[PPT Download] Nexusguard 2018 DDoS Attack Report
Posted on: 2019-1-24 16:04




Contents

  • Key Observations
  • Quarterly Focus
  • DDoS Attacks the “Mongol Way”
  • Junk Traffic Hijacking Legitimate Traffic
  • Implications for ASN-level CSPs
  • Attack Vectors and Their Targets
  • DDoS Activities
  • Types of Attack Vectors
  • Top 3 Attack Vectors
  • Quantity of Attack Vectors
  • Attack Durations
  • Attack Size Distribution
  • Global Attack Source Distribution
  • APAC Attack Source Distribution
  • Global Attack Sources by Autonomous System Number (ASN)
  • Conclusions
  • Research & Methodology




Quarterly Focus


DDoS Attacks the “Mongol Way”


As DDoS attack tactics evolve, Communication Service Providers1 (CSP) at the ASN level are facing a new challenge posed by diffused and stealthy volumetric attacks designed to evade detection. The new tactic resembles the way Mongol troops executed battles some 700 years ago. Like the Mongols, today’s perpetrators thoroughly study the targeted landscape prior to mounting their attacks.


By conducting advance reconnaissance to covertly collect information, attackers can identify mission-critical IP prefixes, whereas in the past they tended to zero in on a small number of high-traffic IPs to cause congestion. This sophisticated tactic leads us to believe that such intelligence might be coming from insiders with knowledge of those IP prefixes that are most vulnerable to DDoS attacks.


Mongol military tactics enabled the Mongol Empire to conquer nearly all of continental Asia, the Middle East, and parts of eastern Europe during the 13th and 14th centuries. Highly agile and mobile, horse-riding Mongol soldiers were often sent on scouting missions to gather intelligence about routes and search for terrain most suited to their preferred combat tactics.

1. https://www.gartner.com/it-glossary/csp-communications-service-provider



Junk Traffic Hijacking Legitimate Traffic


Like Mongolian warriors that used human shields, today’s perpetrators also use subterfuge to distract and disrupt defenses. In Q3 we observed attacks where perpetrators injected small bits and pieces of junk into legitimate traffic as a disguise. Consequently, attack traffic in the space of each IP address was small enough to bypass detection, but big enough to cripple the targeted site or even an entire CSP network once the traffic converged.


Owing to the negligible size of the junk, typical security devices deployed by ASN-level CSPs are unable to detect and mitigate the traffic before it can cause any harm. This is so because detection thresholds are largely based on the volume of traffic heading to destination IPs.


How is the “bit-and-piece” pattern different from traditional network-layer volumetric attacks?


Bit-and-piece exploits the large attack surfaces of ASN-level CSPs, whereas traditional attacks zero in on one or a few IPs that serve mission-critical services such as websites and mail servers and overwhelm the target by sending voluminous amounts of junk. Since the traffic spike is significant and the attack obvious, it’s relatively easy to detect abnormalities and mitigate traditional volumetric attacks. In most cases, ISPs with load-balancing capabilities will absorb much of the impact — albeit not 100% — of large volumetric attacks by the time they reach their destination.



Figure 1. Comparison between Normal Attack Traffic and Attack Traffic with Legitimate Traffic


In the example shown here, the orchestrated attacks generated only 33.2Mbps per destination IP — small enough to fly under the radar and be mistaken as legitimate traffic delivered straight to the destination ASN.


In Q3, Nexusguard observed that some 159 ASNs or 527 Class C networks were targeted in a series of bit-and-piece attacks. The figures reveal that the campaign was significant and the attacks were far more sophisticated than typical network-layer attacks. After tracing advertised BGP routes, AS paths, and trace-routes, we saw that attackers targeted networks within the same geo-location, attempting to max out the physical limitations of transmission lines. In the worst-case scenario outlined in the summary below, the convergence of attack traffic spread across 38 IP prefixes, each loaded with 2.48Gbps of attack traffic — potent enough to overwhelm a 10Gbps ISP line.
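The detection gap the report describes comes from thresholding on the destination IP alone. The following added example (not part of the report or of any Nexusguard tooling) shows the same flow rates evaluated two ways: per destination IP, where every host stays under the threshold, and aggregated per /24 prefix, where the converged volume is visible. The 100Mbps threshold is the volumetric cut-off from the report's methodology note; the 33.2Mbps per-IP rate is the figure quoted above; the prefixes, host counts and background traffic are constructed.

```python
import ipaddress
from collections import defaultdict

# Volumetric threshold from the report's methodology (footnote 2): >= 100Mbps per destination.
PER_IP_THRESHOLD_MBPS = 100.0

# Constructed sample: (destination IP, observed rate in Mbps) for one five-minute window.
# 33.2Mbps per host mirrors the rate quoted in the report; everything else is made up.
SAMPLE_FLOWS = (
    [(f"203.0.113.{h}", 33.2) for h in range(1, 41)]      # 40 hosts in one /24 -> ~1328Mbps combined
    + [(f"198.51.100.{h}", 33.2) for h in range(1, 6)]    # 5 hosts in another /24 -> ~166Mbps combined
    + [("192.0.2.10", 12.0), ("192.0.2.11", 8.5)]         # ordinary traffic in a third /24
)


def per_ip_alerts(flows, threshold=PER_IP_THRESHOLD_MBPS):
    """Classic per-destination check: flag any single IP at or above the threshold."""
    return sorted(ip for ip, mbps in flows if mbps >= threshold)


def per_prefix_totals(flows, prefix_len=24):
    """Sum observed rates per covering prefix (default /24, i.e. the 'Class C' grain used in the report)."""
    totals = defaultdict(float)
    for ip, mbps in flows:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        totals[str(net)] += mbps
    return dict(totals)


def per_prefix_alerts(flows, prefix_len=24, threshold=PER_IP_THRESHOLD_MBPS):
    """Flag prefixes whose converged volume meets the threshold even though no single IP does."""
    return sorted(
        net for net, mbps in per_prefix_totals(flows, prefix_len).items() if mbps >= threshold
    )


if __name__ == "__main__":
    print("per-IP alerts:    ", per_ip_alerts(SAMPLE_FLOWS))        # nothing fires
    print("per-/24 totals:   ", per_prefix_totals(SAMPLE_FLOWS))
    print("per-/24 alerts:   ", per_prefix_alerts(SAMPLE_FLOWS))    # two prefixes fire
```

The per-IP pass returns nothing because no host reaches 100Mbps, which is exactly the blind spot the report attributes to typical CSP-side detection. Aggregating the same samples per prefix (and, in practice, per transmission line or downstream ASN) exposes the converged load; the prefix length is a parameter so the same check can be run at the /24, /16 or AS grain that matches the operator's line capacity planning.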


Table 1. Information about Attack Traffic with “Bit and Piece” Pattern



Implications for ASN-level CSPs


Given the negligible size of malicious traffic, targeted ASN-level CSPs can easily miss large-scale DDoS attacks in the making. The diffused traffic is likely to be mistaken as legitimate and delivered straight to the destination ASN. Eventually the ASN will realize its high-traffic IP prefixes are under a multi-gigabyte DDoS attack that is significantly impacting its physical transmission lines.


Black-holing may be a solution. But black-holing all traffic to an entire IP prefix, especially a high-traffic one, will affect large portions of legitimate traffic as black-holing doesn’t distinguish between legitimate and malicious traffic. All packets destined for black-holed IP prefixes are dropped, thus disconnecting its upstream networks. And while upstream “clean pipes” may filter many noticeable attacks, the bit-and-piece pattern typically goes unnoticed by upstream ISPs before they converge at the target CSP. In the end, the cumulative impact of junk traffic from diverse IPs creates a severe bottleneck for DDoS mitigation appliances of the targeted CSP. To break the bottleneck, the destination ASN must share the load in order to minimize the impact — for example by multi-casting with a scrubbing facility.


The best solution to mitigating ever-evolving DDoS attacks is an always-on cloud deployment. Nexusguard’s global scrubbing centers can be deployed as an always-on solution to mitigate attacks of any size or pattern on the network edge before they reach the CSP.



Attack Vectors and Their Targets


Attack vectors discovered via Nexusguard’s honeypot network show that amplification attacks were dominant in the quarter. Simple Service Discovery Protocol (SSDP) Amplification attacks were the most frequent, accounting for 94.1%. CHARGEN came in a distant second at 2.4%, while DNS Amplification followed with a scant 1.8% of attacks observed in Q3.


Figure 2. Distribution of DDoS Attack Vectors


Source IP addresses show that ASN-level CSPs were the most popular target in the quarter, accounting for 65.5% of all attacks observed. With so many network assets, including those of their tenants, it’s no surprise that ASN-level CSPs are increasingly targeted — directly or indirectly — by DDoS attacks.



Figure 3. Distribution of Attacks on Different CSP-related Sectors



DDoS Activities


Types of Attack Vectors2


SSDP Amplification attacks were the most popular in the quarter, growing 639.84% QoQ and 121.68% YoY, despite the fact that total attack counts fell measurably over both periods. In sharp contrast, UDP attacks fell by 54.86% QoQ and 26.38% YoY and ICMP fell 45.53% QoQ and 10.16% YoY. SSDP attacks totaled 1,820 counts, UDP (1,538) ranked second, while the third and fourth spots were occupied by ICMP (548) and TCP SYN (274).


Because it is open and often unsecured, SSDP is an attractive and vulnerable target. So it’s no surprise that attackers abused the protocol to launch “bit-and-piece” DDoS attacks on some 527 Class C networks of CSPs. While SSDP Amplification attacks were the most frequently used in the quarter, Nexusguard believes that attackers will diversify attack vectors going forward.



Figure 4. Distribution of DDoS Attack Vectors


2. Attacks on network Layers 3 and 4 lasting for at least five minutes at a size equal to or larger than 100Mbps were counted as volumetric attacks. Attacks targeting applications lasting for at least five minutes with at least 500 requests per sec were counted as application attacks. Attack vector measures the number of vectors exploited by the same attack on the same destination IP. An attack is defined as one or more attacks that occurred within a time interval of five minutes in between. In the same attack, each attack vector is counted once no matter how many times it is targeted, as long as the attacks occurred within a time interval of five minutes in between.



Top 3 Attack Vectors









Quantity of Attack Vectors


Nexusguard defines an incident3 as a series of malicious traffic flows with varying degrees of intensity, regardless of the attack method or signature. A collective analysis of incidents rather than focusing on individual attacks allows us to see the big picture and identify new signatures.

The new “bit-and-piece” attacks we saw in Q3 were mainly abuses of the UDP Port used to generate small-sized SSDP attacks and spread them over a large number of IPs. This stealthy technique is designed to evade detection. We believe attackers will diversify into more attack vectors as they continue to vary this new pattern.

A breakdown of attack vectors revealed that 78.31% of incidents targeted one vector, compared with 52.03% in the previous quarter. 21.69% targeted two vectors or more. Of all multi-vectors analyzed, those that targeted two vectors accounted for 13.44%, while those targeting three accounted for 5.39%. The most complex multi-vector attack targeted as many as ten vectors in a campaign.


Figure 5. Distribution of DDoS Attack Vectors

3. If more than one attack on the same destination IP are captured and if the time interval between the first and the second attacks is less than 24 hours, both of them will be counted as the same event. If both attacks abuse the same vector, this event will be categorized as a single-vector attack. And if there are more than one attack vector, this event will be categorized as a multi-vector attack.


Multi-vector attacks utilize multiple, simultaneous vectors to maximize the disruption of CSP service availability. UDP was an integral ingredient in each of the top five combinations. The mixture of UDP and DNS was the most popular type of blended attack. The combination of UDP, NTP Amplification, and ICMP ranked number two, while cocktails of UDP, DNS, ICMP, and NTP Amplification attacks were tied for third place.


Table 2. Top Five Multi-vector Attacks


Attack Durations4


About 62% of attacks were shorter than 90 minutes, while some 38% lasted longer. Only 0.59% were longer than 1,200 minutes. The average duration was 184.23 minutes, while the longest attack lasted 2 days, 3 hours, and 13 minutes. Shorter, precise attacks enable attackers to maximize disruptions during peak times of online activity in a most cost-effective way.


Figure 6. Distribution of Attack Durations

4. Attack duration measures the timespan of a series of attacks on the same destination IP within a time interval of five minutes in between but regardless of the number of attack vectors. If no more attack occurs after five minutes, the finish time of the last attack is considered to be the cut-off time. The “ceasefire breaks” between attacks are excluded from attack duration.



Attack Size Distribution5


The average attack size recorded in the quarter was 0.972Gbps. Smaller, new-style attacks (300.1Mbps maximum) were distributed across many IP addresses. Accordingly, most attacks were concentrated in the less than 10Gbps range (91.61%) while those larger than 10Gbps accounted for only 8.39% of the total. While it’s true that attacks smaller than 1Gbps are relatively insignificant to large CSP networks, the cumulative impact of bits and pieces of junk traffic distributed across multiple IP prefixes can be substantial when the traffic converges.


Figure 7. Distribution of Attack Sizes



5. Attack size measures the aggregate size of a series of attacks on the same destination IP within a time interval of five minutes in between but regardless of the number of attack vectors. The peak size of each attack within the same attack is counted in the aggregation. If no more attack occurs after five minutes, the aggregation stops.
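Footnotes 2, 3, 4 and 5 together define how raw observations are rolled up: records on the same destination IP separated by gaps of five minutes or less form one attack, each vector counts once within it, its duration excludes the ceasefire breaks, its size is the aggregate of member peak sizes, and attacks less than 24 hours apart form one incident that is single- or multi-vector. The following added example (not Nexusguard's code) implements those rules on constructed records so the counting can be checked by hand. Where the footnotes leave room for interpretation, the code picks one and says so in a comment: "aggregate" is taken as the sum of member peaks, and the 24-hour rule is applied between consecutive attacks.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ATTACK_GAP = timedelta(minutes=5)    # footnotes 2, 4, 5: gaps <= 5 min join records into one attack
INCIDENT_GAP = timedelta(hours=24)   # footnote 3: attacks < 24 h apart on one IP form one incident


@dataclass
class Record:
    """One observed burst of a single vector against one destination IP (constructed input)."""
    dst_ip: str
    start: datetime
    end: datetime
    vector: str
    peak_mbps: float


@dataclass
class Attack:
    dst_ip: str
    start: datetime
    end: datetime
    vectors: set = field(default_factory=set)   # each vector counted once (footnote 2)
    active_minutes: float = 0.0                 # ceasefire breaks excluded (footnote 4)
    aggregate_mbps: float = 0.0                 # interpretation of footnote 5: sum of member peaks


def build_attacks(records, gap=ATTACK_GAP):
    """Sessionize records per destination IP using the five-minute gap rule."""
    attacks = []
    for rec in sorted(records, key=lambda r: (r.dst_ip, r.start)):
        cur = attacks[-1] if attacks else None
        if cur and cur.dst_ip == rec.dst_ip and rec.start - cur.end <= gap:
            cur.end = max(cur.end, rec.end)              # extend the running attack
        else:
            cur = Attack(rec.dst_ip, rec.start, rec.end)  # gap too long: start a new attack
            attacks.append(cur)
        cur.vectors.add(rec.vector)
        cur.active_minutes += (rec.end - rec.start).total_seconds() / 60
        cur.aggregate_mbps += rec.peak_mbps
    return attacks


def build_incidents(attacks, gap=INCIDENT_GAP):
    """Group attacks per destination IP into incidents and classify each as single- or multi-vector."""
    incidents = []
    for atk in sorted(attacks, key=lambda a: (a.dst_ip, a.start)):
        cur = incidents[-1] if incidents else None
        # Interpretation: chain consecutive attacks while each starts < 24 h after the previous one ended.
        if cur and cur["dst_ip"] == atk.dst_ip and atk.start - cur["end"] < gap:
            cur["end"] = max(cur["end"], atk.end)
            cur["attacks"] += 1
            cur["vectors"] |= atk.vectors
        else:
            incidents.append({"dst_ip": atk.dst_ip, "end": atk.end, "attacks": 1,
                              "vectors": set(atk.vectors)})
    for inc in incidents:
        inc["kind"] = "multi-vector" if len(inc["vectors"]) > 1 else "single-vector"
    return incidents


# Constructed sample: one IP hit by UDP then DNS (3-minute gap), ICMP 30 minutes later,
# and UDP again the next day; a second IP sees a single small SSDP burst.
T = datetime(2018, 9, 1, 10, 0)
SAMPLE_RECORDS = [
    Record("192.0.2.5", T, T + timedelta(minutes=30), "UDP", 800.0),
    Record("192.0.2.5", T + timedelta(minutes=33), T + timedelta(minutes=50), "DNS", 300.0),
    Record("192.0.2.5", T + timedelta(minutes=80), T + timedelta(minutes=85), "ICMP", 50.0),
    Record("192.0.2.5", T + timedelta(days=1, hours=1), T + timedelta(days=1, hours=1, minutes=15), "UDP", 200.0),
    Record("198.51.100.9", T + timedelta(hours=2), T + timedelta(hours=2, minutes=10), "SSDP", 33.2),
]

if __name__ == "__main__":
    attacks = build_attacks(SAMPLE_RECORDS)
    for a in attacks:
        print(a.dst_ip, a.start.time(), a.end.time(), sorted(a.vectors), a.active_minutes, a.aggregate_mbps)
    for inc in build_incidents(attacks):
        print(inc["dst_ip"], inc["attacks"], "attack(s)", inc["kind"])
```

Running it yields four attacks: the UDP and DNS bursts merge into one 47-minute, 1100Mbps, two-vector attack because the 3-minute pause is below the gap, the ICMP burst 30 minutes later is a separate attack, and so is the next day's UDP burst. All three fall into one multi-vector incident since each starts within 24 hours of the previous one ending; the SSDP burst is a single-vector incident on its own. The same functions can be run over exported flow-collector records to reproduce the report's per-incident vector counts.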



Global Attack Source Distribution6


China clinched the lead with the largest number of global attack sources. The US followed while Vietnam and Russia placed third and fourth, respectively. China now numbers more than 1B Internet users, nearly one-third of the worldwide total.


Table 3. Top 10 Global Attack Sources

6. Untraceable volumetric attacks transmitted with spoofed IP addresses such as TCP SYN, ICMP, and DNS were not included in our sampling. Only traceable attacks like HTTP Flood with real source IP addresses were counted.



APAC Attack Source Distribution


As in the global distribution, China again ranked first. Vietnam followed while India and Thailand took third and fourth place, respectively.


Table 4. Top 10 Sources for APAC Attacks



Global Attack Sources by Autonomous System Number (ASN)


The US and China occupied the top three positions with Vietnam and France ranking fourth and fifth, respectively.


Table 5. Top Ten ASN Attack Rankings


Conclusions


Owing to their large attack surface, ASN-level CSPs are highly exposed to DDoS attacks. In the third quarter we identified a sneaky, new tactic whereby attackers contaminated a diverse pool of IP addresses across hundreds of IP prefixes (at least 159 ASN, 527 Class C networks) with very small-sized junk traffic. As a consequence, both the maximum and average attack sizes fell measurably YoY.

Like Mongol troops in the past, attackers conducted reconnaissance missions to map out the network landscape in advance and identify the mission-critical IP ranges of targeted CSPs. They then injected bits and pieces of junk into legitimate traffic, which easily bypassed detection because its size was well below detection thresholds.

As opposed to mitigating traffic to a small number of targeted IPs (the traditional volumetric attack method), mitigating broadly distributed, small-sized attack traffic is difficult at the CSP level. The convergence of polluted traffic that slips through the “clean pipes” of upstream ISPs forms a massive traffic flow that easily exceeds the capacity of mitigation devices, leading to high latency at best, or deadlock at worst. Black-holing all traffic to an entire IP prefix may be a way out, yet it is a costly one since black-holing will also block access to a wide range of legitimate services.

The “bit-and-piece” attacks we observed in the quarter often leveraged open DNS resolvers to launch what is commonly known as DNS Amplification, whereby a destination IP (victim) receives only a small number of responses in each well-organized campaign, leaving little or no trace. As such, we expect that it will continue to be difficult to detect and mitigate DNS Amplification attacks carried out in this manner.

Finally, the ongoing evolution of DDoS methods suggests that CSPs need to enhance their network security posture and find better ways to protect their critical infrastructure and their tenants. The continued discovery of new attack patterns should also alert enterprises to the importance of selecting DDoS-proof service providers.


Research & Methodology


As a global leader in Distributed Denial of Service (DDoS) attack mitigation, Nexusguard observes and collects real-time data on threats facing service provider and enterprise networks worldwide. Threat intelligence is gathered via attack data, research, publicly available information, honeypots, ISPs, and logs recording traffic between attackers and their targets. The analysis conducted by our research team identifies vulnerabilities and measures attack trends worldwide to provide a comprehensive view of DDoS threats.

Attacks and hacking activities have a major impact on cybersecurity. Because of the comprehensive, global nature of our data sets and observations, Nexusguard is able to evaluate DDoS events in a manner that is not biased by any single set of customers or industries. Many zero-day threats are first seen on our global research network. These threats, among others, are summarized in quarterly Threat Reports produced by Nexusguard’s research team:

  • Tony Miu, Research Direction & Security Data Analysis
  • Ricky Yeung, Data Mining & Analysis
  • Dominic Li, Data Analysis & Content Development
  • immy Chow, Technical Writing


Original link:



Last edited by CCkicker on 2019-1-24 17:18; reason: