Nexusguard Threat Advisories


Q2 2016 DDoS Threat Report

In Q2 2016, DNS attacks continue to be the new preferred attack vector as Russia becomes the top targeted country.


Methodology

As the global leader in Distributed Denial of Service (DDoS) mitigation, Nexusguard observes and collects real-time data on threats facing enterprise and service-provider networks worldwide. The data contained in this report is sourced from our external hybrid darknet, which is run and maintained by Nexusguard and its associated community of leading anti-DDoS and Internet-cleansing organizations. 

A network of vulnerable, Internet-connected devices and honeypots comprises Nexusguard’s collaborative darknet, uniquely positioning it to measure global events in a manner that is not biased by any single set of customers or industries. Many zero-day threats are first seen on Nexusguard’s global research network. These threats are summarized in our quarterly reports.

Introduction

With an 83% increase in attacks over the previous quarter, Q2 2016 has been rather active. For starters, there was an all-out, relentless two-day assault on a Russian telecom, targeting 51,630 IPs on the Starlink network (note the large spike in the diagram below). The information we currently have only allows us to speculate on the root cause, but we note that the attack took place at about the same time that Ukrainian hacktivists were seen bragging to the media about hacking into Russian video feeds and identifying Russian soldiers in eastern Ukraine. There is plenty of data to back up this observation. The victims of the Starlink attack have been identified as various organizations inside Russia, including an energy products company, a bank, a medical device manufacturer, a clinic, and the internal communications services of the Starlink network itself.

[Figure: Top 10 reflective DDoS attacks]

Regarding network rankings: Because of so much activity on the Russian front, Starlink eclipsed last quarter's leader, Hurricane Electric, to become the most-attacked network in Q2. Starlink received 958% more attacks than the 7034 that Hurricane Electric received in Q1. The infamous Autonomous System (AS) 4134 keeps its Number Two ranking with a 23% increase in Q2, while Alibaba knocked Comcast out of Number Three with a 75% increase over last quarter. Overall, Q2 saw motivated attackers with low to medium capabilities favoring website defacements and DDoS as their primary tools of disruption.

[Figure: List of targets]

[Figure: Attacks by method]

Regarding attack methodology: DNS continues its ascent as an attack vector, but NTP is still the leading method. Interestingly, though, DNS was the preferred method for the attacks targeting Starlink. All in all, it appears that DNS and NTP are preferred for attacks targeted at individuals. We also hypothesize that DNS is becoming increasingly effective at taking down its targets. We believe this is related to the mysterious ACLs, filtering port 123 packets larger than 500 bytes, that we have observed spreading across transit providers.

We saw no SNMP or IKE attacks this quarter, and SSDP attacks decreased. However, the variety of methods continues to grow, with a 234% increase in RIP attacks and a 1150% increase in mDNS attacks.

[Figure: Top attacks by type]

[Figure: Attack durations by day]

Regarding attack duration: Q2 shows that the 300-second prediction made last quarter can be temporarily thrown out the window, with the exception being NTP. The 300-second benchmark may return in the future, but this quarter saw a definite increase in attack durations, which raised the mean duration of DNS and SSDP attacks. Another possibility is that the Starlink attacks were not executed from a DDoS-for-hire panel but rather by a motivated attacker. Regardless, the majority of this quarter's NTP attacks were executed from DDoS-for-hire panels. We will continue to monitor the situation going forward.
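To make the method-and-duration figures above concrete, the following is an added example (not Nexusguard's code or part of the Hybrid-Darknet-Concept project) of how darknet flow records can be classified by reflection vector and grouped into attack events. It assumes a simplified flow record (timestamp, reflector address and UDP source port, victim address, bytes per packet); the flows, addresses and the 120-second event gap are constructed for illustration, and the 500-byte threshold is the port-123 packet size the report mentions in connection with transit-provider ACLs.

```python
"""Classify reflection DDoS flows by vector and group them into timed events.

Added example, not the report's or the Hybrid-Darknet-Concept project's code.
Record shape, gap value and sample flows below are assumptions/constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# UDP source port of the reflector -> vector label used in the report.
REFLECTOR_PORTS = {
    53: "DNS", 123: "NTP", 161: "SNMP", 500: "IKE",
    520: "RIP", 1900: "SSDP", 5353: "MDNS",
}
NTP_LARGE_PACKET_BYTES = 500  # port-123 size threshold the report associates with transit ACLs


@dataclass(frozen=True)
class Flow:
    ts: float             # seconds since capture start
    src_ip: str           # reflector that answered the spoofed request
    src_port: int         # UDP source port; identifies the reflection service
    dst_ip: str           # victim address the reply was directed at
    bytes_per_packet: int


@dataclass
class Event:
    victim: str
    vector: str
    start: float
    end: float
    flows: int = 0

    @property
    def duration(self) -> float:
        return self.end - self.start


def classify(flow: Flow) -> Optional[str]:
    """Map a flow to a reflection vector by UDP source port; None if not a known reflector."""
    return REFLECTOR_PORTS.get(flow.src_port)


def build_events(flows, gap: float = 120.0):
    """Group reflector flows into events per (victim, vector); silence longer than `gap` ends an event."""
    open_events = {}
    events = []
    for flow in sorted(flows, key=lambda f: f.ts):
        vector = classify(flow)
        if vector is None:
            continue  # scanner noise or non-reflector traffic
        key = (flow.dst_ip, vector)
        current = open_events.get(key)
        if current is None or flow.ts - current.end > gap:
            current = Event(flow.dst_ip, vector, flow.ts, flow.ts)
            events.append(current)
            open_events[key] = current
        current.end = flow.ts
        current.flows += 1
    return events


def summarize(flows, gap: float = 120.0):
    """Per-vector event count and mean duration, the two figures the report charts."""
    by_vector = defaultdict(list)
    for ev in build_events(flows, gap):
        by_vector[ev.vector].append(ev.duration)
    return {v: {"events": len(d), "mean_duration": mean(d)} for v, d in by_vector.items()}


def matches_transit_acl(flow: Flow) -> bool:
    """True if the flow would be caught by an ACL on port-123 packets larger than 500 bytes."""
    return classify(flow) == "NTP" and flow.bytes_per_packet > NTP_LARGE_PACKET_BYTES


# Constructed sample flows (not honeypot data); addresses from RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    Flow(0, "198.51.100.1", 53, "203.0.113.10", 512),
    Flow(60, "198.51.100.1", 53, "203.0.113.10", 512),
    Flow(120, "198.51.100.3", 53, "203.0.113.10", 480),
    Flow(180, "198.51.100.1", 53, "203.0.113.10", 512),
    Flow(900, "198.51.100.1", 53, "203.0.113.10", 512),    # new DNS event after a long gap
    Flow(960, "198.51.100.1", 53, "203.0.113.10", 512),
    Flow(0, "198.51.100.2", 123, "203.0.113.20", 468),
    Flow(100, "198.51.100.2", 123, "203.0.113.20", 468),
    Flow(200, "198.51.100.2", 123, "203.0.113.20", 468),
    Flow(5000, "198.51.100.4", 123, "203.0.113.30", 1024),  # oversized port-123 packet
    Flow(50, "198.51.100.5", 4444, "203.0.113.10", 1400),   # not a known reflector, ignored
]

if __name__ == "__main__":
    for vector, stats in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{vector:5} events={stats['events']} mean_duration={stats['mean_duration']:.0f}s")
    print("flows matching port-123 >500B ACL:", sum(matches_transit_acl(f) for f in SAMPLE_FLOWS))
```

On the constructed input this yields two DNS events (mean 120 s) and two NTP events (mean 100 s), with one NTP flow exceeding the 500-byte threshold. The gap-based grouping is what decides whether a victim's bursts count as one long attack or several short ones, so the chosen gap directly shapes the duration statistics a report like this one presents.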

[Figure: Attack events by country]

Conclusion

Regarding attack events: In first place, Russia saw the largest percentage change in the quarter with an increase of 1992%, rather drastic considering Russia placed seventh in Q1 2016 with 3654 attacks. The US and China were in contention for the second spot in Q2. It was a good quarter for Brazil, which, although still in the Top 10, saw its number of attacks reduced by more than half. Albeit small, the US also saw a 5% reduction this quarter. Meanwhile, China saw a 50% increase, keeping the country in second place for quantity of attacks in Q2 2016.

Country   Count
RU        76462
CN        28399
US        23738
FR        13953
GB         4334
DE         3526
CA         2773
HK         2392
BR         2318
AU         1809

All data used to generate this report as well as the project used to monitor the honeypots will be published at https://github.com/kingtuna/Hybrid-Darknet-Concept.
