5.3.2 Attack Type Distribution
In 2018, the most frequent attacks seen[14] were SYN flood, UDP flood, ACK flood, HTTP flood and HTTPS flood attacks, which together accounted for 96% of all DDoS attacks. In contrast, reflection attacks contributed no more than 3% of attacks. Compared with 2017, 2018 saw an 80% decrease in the number of reflection attacks but a 73% increase in other attacks, a shift attributable to the effective governance measures taken against reflectors.
ACK flood attacks generated 42.6% of the total attack traffic. Certain sectors (gaming, for example) have a large number of users and sessions as well as long-lived connections, which makes them easy targets for ACK attacks characterized by large packets. ACK floods are seldom used on their own; they are usually combined with SYN floods to overwhelm hosts and firewalls, which must perform large numbers of calculations to determine whether each incoming ACK packet belongs to a legitimate connection.
SYN flood attacks still stood out among all types of DDoS attacks. In this method an attacker exploits the TCP three-way handshake: a large number of connection requests (SYN packets), typically sent from spoofed source addresses, leaves the target holding half-open connections that are never completed, exhausting the connection backlog and other resources until legitimate clients can no longer connect. The result is a denial of service.
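The two TCP mechanisms above, resource exhaustion by half-open connections and the per-ACK legitimacy check that an ACK flood turns against the defender, can be seen in a small model. The following is an added example and is not code from the report or from any vendor product: a toy stateful backlog next to a stateless SYN-cookie listener. The cookie layout (5-bit time slot, 3-bit MSS index, 24-bit keyed hash of the 4-tuple), the secret key and all addresses are simplifying assumptions, and it is a simulation rather than a TCP stack.

```python
"""Added example (not from the report): a toy model of TCP backlog exhaustion
and of stateless SYN cookies. It is a simulation, not a real TCP stack; the
cookie layout (5-bit time slot, 3-bit MSS index, 24-bit keyed hash) and the
secret key are simplifying assumptions."""
import hashlib
import hmac
import random

SERVER_SECRET = b"constructed-secret-for-example"  # assumption: per-server key


class StatefulBacklog:
    """Classic listener: every SYN allocates a half-open entry that lives
    until the matching ACK arrives or a timeout fires."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.half_open = {}  # (src_ip, src_port) -> server ISN
        self.dropped = 0

    def on_syn(self, src_ip, src_port, isn):
        if len(self.half_open) >= self.capacity:
            self.dropped += 1  # backlog full: the SYN is silently dropped
            return False
        self.half_open[(src_ip, src_port)] = isn
        return True


def stateful_under_flood(capacity, spoofed_syns):
    """Spoofed SYNs never complete the handshake, so the backlog fills up and
    the legitimate client's SYN that arrives afterwards is dropped."""
    b = StatefulBacklog(capacity)
    for i in range(spoofed_syns):
        b.on_syn(f"198.51.100.{i % 250}", 1024 + i, isn=i)  # constructed sources
    legit_ok = b.on_syn("192.0.2.10", 40000, isn=1000)
    return len(b.half_open), b.dropped, legit_ok


def make_cookie(src_ip, src_port, dst_ip, dst_port, t, mss_idx):
    """Encode a time slot (5 bits), an MSS index (3 bits) and a 24-bit keyed
    hash of the 4-tuple into the 32-bit ISN sent back in the SYN-ACK."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
    tag = int.from_bytes(hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((t & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | tag


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now, max_age=3):
    """Return the MSS index if ack-1 is a fresh cookie for this 4-tuple, else None."""
    isn = (ack - 1) & 0xFFFFFFFF
    t, mss_idx = isn >> 27, (isn >> 24) & 0x7
    if (now - t) & 0x1F > max_age:  # stale cookie (the slot counter wraps at 32)
        return None
    return mss_idx if make_cookie(src_ip, src_port, dst_ip, dst_port, t, mss_idx) == isn else None


class CookieListener:
    """Stateless listener: no half-open entry is kept; connection state is
    created only when a valid ACK arrives. The price is one keyed-hash
    computation per SYN and per ACK, which is exactly the work an ACK flood
    forces the host or firewall to do."""

    def __init__(self, dst_ip="203.0.113.5", dst_port=443):
        self.dst = (dst_ip, dst_port)
        self.established = set()
        self.hash_ops = 0
        self.clock = 0  # time-slot counter; assumed to be advanced externally

    def on_syn(self, src_ip, src_port, mss_idx=2):
        self.hash_ops += 1
        return make_cookie(src_ip, src_port, *self.dst, self.clock, mss_idx)

    def on_ack(self, src_ip, src_port, ack):
        self.hash_ops += 1
        if check_cookie(src_ip, src_port, *self.dst, ack, self.clock) is None:
            return False
        self.established.add((src_ip, src_port))
        return True


def cookie_flood(spoofed_syns, bogus_acks):
    """The same SYN flood against a cookie listener, followed by an ACK flood of
    random acknowledgement numbers (constructed, seeded for repeatability)."""
    rng = random.Random(1234)
    lst = CookieListener()
    for i in range(spoofed_syns):
        lst.on_syn(f"198.51.100.{i % 250}", 1024 + i)     # nothing is stored
    isn = lst.on_syn("192.0.2.10", 40000)                  # legitimate client ...
    legit = lst.on_ack("192.0.2.10", 40000, (isn + 1) & 0xFFFFFFFF)  # ... still connects
    accepted = sum(lst.on_ack(f"198.51.100.{i % 250}", 2000 + i, rng.getrandbits(32))
                   for i in range(bogus_acks))
    return legit, len(lst.established), accepted, lst.hash_ops
```

`stateful_under_flood(256, 1000)` fills all 256 slots and refuses the legitimate client, while `cookie_flood(1000, 500)` keeps no state for the 1000 spoofed SYNs and accepts none of the 500 bogus ACKs, but pays a hash computation for every one of them; that per-packet cost is what a combined SYN/ACK flood aims at.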
UDP floods are volumetric DDoS attacks that are a constant presence on the internet. Typically, an attacker floods DNS servers, RADIUS authentication servers and streaming media servers with large numbers of small UDP packets. Because UDP is such a simple protocol, it is extremely easy to generate large amounts of traffic with few resources, and since UDP floods require no connection setup they have become an attack method of choice.
HTTP floods and HTTPS floods are application layer attacks launched against web servers. An attacker launches these attacks by simulating legitimate users accessing a website, which can set off a serious chain reaction. When clients keep sending requests that trigger frequent database operations, not only does the web front end respond slowly, but the backend server programs are indirectly affected as well. In the worst case, backend services such as the database may stop responding or crash, and even related hosts, such as the log storage server and image server, may be dragged down with them.
Of all DDoS attacks seen in 2018, 13% used a combination of multiple attack methods. By flexibly combining several methods to suit the environment of the target system, attackers could generate large amounts of traffic while also exploiting weaknesses in different protocols and systems, bringing their attack capabilities fully into play. Conversely, defenders found it very costly to effectively analyze, respond to and mitigate such multi-vector attacks.
In 2018, the number of reflection attacks dropped sharply, accounting for only 3% of all DDoS attacks, yet the traffic they generated made up 10% of total DDoS traffic. Because of the destructive power of the amplification effect, reflection attacks remain a threat that cannot be ignored.
In terms of the attack count, NTP reflection attacks topped the list, accounting for 60% of all reflection attacks. In terms of the attack traffic, SSDP reflection attacks generated 42% of traffic.
The number of active reflectors dropped by 60% in 2018. Specifically, the number of SSDP reflectors decreased significantly while DNS reflectors increased slightly. Clearly, the authorities' crackdown on attack sources, especially SSDP reflectors, has had a great impact.
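The distinctions drawn in this section, a per-vector breakdown of attacks, multi-vector attacks that combine several of them against one target, and the gap between a vector's share of attack count and its share of attack traffic, map directly onto how a defender profiles traffic. The following is an added example and is not code from the report: it labels packets from a constructed capture with the vectors named above (reflection recognized by replies from well-known reflector source ports), applies a per-destination threshold, flags multi-vector targets and computes count share next to byte share. The thresholds, packet sizes and addresses are assumptions, and the capture is constructed, not recorded.

```python
"""Added example (not from the report): per-destination DDoS vector profiling
over a constructed packet capture. The vector labels follow the report's
taxonomy; thresholds, packet sizes and addresses are illustrative assumptions."""
import collections
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "TCP" or "UDP"
    flags: str   # TCP flags as letters, e.g. "S", "A", "PA"; "" for UDP
    size: int    # bytes on the wire


# UDP services commonly abused as reflectors; a large reply arriving from one
# of these source ports that the victim never requested is the reflection signature.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS"}
MIN_REFLECTED_SIZE = 300  # assumption: amplified replies are large


def classify(p, seen_syn):
    """Label one packet with the vector it would belong to, or None.
    A single packet is only a candidate; detect() applies the threshold."""
    if p.proto == "UDP":
        if p.sport in REFLECTOR_PORTS and p.size >= MIN_REFLECTED_SIZE:
            return "reflection/" + REFLECTOR_PORTS[p.sport]
        return "udp_flood"
    if p.proto == "TCP":
        if p.flags == "S":
            return "syn_flood"
        if "A" in p.flags and "S" not in p.flags:
            if (p.src, p.sport, p.dst, p.dport) not in seen_syn:
                return "ack_flood"   # ACK with no handshake attempt behind it
            if "P" in p.flags and p.dport in (80, 443):
                return "http_flood"  # request data on an established flow
    return None


def profile(packets):
    """Per destination: vector -> [packets, bytes]."""
    seen_syn = set()
    stats = collections.defaultdict(lambda: collections.defaultdict(lambda: [0, 0]))
    for p in packets:
        if p.proto == "TCP" and "S" in p.flags:
            seen_syn.add((p.src, p.sport, p.dst, p.dport))
        vec = classify(p, seen_syn)
        if vec is not None:
            stats[p.dst][vec][0] += 1
            stats[p.dst][vec][1] += p.size
    return stats


def detect(stats, min_pkts=20):
    """Keep only vectors above the packet threshold; a lone handshake or a
    single HTTP request never counts as an attack."""
    out = {}
    for dst, vecs in stats.items():
        active = {v: tuple(c) for v, c in vecs.items() if c[0] >= min_pkts}
        if active:
            out[dst] = active
    return out


def multi_vector(detected):
    """Destinations hit by two or more vectors at once."""
    return {dst: sorted(v) for dst, v in detected.items() if len(v) >= 2}


def vector_shares(detected):
    """Share of attack packets vs. share of attack bytes per vector family,
    with the reflection sub-types merged; the two shares differ."""
    pkts, byts = collections.Counter(), collections.Counter()
    for vecs in detected.values():
        for v, (n, b) in vecs.items():
            fam = v.split("/")[0]
            pkts[fam] += n
            byts[fam] += b
    tp, tb = sum(pkts.values()), sum(byts.values())
    return {f: (pkts[f] / tp, byts[f] / tb) for f in pkts}


def constructed_capture():
    """Constructed sample, not a real capture: one legitimate client, a
    multi-vector attack on 203.0.113.5 and a UDP flood on a DNS server."""
    v, pk = "203.0.113.5", []
    pk += [Pkt("192.0.2.10", 40000, v, 80, "TCP", "S", 60),
           Pkt("192.0.2.10", 40000, v, 80, "TCP", "A", 52),
           Pkt("192.0.2.10", 40000, v, 80, "TCP", "PA", 400)]
    pk += [Pkt(f"198.51.100.{i % 200}", 1024 + i, v, 80, "TCP", "S", 60) for i in range(400)]
    pk += [Pkt(f"198.51.100.{i % 200}", 5000 + i, v, 80, "TCP", "A", 1400) for i in range(200)]
    pk += [Pkt(f"192.0.2.{100 + i}", 123, v, 4444, "UDP", "", 440) for i in range(40)]
    pk += [Pkt(f"192.0.2.{150 + i}", 1900, v, 4444, "UDP", "", 380) for i in range(30)]
    pk += [Pkt(f"198.51.100.{i % 200}", 3000 + i, "203.0.113.9", 53, "UDP", "", 64) for i in range(150)]
    return pk
```

Running `detect(profile(constructed_capture()))` reports the victim as a four-vector target (SYN flood, ACK flood, NTP and SSDP reflection) and the DNS server as a plain UDP flood target, while the legitimate client's single SYN and HTTP request stay below threshold. `vector_shares` shows the count/traffic split the report describes: the ACK flood is a quarter of the attack packets but over 80% of the attack bytes, because its packets are large.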
[14] Here, we break down multi-vector attacks into their respective types.