"Seven Trends in DDoS Attacks" -- provided by Harbin Antiy Technology Group Co., Ltd. (哈尔滨安天科技集团股份有限公司)

2018-07-04

DDoS attacks are no longer something only large companies in a handful of industries need to worry about; every enterprise faces this threat.

Don't Get Hung Up on the Numbers

The actual number of DDoS attacks and their average size (bandwidth) vary considerably from quarter to quarter, and sometimes even from month to month.

According to Akamai Technologies' Q2 2017 State of the Internet/Security Report, after three consecutive quarters of decline, DDoS attacks in the second quarter of 2017 rose 28% over the previous quarter. At the same time, no DDoS attack exceeding 100 Gbps was seen in the second quarter.

By contrast, just last quarter Verisign reported at least one attack reaching 120 Gbps, and an average attack size 26% higher than the previous year.

The numbers themselves should not dictate a mitigation strategy: what matters more is understanding that DDoS attacks have become a threat faced by most organizations. Attackers are more determined than before and have more resources. A DDoS attack does not need to be several Gbps in size to bring a network down.

Multi-Vector Attacks

Multi-vector DDoS attacks that combine volumetric, application-level and protocol-level elements have become a major threat. Attackers can launch these attacks using one vector at a time, or use all vectors simultaneously to confuse the target.

It has been reported that multi-vector DDoS attacks increased 322% in 2016, whereas in 2015 UDP, TCP and ICMP were the most popular attack vectors. As early as the first quarter of 2016, companies such as Akamai reported that multi-vector DDoS attacks accounted for more than 60% of their mitigation work.

Researchers say: "These attacks are hard to defend against and are usually very effective, so they are quite popular."

In fact, the largest DDoS attack Verisign observed in the first quarter of this year was a multi-vector attack, with a peak bandwidth of 120 Gbps and roughly 90 million packets per second. The attack consisted mainly of TCP SYN and TCP RST traffic floods, lasted two weeks, and sustained 60 Gbps of traffic over a 15-hour period.

Arbor's latest Worldwide Infrastructure Security Report reportedly indicates that 67% of respondents reported multi-vector DDoS attacks, compared with 56% last year.

Network-Layer/Volumetric Attacks Are Still the Most Common

Avishay Zawoznik, research team leader at Imperva, says network-layer attacks (also called volumetric DDoS attacks) remain the most common type of attack.

These attacks are characterized by high bandwidth or packets-per-second rates, and target the bandwidth capacity of the victim's network pipes or the routing capacity of the victim's network devices. Common examples of volumetric attacks include SYN, ACK, UDP and ICMP floods, Zawoznik says.

He says: "In the past few months, the DDoS attacks we saw most often were TCP attacks, NTP amplification attacks and multi-vector attacks." Clearly, the greater the attack's bandwidth, packets per second or requests per second, the greater the damage a volumetric attack causes.

Akamai helped customers handle 4,051 DDoS attacks last quarter, 99% of which were volumetric attacks. More than 80% targeted companies in the gaming industry. Egypt had the largest number of IP addresses, accounting for 38% of the worldwide total.

Application-Level DDoS Attacks Are Increasing

While network-layer DDoS attacks are still common, application-level attacks are rising rapidly.

Application-level DDoS attacks bombard business applications with a stream of seemingly legitimate requests until the application can no longer respond. In contrast to volumetric attacks, application attacks have far lower traffic volume and are measured in requests per second (RPS). Typical attacks target HTTP and DNS services, and increasingly HTTPS services.

Imperva's Global Threat Landscape Report for Q1 2017 shows network-layer DDoS attacks declining for four consecutive quarters, while application-layer attacks reached nearly 1,100 per week.

The largest attack reached 17,600 RPS, higher than the largest application-layer attack Imperva handled in 2016. "These attacks are designed to consume the computing resources of servers, web servers, databases and the like," Zawoznik says. Typical attacks, he says, include floods of HTTP GET, POST and PUSH requests aimed at the target application.

DNS attacks reportedly accounted for 81% of all reported application-layer attacks last year, overtaking HTTP as the most popular attack type.

Most DDoS Attacks Are Small and Brief

The fact is that the vast majority of DDoS attacks (even volumetric ones) involve relatively low traffic volumes.

In fact, of the DDoS attacks Corero Network Security handled for its customers in the first quarter of 2017, 80% were under 1 Gbps.

From Q4 2016 to Q1 2017, 98% of attacks were below 10 Gbps. Of the DDoS attacks Corero handled for customers in Q1 2017, 71% lasted no more than 10 minutes.

In most cases such attacks are not enough to take down a website, but they can still cause serious security problems.

Small DDoS attacks are often used to steal data and to mask data breaches. Corero says that in many cases threat actors use these attacks to map the victim's network, install malware, and as a precursor to ransomware attacks. While a small DDoS attack may not bring the network down, it can cause service-quality degradation and congestion.

DDoS Attacks Are More Persistent

Many tools for carrying out DDoS attacks are now available, enabling threat actors to attack victims persistently.

For example, Akamai reported that in Q2 2017 victims suffered an average of 32 DDoS attacks. One gaming company was attacked an average of 6 times a day, 558 times in total. Corero says its customers suffered an average of 124 DDoS attacks per month in the first quarter of this year, a 9% increase over Q4 2016.

The related report says: "On a macro level, DDoS attacks are getting shorter, but also more complex and persistent."

Of all the attacks the company encountered, more than 90% lasted no more than 30 minutes. Nearly 75% of Imperva's customers were attacked multiple times, showing the increased persistence of threat actors. 19% were attacked more than 10 times.

IoT- and Mobile-Botnet-Driven DDoS Attacks Are on the Rise

The proliferation of vulnerable mobile and IoT devices in recent years has given attackers the opportunity to build massive botnets for launching DDoS attacks.

Mirai is the representative of this class of botnet, but other botnets are rising too. The most recent example is WireX, a botnet built from infected Android devices that launched application-layer DDoS attacks at targets in multiple industries. This month, researchers at multiple security vendors analyzed the botnet. The largest of its attacks involved more than 70,000 infected nodes spread across 100 countries.

The related report notes: "Large botnet-driven DDoS attacks are becoming more common. They are already powerful enough to cripple corporate networks that should be secure."


《7 Things to Know About Today's DDoS Attacks》

https://www.darkreading.com/cloud/7-things-to-know-about-todays-ddos-attacks/d/d-id/1329758?image_number=1

Jai Vijayan

8/30/2017

DDoS attacks are no longer something that just big companies in a few industries need to worry about. They have become a threat to every business.


Don't Get Hung Up on Numbers

The actual number of DDoS attacks and their average size in terms of peak bandwidth and other measures tend to vary quite a bit on quarter-by-quarter, and sometimes even on a monthly, basis.

Take the Q2 2017 State of the Internet/Security Report from Akamai Technologies, which shows that DDoS attacks in the second quarter of this year increased by 28% compared to the previous quarter - after three straight quarters of decline. At the same time, Akamai didn't see any DDoS attack exceed 100Gbps in size during Q2.

In contrast, just last quarter Verisign reported at least one attack that topped 120Gbps, and an average peak-attack size that was 26% higher than the previous year.

Numbers alone shouldn't dictate mitigation strategies: it's more important to understand that DDoS attacks have become a threat to most organizations. Attackers have become more persistent than before and have more resources available to them. A DDoS attack does not have to be multiple gigabits-per-second in order to overwhelm your pipeline.

"The barrier to entry has been obliterated by new tools and attack services that enable anyone with an Internet connection and a grievance to launch an attack," says Kevin Whalen, a senior director of marketing at Arbor Networks. Any business can become a target for a real or perceived reason, he says.

Multi-Vector Attacks are All the Rage

Multi-vector DDoS attacks that combine volumetric, application-level, and protocol-level elements have become a major threat. Attackers can launch these attacks using one vector at a time, or using all vectors concurrently in order to confuse targets.

Neustar reported a 322% increase in multi-vector DDoS attacks in 2016, compared to 2015 when UDP, TCP, and ICMP were the most popular attack vectors. As far back as the first quarter of 2016, companies such as Akamai were reporting more than 60% of their mitigation efforts as involving multi-vector DDoS attacks.

"These attacks are popular because they are difficult to defend against and are often highly effective," Whalen says.

In fact, the largest DDoS attack that Verisign observed in the first quarter of this year was a multi-vector attack with a peak bandwidth of 120Gbps and some 90 million packets per second. The attack, which consisted largely of TCP SYN and TCP RST traffic floods, persisted on a daily basis for two weeks and sent a sustained 60Gbps of traffic in one 15-hour stretch.

Whalen says 67% of the respondents in Arbor's latest Worldwide Infrastructure Security Report reported multi-vector DDoS attacks, up from 56% last year.

Network Layer/Volumetric Attacks Still the Most Common

Network-layer attacks, or so-called volumetric DDoS attacks, continue to be the most common, says Avishay Zawoznik, research team leader at Imperva.

These attacks are characterized by high bandwidth or packets-per-second rates and target the bandwidth capacity of the victim's network pipes or the routing capacity of the victim's network devices. Common examples of volumetric attacks include SYN, ACK, UDP, and ICMP floods, Zawoznik says.

"In the last few months, the DDoS attacks we saw most were TCP attacks, NTP amplification attacks and multi-vector ones," he says. Obviously, the larger the attack, whether in terms of bandwidth, packets per second or requests per second, the higher the damage that volumetric attacks can cause, he says.

Of the 4,051 DDoS attacks in total that Akamai helped its customers handle last quarter, some 99% were volumetric attacks. Of this, more than 80% were directed at companies in the gaming industry. Egypt had the highest number of unique IP addresses used in volumetric DDoS attacks accounting for 38% of the worldwide total.

Application-level DDoS Attacks are Growing

While network-layer DDoS attacks continue to be common, application-level attacks are rapidly rising.

Application-level DDoS attacks bombard business applications with a stream of seemingly legitimate requests until the applications are unable to respond. In contrast to volumetric attacks, application attacks have much lower traffic volume and are measured in requests per second (RPS). Typical attacks target HTTP and DNS services and increasingly, HTTPS as well.

Imperva's Global Threat Landscape Report for Q1 2017 showed network-layer DDoS assaults decreasing for the fourth straight quarter, while application-layer attacks reached an all-time high of nearly 1,100 per week.

The largest of these attacks peaked at some 176,00 RPS, which was larger than the biggest application-layer attack that Imperva mitigated in all of 2016. "These attacks are aimed at consuming the computing resources of servers, Web servers, databases, etc.," says Zawoznik. Typical attacks involve floods of HTTP GET, POST, and PUSH requests directed at the target application, he says.

According to Arbor, DNS attacks accounted for 81% of all reported application-layer attacks last year and replaced HTTP as the most targeted service.
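The article sorts attacks by the metric that defines them: bandwidth and packets per second for the network-layer/volumetric floods described above, requests per second for application-layer floods, and the "multi-vector" label when several of these hit one target at once. The Python below, added here as an illustration and not taken from the DarkReading article or any vendor's product, applies that taxonomy to constructed one-second traffic counters; the thresholds and the 203.0.113.0/24 targets are assumptions for the example.

```python
from collections import defaultdict
# Thresholds are assumptions for this example, not figures from the article.
PPS_THRESHOLD = 1_000_000   # packets per second treated as a network-layer flood
GBPS_THRESHOLD = 1.0        # gigabits per second treated as a volumetric flood
RPS_THRESHOLD = 5_000       # requests per second treated as an application-layer flood
NETWORK_VECTORS = {"SYN", "ACK", "UDP", "ICMP", "NTP"}
APP_VECTORS = {"HTTP", "HTTPS", "DNS"}

# Constructed one-second traffic counters: (second, target, vector, packets, bytes, requests).
SAMPLES = [
    (0, "203.0.113.10", "SYN", 2_400_000, 150_000_000, 0),      # SYN flood by packet rate
    (0, "203.0.113.10", "UDP", 900_000, 1_200_000_000, 0),      # 9.6 Gbps UDP flood
    (0, "203.0.113.10", "HTTP", 12_000, 9_000_000, 12_000),     # HTTP request flood
    (1, "203.0.113.20", "HTTP", 8_000, 6_400_000, 8_000),       # application-layer only
    (1, "203.0.113.30", "UDP", 4_000, 5_000_000, 0),            # ordinary traffic
]

def gbps(byte_count):
    """Bytes observed in one second, expressed in gigabits per second."""
    return byte_count * 8 / 1e9

def active_vectors(samples):
    """Map each target to the vectors that crossed their threshold in any one-second bucket."""
    active = defaultdict(set)
    for _second, target, vector, packets, byte_count, requests in samples:
        if vector in NETWORK_VECTORS and (packets >= PPS_THRESHOLD or gbps(byte_count) >= GBPS_THRESHOLD):
            active[target].add(vector)
        elif vector in APP_VECTORS and requests >= RPS_THRESHOLD:
            active[target].add(vector)
    return active

def classify(samples):
    """Label each target with the article's categories; returns {target: (label, vectors)}."""
    active = active_vectors(samples)
    labels = {}
    for target in sorted({s[1] for s in samples}):
        vectors = active.get(target, set())
        if len(vectors) >= 2:
            label = "multi-vector"          # several vectors hitting the same target
        elif vectors & NETWORK_VECTORS:
            label = "volumetric"            # bandwidth or packet-rate exhaustion
        elif vectors & APP_VECTORS:
            label = "application-layer"     # low volume, high request rate
        else:
            label = "normal"
        labels[target] = (label, sorted(vectors))
    return labels
```

Run `classify(SAMPLES)` to see the first target flagged as multi-vector, the second as application-layer only, and the third as normal traffic.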

Majority of DDoS Attacks are Small and Brief

The reality is that the vast majority of DDoS attacks — even the volumetric ones — involve relatively low traffic volumes.

In fact, 80% of the DDoS attacks that Corero Network Security mitigated for its customers in the first quarter of 2017 were less than 1Gbps in volume.

Between Q4 2016 and Q1 2017, a stunning 98% of all attacks were less than 10Gbps. In the first quarter of this year, some 71% of the DDoS attacks that Corero handled for customers lasted 10 minutes or less.

In most cases, such attacks are not big enough to cripple a website. But they can cause serious security problems all the same.

Small DDoS attacks are often used as a subterfuge for data theft and to mask data breaches. In many cases, threat actors use these attacks to map a victim's network, to install malware, and as a precursor to a ransomware attack, according to Corero. And while a small DDoS attack may not saturate your network, it can cause service degradation and congestion issues.

DDoS Attacks are Becoming More Persistent

The easy availability of tools for launching DDoS attacks appears to have made threat actors more persistent than ever in going after victims.

Akamai, for instance, reported seeing targets hit with an average of 32 unique DDoS attacks in Q2 2017. One gaming company was attacked an average of six times a day and 558 times in total. Corero says its customers experienced an average of 124 DDoS attacks per month in the first quarter of this year, up 9% from Q4 2016.

"On a macro level DDoS assaults grew shorter, but also more complex and persistent," Imperva said in its report.

More than 9 in 10 of all attacks that the company encountered lasted under 30 minutes, even as the number of repeat assaults on victims grew sharply. Nearly 75% of Imperva's customers were attacked on multiple occasions, highlighting the persistency with which threat actors have begun going after victims. And 19% were hit 10 times or more.

IoT and Mobile Botnet-Driven DDoS Attacks are Emerging

The proliferation of vulnerable mobile and IoT devices in recent years has given attackers new opportunities for assembling massive botnets for launching DDoS attacks.

Mirai, of course, remains the poster child for such botnets. But others have begun to emerge as well. The most recent example is WireX, a botnet built from compromised Android devices. The botnet, which was dismantled this month by a group of security vendors, was used to launch application-layer DDoS attacks at targets in multiple industries. The biggest of these involved over 70,000 infected nodes spread across 100 countries.

"Massive botnet-driven DDoS attacks have become more common," Corero noted in its report. "[They] have been large enough to bring even an otherwise “secure” corporate network to its knees."

Attachments:

"7 Things to Know About Today's DDoS Attack" -- original.pdf

"7 Things to Know About Today's DDoS Attack" -- translation.pdf
