At 17:00 on May 20, the NSFOCUS SOC detected an abnormal traffic alert at the global monitoring center: the IP addresses of a customer in Hong Kong were under attack, and the attack peaked at 634.6 Gbps. This was the largest attack against NSFOCUS's customers as of the
time this report was written. According to IP gang intelligence from NSFOCUS Threat Intelligence ("NTI"), a large number of the source IP addresses involved in the attack were controlled by IPGang01, an IP gang we have been monitoring continuously. We elaborate on it in the following "attack gangs" chapter.
Gang attacks are large-scale attacks that show high similarity in attack resources, attack techniques and attack goals. Unlike common attack events launched by individual attackers, gang attacks usually pursue economic profit or information breach. Gang analysis can offer significant insight into DDoS events and help us take action in advance.
In the first half of 2020, we monitored 15 IP gangs. The following figure compares the features of these gangs, arranged from top to bottom in descending order of member count. A typical example is IPGang01, which is described in detail below.
As the largest gang within our monitoring scope, IPGang01 contains 217,000 attack sources and 130,000 monthly active resources. It was active on 164 days in the first half of 2020. During this period, it launched 58,000 attacks against 1,366 targets, generating 13,000 Tb of traffic in total. The distribution of its attack features is shown in the following chart.
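The definition of a gang above (events sharing attack resources) and the per-gang figures just quoted (attack sources, attacks, targets, vectors) can be reproduced by clustering DDoS events on reuse of source IPs. The following is an added illustration, not NTI's or NSFOCUS's code, and runs on constructed sample events; the source overlap threshold and the use of union-find are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample events (not real data): id -> (attack-source IP set,
# technique, target). In practice these come from DDoS alert records.
EVENTS = {
    "e1": ({"10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"}, "SYN flood", "203.0.113.10"),
    "e2": ({"10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5"}, "SYN flood", "203.0.113.11"),
    "e3": ({"10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.6"}, "UDP flood", "203.0.113.10"),
    "e4": ({"192.0.2.7", "192.0.2.8", "192.0.2.9"}, "SYN flood", "203.0.113.10"),
    "e5": ({"192.0.2.8", "192.0.2.9", "192.0.2.10"}, "SYN flood", "203.0.113.12"),
    "e6": ({"198.51.100.1", "198.51.100.2"}, "DNS amplification", "203.0.113.13"),
}

def jaccard(a, b):
    """Similarity of two source-IP sets: |a & b| / |a | b|."""
    return len(a & b) / len(a | b) if a or b else 0.0

def cluster_gangs(events, min_overlap=0.5):
    """Group events into gangs with union-find: two events join the same gang
    when they reuse a large share of attack sources (Jaccard >= min_overlap).
    Technique and target are not required to match, since a gang may rotate
    vectors and victims; links are transitive (e1~e2 and e2~e3 => one gang)."""
    parent = {e: e for e in events}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    ids = list(events)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if jaccard(events[a][0], events[b][0]) >= min_overlap:
                parent[find(a)] = find(b)
    gangs = defaultdict(list)
    for e in ids:
        gangs[find(e)].append(e)
    return sorted(gangs.values(), key=len, reverse=True)  # largest gang first

def gang_profile(events, members):
    """Summarise a gang as the report does: sources, attacks, targets, vectors."""
    sources, targets, techniques = set(), set(), defaultdict(int)
    for e in members:
        ips, technique, target = events[e]
        sources |= ips
        targets.add(target)
        techniques[technique] += 1
    return {"attack_sources": len(sources), "attacks": len(members),
            "targets": len(targets), "techniques": dict(techniques)}

if __name__ == "__main__":
    for gang in cluster_gangs(EVENTS):
        print(gang, gang_profile(EVENTS, gang))
```

Raising `min_overlap` splits gangs into tighter clusters; lowering it merges events that share only a few sources, so the threshold should be tuned against known-good gang labels.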
The gang was most active in March, when it launched 60% of its attack events, and its attacks were most lethal in May. The attack with the maximum peak of 636 Gbps on May 20 mentioned above was initiated by this gang; in that attack, SYN floods contributed 33.82% of the traffic.