Kaspersky: 2018 Q2 DDoS Attack Report

Posted by tzul at 2020-03-07

This report analyzes and summarizes DDoS activity in Q2 2018, including attack types, attack duration, changes in the geographic and temporal distribution of attacks, and the distribution of botnets. After the memcached amplification attacks, attackers began looking for other ways to amplify their attacks, as shown by the use of UPnP, UDP, NTP and other protocols. Fortunately, although traces of such attacks exist, real use in the wild is still very rare.

This quarter China led in the number of attacks, the number of unique targets and the regional density of both; in the number of attacks, Hong Kong entered the top three for the first time with 17.13%.

Although attacks on cryptocurrency remain highly profitable, e-sports, streaming media and individual players will become the most attractive battleground for attack capacity in the future, as DDoS is also an effective way for businesses to undercut their competitors. An affordable DDoS protection solution for individuals will therefore become a market need.

Threat overview

Key points of Q2 2018: non-standard exploitation of old vulnerabilities, new botnets, fierce competition over cryptocurrencies, high-profile DDoS attacks with possible political motives, the Slashdot effect, some clumsy attempts by activists, and a handful of arrests.

Given the devastating consequences of DDoS attacks, we do not celebrate when our predictions come true. Still, the prediction in last quarter's report was confirmed: cyber criminals continue to seek new, non-standard means of amplification. Even before the panic over the memcached attack wave subsided, security experts found amplification attacks exploiting another vulnerable protocol, Universal Plug and Play (UPnP), which dates from 2001. UPnP allows junk traffic to be sent from multiple ports instead of a single one, and the ports can be switched at random if one is blocked. Researchers detected two related attacks on April 11 and April 26, the first using UPnP to amplify a DNS attack and the second to amplify an NTP attack. In addition, Kaspersky's DDoS Protection team detected an attack exploiting a weakness in the chargen (Character Generator) protocol. The attack was relatively weak; the attacker used the same protocol to amplify a flood against the provider ProtonMail after the company's executive director made improper remarks.

New botnets have brought more trouble for network security experts. One notable case is a botnet built by hackers from 50,000 surveillance cameras in Japan. New variants of the Hide-n-Seek malware pose a serious threat, as in a sense the first known botnet malware to survive a reboot of an infected device. Although the botnet has not yet been used to launch DDoS attacks, experts do not rule out this function being added later, because there are not many options for monetizing a botnet.

At present, one of the most popular monetization methods is still attacking cryptocurrency websites and exchanges: DDoS attacks can be used not only to keep competitors from gaining investors but also as a means of making a lot of money. The cryptocurrency Verge is a case in point: in late May, a hacker attacked Verge's mining pools and mined 35 million XVG tokens, worth $1.75 million, in just a few hours. Verge was hit twice in two months, but the previous attack was not a DDoS attack.

Not only that, on June 5 cyber criminals also attacked the Bitfinex cryptocurrency trading platform, and a large wave of junk traffic followed the system crash. Such multi-stage attacks are likely intended to destroy a website's credibility. The DDoS attack on the online poker site Americas Cardroom may also have been the work of competitors; it interrupted and finally cancelled a tournament held by the site. The attack was said to be a political protest against the tournament's avatars of Donald Trump and Kim Jong Un.

As always, most of the media buzz last quarter was about politically motivated DDoS attacks. In mid-April, UK and US law enforcement agencies warned that Russian hackers (suspected of Kremlin sponsorship) had compromised a large number of devices in the US, EU and Australia, waiting for an opportunity to launch future attacks. A few days later, in late April, the website of United Russia, Russia's largest political party, was offline for two days because of DDoS attacks, and there was little public speculation about who was behind it.

The attack on DSB, the Danish railway company, was also alleged to be politically motivated. About 15,000 customers were unable to buy train tickets through the company's apps, ticket machines, website and stores, and operators had to sell tickets manually. It is believed to be a continuation of the attacks on Swedish infrastructure last autumn.

At the end of the quarter, attention turned to the elections in Mexico and an attack on an opposition website that hosted compromising information about competitors' illegal activities. According to the victims, the attack began during the pre-election debate, when the party's candidate showed viewers a poster with the website address. Immediately after the event, however, it was rumored that DDoS was not the culprit but the Slashdot effect (the surge in traffic to a niche website after a popular website links to it). Reddit users also call it "the hug of death". The phenomenon has existed since the early days of the Internet. Bandwidth was the main problem then, but even now, amid media hype, the impact of a large volume of legitimate traffic on small websites remains.

Kaspersky's DDoS Protection team also observed the Slashdot effect early this summer. After the Russian president held a press conference, a mainstream news outlet reporting on it received tens of thousands of HTTP GET requests at the same time. The apparent botnet size suggested a new round of attacks involving IoT devices, but KDP experts found that the User-Agent HTTP header of all the suspicious requests contained the substring "Xiaomi miuibrowser". In fact, Xiaomi phone users with the browser app installed had received a push notification about the conference; many were evidently interested and visited the link, producing the excessive requests.
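The User-Agent check that separated this flash crowd from a botnet can be scripted. The following is an added example, not code from Kaspersky or KDP: it parses constructed combined-format access log lines (sample data, not real telemetry) and reports how concentrated a GET surge is in one browser family and how many distinct clients that family spans; the UA_FAMILIES grouping and thresholds are assumptions for illustration.

```python
"""Triage an HTTP GET surge by User-Agent family, as in the Slashdot-effect
case above. Log lines are constructed sample data in combined log format
(not KDP telemetry); UA_FAMILIES is an assumed grouping for the example."""
import re
from collections import Counter, defaultdict
from typing import Dict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Checked in order; "MiuiBrowser" is the token the page quotes. "Mozilla" comes
# last because nearly every browser UA contains it.
UA_FAMILIES = ("MiuiBrowser", "curl", "python-requests", "Mozilla")

def ua_family(ua: str) -> str:
    for token in UA_FAMILIES:
        if token.lower() in ua.lower():
            return token
    return "other"

def triage(log_text: str, dominant_share: float = 0.6, min_clients: int = 3) -> Dict:
    """Summarize a burst: request count, top UA family, its share and distinct
    client IPs, and the most requested path. One browser family spread over many
    clients is consistent with a push-notification crowd; a botnet more often
    shows few clients or scattered, unusual agents."""
    hits, paths, clients = Counter(), Counter(), defaultdict(set)
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # skip unparsable lines and non-GET methods
        fam = ua_family(m["ua"])
        hits[fam] += 1
        clients[fam].add(m["ip"])
        paths[m["path"]] += 1
    total = sum(hits.values())
    if total == 0:
        return {"requests": 0, "verdict": "no-data"}
    top_fam, top_hits = hits.most_common(1)[0]
    share = top_hits / total
    crowd = share >= dominant_share and len(clients[top_fam]) >= min_clients
    return {"requests": total, "top_family": top_fam, "share": round(share, 2),
            "top_family_clients": len(clients[top_fam]),
            "top_path": paths.most_common(1)[0][0],
            "verdict": "consistent-with-flash-crowd" if crowd else "inconclusive"}

# Constructed sample: five Xiaomi browser clients plus two unrelated requests.
SAMPLE_LOG = "\n".join([
    f'203.0.113.{i} - - [07/Jun/2018:15:01:0{i} +0300] "GET /news/press-conference HTTP/1.1" '
    f'200 5120 "-" "Mozilla/5.0 (Linux; Android 8.0; MI 6) XiaoMi/MiuiBrowser/9.0"'
    for i in range(1, 6)
] + [
    '198.51.100.7 - - [07/Jun/2018:15:01:07 +0300] "GET /news/press-conference HTTP/1.1" 200 5120 "-" "curl/7.58.0"',
    '198.51.100.8 - - [07/Jun/2018:15:01:08 +0300] "POST /api/comment HTTP/1.1" 403 0 "-" "python-requests/2.18"',
])
```

Run `triage(SAMPLE_LOG)` to see the summary; with real logs, compare the verdict against the referrer and arrival pattern before concluding anything.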

At the same time, law enforcement agencies have been working to stop organized attacks: in late April, the European police agency Europol succeeded in shutting down the world's largest DDoS-for-hire service. The site had more than 136,000 users and had been the source of more than 4 million DDoS attacks in recent years. After the takedown, security reports showed conflicting trends: some companies detected a significant drop in DDoS activity in Europe (while warning that the decline might be short-lived), but other vendors noted that the number of attacks grew in all regions, possibly the result of hackers trying to compensate by building new botnets and expanding old ones.

Most importantly, some of those behind DDoS attacks were caught and convicted. German hacker zzboot was sentenced to 22 months' probation for attacking large companies in Germany and Britain and extorting ransom; Taipei hacker Chung was arrested on suspicion of attacking the Taiwan Bureau of Investigation, the presidential office, China Telecom and the central bank; and meanwhile a hacker who claimed to be a hacktivist was arrested in the United States for disrupting the work of the Ohio police.

Another minor but curious arrest took place in the United States: an amateur hacker from Arizona was jailed and fined after an acquaintance posted a tweet under his name online. Bitcoin Baron, a cyber criminal with only basic skills, had terrorized American towns for years, attacking government agency websites and demanding ransom, and once seriously hindered emergency response services. He also tried to position himself as a hacktivist, but his conduct ruined whatever reputation he might have had, especially when he tried to hack the website of a children's hospital and fill it with child pornography.

Quarterly trend

In the first half of 2018, the average and maximum attack power fell significantly compared with the second half of 2017, which is due to the seasonal decline in attack activity observed at the start of the year. However, comparing the indicators for the first half of 2017 with those for the first half of 2018 shows a clear upward trend in attack power.

Trend in DDoS attack power, 2017-2018

One way to increase attack power is amplification through third parties. As mentioned in the threat overview, hackers are looking for ways to amplify DDoS attacks through new (or forgotten) vulnerabilities in popular software, and unfortunately there have been successful cases. This time, the KDP team detected and repelled an attack with traffic of hundreds of Gbit/s that exploited a weakness in the chargen protocol, a simple old protocol defined in RFC 864 in 1983.

The chargen protocol is mainly used for testing and measurement and can listen on TCP and UDP sockets. In UDP mode, a chargen server responds to any incoming datagram with a string of 0 to 512 random ASCII characters. Attackers abuse this by sending requests to vulnerable chargen servers with the source address spoofed to the victim's address. US-CERT estimates the amplification factor at 358.8x, but the value varies because the response length is random.

Although the protocol is dated and has limited use, many open chargen servers can be found on the Internet, mainly printers and copiers whose firmware enables the service by default.

As reported by KDP and other vendors (such as Radware and Nexusguard), UDP attacks abusing chargen show that attacks using more convenient protocols (such as DNS or NTP) are weakening, because the industry has well-established defenses against such UDP floods. Hence the shift to simple but outdated protocols: cyber criminals are betting that modern security systems cannot cope with attacks nobody expects any more. Although the search for non-standard vulnerabilities will undoubtedly continue, the supply of vulnerable servers is limited (how often are old copiers networked?), so chargen-type amplification attacks are unlikely to spread worldwide.
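From the victim's side, a reflected chargen flood (and the DNS, NTP, memcached and UPnP variants named above) has one common signature: UDP replies arriving from a service port that the victim never sent a request to, from many servers at once. The following added example (not Kaspersky or KDP code) applies that check to constructed NetFlow-style records; the record layout and the REFLECTOR_PORTS table are assumptions for the illustration.

```python
"""Victim-side detector for UDP reflection floods such as the chargen attack
described above. Flow records are constructed sample data in an assumed
"proto src:port dst:port packets bytes" layout, not a real collector's format."""
from collections import defaultdict, namedtuple
from typing import Dict, List

# UDP service ports of the amplification vectors the page names.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 1900: "upnp-ssdp", 11211: "memcached"}

Flow = namedtuple("Flow", "proto src_ip src_port dst_ip dst_port packets nbytes")

def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.strip().splitlines():
        proto, src, dst, pkts, nbytes = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(proto, sip, int(sport), dip, int(dport), int(pkts), int(nbytes)))
    return flows

def find_reflection(flows: List[Flow], min_reflectors: int = 3) -> List[Dict]:
    """Flag hosts receiving UDP traffic *from* a reflector service port that they
    never sent a request to. A spoofed-request flood looks exactly like this from
    the victim's side: unsolicited replies from many servers at once."""
    # Requests this network actually sent: (our ip, server ip, server port).
    solicited = {(f.src_ip, f.dst_ip, f.dst_port) for f in flows if f.proto == "udp"}
    agg = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.dst_ip, f.src_ip, f.src_port) in solicited:
            continue  # a genuine reply to a request we observed
        a = agg[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
        a["sources"].add(f.src_ip)
        a["bytes"] += f.nbytes
        a["packets"] += f.packets
    alerts = []
    for (victim, service), a in agg.items():
        if len(a["sources"]) >= min_reflectors:
            alerts.append({"victim": victim, "service": service,
                           "reflectors": len(a["sources"]), "bytes": a["bytes"],
                           # chargen replies carry 0-512 random bytes, so the
                           # mean packet size sits in the low hundreds
                           "avg_packet_bytes": a["bytes"] // a["packets"]})
    return sorted(alerts, key=lambda x: -x["bytes"])

# Constructed sample: four chargen reflectors flooding one host, one legitimate
# DNS exchange, and one lone NTP reply that stays below the threshold.
SAMPLE_FLOWS = """
udp 198.51.100.7:19 203.0.113.10:40000 1000 300000
udp 198.51.100.8:19 203.0.113.10:40001 900 270000
udp 198.51.100.9:19 203.0.113.10:40002 1100 330000
udp 198.51.100.20:19 203.0.113.10:40003 800 240000
udp 203.0.113.10:5353 192.0.2.53:53 1 60
udp 192.0.2.53:53 203.0.113.10:5353 1 120
udp 192.0.2.99:123 203.0.113.11:123 1 76
"""
```

`find_reflection(parse_flows(SAMPLE_FLOWS))` returns one alert for the chargen flood; the DNS reply is suppressed because the matching request is in the same records, which is why the check needs flows in both directions.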

As the methods of cyber criminals become more sophisticated, they open up new fields of targets. A DDoS attack on a home user is simple but unprofitable; an attack on an enterprise is profitable but complex. Today's DDoS planners have found the best compromise between the two: the online gaming industry and streaming media. Take the growing popularity of e-sports, where winners can earn from tens to thousands of dollars. The biggest events are usually held in special venues with large screens and auditoriums, but the preceding qualifying rounds are played from home. In that case a well-planned DDoS attack on a team can easily get it eliminated from the championship at an early stage. The servers used for the competition may also be targeted, and the threat of interrupting the competition can easily persuade organizers to pay a ransom. According to Kaspersky Lab's client data, DDoS attacks on e-sports players and websites that end in denial of access are becoming more and more common.

Similarly, cyber criminals are trying to monetize video game streaming channels. Professional streamers broadcast popular games live, and viewers donate small amounts to show support; the more viewers, the higher the streamer's income. Top players earn hundreds or thousands of dollars, and streaming has become their main profession. With fierce competition in the e-sports market, a DDoS attack that disrupts a live broadcast makes matters worse and costs the streamer subscribers.

Like e-sports players, home streamers are also vulnerable to DDoS attacks, relying essentially on their Internet providers. At present the only solution may be a dedicated platform that gives them effective protection.

Quarterly summary

The quarter began with a surge in DDoS attacks, especially in mid-April; late May and early June, by contrast, were relatively quiet.

By number of attacks, China accounts for 59.03% of the total, followed by Hong Kong with 17.13%. Hong Kong also ranks third by number of unique targets with 12.88%, behind China (52.36%) and the United States (17.75%).

Attacks were fairly evenly distributed over the days of the week, with Tuesday the busiest and Thursday the quietest, but the differences are small.

The share of SYN attacks surged to 80.2%, with UDP attacks second at 10.6%.

The share of attacks by Linux botnets rose significantly to 94.47% of all single-family attacks.

Regional distribution of attacks

The new quarter held some surprises. China still leads by number of attacks (59.03%), almost unchanged from 59.42% in Q1. However, for the first time since monitoring began, Hong Kong entered the top three, rising from fourth to second: its share surged from 3.67% to 17.13%, an almost fivefold increase, pushing down the United States (12.46%) and South Korea (3.21%).

Another geographical surprise is that Malaysia (1.30%) rose to fifth place; Australia (1.17%) and Vietnam (0.50%) entered the top ten, while Japan, Germany and Russia, previously hot spots, fell out of it; Britain (0.50%) and Canada (0.69%) took eighth and seventh place respectively.

In terms of the total number of attacks, the top ten's share in Q2 (96.44%) is also slightly higher than the 95.44% in Q1.

Distribution of DDoS attacks by country, Q1 and Q2 2018

The geographical distribution of unique targets matches that of the number of attacks: China accounts for 52.36%, up 5 percentage points from the previous quarter. Next come the United States (17.5%) and Hong Kong (12.88%), with Hong Kong rising from fourth to third and displacing South Korea (4.76%). Note that the most popular attack target in Hong Kong is Microsoft Azure servers. The UK (0.8%) fell from fourth to eighth.

Japan and Germany dropped out of the top 10, while Malaysia (2.27%) took fourth place and Australia (1.93%) fifth. The top ten's share of all unique targets in Q2 (95.09%) was slightly higher than in Q1 (94.17%).

Distribution of unique DDoS attack targets by country, Q1 and Q2 2018

Dynamics of the number of DDoS attacks

The peak of Q2 2018 activity came in mid-April: there were many attacks in the middle of the month, with two peaks only a few days apart, on April 11 (1,163 attacks) and April 15 (1,555). The quietest points of the quarter came late in the period and at its end, on May 24 (13) and June 17 (16).

Dynamics of the number of DDoS attacks, Q2 2018

In Q2 2018 Sunday, formerly the quietest day for cyber criminals, became the second most active: it accounted for 14.99% of attacks, up from 10.77% in the previous quarter. But the prime day was Tuesday with 17.49% of the total, falling to 12.75% on Wednesday. In general, as the figure below shows, attacks between April and June were distributed more evenly over the days of the week than at the start of the year.

Distribution of DDoS attacks by day of the week, Q1-Q2 2018

Duration and types of DDoS attacks

The longest attack in Q2 lasted 258 hours (nearly 11 days), slightly shorter than the 297 hours (12.4 days) recorded in the previous quarter. Its target was an IP address belonging to China Telecom.

Overall, the share of such long attacks was 0.12%, down 0.02 percentage points. While the share of attacks lasting 100-139 hours hardly changed, the share lasting 10-50 hours almost doubled, from 8.28% to 16.27%; the share lasting 5-10 hours also grew by nearly half, from 10.73% to 14.01%. The share of short attacks of 4 hours or less fell significantly, from 80.73% in January to 69.49% in March.

Distribution of DDoS attacks by duration (hours), Q1-Q2 2018

The shares of all other attack types decreased: UDP attacks (10.6%) ranked second, while TCP, HTTP and ICMP attacks had smaller shares.

Distribution of DDoS attacks by type, Q2 2018

Ratio of Windows- and Linux-based botnet attacks, Q2 2018

Geographical distribution of botnets

The top ten regions hosting botnet C&C servers changed a lot. The United States (44.75%) ranks first with almost half of all C&C servers, up from only 29.32% in Q1. South Korea fell from first to second with 11.05%, a drop of nearly 20 percentage points. China's share dropped significantly, from 8% to 5.52%, and Italy took its place, climbing from 6.83% to 8.84%. Hong Kong fell out of the top 10 this time, while Vietnam unexpectedly entered it for the first time, ranking seventh with 3.31%.

Distribution of botnet C&C servers by country, Q2 2018


In Q2 2018, cyber criminals continued to look for exploitable flaws in UDP-based protocols, so we may well hear of other sophisticated amplification methods in the near future.

Another point worth noting is the potential threat of botnets built on the UPnP protocol; fortunately, although such cases have been observed, they remain very rare in the wild.

Windows botnet activity decreased, especially Yoyo, which declined exponentially; Nitol, Drive and Skill also declined. At the same time, the number of attacks by the Linux Xor botnet increased significantly, while attacks by another notorious Linux botnet, Darkai, decreased slightly. Hence SYN flooding was the most popular attack type.

The overall attack duration has changed little since last quarter, but the share of medium-length attacks grew while that of short attacks fell. Overall attack strength is also increasing. For cyber criminals, the fastest route to money still seems to be cryptocurrency, but we will soon see high-end attacks on e-sports and small-scale extortion of individual streamers and players. The market therefore needs DDoS protection that individuals can afford.

This article was compiled by arain and zhihuowa with reference to the following links:

Another recruitment notice: a company in Shenzhen is hiring security professionals, mainly for security and ecosystem building; for details contact arainchen privately.