DDoS Attack Type Analysis
Proportions of Different Attack Types
In 2019, the most frequently seen attack types were UDP floods, SYN floods, and ACK floods, which together accounted for 82% of all DDoS attacks. By contrast, reflection attacks made up only 10%. Compared with 2018, the number of reflection attacks rose slightly, but their share of the total remained small.
UDP floods, SYN floods, and ACK floods still dominated DDoS attacks. By contrast, the proportion of HTTP flood attacks decreased to 0.1% from 8.3% in 2018.
Of all DDoS attacks, 12.5% combined multiple attack methods. By flexibly combining several methods to suit the target environment, attackers can generate large amounts of traffic and exploit weaknesses in different protocols and systems at the same time, bringing their resources into full play. On the other side of the fence, defenders find it costly to analyze, respond to, and mitigate attacks that span several protocols and draw on several kinds of resources. Another thing to note is that multi-vector attacks were prominent among super-sized attacks in 2019, second only to SYN floods. For details, see section 3.2.2 Distribution of Attack Types by Consumed Bandwidth.
Typical case:
In August 2019, a customer of Cloud DPS in the gaming industry experienced persistent high-volume DDoS attacks within a single month, including more than 20 attacks that peaked above 200 Gbps. The largest peak hit 388.5 Gbps. After Cloud DPS filtered out the attack traffic, the remaining legitimate traffic was only 110.6 Mbps, less than 0.1% of the total.
The attacks were focused on the customer’s two network segments, with the following characteristics:
One network segment was mainly hit by UDP floods of various kinds, including plain UDP floods and the distributed reflective denial-of-service (DRDoS) attacks that have been prevalent in recent years, such as NTP, SSDP, and SNMP reflection. DRDoS attacks are typically launched through large numbers of source IP addresses worldwide and build up to over 200 Gbps within tens of minutes to about an hour. In a reflection attack the reflected packets carry the reflector's service port as their UDP source port (123 for NTP, 1900 for SSDP, 161 for SNMP), an obvious signature that simple protection rules can block. What is put to the test is therefore not the detection algorithm, but the coverage of the cleaning centers, the stability of the cleaning links, and the throughput of the cleaning devices.
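The source-port signature described above is simple enough to turn into a filter and a traffic split. The following is an added example (not code from the report or from Cloud DPS): it tags UDP packets arriving at an assumed protected segment (203.0.113.0/24, a documentation range) whose source port is a well-known reflector service port, sums packets and bytes per vector, and emits iptables-style drop rules for the ports actually seen. The packet records are constructed for the example, not captured data.

```python
from collections import Counter, namedtuple

# One record per UDP packet. Constructed sample, modelled on the three reflection
# vectors named in the case (NTP, SSDP, SNMP) plus some ordinary game traffic.
UdpPacket = namedtuple("UdpPacket", "src_ip src_port dst_ip dst_port length")

# Reflected replies come *from* the reflector's service port, so the UDP source
# port is the signature a stateless rule can match.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 161: "SNMP"}

PROTECTED_NET = "203.0.113."  # assumed victim segment (RFC 5737 documentation range)

SAMPLE = [
    UdpPacket("198.51.100.7", 123, "203.0.113.10", 40231, 468),    # NTP reply
    UdpPacket("198.51.100.8", 123, "203.0.113.10", 40231, 468),    # NTP reply
    UdpPacket("192.0.2.33", 1900, "203.0.113.10", 5007, 312),      # SSDP reply
    UdpPacket("192.0.2.34", 161, "203.0.113.11", 5008, 1400),      # SNMP reply
    UdpPacket("192.0.2.200", 5060, "203.0.113.10", 5060, 90),      # unrelated UDP
    UdpPacket("198.51.100.9", 53001, "203.0.113.10", 27015, 120),  # game client
]


def classify(pkt):
    """Return the reflection vector name if pkt looks like a reflected reply
    aimed at the protected segment, otherwise None."""
    if not pkt.dst_ip.startswith(PROTECTED_NET):
        return None
    return REFLECTOR_PORTS.get(pkt.src_port)


def summarize(packets):
    """Count packets and bytes per vector; unmatched traffic is booked as 'legit'."""
    pkts, byts = Counter(), Counter()
    for p in packets:
        vec = classify(p) or "legit"
        pkts[vec] += 1
        byts[vec] += p.length
    return pkts, byts


def attack_byte_share(packets):
    """Fraction of bytes attributed to reflection vectors (what the scrubber drops)."""
    _, byts = summarize(packets)
    total = sum(byts.values())
    return 0.0 if total == 0 else (total - byts["legit"]) / total


def filter_rules(packets):
    """Emit one iptables-style drop rule per reflector source port actually seen."""
    seen = sorted({p.src_port for p in packets if classify(p)})
    return [f"-A INPUT -d {PROTECTED_NET}0/24 -p udp --sport {port} -j DROP"
            for port in seen]


if __name__ == "__main__":
    pkts, byts = summarize(SAMPLE)
    for vec in pkts:
        print(f"{vec:6s} {pkts[vec]:3d} pkts {byts[vec]:6d} bytes")
    print(f"attack share of bytes: {attack_byte_share(SAMPLE):.1%}")
    print("\n".join(filter_rules(SAMPLE)))
```

Two caveats a practitioner would add before deploying such rules. First, large reflected replies (NTP monlist responses in particular) are often IP-fragmented, and only the first fragment carries a UDP header, so a port match must be paired with a rule for non-first fragments. Second, the rule is only safe on a segment that never needs inbound NTP, SSDP or SNMP replies; a game server that syncs its own clock would lose legitimate NTP responses, which is why such rules are scoped to the victim prefix rather than applied globally.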
The other network segment was subject to empty-connection attacks that peaked at only around 100 Gbps but were able to bypass conventional TCP protection algorithms. By capturing and analyzing packets, security experts worked out the pattern: a zombie sends a TCP connection request to the server, which responds as expected; as soon as the three-way handshake completes, the zombie sends FIN and RST packets and then opens a new connection, so the server keeps setting up and tearing down connections and burns resources on each one. Because the handshake is genuinely completed, defenses that only verify the client finishes the handshake let these sources through. This type of attack puts to the test the defense operations provider's response speed, the promptness of dynamic policy adjustment, and the experience of its security staff.
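The pattern above is only visible with per-connection state: each source completes the handshake (so SYN-cookie or first-SYN-drop style checks pass) and the tell-tale is the lifetime of the connection and the rate at which one source repeats the cycle. The following added example (not code from the report or from Cloud DPS) tracks client-to-server TCP segments through SYN, SYN-ACK and ACK, and counts, per source, connections torn down with FIN or RST within an assumed short window of completing the handshake. The server address, the window and the threshold are assumptions, and the trace is constructed for the example.

```python
from collections import defaultdict, namedtuple

# One TCP segment: timestamp, endpoints, and the flags as a short string
# ("S" = SYN, "SA" = SYN-ACK, "A" = ACK, "F"/"FA" = FIN, "R"/"RA" = RST).
Seg = namedtuple("Seg", "ts src sport dst dport flags")

SERVER = ("203.0.113.10", 27015)  # assumed protected game server (documentation address)
CHURN_WINDOW = 0.05               # assumed: handshake-to-teardown gap that counts as churn (s)
CHURN_THRESHOLD = 3               # assumed: churned connections per source before flagging


def find_churners(segments):
    """Return {src_ip: count} for sources that complete the three-way handshake and
    tear the connection down within CHURN_WINDOW at least CHURN_THRESHOLD times."""
    state = {}              # (client_ip, client_port) -> (phase, timestamp of that phase)
    churn = defaultdict(int)
    for s in sorted(segments, key=lambda seg: seg.ts):
        if (s.dst, s.dport) == SERVER:                   # client -> server direction
            key = (s.src, s.sport)
            phase = state.get(key, ("", 0.0))[0]
            if s.flags == "S":
                state[key] = ("synsent", s.ts)
            elif s.flags == "A" and phase == "synrcvd":  # third packet: handshake done
                state[key] = ("established", s.ts)
            elif s.flags in ("F", "FA", "R", "RA") and key in state:
                phase, t0 = state.pop(key)
                if phase == "established" and s.ts - t0 <= CHURN_WINDOW:
                    churn[s.src] += 1
        elif (s.src, s.sport) == SERVER and s.flags == "SA":  # server -> client SYN-ACK
            key = (s.dst, s.dport)
            if state.get(key, ("", 0.0))[0] == "synsent":
                state[key] = ("synrcvd", s.ts)
    return {ip: n for ip, n in churn.items() if n >= CHURN_THRESHOLD}


def handshake(ts, client, cport, teardown_after, teardown_flags):
    """Build a full handshake from `client` followed by a teardown segment
    `teardown_after` seconds after the handshake completes (constructed data)."""
    return [
        Seg(ts, client, cport, *SERVER, "S"),
        Seg(ts + 0.001, *SERVER, client, cport, "SA"),
        Seg(ts + 0.002, client, cport, *SERVER, "A"),
        Seg(ts + 0.002 + teardown_after, client, cport, *SERVER, teardown_flags),
    ]


# Constructed trace: one zombie opening four connections and resetting each
# right after the handshake, interleaved with one legitimate client that keeps
# its connection for five seconds before closing it with FIN.
TRACE = []
for i in range(4):
    TRACE += handshake(1.0 + i * 0.01, "198.51.100.5", 40000 + i, 0.001, "R")
TRACE += handshake(1.0, "192.0.2.50", 51000, 5.0, "FA")


if __name__ == "__main__":
    for ip, n in find_churners(TRACE).items():
        print(f"{ip}: {n} connections completed and torn down within {CHURN_WINDOW}s")
```

The output of `find_churners` is the input to the dynamic policy the text refers to: a source exceeding the threshold gets rate-limited or blocked for a period, and the window and threshold are tuned against the protected application's normal connection lifetimes so that short-lived but legitimate sessions (a matchmaking ping, for instance) are not caught.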
Distribution of Attack Types by Consumed Bandwidth
In 2019, SYN flood attacks overtook UDP flood attacks to contribute the largest proportion of volumetric attacks.
The following figure shows the distribution of super-sized attacks (> 300 Gbps) in 2019. SYN floods took the largest slice of the pie, followed by multi-vector attacks at 32%. Attacks of this size pose a serious challenge to the throughput of cleaning devices, the stability of cleaning links, and the effectiveness of defense operations.
Reflection Attacks
In 2019, reflection attacks made up 10% of all DDoS attacks by count, but 18% of all DDoS traffic by volume. Because of their amplification effect, reflection attacks remain a hazard that cannot be ignored, and emerging reflection vectors deserve continued attention. According to the in-depth analysis of WS-Discovery reflection attacks by NSFOCUS Security Labs in the second half of 2019, about 910,000 IP addresses worldwide exposed the WSD service to the Internet, leaving them open to abuse as DDoS reflectors (with an amplification factor as high as 500). Of these devices, 80%, or about 730,000, were video surveillance devices.
In terms of the attack count, NTP reflection and SSDP reflection attacks dominated reflection attacks, together accounting for 84%. In terms of the attack traffic, NTP reflection attacks stood out, contributing 65% of all reflection attack traffic.
To be continued.