In a new report, NSFOCUS introduces the IP Chain-Gang concept, in which each chain-gang is controlled by a single threat actor or a group of related threat actors and exhibits similar behavior across the various attacks conducted by the same gang. The report analyzes the IP Chain-Gangs' attack types, volume, size of events, gang activities and attack rates. NSFOCUS believes that this is the first time that DDoS attacks have been studied as coordinated gang activities.
In the NSFOCUS 2018 H1 Cybersecurity Insights report, we observed that “Recidivists are responsible for 40% of the attacks, most of which are botnet activities and DDoS attacks.” Since botnet activities and DDoS attacks are usually launched from multiple sources in a collaborative way, it’s not surprising to see that many of these recidivists are working together as a group in these attacks. We call these groups “IP Chain-Gangs.” Throughout this report, we identified “IP Chain-Gangs” and then studied their behaviors with the whole gang as the unit using DDoS attack data collected by NSFOCUS since 2017.
The logic behind this approach is that each IP Chain-Gang is presumably controlled by a single threat actor, or a group of related threat actors, and should therefore exhibit similar behaviors among the various attacks conducted by the same gang. By studying the historical behaviors of the gang, we hope to build a gang-profile that can help better describe how the threat actor(s) behind it operate, what their preferred attack methodologies and characteristics are, and how to build better defense against future attacks launched by them.
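The grouping idea described above can be made concrete. The following is an added illustration, not code from the NSFOCUS report: it takes constructed DDoS event records (attack type, peak volume, and the set of source IPs observed in each event), links two IPs when they appear together in at least two distinct events (recidivists acting collaboratively), treats each connected component of that link graph as a gang, and then builds a simple per-gang profile. The data, the `min_shared` threshold, the event fields and the use of the largest single-event volume as a proxy for a gang's attacking power are all assumptions made for the example.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample DDoS event records (not real NSFOCUS data). Each record is
# one attack event: its attack type, the observed peak volume in Gbps, and the
# set of source IPs seen in it. Documentation-range addresses are used.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "DNS reflection", "gbps": 40,
     "sources": {"198.51.100.1", "198.51.100.2", "198.51.100.3"}},
    {"id": "e2", "type": "NTP reflection", "gbps": 80,
     "sources": {"198.51.100.1", "198.51.100.2", "198.51.100.4"}},
    {"id": "e3", "type": "SYN flood", "gbps": 5,
     "sources": {"198.51.100.2", "198.51.100.3"}},
    {"id": "e4", "type": "UDP flood", "gbps": 12,
     "sources": {"203.0.113.7", "203.0.113.8"}},
    {"id": "e5", "type": "UDP flood", "gbps": 9,
     "sources": {"203.0.113.7", "203.0.113.8", "203.0.113.9"}},
    {"id": "e6", "type": "HTTP flood", "gbps": 1,
     "sources": {"192.0.2.50"}},                       # lone attacker
    {"id": "e7", "type": "SYN flood", "gbps": 3,
     "sources": {"192.0.2.51", "203.0.113.9"}},        # one-off pairing
]


def _find(parent, ip):
    # Union-find root lookup with path halving.
    while parent[ip] != ip:
        parent[ip] = parent[parent[ip]]
        ip = parent[ip]
    return ip


def find_gangs(events, min_shared=2):
    """Group source IPs into gangs.

    Two IPs are linked when they appear together in at least `min_shared`
    distinct events. A gang is a connected component of that link graph with
    two or more members. Returns profiles sorted by size (largest first).
    """
    pair_counts = Counter()
    for ev in events:
        for a, b in combinations(sorted(ev["sources"]), 2):
            pair_counts[(a, b)] += 1

    all_ips = {ip for ev in events for ip in ev["sources"]}
    parent = {ip: ip for ip in all_ips}
    for (a, b), shared in pair_counts.items():
        if shared >= min_shared:
            parent[_find(parent, a)] = _find(parent, b)

    components = defaultdict(set)
    for ip in all_ips:
        components[_find(parent, ip)].add(ip)

    gangs = []
    for members in components.values():
        if len(members) < 2:
            continue  # a lone IP may be a recidivist, but it is not a gang
        # Profile: every event in which at least one member took part.
        involved = [ev for ev in events if ev["sources"] & members]
        gangs.append({
            "members": sorted(members),
            "event_count": len(involved),
            "attack_types": dict(Counter(ev["type"] for ev in involved)),
            # Assumed proxy for maximum attacking power: the largest single
            # event volume the gang has been seen in.
            "peak_gbps": max(ev["gbps"] for ev in involved),
        })
    gangs.sort(key=lambda g: (-len(g["members"]), g["members"][0]))
    return gangs


def gang_share(events, gangs):
    """Share of all attacker IPs that belong to a gang, and share of events in
    which at least one gang member took part (the kind of ratio behind the
    '2 percent of attackers, 20 percent of attacks' style of finding)."""
    all_ips = {ip for ev in events for ip in ev["sources"]}
    gang_ips = {ip for g in gangs for ip in g["members"]}
    gang_events = sum(1 for ev in events if ev["sources"] & gang_ips)
    return {"member_share": len(gang_ips) / len(all_ips),
            "event_share": gang_events / len(events)}


if __name__ == "__main__":
    found = find_gangs(SAMPLE_EVENTS)
    for n, g in enumerate(found, 1):
        print(f"gang-{n}: {len(g['members'])} members, "
              f"{g['event_count']} events, peak {g['peak_gbps']} Gbps, "
              f"types {g['attack_types']}")
    print(gang_share(SAMPLE_EVENTS, found))
```

With the constructed data, the one-off pairing in `e7` is not enough to pull `203.0.113.9` into the second gang, and `198.51.100.4` stays outside the first gang for the same reason; raising or lowering `min_shared` is the main knob that trades false gang membership against missed members. On real traffic the event records would come from the DDoS detection platform and the membership threshold would be tuned against known campaigns.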
In this report, we introduce the IP Chain-Gang concept, and then focus on the statistical analysis of gang behaviors. Key findings in the Behavior Analysis of IP Chain-Gangs report include:
- Though gang members make up only a tiny fraction (2 percent) of all attackers, they are responsible for a much larger portion (20 percent) of all attacks.
- Most gangs have fewer than 1,000 members, but NSFOCUS also sees one gang with more than 26,000 members.
- Reflection flood attacks are the dominant attack method favored by the gangs, particularly in high-volume attacks, because of their large amplification factor.
- Gangs typically do not operate at their full potential capacity. However, knowing their maximum attacking power is very important when planning the defense against them.
- The top attacker source region is European countries. Asian countries, as well as countries in North America, also contributed a significant share.
This report is the first in a series of the IP Chain-Gang topic. In future reports, we plan to examine how gang members have evolved and connected and how to apply that knowledge to build a more effective defense against them.
To discuss these findings in more depth in an interactive environment, NSFOCUS will be hosting a live webinar on Wednesday, February 6. You may register online here: https://www.brighttalk.com/webcast/14201/348004
For more information, you can also visit our press release here: https://nsfocusglobal.com/nsfocus-identifies-ip-chain-gangs-new-cybersecurity-insights-report/