Despite a 40% overall decline in reflective attacks in Q3, the emergence of the Mirai toolkit during the quarter marks a significant moment in DDoS history.
As the global leader in Distributed Denial of Service (DDoS) mitigation, Nexusguard observes and collects real-time data on threats facing enterprise and service-provider networks worldwide. The data contained in this report is sourced from our external hybrid Darknet, which is run and maintained by Nexusguard and its associated community of leading anti-DDoS and Internet-cleansing organizations.
A network of vulnerable, Internet-connected devices and honeypots comprises Nexusguard’s collaborative Darknet, uniquely positioning it to measure global events in a manner that is not biased by any single set of customers or industries. Many zero-day threats are first seen on Nexusguard’s global research network. These threats are summarized in our quarterly reports.
In Q2 2016, Nexusguard observed an 83% increase in attacks in the APAC region. In Q3, despite a large increase in media coverage of major DDoS events, we saw a 40% overall decline in reflective attacks. The emergence of the Mirai toolkit during the quarter is a significant moment in DDoS history, and is surely behind the recent uptick in media attention. Unlike earlier tools such as the Low Orbit Ion Cannon (LOIC), Mirai, as noted by key mitigation and DNS service providers, is truly a force to be reckoned with. As a side note: last quarter we predicted an increase in home infections via weaponized DDoS tools, and in Q3 we indeed saw a large number of IoT devices infected by Mirai. (Mirai spreads by logging in to devices that still use factory-default credentials. To avoid being compromised, owners of IoT devices should replace default passwords with strong, unique ones and disable remote administration services such as Telnet that the device does not need. Doing so helps ensure that their devices are not drawn into DDoS attacks on other organizations, and thus protects their own organization's reputation.)
Regarding network rankings: Even though it saw a 40% decrease, Chinanet continued to lead the attack rankings in Q3. In the second spot, Alibaba saw a 29% decrease in attacks. With 45 attacks directed at a single IP address on its network, Alibaba was also the network that received the most attacks against one target. In upcoming quarters we expect Alibaba to become the number one target for DDoS attacks in China.
Regarding attack methodology: Q3 2016 saw the last of the UnrealTournament- and Sentinel-based attacks, although the number of attacks using either service was small to begin with. Just as in Q2, NTP remained the dominant reflection vector for Q3 DDoS attacks in Asia. During the quarter NTP accounted for 90% of all reflective attacks, well above the global average of 66%. Chargen, NTP's nearest "competitor", accounted for only 6% of attacks. NTP reflection depends on servers that still answer the legacy monlist query, so operators can remove their servers from the pool of usable reflectors by upgrading ntpd (monlist was removed in 4.2.7p26) or by restricting mode 7 queries (for example with "restrict default noquery" in ntp.conf). Even though NTP is on the rise, we feel it may be approaching its ceiling, and accordingly we expect to see a more diversified array of attack methodologies in Q4.
Regarding attack duration: Last quarter SSDP attacks lasted longer in Asia than in the US. In contrast, Q3 saw SSDP attacks become considerably shorter in APAC. NTP attacks lasted slightly longer than those observed globally, but still less than the 300-second mean. These findings are in line with last quarter, as NTP continued to be the predominant attack method in Q3.
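The two paragraphs above report reflective attacks by vector and by duration. The script below is an added example of how such figures are derived from flow records, not Nexusguard's code and not the Hybrid-Darknet-Concept project's code. It classifies UDP flows by the reflector's source port (the vectors named in the report: NTP 123, Chargen 19, SSDP 1900, plus DNS 53), groups flows into attack events per (vector, victim), and computes each vector's share and mean duration. The flow records, IP addresses (from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24) and the packet threshold are constructed for illustration. Source port alone cannot distinguish reflected floods from ordinary NTP replies, so the example also requires a minimum packet count before a flow counts as part of an attack.

```python
"""Summarise reflection/amplification DDoS flows by vector and duration.

Added example, not part of the original report or of the honeypot project.
All flow records below are constructed sample data, not real observations.
"""
from collections import defaultdict
from dataclasses import dataclass

# Reflected traffic arrives *from* the service port, because the reflector
# answers a request whose source address was spoofed to the victim.
REFLECTION_PORTS = {
    123: "NTP",       # monlist / mode 7 amplification
    19: "Chargen",
    1900: "SSDP",
    53: "DNS",
}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "udp" or "tcp"
    packets: int
    nbytes: int
    start: float     # epoch seconds
    end: float


def classify(flow, min_packets=50):
    """Return the reflection vector name for a flow, or None.

    Only UDP flows sourced from a known reflector port and carrying at
    least `min_packets` packets are treated as reflected attack traffic;
    a single legitimate NTP reply from port 123 is therefore ignored.
    """
    if flow.proto != "udp" or flow.packets < min_packets:
        return None
    return REFLECTION_PORTS.get(flow.src_port)


def summarize(flows, min_packets=50):
    """Group reflected flows into (vector, victim) events and report per vector.

    An event's duration runs from the earliest flow start to the latest
    flow end seen for that (vector, victim) pair.
    """
    events = {}  # (vector, victim) -> [start, end, bytes]
    for f in flows:
        vec = classify(f, min_packets)
        if vec is None:
            continue
        ev = events.setdefault((vec, f.dst_ip), [f.start, f.end, 0])
        ev[0] = min(ev[0], f.start)
        ev[1] = max(ev[1], f.end)
        ev[2] += f.nbytes

    durations = defaultdict(list)
    for (vec, _victim), (start, end, _b) in events.items():
        durations[vec].append(end - start)

    total = sum(len(d) for d in durations.values())
    return {
        vec: {
            "events": len(d),
            "share": len(d) / total,
            "mean_duration_s": sum(d) / len(d),
        }
        for vec, d in durations.items()
    }


# Constructed sample flows (hypothetical reflectors 192.0.2.x, victims 203.0.113.x).
SAMPLE_FLOWS = [
    Flow("192.0.2.1", 123, "203.0.113.10", 40000, "udp", 1000, 480000, 0, 200),
    Flow("192.0.2.2", 123, "203.0.113.10", 40000, "udp", 1200, 576000, 10, 250),
    Flow("192.0.2.3", 123, "203.0.113.10", 40000, "udp", 900, 432000, 20, 300),
    Flow("192.0.2.4", 123, "203.0.113.11", 40001, "udp", 500, 240000, 100, 160),
    Flow("192.0.2.5", 19, "203.0.113.10", 40002, "udp", 800, 820000, 0, 30),
    Flow("192.0.2.6", 1900, "203.0.113.12", 40003, "udp", 300, 96000, 50, 70),
    # A genuine NTP reply: one packet from port 123, below the threshold.
    Flow("192.0.2.7", 123, "203.0.113.20", 45000, "udp", 1, 48, 5, 5),
    # TCP traffic from port 123 is not a reflection vector.
    Flow("192.0.2.8", 123, "203.0.113.21", 45001, "tcp", 500, 25000, 0, 60),
]

if __name__ == "__main__":
    for vec, stats in summarize(SAMPLE_FLOWS).items():
        print(f"{vec:8s} events={stats['events']} share={stats['share']:.0%} "
              f"mean_duration={stats['mean_duration_s']:.0f}s")
```

On the sample data NTP makes up half of the events with a mean duration of 180 seconds, which is the kind of per-vector figure the report compares against its 300-second global mean. Real collectors would also weight by bytes or packets rather than event count alone, and should confirm that the victim never sent a matching request before attributing a flow to reflection.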
Regarding attack events: While China saw a 50% increase in attacks in Q2, it received 33% fewer attacks this quarter. In Q3, three APAC countries, China, Australia, and Hong Kong, made the Top 10 in worldwide attacks. Hong Kong saw a small 4% increase, while Australia saw the largest increase, 40% over last quarter. All other APAC countries remained fairly stable except for Korea, which saw a 40% decrease in attacks during the third quarter of 2016.
All data used to generate this report as well as the project used to monitor the honeypots will be published at https://github.com/kingtuna/Hybrid-Darknet-Concept.