Black Lotus Threat Report Q3 2014
Volume I, Issue 5
Nov 14, 2014
License
This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in
accordance with the Creative Commons Attribution-ShareAlike 4.0 International license.
Abstract
As a provider of distributed denial of service (DDoS) mitigation services, Black Lotus is in a unique
position to observe and collect real time data on the threats facing service providers and enterprises.
Many zero day threats are first seen on the Black Lotus network. These threats are summarized in our
quarterly report.
The data contained in this report covers DDoS attack data for the period June 30, 2014 to September 29,
2014.
201,721: the number of confirmed DDoS attacks mitigated on the Black Lotus network during the reporting period.
940,789: the total number of confirmed DDoS attacks mitigated on the Black Lotus network in the first three quarters of 2014.
DDoS Traffic
During the Q3 2014 reporting period, Black Lotus observed an average distributed denial of service (DDoS) attack size of
3.2 gigabits per second (Gbps) and 1 million packets per second (Mpps). While this figure is relatively low compared to
the bandwidth available to many service providers and enterprises, there are many that do not have the available
bandwidth, either because of the size of their networks or the prohibitively expensive cost of telecommunications services.
This average attack size has increased by approximately 10 percent in each consecutive quarter of 2014, indicating
that networks must maintain DDoS mitigation capacity of at least 5 Gbps to defend safely against the majority of
attacks in the current year. Many DDoS mitigation services and DDoS-protected hosting providers, including Black Lotus
and hosting services protected by Black Lotus, offer DDoS protection levels of 10 Gbps and up, which is sufficient for
many requirements; however, larger attacks continue to occur and have the potential to cause service disruptions.
Figure 1 details the maximum attack size in terms of bit volume observed by Black Lotus during the reporting period.
Black Lotus observed 201,721 attacks, with the largest bit volume single attack of 15.2 Gbps occurring on September 3,
2014, and the largest packet volume single attack of 6.1 Mpps on Aug 29, 2014.
Attacks that are particularly large in bit volume continue to pose a problem for even the best-equipped networks. While
many service providers and enterprises are beginning to invest in robust DDoS mitigation infrastructure, they are
inherently limited by the capabilities of their equipment and by the bandwidth available to them, which in many cases
is 10 Gbps or less. Over the past three calendar quarters, attacks exceeded 10 Gbps on 184 of the 270 days, and on 97
of those high-volume days attacks were observed reaching more than 20 Gbps. The frequency of high packet volume
attacks is also alarming: peak packet volume exceeded 1 Mpps on 218 of the 270 days. Network operators must increase
investment in DDoS defense or enlist the assistance of purpose-built DDoS mitigation services to be able to mitigate
these larger attacks without service interruption.
NTP DrDoS attacks peaked in early January and again in early February 2014, resulting in record-breaking bit volumes,
including a 421 Gbps attack mitigated by Black Lotus; however, traditional multi-vector attacks against servers and websites,
such as TCP SYN and HTTP GET floods, have resurfaced as the most frequent severe threat because attackers were unable to
find sufficient quantities of vulnerable NTP daemons through which reflection attacks could be amplified. As a result, the
peak bit volume of the largest attack observed in Q3 2014 dropped 96 percent to 15.2 Gbps. Black Lotus expects that
attackers will use DrDoS attacks whenever possible, resorting to non-amplification attacks when there is not a sufficient
quantity of vulnerable systems available for amplification.
Figure 1. Maximum bit volume per attack incident during Q3 2014 (chart, y-axis in Gbps)
While DDoS attacks are frequently cited in terms of their bit volume, the packet volume of an attack can be particularly
devastating. Even if an attack does not exceed the bit capacity of a network or DDoS mitigation system, it can often
exceed the packet volume capabilities of the targeted network. For instance, one popular DDoS mitigation hardware
provider frequently sells 10 Gbps DDoS mitigation systems, which are only capable of mitigating 4 Mpps, where the line
rate capability of a 10 Gbps interface is actually ~15 Mpps. This can cause the mitigation equipment to saturate at 27
percent of the circuit capacity.
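To make the bit-versus-packet arithmetic above concrete, here is an added example (not from the report) that computes the packet line rate of an Ethernet link from its speed and frame size, the fraction of circuit capacity at which a device with a fixed pps ceiling saturates, and the frame size below which a flood is pps-bound rather than bps-bound. The 20-byte per-packet overhead is standard Ethernet framing (preamble, start-of-frame delimiter, inter-frame gap), not a figure from the report.

```python
# Added example (not from the report): relate bit rate, packet rate and frame size on an
# Ethernet link, which decides whether a mitigation device saturates on packets per
# second before the circuit saturates on bits per second.
# Standard Ethernet framing overhead per packet: 7-byte preamble + 1-byte start-of-frame
# delimiter + 12-byte inter-frame gap = 20 bytes on the wire outside the frame itself.
ETH_OVERHEAD_BYTES = 20
MIN_FRAME_BYTES = 64  # smallest legal Ethernet frame; a bare TCP SYN is padded to this


def line_rate_pps(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Maximum packets per second the link carries at the given frame size."""
    bits_per_packet = (frame_bytes + ETH_OVERHEAD_BYTES) * 8
    return link_bps / bits_per_packet


def saturation_fraction(device_pps_limit: float, link_bps: float,
                        frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Fraction of the link's bit capacity in use when a device with a fixed pps
    ceiling hits that ceiling with packets of the given frame size."""
    return device_pps_limit / line_rate_pps(link_bps, frame_bytes)


def pps_bound_frame_bytes(device_pps_limit: float, link_bps: float) -> float:
    """Frame size below which the device's pps ceiling is reached before the link's
    bit capacity; floods of smaller packets are pps-bound, larger ones are bps-bound."""
    return link_bps / (8 * device_pps_limit) - ETH_OVERHEAD_BYTES


def avg_wire_bytes_per_packet(attack_bps: float, attack_pps: float) -> float:
    """Average on-wire bytes per packet implied by an attack's bit and packet rates."""
    return attack_bps / attack_pps / 8


if __name__ == "__main__":
    # A 10 Gbps circuit behind a device rated for 4 Mpps, flooded with minimum-size packets.
    print(f"10 Gbps line rate at 64-byte frames: {line_rate_pps(10e9) / 1e6:.2f} Mpps")
    print(f"4 Mpps device saturates at {saturation_fraction(4e6, 10e9):.0%} of circuit capacity")
    print(f"Packets smaller than {pps_bound_frame_bytes(4e6, 10e9):.0f} bytes are pps-bound")
    # The report's Q3 2014 average attack of 3.2 Gbps and 1 Mpps.
    print(f"Average packet on the wire: {avg_wire_bytes_per_packet(3.2e9, 1e6):.0f} bytes")
```

Run as-is it reproduces the ~15 Mpps line rate and the 27 percent saturation point quoted above, and shows that the report's average attack works out to roughly 400 bytes per packet on the wire.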
Figure 2. Maximum packet volume per attack incident during Q3 2014 (chart, y-axis in Mpps)
During the Q3 2014 reporting period, 147,096 (73 percent) of the 201,721 attacks observed were regarded as severe.
Once awareness spread concerning the NTP DrDoS vulnerability, these reflection attacks became substantially more
difficult to accomplish, and application layer attacks once again became the vector of choice for DDoS attackers.
Application layer attacks can pose a problem even for those protected by network based DDoS mitigation systems. Also
known as layer 7 attacks, and often combined with SYN floods to form multi-vector attacks, these exploit weaknesses and
inefficiencies in individual applications in order to cause resource depletion, resulting in an outage to the server. During
the current reporting period, 22,068 (15 percent) of severe attacks targeted servers and applications, most commonly
Web servers (HTTP) and domain name services (DNS), which are required to provide address resolution to customers.
Attacks on either can result in an outage to the site and are extremely difficult to mitigate without professional assistance.
In Q3 2014, the SYN flood remained the top category among all severe attacks, accounting for 49 percent.
[Chart: share of severe attacks by vector in Q3 2014: SYN flood 49%, UDP flood 13%, TCP flag misuse 9%, ACK flood 4%, ICMP flood 4%]
Figure 4. Severe multi-vector attacks have increased from 17 percent in Q2 2014 to 73 percent in Q3 2014 (bar chart of critical alerts, in thousands, by vector: TCP flag misuse, HTTP GET flood, UDP flood, ICMP flood, DNS query, ACK flood, IGMP flood, TCP flag NULL, LAND flood)
Due to the extremely low frequency of NTP DrDoS attacks during the Q3 2014 reporting period, these incidents are now
aggregated under UDP floods.
                             | Q1 2014 | % Change Q1-Q2 | Q2 2014 | % Change Q2-Q3 | Q3 2014
Largest attack (Gbps)        |     421 |        -85.99% |      59 |        -81.36% |      15
Largest attack (Mpps)        |     122 |        -76.23% |      29 |        -82.76% |     6.1
Average attack (Gbps)        |     2.7 |          7.41% |     2.9 |         10.34% |     3.2
Average attack (Mpps)        |     1.8 |        -22.22% |     1.4 |        -28.57% |       1
Total attacks                | 462,621 |        -40.24% | 276,447 |        -27.03% | 201,721
Severe attacks (% of total)  |     20% |                |     17% |                |     73%
Table 1. Summary of confirmed DDoS attacks mitigated on the Black Lotus network in 2014
Trends
[Chart: largest attack per quarter, Q1 2014 to Q3 2014, in Gbps and Mpps]
We continue to observe a reduction in the bit volume of individual attacks in consecutive quarters. The peak attack
bit volume has dropped from 421 Gbps in Q1 to 59 Gbps in Q2 and 15.2 Gbps in Q3.
[Chart: average attack per quarter, Q1 2014 to Q3 2014, in Gbps and Mpps]
The average attack bit volume is increasing while the average attack packet volume is decreasing. This represents a
change in the attack methods deployed by the perpetrators, from large volumetric network-based attacks to more complex
multi-vector attacks in which application layer attacks and SYN floods are blended together.
[Chart: total attack incidents per quarter in 2014]
The total number of attack incidents continues to decline, from 462,621 attacks in Q1 to 276,447 attacks in Q2 and 201,721
attacks in Q3.
Key Analysis
In Q3 2014, we observed that the average attack bit volume increased while the average attack packet volume
decreased. This could be attributed to a change in the attack methods deployed by the perpetrators, from large
volumetric network-based attacks to more complex multi-vector attacks in which application layer attacks and SYN
floods are blended together. DDoS attacks have significantly and continuously declined in peak size and total
incident count as NTP DrDoS attacks have largely subsided. This occurred due to better awareness in the security
community of the threat posed by vulnerable NTP daemons, prompting administrators to upgrade from vulnerable
versions and, in some cases, prompting network operators to filter potentially malicious NTP traffic.
When more effective zero day attacks do not exist, attackers will often fall back to tried and true methods of
attacking systems, including SYN floods and application layer attacks, which are often launched in tandem. The
largest bit volume attack observed by Black Lotus was the result of a SYN flood against a Web server, largely
sourced from Chinese networks.
A significant drop in the total attack volume mitigated by Black Lotus for its customers can be attributed to the
proactive defense process instituted by the Black Lotus DDoS mitigation team on behalf of our customers. System-
and network-level vulnerabilities are identified and rectified as part of the initial customer turn-up process. DDoS
attack incidents against networks or servers protected by Black Lotus were often detected and mitigated at the
very beginning of these attacks, rendering them unable to cause any real disruption to our customers' networks
or online services and hence discouraging further incidents targeting them.
Unlike NTP DrDoS attacks, SYN floods and application layer attacks against Web servers are very difficult to
mitigate using conventional network hardware as they target TCP/80, which is the same port required to serve
legitimate users.
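Because port filtering cannot separate a SYN flood on TCP/80 from real visitors, the distinguishing signal is handshake behaviour. The following added example (not from the report) scores sources in a constructed connection-state log by how many of their connections to port 80 stay half-open versus complete; the log format, IP addresses and thresholds are all assumptions for illustration.

```python
# Added example, not from the report: separate SYN-flood sources from legitimate clients
# on TCP/80 by handshake completion rather than by port. Records are a constructed
# "src_ip dst_port state" log; SYN_RECV is a half-open connection, ESTABLISHED means
# the three-way handshake completed. Legitimate browsers complete almost every attempt.
from collections import defaultdict

# Constructed sample: one source flooding port 80, two ordinary clients.
SAMPLE_LOG = """\
203.0.113.9 80 SYN_RECV
203.0.113.9 80 SYN_RECV
203.0.113.9 80 SYN_RECV
203.0.113.9 80 SYN_RECV
203.0.113.9 80 SYN_RECV
203.0.113.9 80 SYN_RECV
203.0.113.9 80 ESTABLISHED
198.51.100.4 80 SYN_RECV
198.51.100.4 80 ESTABLISHED
198.51.100.4 80 ESTABLISHED
192.0.2.77 443 SYN_RECV
192.0.2.77 80 ESTABLISHED
"""


def parse_log(text):
    """Return (src_ip, dst_port, state) tuples, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue
        records.append((parts[0], int(parts[1]), parts[2]))
    return records


def half_open_counts(records, port=80):
    """Per source: (half_open, established) counts on the given destination port."""
    counts = defaultdict(lambda: [0, 0])
    for src, dst_port, state in records:
        if dst_port != port:
            continue
        if state == "SYN_RECV":
            counts[src][0] += 1
        elif state == "ESTABLISHED":
            counts[src][1] += 1
    return {src: tuple(c) for src, c in counts.items()}


def flag_syn_sources(records, port=80, min_half_open=5, max_completion=0.25):
    """Sources with at least min_half_open half-open connections whose completion
    ratio (established / all attempts) is at or below max_completion."""
    flagged = []
    for src, (half_open, established) in half_open_counts(records, port).items():
        ratio = established / (half_open + established)
        if half_open >= min_half_open and ratio <= max_completion:
            flagged.append(src)
    return sorted(flagged)
```

The thresholds are deliberately conservative so that a client on a lossy link, which retries a few handshakes, is not flagged alongside a source that never completes one.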
These attacks are not as dangerous to providers of Internet infrastructure, since the bit and packet volumes are
much lower and within the capacity of many tier 1 networks; however, they continue to pose a serious threat to
service providers and enterprises that do not have significant excess capacity and DDoS mitigation solutions in
place.
Another factor that explains the decline in total incident volume is the difficulty of launching large volume SYN
floods compared to DrDoS.
In the Q1 2014 edition, Black Lotus predicted 800 Gbps attacks on the horizon. This prediction is based on the
potential for a new zero day DrDoS attack to occur, similar to the NTP attacks earlier this year, and it remains a cause
for concern. Attackers will continue to look for new vulnerabilities in services that rely on the UDP protocol in an
effort to replicate the success they found with NTP DrDoS.
The new up-and-coming countries of origin for DDoS attacks identified by the Black Lotus mitigation team are
Vietnam, India and Indonesia. While these countries don't have the large bandwidth necessary to launch massive
volumetric DDoS attacks, the large number of compromised endpoint devices, particularly smartphones,
makes these countries prime sources of newly created botnets.
Contact Us
To learn more about Black Lotus, DDoS attacks, and DDoS mitigation solutions, please contact:
Headquarters
Black Lotus Communications
1 Sansome St., Suite 1500
San Francisco, CA 94104
Sales: sales@blacklotus.net, (866) 477-5554
Support: support@blacklotus.net, (800) 789-1977