DDoS trends on CloudFlare network - Sept 2014

DDoS Attack Trends on CloudFlare Network Sept 2014 Elenitsa Staykova Marketing, CloudFlare

CloudFlare is an expert in DDoS mitigation. We see and mitigate more attacks than any other competitor. We have stopped more than 300BN security threats on our network of 2MM+ websites. We have visibility into hundreds of millions of IPs, which provide us with effective security intelligence. Let's take a look at the type of DDoS attacks on our network and how they have evolved.

Transcript of DDoS trends on CloudFlare network - Sept 2014

Page 1: DDoS trends on CloudFlare network - Sept 2014

DDoS Attack Trends on CloudFlare Network Sept 2014

Elenitsa Staykova

Marketing, CloudFlare

Page 2: DDoS trends on CloudFlare network - Sept 2014

DDoS Attack Trends on CloudFlare Network – Sept 2014

CloudFlare - Experts in DDoS Mitigation:

• Stopped 300BN+ security threats on a network of 2MM+ websites

• Visibility into 100MM+ IPs provides CloudFlare effective security intelligence

• Sees and mitigates more attacks than any other security provider

Page 3: DDoS trends on CloudFlare network - Sept 2014

The Evolving Landscape of DDoS Attacks

ATTACK TYPE TREND

• Volumetric Layer 3 / 4

• DNS Infrastructure

• HTTPS application

• Origin: 100s of countries

More sophisticated DDoS mitigation and a larger surface area to block volumetric attacks have forced hackers to change tactics. New DNS infrastructure and HTTP layer 7 attack signatures that mimic human-like behavior are increasing in frequency.

[Chart; axis labels: Sophistication, 2013, 2014]

• DNS amplification: up to 300 Gbps

• NTP reflection: up to 400+ Gbps (35% up from DNS ampl.)

• DNS infrastructure: 100s Gbps

• HTTP application: 100s Gbps

Page 4: DDoS trends on CloudFlare network - Sept 2014

DNS / NTP Amplification attack

Attackers pretending to be your server make tiny requests to thousands of DNS or NTP servers. Those servers return huge responses to your server, knocking it offline.

Exhausts network connection

Page 5: DDoS trends on CloudFlare network - Sept 2014

DNS / NTP Amplification attack

Attackers, pretending to be your server, make tiny requests to thousands of DNS or NTP servers. The servers return huge responses, which are absorbed by CloudFlare.

Page 6: DDoS trends on CloudFlare network - Sept 2014

DNS Infrastructure attack

Attackers use millions of compromised machines to overwhelm DNS servers with requests for a single website, making it impossible for real users to access that site.

Exhausts CPU

Page 7: DDoS trends on CloudFlare network - Sept 2014

DNS Infrastructure attack

Attackers target the CloudFlare DNS servers, but their requests are distributed over our entire network and blocked by our WAF.

Page 8: DDoS trends on CloudFlare network - Sept 2014

Layer 7 attacks

Attackers use millions of compromised machines to launch a sophisticated attack that mimics real users and overloads the slow points in your web property.

Exhausts CPU

Page 9: DDoS trends on CloudFlare network - Sept 2014
Page 10: DDoS trends on CloudFlare network - Sept 2014

Layer 7 attacks

A highly advanced attack that mimics real users is detected and blocked by CloudFlare before it can overload the slow parts of your software.

Page 11: DDoS trends on CloudFlare network - Sept 2014

IP challenged and “grey listed” in a matter of seconds.

Page 12: DDoS trends on CloudFlare network - Sept 2014

CloudFlare effectively mitigates the new attack signatures

The latest attack trends are increasingly sophisticated and human-like

• Attacks crawl many resources on a website looking for vulnerabilities [which is different from prior attack tactics of flooding pipes with requests]

• Hackers utilize diverse strategies to attack URIs, which makes it hard to write a single page rule

• Attacks impersonate valid user agent strings, e.g. Google and Baidu, in order to bypass security checks

• Botnets slowly crawl login / admin pages, mimicking human behavior, in order to go undetected
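
A request that claims a Google or Baidu user agent, as in the list above, can be checked with forward-confirmed reverse DNS, the verification those crawler operators publish. The following is an added example, not CloudFlare's code or method; the function names, the `CRAWLER_DOMAINS` table and the sample addresses are assumptions constructed for illustration.

```python
import socket

# Hostname suffixes the crawler operators publish for reverse-DNS checks.
# The table layout and key names are this example's own (hypothetical).
CRAWLER_DOMAINS = {
    "googlebot": (".googlebot.com", ".google.com"),
    "baiduspider": (".baidu.com", ".baidu.jp"),
}

def _ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def _a(host):
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def classify(ip, user_agent, ptr_lookup=_ptr, a_lookup=_a):
    """Return 'not-crawler', 'verified' or 'spoofed' for one request."""
    ua = user_agent.lower()
    claimed = next((name for name in CRAWLER_DOMAINS if name in ua), None)
    if claimed is None:
        return "not-crawler"
    host = ptr_lookup(ip)
    if not host:
        return "spoofed"
    host = host.rstrip(".").lower()
    # Suffixes start with a dot, so "googlebot.com.evil.example" fails.
    if not host.endswith(CRAWLER_DOMAINS[claimed]):
        return "spoofed"
    # Forward-confirm: whoever controls the reverse zone can forge a PTR,
    # so the name must also resolve back to the connecting IP.
    return "verified" if ip in a_lookup(host) else "spoofed"

# Constructed sample data (documentation address ranges, not crawler IPs).
SAMPLE_PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
              "198.51.100.7": "crawl-1.googlebot.com",  # forged PTR
              "203.0.113.5": "host5.isp.example"}
SAMPLE_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
            "crawl-1.googlebot.com": ["192.0.2.99"]}
SAMPLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

def demo():
    fwd = lambda h: SAMPLE_A.get(h, [])
    return {ip: classify(ip, SAMPLE_UA, SAMPLE_PTR.get, fwd) for ip in SAMPLE_PTR}
```

Called without the two lookup arguments, `classify` performs live DNS queries; results should be cached per IP so the check itself does not become a bottleneck under load.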

CloudFlare uniquely positioned to successfully mitigate these attacks

• CloudFlare sees more attacks than any other security provider

• Visibility into hundreds of millions of IPs provides CloudFlare with effective security intelligence

• CloudFlare employs a data-driven security layer with real-time feedback and dynamic reputation scoring to protect over 2MM websites on our network

• CloudFlare continually updates our WAF to incorporate rules to protect against the latest attack signatures