
Nexusguard Q4 2015 Threat Report: DDoS Reflection Attacks

Nexusguard collects and measures real-time data on threats facing enterprises. This report covers Q4 2015.

The data contained in this report is sourced from our external hybrid darknet, which Nexusguard and a community of organizations leading in DDoS and Internet cleanup efforts run and maintain. 


Methodology

As the global leader in distributed denial of service (DDoS) mitigation, Nexusguard observes and collects real-time data on threats facing enterprise and service provider networks worldwide. The data contained in this report is sourced from our external hybrid darknet, which Nexusguard and a community of organizations leading in DDoS and Internet cleanup efforts run and maintain.

A network of vulnerable, Internet-connected devices, or "honeypots," comprises Nexusguard's collaborative darknet, uniquely positioning it to measure global events that are unbiased by any one set of customers or industries. Many zero-day threats are first seen on the Nexusguard global research network. These threats are summarized in our quarterly report.

Nexusguard's reporting on our multi-partnership honeynet project has gone through many iterations. Recently, Farsight Security joined the multi-company group that supports the generation of this data. The primary sponsor is Nexusguard, with A10 Networks, Farsight Security, and Cari.net participating as well. We have taken the approach of monitoring reflective DDoS attacks external to our networks, which gives us a completely neutral perspective on the scanning sources and attack destinations.

It is important to note that we have not seen any DDoS mitigation service provider in our top 10 list.


This last quarter has been an interesting one. It started out very typically, with a few thousand events per day, then skyrocketed to over thirty thousand events per day as DNS attacks targeted Turkey. This can be seen in Turkcell and Turkish Telecom being the number 1 and number 2 top targets of the quarter. In these attacks it appears that statements were being made: not only were Turkish IPs targeted with DDoS attacks, Turkish domains were used as the records being reflected at the target. These domains had very low amplification factors. The top domain used was nic.tr, not an excellent choice with about a 2x amplification factor. The second most used domain in these attacks was Turkey.com, which only has a 3.9x amplification factor. In theory, these attacks typically yield about a 50x amplification factor.

Top 10 attack targets by autonomous system (AS), Q4 2015

Rank  AS     Fullname                                                           Count
   1  16135  TURKCELL-AS TURKCELL ILETISIM HIZMETLERI A.S.,TR                   68296
   2  9121   TTNET Turk Telekomunikasyon Anonim Sirketi,TR                      42522
   3  4134   CHINANET-BACKBONE No.31,Jin-rong Street,CN                          5910
   4  174    COGENT-174 - Cogent Communications,US                               4361
   5  6128   CABLE-NET-1 - Cablevision Systems Corp.,US                          4150
   6  12903  GARANTI-TECH Garanti Bilisim Teknolojisi ve Ticaret T.A.S.,TR       4064
   7  37963  CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co.,Ltd.,CN    3206
   8  7922   COMCAST-7922 - Comcast Cable Communications, Inc.,US                3144
   9  16212  LORAL-SKYNET-ASN Loral Skynet Network Services (Europe) Ltd,DE      2837
  10  16276  OVH OVH SAS,FR                                                      2350


This quarter has seen a very large increase in DNS attacks. As the table above shows, the numbers have shifted in this direction due to brutal attacks targeting Turkish IP addresses. Another interesting point is the increase in the diversity of attacks, which is due to new services being deployed on the project's honeypots. Interestingly enough, the majority is still held by the top three attack types: DNS, NTP and CHARGEN, respectively.

Attack methods by event count, Q4 2015

Rank  Method         Count
   1  DNS           151216
   2  NTP            53347
   3  CHARGEN        11170
   4  SSDP             282
   5  RIP               59
   6  Sentinel-5093     19
   7  SNMP               7
   8  Echo               1
   9  Portmapper         1


Durations are monitored by day and are visualized in seconds. This is done because the data is analyzed daily and the attack tools are generally executed with a second-based timer. This can be seen in the medians of the durations. Looking at CHARGEN, we can estimate that the majority of attacks were using a 600 second timer, NTP used 300 seconds, and DNS 36,000 seconds. This can give us some insight into what types of instructions are being executed. This is only a hypothesis and needs to be monitored over time.
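As an added illustration of the analysis behind the rank tables, the amplification factors quoted for nic.tr and Turkey.com, and the median-duration timer hypothesis above (example code written for this page, not code from Nexusguard or the Hybrid-Darknet-Concept project), the following Python aggregates a constructed set of honeypot event records by target AS and method, computes the mean response/request byte ratio per reflected DNS name, and takes the median duration per method. The six-field record layout and every value in SAMPLE_EVENTS are assumptions made for the example.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample of honeypot reflection events (not the report's data).
# Fields: method, target ASN, reflected name, request bytes, response bytes, duration (s)
SAMPLE_EVENTS = """\
DNS,16135,nic.tr,64,128,36000
DNS,16135,turkey.com,64,250,36000
DNS,9121,nic.tr,64,128,36010
DNS,9121,nic.tr,64,128,36000
NTP,4134,-,234,11700,300
NTP,174,-,234,11700,301
NTP,4134,-,234,11700,300
CHARGEN,6128,-,1,1024,600
CHARGEN,16135,-,1,1024,599
CHARGEN,16135,-,1,1024,600
this line is malformed and must be skipped
"""

def parse_events(text):
    """Parse one event per line; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        method, asn, name, req, resp, dur = parts
        try:
            events.append({"method": method, "asn": int(asn), "name": name,
                           "req": int(req), "resp": int(resp), "dur": int(dur)})
        except ValueError:
            continue
    return events

def count_by(events, key):
    """Event count per value of `key`, highest first, like the report's rank tables."""
    return Counter(e[key] for e in events).most_common()

def amplification_by_name(events):
    """Mean bandwidth amplification (response bytes / request bytes) per reflected DNS name."""
    ratios = defaultdict(list)
    for e in events:
        if e["method"] == "DNS" and e["req"] > 0:
            ratios[e["name"]].append(e["resp"] / e["req"])
    return {name: round(sum(v) / len(v), 1) for name, v in ratios.items()}

def median_duration_by_method(events):
    """Median duration per method; values clustering on round numbers hint at the tool's timer."""
    durs = defaultdict(list)
    for e in events:
        durs[e["method"]].append(e["dur"])
    return {m: median(v) for m, v in durs.items()}
```

On the constructed sample, nic.tr comes out at 2.0x and turkey.com at 3.9x, matching the ratios the report cites, and the medians land on the 36,000 / 300 / 600 second timers discussed above.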


Observed attacks against Turkey started November 13 and peaked December 27. Not only was nic.tr the most queried domain for DNS attacks this quarter, but ns3.nic.tr. was the recipient of the most packets observed from our honeypots for DNS attacks. The peak of these attacks may be related to rising tensions between Russia and Turkey. Russia is not an amateur when it comes to executing denial of service attacks in response to political events.

Top 10 target countries by event count, Q4 2015

Rank  Country   Count
   1  TR       118783
   2  US        31181
   3  CN        17634
   4  FR         5710
   5  GB         4032
   6  BR         3690
   7  DE         3158
   8  RU         3013
   9  CA         2847
  10  AT         2644

Geopolitical events consistently change the landscape of attacks. These events can happen in a heartbeat and do not require government sponsorship. Whether countries officially support the attacker or turn a blind eye, these types of campaigns happen regularly. No country is innocent of these types of attacks: for example, Iran targeting financial institutions, Russia attacking Estonia or Georgia, and the US turning a blind eye to the political activist the Jester.

All data used to generate this attack report as well as the project used to monitor the honeypots will be published to https://github.com/kingtuna/Hybrid-Darknet-Concept.
