Black Lotus Threat Report Q3 2014


Threat Report

Volume I, Issue 5
Nov 14, 2014

License

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in
accordance with the Creative Commons Attribution-ShareAlike 4.0 International license.

Abstract
As a provider of distributed denial of service (DDoS) mitigation services, Black Lotus is in a unique
position to observe and collect real-time data on the threats facing service providers and enterprises.
Many zero-day threats are first seen on the Black Lotus network. These threats are summarized in our
quarterly report.
The data contained in this report covers DDoS attack data for the period June 30, 2014 to September 29,
2014.

15.2 Gbps, 6.1 Mpps


The largest attack mitigated on the Black Lotus network during the Q3 2014 reporting period, in terms of
gigabits per second (bit volume) and millions of packets per second (packet volume).

3.2 Gbps, 1.0 Mpps


The average attack mitigated on the Black Lotus network during the reporting period.

August 23, 2014


We observed the largest DDoS attacks on this date.

201,721
The number of confirmed DDoS attacks mitigated on the Black Lotus network during the reporting period.

940,789
The total number of confirmed DDoS attacks mitigated on the Black Lotus network in the first 3 quarters
in 2014.

Top 5 DDoS Attack Sources by Country


1. China
2. United States of America
3. Russian Federation
4. Germany
5. Vietnam

DDoS Traffic
During the Q3 2014 reporting period, Black Lotus observed an average distributed denial of service (DDoS) attack size of
3.2 gigabits per second (Gbps) and 1 million packets per second (Mpps). While this figure is relatively low compared to
the bandwidth available to many service providers and enterprises, many others do not have that bandwidth available,
either because of the size of their networks or because of the prohibitively expensive cost of telecommunications services.
The average attack size has increased steadily by approximately 10 percent each consecutive quarter in 2014, indicating
that networks must maintain a DDoS mitigation defense capable of at least 5 Gbps to safely defend against the majority of
attacks in the current year. Many DDoS mitigation services and DDoS-protected hosting providers, including Black Lotus
and hosting services protected by Black Lotus, offer DDoS protection levels of 10 Gbps and up, which is sufficient for
many requirements; however, larger attacks continue to occur, and these have the potential to cause service disruptions.
Figure 1 details the maximum attack size in terms of bit volume observed by Black Lotus during the reporting period.
Black Lotus observed 201,721 attacks, with the largest bit volume of a single attack, 15.2 Gbps, occurring on September 3,
2014, and the largest packet volume of a single attack, 6.1 Mpps, on August 29, 2014.
Attacks that are particularly large in bit volume continue to pose a problem for even the best-equipped networks. While
many service providers and enterprises are beginning to invest in robust DDoS mitigation infrastructures, they are
inherently limited by the capabilities of their equipment and by the bandwidth available to them, which in many cases
is 10 Gbps or less. Over the past three calendar quarters, attacks exceeded 10 Gbps on 184 of the 270 days, and on 97
of those high-volume days attacks were observed reaching more than 20 Gbps. The frequency of high packet
volume attacks is also alarming: on 218 of the 270 days the peak packet volume exceeded 1 Mpps. Network
operators must increase investment in DDoS defense or enlist the assistance of purpose-built DDoS mitigation services to
be able to mitigate these larger attacks without service interruption.
NTP DrDoS attacks peaked in early January and again in early February 2014, resulting in record-breaking bit volumes,
including a 421 Gbps attack mitigated by Black Lotus; however, traditional multi-vector attacks against servers and websites,
such as TCP SYN and HTTP GET floods, have resurfaced as the most frequent severe threat because attackers can no longer
find sufficient quantities of vulnerable NTP daemons with which to amplify reflection attacks. As a result, the
peak bit volume of the largest attack observed in Q3 2014 dropped 96 percent (relative to the Q1 peak) to 15.2 Gbps. Black Lotus expects that
attackers will use DrDoS attacks whenever possible, resorting to non-amplification attacks when there is not a sufficient
quantity of vulnerable systems to use for amplification.

[Chart: Attack Bit Volume by Date; y-axis Gigabits per second, 0 to 16]

Figure 1. Maximum bit volume per attack incident during Q3 2014

While DDoS attacks are frequently cited in terms of their bit volume, the packet volume of an attack can be particularly
devastating. Even if an attack does not exceed the bit capacity of a network or DDoS mitigation system, it can often
exceed the packet-processing capability of the targeted network. For instance, one popular DDoS mitigation hardware
vendor frequently sells 10 Gbps DDoS mitigation systems that are only capable of mitigating 4 Mpps, whereas the line-rate
capability of a 10 Gbps interface at minimum-size (64-byte) frames is ~14.9 Mpps. Such equipment therefore saturates at
about 27 percent of the circuit capacity when the attack consists of small packets, as SYN floods do.
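The arithmetic behind that comparison, as an added illustration that is not part of the report: the Ethernet framing constants are the standard figures, the 10 Gbps / 4 Mpps device numbers are the ones quoted above, and treating the report's 6.1 Mpps peak as minimum-size frames is an assumption made here to show how little bandwidth a packet-rate attack needs.

```python
# Added example (not from the Black Lotus report): line-rate packet math behind
# "~15 Mpps on a 10 Gbps interface" and "saturates at 27 percent".
# Framing constants are standard Ethernet; the device figures (10 Gbps box rated
# for 4 Mpps) are the ones quoted in the text; 64-byte attack frames are assumed.

ETH_PREAMBLE_SFD = 8   # bytes of preamble + start-frame delimiter before each frame
ETH_IFG = 12           # minimum inter-frame gap, bytes
MIN_FRAME = 64         # minimum Ethernet frame (header + padded payload + FCS), bytes


def wire_bytes(frame_bytes: int) -> int:
    """Bytes a frame occupies on the wire, including framing overhead that never
    reaches the packet processor but still consumes link time."""
    return max(frame_bytes, MIN_FRAME) + ETH_PREAMBLE_SFD + ETH_IFG


def line_rate_pps(link_bps: float, frame_bytes: int = MIN_FRAME) -> float:
    """Maximum packets per second a link can carry at a given frame size.
    For 10 Gbps and 64-byte frames: 10e9 / (84 * 8) ~= 14.88 Mpps."""
    return link_bps / (wire_bytes(frame_bytes) * 8)


def saturation_fraction(device_pps: float, link_bps: float,
                        frame_bytes: int = MIN_FRAME) -> float:
    """Fraction of the link's bit capacity at which a device with a fixed
    packet-rate ceiling runs out of headroom. Below 1.0 means the device,
    not the circuit, is the bottleneck for small-packet floods."""
    return device_pps / line_rate_pps(link_bps, frame_bytes)


def wire_bps(pps: float, frame_bytes: int) -> float:
    """Bit rate on the wire produced by `pps` packets of `frame_bytes` each."""
    return pps * wire_bytes(frame_bytes) * 8


if __name__ == "__main__":
    link = 10e9
    print(f"10 GbE line rate at 64-byte frames: {line_rate_pps(link) / 1e6:.2f} Mpps")
    print(f"4 Mpps device saturates at {saturation_fraction(4e6, link):.0%} of 10 Gbps")
    # Assumption for illustration: the report's 6.1 Mpps peak carried 64-byte SYNs.
    print(f"6.1 Mpps of 64-byte SYNs is {wire_bps(6.1e6, 64) / 1e9:.1f} Gbps on the wire")
```

The last line is the practical point: a 6.1 Mpps flood of minimum-size packets occupies only about 4.1 Gbps, well inside a 10 Gbps circuit, yet is 50 percent above the 4 Mpps ceiling of the device described above. Capacity planning for mitigation therefore has to be done in packets per second as well as bits per second.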

[Chart: Attack Packet Volume by Date; y-axis Millions of packets per second, 0 to 7]

Figure 2. Maximum packet volume per attack incident during Q3 2014

During the Q3 2014 reporting period, 147,096 (73 percent) of the 201,721 attacks observed were regarded as severe.
Once awareness of the NTP DrDoS vulnerability spread, these reflection attacks became substantially more
difficult to accomplish, and application layer attacks once again became the vector of choice for DDoS attackers.
Application layer attacks can pose a problem even for those protected by network-based DDoS mitigation systems. Also
known as layer 7 attacks, and often combined with SYN floods to form multi-vector attacks, they exploit weaknesses and
inefficiencies in individual applications in order to cause resource depletion, resulting in an outage of the server. During
the current reporting period, 22,068 (15 percent) of severe attacks targeted servers and applications, most commonly
Web servers (HTTP) and domain name services (DNS), the latter being required to provide address resolution to customers.
Attacks on either can result in an outage of the site and are extremely difficult to mitigate without professional assistance.
In Q3 2014 the SYN flood remains the top category among all severe attacks, reaching 49 percent.
DDoS Attack Types (Figure 3, pie chart, share of all incidents):
  SYN FLOOD         49%
  HTTP Get FLOOD    18%
  UDP FLOOD         13%
  TCP Flag misuse    9%
  ICMP FLOOD         4%
  ACK FLOOD          4%
  DNS Query FLOOD    3%

Figure 3. DDoS attack types of all incidents by percentage

[Chart: Distribution of Severe DDoS Attacks; y-axis Critical Alerts (thousands), 0 to 90; vectors shown: SYN FLOOD,
TCP Flag misuse, HTTP Get FLOOD, UDP FLOOD, ICMP FLOOD, DNS Query FLOOD, ACK FLOOD, IGMP FLOOD, TCP Flag NULL, LAND FLOOD]

Figure 4. Severe multi-vector attacks have increased from 17 percent in Q2 2014 to 73 percent in Q3 2014

Due to the extremely low frequency of NTP DrDoS attacks during the Q3 2014 reporting period, these incidents are now
aggregated under UDP floods.
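The vector names in Figures 3 and 4 are the categories a mitigation pipeline has to assign per packet before it can rate-limit anything, and the "multi-vector" label in Figure 4 is simply more than one of them exceeding a threshold against the same host at once. The following is an added example, not code from the report or from Black Lotus: a per-packet classifier into those vector names plus a per-destination rate check. The packet records are constructed, and the flag rules, thresholds and window are assumptions for the example, not the company's detection logic.

```python
# Added example (not from the Black Lotus report): classify packets into the
# vector names used in Figures 3 and 4, then rate-check each destination so that
# a host hit by more than one vector at once is reported as multi-vector.
# Packet records, thresholds and flag rules are constructed assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""     # TCP flags as tcpdump letters: S A F R P U
    payload: bytes = b""


SYN_FIN_RST = {"S", "F", "R"}


def classify(pkt: Packet) -> str:
    """Map one packet to a vector name; 'other' means not attack-shaped."""
    if pkt.proto == "icmp":
        return "ICMP FLOOD"
    if pkt.proto == "udp":
        return "DNS Query FLOOD" if pkt.dport == 53 else "UDP FLOOD"
    # TCP from here on
    if pkt.src == pkt.dst:
        return "LAND FLOOD"                      # spoofed source equals destination
    f = set(pkt.flags)
    if not f:
        return "TCP Flag NULL"                   # no flags at all is never legitimate
    if len(f & SYN_FIN_RST) > 1 or f >= {"F", "P", "U"}:
        return "TCP Flag misuse"                 # SYN+FIN, SYN+RST, FIN+RST, XMAS
    if f == {"S"}:
        return "SYN FLOOD"
    if pkt.dport == 80 and pkt.payload.startswith(b"GET "):
        return "HTTP Get FLOOD"                  # layer 7: handshake done, real requests
    if f == {"A"}:
        return "ACK FLOOD"
    return "other"                               # e.g. SYN-ACK, RST-ACK, data segments


def detect(packets, window_s: float, threshold_pps: float) -> dict:
    """Per destination, the vectors whose rate over the window reaches the
    threshold. Two or more entries for one host is a multi-vector attack."""
    per_dst = defaultdict(Counter)
    for p in packets:
        per_dst[p.dst][classify(p)] += 1
    verdict = {}
    for dst, counts in per_dst.items():
        hot = {v: n / window_s for v, n in counts.items()
               if v != "other" and n / window_s >= threshold_pps}
        if hot:
            verdict[dst] = hot
    return verdict


def sample_capture():
    """Constructed one-second window (not real traffic): a SYN flood and an
    HTTP GET flood against one host, a trickle of browsing to another."""
    target, other = "203.0.113.10", "203.0.113.20"
    pkts = []
    for i in range(3000):       # spoofed SYNs, a fresh source each time
        pkts.append(Packet(f"198.51.100.{i % 250}", target, "tcp", 80, "S"))
    for i in range(1200):       # GET flood from a small set of bots
        pkts.append(Packet(f"192.0.2.{i % 40}", target, "tcp", 80, "PA",
                           b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
    for _ in range(50):         # legitimate requests and their ACKs elsewhere
        pkts.append(Packet("192.0.2.200", other, "tcp", 80, "PA",
                           b"GET /index.html HTTP/1.1\r\n\r\n"))
        pkts.append(Packet("192.0.2.200", other, "tcp", 80, "A"))
    pkts.append(Packet(target, target, "tcp", 80, "S"))   # one LAND packet, under threshold
    return pkts


if __name__ == "__main__":
    for dst, vectors in detect(sample_capture(), window_s=1.0, threshold_pps=1000).items():
        kind = "multi-vector" if len(vectors) > 1 else "single-vector"
        print(dst, kind, vectors)
```

Note that the GET flood is only visible because the classifier looks past the TCP flags into the payload of established connections; a purely network-layer filter sees those 1,200 packets as ordinary PSH/ACK segments on port 80, which is the difficulty with layer 7 attacks described above.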

2014 DDoS Attacks Summary:

                                 Q1 2014   % Change Q1-Q2   Q2 2014   % Change Q2-Q3   Q3 2014
Largest attack (bits, Gbps)          421          -85.99%        59          -74.24%      15.2
Largest attack (packets, Mpps)       122          -76.23%        29          -78.97%       6.1
Average attack (bits, Gbps)          2.7           +7.41%       2.9          +10.34%       3.2
Average attack (packets, Mpps)       1.8          -22.22%       1.4          -28.57%       1.0
Total attack volume              462,621          -40.24%   276,447          -27.03%   201,721
Severe attacks                       20%                         17%                        73%

Table 1. Summary of confirmed DDoS attacks mitigated on the Black Lotus network in 2014. The Q2-Q3 changes for the
largest attacks are computed from the 15.2 Gbps and 6.1 Mpps peaks reported above.

Trends

[Chart: Largest Attack per quarter, Q1 2014 to Q3 2014; left axis Gbps (0 to 450), right axis Mpps (0 to 140)]
We continue to observe a reduction in the bit volume of individual attacks in consecutive quarters. The peak attack
bit volume has dropped from 421 Gbps in Q1 to 59 Gbps in Q2 and 15.2 Gbps in Q3.

[Chart: Average Attack per quarter, Q1 2014 to Q3 2014; Gbps and Mpps]
The average attack bit volume is increasing while the average attack packet volume is decreasing. This represents a
change in the attack methods deployed by the perpetrators, from large volumetric network-based attacks to more complex
multi-vector attacks in which application layer attacks and SYN floods are blended together.

[Chart: Total Attack Volume per quarter, Q1 2014 to Q3 2014; y-axis attack incidents, 200,000 to 500,000]
The total number of attack incidents continues to decline, from 462,621 attacks in Q1 to 276,447 attacks in Q2 and 201,721
attacks in Q3.

Key Analysis

In Q3 2014, we observed that the average attack bit volume is increasing while the average attack packet volume is
decreasing. This can be attributed to a change in the attack methods deployed by the perpetrators, from large
volumetric network-based attacks to more complex multi-vector attacks in which application layer attacks and SYN
floods are blended together. DDoS attacks have significantly and continuously declined in peak size and total
incident count as NTP DrDoS attacks have largely subsided. This occurred due to better awareness in the security
community of the threat posed by vulnerable NTP daemons, prompting administrators to upgrade from vulnerable
versions and, in some cases, prompting network operators to filter potentially malicious NTP traffic.
When more effective zero-day attacks do not exist, attackers will often fall back to tried-and-true methods of
attacking systems, including SYN floods and application layer attacks, which are often launched in tandem. The
largest bit volume attack observed by Black Lotus this quarter was the result of a SYN flood against a Web server, largely
sourced from Chinese networks.
A significant drop in the total attack volume mitigated by Black Lotus for its customers can be attributed to the
proactive defense process instituted by the Black Lotus DDoS mitigation team on behalf of our customers. System-
and network-level vulnerabilities are identified and rectified as part of the initial customer turn-up process. DDoS
attack incidents against networks or servers protected by Black Lotus were often detected and mitigated at the
very beginning of the attack, rendering them unable to cause any real disruption to our customers' networks
or online services and hence discouraging further incidents targeting them.
Unlike NTP DrDoS attacks, SYN floods and application layer attacks against Web servers are very difficult to
mitigate using conventional network hardware as they target TCP/80, which is the same port required to serve
legitimate users.
These attacks are not as dangerous to providers of Internet infrastructure, since the bit and packet volumes are
much lower and within the capacity of many tier 1 networks; however, they continue to pose a serious threat to
service providers and enterprises that do not have significant excess capacity and DDoS mitigation solutions in
place.

Another factor that explains the decline in total incident volume is the difficulty of launching large volume SYN
floods compared to DrDoS.
In the Q1 2014 edition, Black Lotus predicted 800 Gbps attacks on the horizon. That prediction was based on the
potential for a new zero-day DrDoS attack to occur, similar to the NTP attacks earlier this year, and it remains a cause
for concern. Attackers will continue to look for new vulnerabilities in services that rely on the UDP protocol in an
effort to replicate the success they found with NTP DrDoS.
The new up-and-coming countries of origin for DDoS attacks identified by the Black Lotus mitigation team are
Vietnam, India and Indonesia. While these countries don't have the large bandwidth necessary to launch massive
volumetric DDoS attacks, the large number of compromised endpoint devices, particularly smartphones,
makes these countries prime sources of newly created botnets.

Contact Us
To learn more about Black Lotus, DDoS attacks, and DDoS mitigation solutions, please contact:

Headquarters
Black Lotus Communications
1 Sansome St., Suite 1500
San Francisco, CA 94104

Sales: sales@blacklotus.net
Support: support@blacklotus.net

Emergency Response Center


Black Lotus Communications
900 N. Alameda St., Suite 220
Los Angeles, CA 90012

(866) 477-5554
(800) 789-1977
