the interquartile range – the middle 50% of attacks.

Page 3

DDoS Attack Median Packet Rate and IQR

While there were six DDoS attacks in Q1 that exceeded 30 Mpps, more than half of the attacks measured 1 Mpps or less.

The graph shows the packet rate for the middle 50% of DDoS attacks from Q1 2014 – Q1 2016.

Page 4

Compared to Q1 2015

• 125% Total DDoS attacks

• 142% Infrastructure layer attacks

• 35% Average attack duration

• 138% Total attacks > 100 Gbps

In Q1 2016, repeat DDoS attacks remained the norm, with an average of 29 attacks per targeted customer. One target suffered 283 attacks – an average of three times per day for the quarter.

Page 5

Compared to Q4 2015

• 23% Total DDoS attacks

• 107% Repeat attacks per target

• 23% Infrastructure layer attacks

• 8% Average attack duration

• 280% Total attacks >100 Gbps

Largest attack: 289 Gbps

Most packets per second: 67 Mpps

In Q1 2016, stresser/booter-based botnets remained the source of the vast majority of DDoS attacks observed by Akamai. These tools rely heavily upon reflection techniques to fuel their traffic.

Page 6

Types of DDoS Attacks & Relative Distribution in Q1 2016

UDP Fragment, DNS, NTP and CHARGEN attack vectors made up almost 70% of the attacks.

Page 7

Avoid data theft and downtime by extending the security perimeter outside the data-center and protect from increasing frequency, scale and sophistication of web attacks.

10 Most Frequent Attack Vectors by Quarter

TCP Anomaly attacks remain in the top 10 vectors, which first edged out ICMP attacks in Q4 2015.

Page 8

Multi-Vector DDoS Attacks Are the Norm

Multi-vector attacks accounted for 59% of DDoS activity in Q1 2016, up from 56% in Q4 2015

Page 9

Reflection-Based DDoS Attacks, Q1 2015 – Q1 2016

SSDP, NTP, DNS, and CHARGEN have consistently been used as the most common reflection attack vectors, as shown on the left axis. The use of reflection attacks has increased dramatically since Q1 2015, as shown on the right axis.
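As an added example (not part of the original deck), the following Python classifies aggregated UDP flow records into the reflection vectors named on pages 6 and 9 by their source port and computes the share of targets hit by more than one vector at once, the multi-vector measure of page 8. The record format, the packets-per-second threshold and the sample records are assumptions constructed for the illustration.

```python
from collections import defaultdict

# UDP source ports of the reflection vectors the deck names. A high-rate
# flood whose UDP *source* port is one of these, converging on one target,
# is the signature of reflected traffic: the reflector answers on its
# service port to the spoofed victim address.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 19: "CHARGEN", 1900: "SSDP"}

# Constructed threshold in packets per second per (target, vector) record;
# a real deployment would baseline this per service and per link.
PPS_THRESHOLD = 10_000

def classify_record(rec):
    """Map one aggregated flow record to a vector name, or None if it looks benign.
    rec keys: dst, proto, src_port, fragment (bool), pps.
    """
    if rec["proto"] != "udp" or rec["pps"] < PPS_THRESHOLD:
        return None
    # Non-initial IP fragments carry no UDP header, so the source port is
    # unknown; the deck counts such floods as the "UDP Fragment" vector.
    if rec["fragment"]:
        return "UDP Fragment"
    return REFLECTION_PORTS.get(rec["src_port"])

def vectors_per_target(records):
    """Return {target: set of vectors} for targets receiving attack-rate traffic."""
    seen = defaultdict(set)
    for rec in records:
        vec = classify_record(rec)
        if vec:
            seen[rec["dst"]].add(vec)
    return dict(seen)

def multi_vector_share(per_target):
    """Fraction of attacked targets hit by two or more vectors in the window."""
    if not per_target:
        return 0.0
    return sum(len(v) >= 2 for v in per_target.values()) / len(per_target)

# Constructed sample records (documentation addresses, not real traffic).
SAMPLE_RECORDS = [
    {"dst": "203.0.113.10", "proto": "udp", "src_port": 123,  "fragment": False, "pps": 250_000},
    {"dst": "203.0.113.10", "proto": "udp", "src_port": 53,   "fragment": False, "pps": 90_000},
    {"dst": "203.0.113.10", "proto": "udp", "src_port": 0,    "fragment": True,  "pps": 400_000},
    {"dst": "203.0.113.20", "proto": "udp", "src_port": 1900, "fragment": False, "pps": 30_000},
    {"dst": "203.0.113.30", "proto": "udp", "src_port": 123,  "fragment": False, "pps": 40},
    {"dst": "203.0.113.40", "proto": "udp", "src_port": 19,   "fragment": False, "pps": 120_000},
    {"dst": "203.0.113.40", "proto": "udp", "src_port": 123,  "fragment": False, "pps": 15_000},
]
```

Running `vectors_per_target(SAMPLE_RECORDS)` yields three attacked targets, two of them multi-vector, so `multi_vector_share` returns 2/3.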

Page 10

DDoS Attack Frequency by Industry

Page 11

Average Number of DDoS Attacks per Target

In Q1 2016 there were an average of 29 DDoS attacks per target, up from 24 last quarter. One target was hit with 283 attacks – averaging more than 3 attacks per day.

Page 12

Top 10 Source Countries for DDoS Attacks in Q1 2016

China was the top source of non-spoofed DDoS attacks in the first quarter, followed by the US.

Page 13

Top 5 Source Countries for DDoS Attacks, Q1 2015 – Q1 2016

China has been the top source country for DDoS attacks since Q1 2015, with the exception of Q3 2015, when the UK took the top spot.

Page 14

Mega Attacks > 100 Gbps in Q1 2016

Nineteen attacks exceeded 100 Gbps in Q1 2016, with the largest hitting the software and technology, gaming and media-entertainment sectors.

Page 15

Mega Attacks > 30 Mpps in Q1 2016

Of the six attacks exceeding 30 Mpps in Q1 2016, the four largest targeted the software and technology sector.

Page 16

Spotlight: attack traffic distribution across scrubbing center locations, with Frankfurt absorbing the highest peak bandwidth of 104 Gbps.

Page 17

Web Application Attack Analysis

Page 18

9 Common Web Attack Vectors

• SQLi / SQL injection: User content is passed to an SQL statement without proper validation

• LFI / Local file inclusion: Gains unauthorized read access to local files on the web server

• RFI / Remote file inclusion: Abuse of the dynamic file include mechanism available in many programming languages to load remote malicious code into the victim web application

• PHPi / PHP injection: Injects PHP code that gets executed by the PHP interpreter

• CMDi / Command injection: Executes arbitrary shell commands on the target system

• JAVAi / Java injection: Abuses the Object Graph Navigation Language (OGNL), a Java expression language. Popular due to recent flaws in the Java-based Struts Framework, which uses OGNL extensively

• MFU / Malicious file upload (or unrestricted file upload): Uploads unauthorized files to the target application that may be used later to gain full control over the system

• XSS / Cross-site scripting: Injects client-side code into web pages viewed by others whose browsers execute the code within the security context (or zone) of the hosting web site. Reads, modifies and/or transmits data accessible by the browser

• Shellshock / Disclosed in September 2014: A vulnerability in the Bash shell (the default shell for Linux and Mac OS X) that allows for arbitrary command execution by a remote attacker
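As an added example (not part of the original deck), the following Python counts "attack triggers" per vector, in the sense of pages 19 to 27, by running coarse indicator patterns for the nine vectors above over decoded request records, and reports the share of triggers seen over HTTPS as on page 20. The record format, the patterns and the sample log lines are constructed assumptions; a production WAF uses far richer rules and per-parameter parsing.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Coarse, illustrative indicators for the nine vectors; ordered so that the
# most specific signatures are tested first.
VECTOR_PATTERNS = [
    ("Shellshock", re.compile(r"\(\)\s*\{")),                 # Bash function-definition prefix
    ("CMDi",       re.compile(r"[;|`]\s*(?:cat|id|wget|curl)\b", re.I)),
    ("PHPi",       re.compile(r"<\?php|php://", re.I)),
    ("JAVAi",      re.compile(r"[%$]\{")),                    # OGNL expression syntax
    ("RFI",        re.compile(r"[?&]\w+=https?://", re.I)),   # include parameter pointing off-host
    ("LFI",        re.compile(r"\.\./|/etc/passwd", re.I)),
    ("SQLi",       re.compile(r"union\s+select|'\s*or\s*'?1'?\s*=\s*'?1", re.I)),
    ("XSS",        re.compile(r"<script|on\w+\s*=", re.I)),
    ("MFU",        re.compile(r'filename="[^"]+\.(?:php|jsp|phtml)"', re.I)),
]

def classify_request(request):
    """Return the first matching vector name for one request fragment, else None."""
    decoded = unquote(request)          # match on the decoded form, as a WAF would
    for name, pattern in VECTOR_PATTERNS:
        if pattern.search(decoded):
            return name
    return None

def trigger_summary(lines):
    """Count triggers per vector and return (Counter, share of triggers over HTTPS)."""
    per_vector = Counter()
    https_hits = 0
    for line in lines:
        scheme, _, request = line.partition(" ")
        vector = classify_request(request)
        if vector is None:
            continue
        per_vector[vector] += 1
        if scheme == "https":
            https_hits += 1
    total = sum(per_vector.values())
    return per_vector, (https_hits / total if total else 0.0)

# Constructed sample records: "<scheme> <request line or header fragment>".
SAMPLE_LOG = [
    "http GET /products?id=1 HTTP/1.1",
    "https GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1",
    "http GET /view?page=../../etc/passwd HTTP/1.1",
    "http GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1",
    "https GET /cgi-bin/status User-Agent: () { :; };",
    "http GET /include?file=http://203.0.113.9/x.txt HTTP/1.1",
]
```

On the sample log, `trigger_summary(SAMPLE_LOG)` reports five triggers across five vectors, two of them over HTTPS.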

Page 19

Web Application Attack Vectors Over HTTP, Q1 2016

SQLi, LFI and XSS were the most prevalent attack vectors. They were used in more than 90% of the attacks over HTTP.

Page 20

Attacks Over HTTPS, Q1 2016

30% of the web application attacks observed in Q1 2016 were over encrypted (HTTPS) connections, an increase from only 11% the previous quarter.

Page 21

Top 10 Source Countries for Web Application Attacks, Q1 2016

Page 22

Top 10 Target Countries for Web Application Attacks, Q1 2016

US-hosted web sites were targeted six times more often than the second most popular target country, Brazil.

Page 23

Web Application Attacks by Industry, Q1 2016

As in previous quarters, the retail industry was most frequently targeted with web application attacks in Q1 2016.

Page 24

Web Application Attack Triggers by Industry, Q1 2016

94% of the attack triggers for web application attacks in Q1 2016 targeted just eight industries (shown in black).

Page 25

SQLi and LFI Attack Triggers by Target Industry, Q1 2016

Page 26

Shellshock, XSS, and MFU Attack Triggers by Industry

Page 27

CMDI, PHPI, and RFI Attack Triggers by Industry

Page 28

24 Hour Bot Traffic Snapshot

Page 29

Akamai Intelligent Platform™ Firewall Activity

Page 30

Reflector Activity

• The location of leveraged Internet devices used in reflection-based DDoS attacks during Q1 2016 was concentrated in the US, Asia, and Europe.

Page 31

Top 10 Reflection Sources by ASN

Page 32

DDoS Reflection Sources

Page 33

Cloud Security Resources

Page 35

Samuel Chen CCIE#9607 Enterprise Security Architect, Manager - APJ