2019 Cybersecurity Insights - 10

July 10, 2020 | Mina Hao

Second Largest Gang by the Number of Attack Sources

The second largest gang in terms of the number of attack sources generated the largest traffic. This gang had 23,000 recidivists and favored volumetric SYN flood attacks. According to historical attack records, 99.54% of recidivists had resorted to this kind of attack. This gang stayed active from January to October and was at its busiest in May.

Figure 5-14 shows the monthly trend in the number of attack sources and attack targets of this gang. We can see that the gang remained active from January to October, with more attack sources in January, April, May, and June. On average, 6000 active attack sources launched attacks against seven targets each month.

Figure 5-15 shows the activity distribution of the second largest gang, with the x-axis indicating the date (by day) and the y-axis indicating the IP addresses of attack targets. A red spot indicates that this gang hit an IP address on a specific date, and the size of the spot represents the number of gang members involved in attacks against that target. The denser and larger the red spots are on a given date, the more active the gang was that day, that is, the more frequently it performed DDoS attacks in a coordinated way. According to statistics, on one day as many as 8639 attack sources hit a single target simultaneously, the highest single-day figure recorded in 2019.
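The metrics behind Figures 5-14 and 5-15 (distinct sources per target-day, monthly active sources, and the share of sources using each attack type) can be reproduced from per-flow attack records. The following is an added example written for this post, not code from the report or its authors; the attack records, source names and target names are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample attack records: (day, attack_source, target, attack_type).
# Real data would be one record per observed attack flow; these values are invented.
RECORDS = [
    (date(2019, 5, 19), "src1", "tgtA", "SYN flood"),
    (date(2019, 5, 19), "src2", "tgtA", "SYN flood"),
    (date(2019, 5, 19), "src3", "tgtA", "SYN flood"),
    (date(2019, 5, 19), "src3", "tgtA", "SYN flood"),  # repeated flow from the same source
    (date(2019, 5, 19), "src4", "tgtB", "UDP flood"),
    (date(2019, 5, 20), "src1", "tgtB", "SYN flood"),
    (date(2019, 5, 20), "src2", "tgtB", "SYN flood"),
    (date(2019, 6, 11), "src5", "tgtA", "SYN flood"),
    (date(2019, 6, 11), "src1", "tgtA", "SYN flood"),
]

def sources_per_target_day(records):
    """Distinct attack sources per (day, target): the size of one red spot in Figure 5-15."""
    spots = defaultdict(set)
    for day, src, tgt, _ in records:
        spots[(day, tgt)].add(src)          # a set, so repeated flows are not double counted
    return {key: len(srcs) for key, srcs in spots.items()}

def peak_coordination(records):
    """(day, target, n_sources) for the busiest target-day, the '8639 sources on one day' style figure."""
    (day, tgt), n = max(sources_per_target_day(records).items(), key=lambda kv: kv[1])
    return day, tgt, n

def coordinated_days(records, min_sources):
    """Target-days on which at least min_sources distinct sources hit the same target."""
    spots = sources_per_target_day(records)
    return sorted(key for key, n in spots.items() if n >= min_sources)

def monthly_active_sources(records):
    """Distinct sources active per (year, month): the attack-source curve of Figure 5-14."""
    months = defaultdict(set)
    for day, src, _, _ in records:
        months[(day.year, day.month)].add(src)
    return {month: len(srcs) for month, srcs in months.items()}

def attack_type_share(records):
    """Share of distinct sources that used each attack type at least once (the '99.54% used SYN flood' metric)."""
    by_type, all_sources = defaultdict(set), set()
    for _, src, _, atype in records:
        by_type[atype].add(src)
        all_sources.add(src)
    return {atype: len(srcs) / len(all_sources) for atype, srcs in by_type.items()}
```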

Figure 5-16 shows the attack type distribution of the second largest gang. We can see that this gang mainly resorted to SYN flood attacks.

Peak traffic (Gbps) is a key indicator for measuring a gang's attack capability and degree of maliciousness, so knowing the gang's upper capability limit is of great importance to defense planning. From the gang's peak traffic trend in 2019 shown in Figure 5-17, we can see that this gang frequently generated over 100 Gbps of traffic, with very large attacks exceeding 300 Gbps on May 19 and 30 and June 11, and one reaching 780 Gbps on August 15, 2019. This demonstrates that the gang has robust attack capabilities and deserves our ongoing attention.

