In Q2 2016, we saw increased weaponization of ransomware within DDoS tools. Get deeper insights into the APAC region within Nexusguard's regionalized Q2 2016 DDoS Threat Report.
As the global leader in Distributed Denial of Service (DDoS) mitigation, Nexusguard observes and collects real-time data on threats facing enterprise and service-provider networks worldwide. The data contained in this report is sourced from our external hybrid darknet, which is run and maintained by Nexusguard and its associated community of leading anti-DDoS and Internet-cleansing organizations.
A network of vulnerable, Internet-connected devices and honeypots comprises Nexusguard’s collaborative darknet, uniquely positioning it to measure global events in a manner that is not biased by any single set of customers or industries. Many zero-day threats are first seen on Nexusguard’s global research network. These threats are summarized in our quarterly reports.
In Q2 2016, Nexusguard observed an 83% increase in attacks worldwide. In contrast, the APAC* region saw an increase of only 43% — just a bit over half the global figure. The top target was in China, and the attacks appear to be attributable to the target having hosted malware at that location within the last two years. Over the course of about a month of constant attacks, the Chinese target was hit 41 times. This quarter also saw the increased weaponization of ransomware within DDoS tools as a new “fad” for propagating home infections. There were a few public attacks, such as the one targeting Pokemon GO that was reportedly launched by a new group, Poodle Corp. — a group strikingly similar to Lizard Squad. We assume that Poodle Corp. will launch more attacks to increase their visibility and position themselves as a DDoS-for-hire service.
* Australia • China • Hong Kong • Indonesia • Japan • Korea • Malaysia • Philippines • Singapore • Taiwan
Regarding network rankings: Chinanet and Alibaba, both Chinese, were the most-attacked networks in Q2, ranking 1st and 2nd respectively. As for non-Chinese networks, Telstra (Australia) dropped from 6th place to 8th in the rankings, while Kixs (Korea) saw a small decrease in the number of attacks (6%), putting it in 10th place, down from 8th in Q1.
Regarding attack methodology: NTP attacks dominated in APAC, accounting for 90% of all attacks — a marked difference from the global distribution, where NTP clocked in at only 46% of attacks worldwide. We believe this disparity results from APAC seeing so few DNS amplification attacks. In the quarter, Chargen also ranked above DNS — a characteristic uniquely Asian — coming in at number 2. This is not as unusual as it may seem, as many Chargen servers are unintentionally turned on when Microsoft’s Simple TCP/IP Services are enabled. Overall, APAC exhibits considerably less diversity in attack methodology than what is seen in the world at large.
Regarding attack duration: The data we observed in the quarter indicates that many attack tools are scripted and have set duration values. A good example: the DNS attacks bunched together in dark bands in the diagram above are clearly the result of specific preset duration values. We also saw that SSDP attacks lasted almost double the mean in APAC versus globally. The same can be said of NTP attacks, which had a mean duration of 536 seconds in APAC vs. 337 seconds globally this quarter. In short, NTP attacks are not only more popular in APAC, they also tend to last a lot longer.
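The two measures used in the methodology and duration sections above (share of attack events per vector, mean event duration per vector) can be reproduced from flow records; the following is an added example, not Nexusguard's code. It assumes reflection traffic is identified by the UDP source port of the amplifier service, that a lull of more than 60 seconds closes an attack event, and uses constructed flow records rather than report data.

```python
from collections import defaultdict

# UDP source ports of the reflection services the report ranks; a UDP flow whose
# source port is one of these is treated as amplified traffic toward dst_ip.
VECTOR_PORTS = {123: "NTP", 19: "Chargen", 53: "DNS", 1900: "SSDP"}
GAP_SECONDS = 60  # assumed threshold: a lull longer than this closes an event


def events_from_flows(flows):
    """Group (ts, proto, src_port, dst_ip) flows into events of one vector toward one
    target; flows stay in the same event while gaps are <= GAP_SECONDS."""
    events, open_idx = [], {}  # open_idx: (vector, target) -> index in events
    for ts, proto, src_port, dst_ip in sorted(flows):
        if proto != "udp" or src_port not in VECTOR_PORTS:
            continue  # not reflection traffic
        key = (VECTOR_PORTS[src_port], dst_ip)
        idx = open_idx.get(key)
        if idx is not None and ts - events[idx]["end"] <= GAP_SECONDS:
            events[idx]["end"] = ts
        else:
            open_idx[key] = len(events)
            events.append({"vector": key[0], "target": dst_ip, "start": ts, "end": ts})
    return events


def summarize(events):
    """Per vector: number of events, share of all events, mean duration (s)."""
    durations = defaultdict(list)
    for ev in events:
        durations[ev["vector"]].append(ev["end"] - ev["start"])
    total = len(events)
    return {v: {"count": len(d), "share": len(d) / total,
                "mean_duration": sum(d) / len(d)} for v, d in durations.items()}


# Constructed sample flows (ts, proto, src_port, dst_ip), deliberately unsorted.
SAMPLE_FLOWS = [
    (0, "udp", 123, "203.0.113.10"), (50, "udp", 123, "203.0.113.10"),
    (100, "udp", 123, "203.0.113.10"), (150, "udp", 123, "203.0.113.10"),
    (200, "udp", 123, "203.0.113.10"),            # NTP event 1: 200 s
    (1090, "udp", 123, "203.0.113.10"), (1000, "udp", 123, "203.0.113.10"),
    (1040, "udp", 123, "203.0.113.10"),           # NTP event 2: 90 s (gap > 60 s)
    (10, "udp", 19, "203.0.113.20"), (40, "udp", 19, "203.0.113.20"),
    (70, "udp", 19, "203.0.113.20"),              # Chargen event: 60 s
    (500, "udp", 53, "203.0.113.30"), (530, "udp", 53, "203.0.113.30"),  # DNS: 30 s
    (300, "tcp", 123, "203.0.113.10"),            # TCP from port 123: ignored
    (310, "udp", 443, "203.0.113.10"),            # UDP from a non-reflection port: ignored
]
```

On the sample above, `summarize(events_from_flows(SAMPLE_FLOWS))` reports NTP as half of all events with a mean duration of 145 s; on real flow data the gap threshold should be tuned to the sampling interval of the collector.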
Regarding attack events: China saw a 50% increase in attacks this quarter, higher than the overall increase of 43% for APAC as a whole. The largest increase was seen in Hong Kong, where attacks rose an astonishing 57%. But there is some good news: a few countries did see a minor decrease, and when it comes to DDoS, a small decrease is better than nothing. With a 4% decrease in attacks, Japan was the quarter’s lucky winner.
All data used to generate this report as well as the project used to monitor the honeypots will be published at https://github.com/kingtuna/Hybrid-Darknet-Concept.