Nexusguard, a specialist in DDoS attack mitigation, produces a security threat report on a quarterly basis, based on the real-time data it collects year-round on threats facing businesses and service-provider networks around the globe.
Nexusguard recently released its Q4 2017 threat report, which had the following key findings:
- The total volume of DDoS attacks fell 12% year over year;
- Multi-vector, blended threats were the main attack strategy, comprising 56% of all recorded attacks. The highest number of combined attack vectors observed was nine; the majority of multi-vector attacks, however, combined only two vectors (33%), with 14% made up of three vectors;
- The most frequent type of two-vector attack was UDP blended with TCP SYN to make up 20% of the total;
- UDP blended with NTP amplification, DNS amplification, DNS, and HTTP flood with TCP SYN, respectively, were the next most popular kinds of multi-vector attack;
- UDP plays such a large role because it generates packets easily and is fast and cheap. Because the protocol is connectionless, source IP addresses are easily spoofed, which also makes it ideal for launching attacks via botnets;
- Single-vector attacks made up 44% of the overall number of attacks;
- The main three single attack vectors were DNS amplification (16%), UDP (15%), and IP fragmentation attacks (12%);
- DNS amplification attacks, in particular, soared, growing by 358% over the same period. Nexusguard attributed this most likely to “exploits of a critical security flaw resulting from the response amplifying nature of DNSSEC-enabled DNS servers”. It is essential to implement good configuration from the outset, in addition to basic server hardening, on DNSSEC nameservers to keep this type of attack from continuing to spike;
- 69% of attacks observed had a duration of fewer than ninety minutes while 31% lasted for over ninety minutes. Attacks got shorter over the year;
- Most shorter attacks took place during peak operation hours leading to service downtime for the impacted businesses;
- The majority of attacks (79%) were smaller than 10 Gbps, and 30% of these were under 1 Gbps;
- The largest kinds of attack at 10 Gbps and above accounted for 21% of the total number of attacks;
- China was the leading source country for attacks, heading the table at 22%. The U.S. was second at 14%, with South Korea third at 6%.
The main focus of the Nexusguard Q4 2017 report was the huge spike in DNS amplification attacks, thought to be the result of abuse of DNSSEC security vulnerabilities.
Nexusguard warned that, “As more organizations adopt DNSSEC, it will likely spawn a new class of powerful botnets assembled from poorly configured DNSSEC-signed resolvers, providing attackers with more vectors to exploit than ever before”.
The company reminded readers to harden basic server security, adopt strong configuration practices from the outset and read the RFCs (Requests for Comments) to help develop best security practices. The full report can be downloaded here.
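The DNS amplification finding above rests on a simple ratio: a small spoofed query to a DNSSEC-signed zone returns a response many times larger, addressed to the victim whose IP was forged. The following detector is an added example, not code from Nexusguard or the report; it assumes a constructed resolver log format (timestamp, client, qname, qtype, DO bit, request bytes, response bytes) and flags clients that repeatedly pull bulky DNSSEC answers, which on a server under abuse are the reflection victims rather than the attacker.

```python
"""Flag DNS clients whose query pattern looks like amplification abuse.
Hypothetical detector over a constructed log format; not Nexusguard's code."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed log lines: ts client qname qtype DO-bit req_bytes resp_bytes
SAMPLE_LOG = """\
1 198.51.100.7 example.com. ANY 1 64 3200
2 198.51.100.7 example.com. ANY 1 64 3200
3 198.51.100.7 example.com. DNSKEY 1 62 1800
4 203.0.113.9 www.example.com. A 0 55 71
5 203.0.113.9 mail.example.com. MX 0 58 120
6 198.51.100.7 example.com. ANY 1 64 3200
"""

# Query types whose signed answers are large enough to be worth reflecting.
BULKY_QTYPES = {"ANY", "DNSKEY", "RRSIG", "TXT"}


@dataclass
class ClientStats:
    queries: int = 0
    req_bytes: int = 0
    resp_bytes: int = 0
    dnssec_bulky: int = 0  # bulky qtypes asked with the DNSSEC DO bit set

    @property
    def amplification(self) -> float:
        """Bytes sent back per byte received from this client."""
        return self.resp_bytes / self.req_bytes if self.req_bytes else 0.0


def parse_log(text: str) -> dict:
    stats = defaultdict(ClientStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qname, qtype, do_bit, req, resp = line.split()
        s = stats[client]
        s.queries += 1
        s.req_bytes += int(req)
        s.resp_bytes += int(resp)
        if qtype in BULKY_QTYPES and do_bit == "1":
            s.dnssec_bulky += 1
    return dict(stats)


def suspicious_clients(stats: dict, min_ratio: float = 10.0, min_queries: int = 3) -> list:
    """Clients repeatedly receiving answers >= min_ratio times their query size.
    Their IP is most likely spoofed (the reflection target), so the fitting
    response is per-client response rate limiting, not a blanket block."""
    return sorted(c for c, s in stats.items()
                  if s.queries >= min_queries and s.dnssec_bulky >= min_queries
                  and s.amplification >= min_ratio)
```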