There was no single “typical” DDoS attack in 2015. Many of the attacks studied by Radware researchers were volumetric, but the Radware Emergency Response Team (ERT) also fought sophisticated combined attacks such as the one against ProtonMail. The combined attacks they handled mixed UDP floods, SYN floods, DNS reflection, ICMP floods and TCP out-of-sequence floods.
Generating such large volumes of traffic shows that attackers intend to deny service to the target by any means available. “Booters” and “stressers” are DDoS-for-hire services sold on the web or the dark net; they let an attacker launch attacks without building or buying a botnet. These services use multi-vector attacks to exhaust as many defense mechanisms as they can, and their falling prices make taking down a website ever more affordable.
1. The most common attack in 2015 was the combined attack.
ProtonMail experienced one of the biggest combined attacks recorded in 2015. Struck with several attack methods at once, the service was hit on and off for two days; at its peak the attack reached 80 Gbps of traffic.
2. The year also brought the massive 40 Gbps root DNS attack on Turkish servers, carried out by Anonymous.
This was only the third time the root servers had been targeted in a significant, sustained attack. The most significant, back in 2007, saw a botnet of roughly 5,000 computers swamp four root servers with traffic in two waves, taking two of them down for several hours.
3. DNS reflection DDoS attacks became more common.
The third most common DDoS attack of 2015, as recorded by the Radware ERT, can produce a very large volume of traffic in a short time. The attacker sends queries whose source address is spoofed to the victim's address to open recursive resolvers, crafting them (for example, ANY queries for domains with large record sets) so that each small request produces a response many times its size; the resolvers then deliver those amplified responses to the victim.
4. Another attack the Radware ERT faced frequently in 2015 was the UDP fragmentation attack.
This attack is executed against a target server to consume resources such as bandwidth and CPU. In some cases the fragments are a by-product of a DNS amplification attack: DNS runs over UDP on port 53, and an amplified response that exceeds the path MTU (typically 1,500 bytes) is split into IP fragments by the responding DNS server. Only the first fragment carries the UDP header, so the remaining fragments cannot be matched by simple port-based filters, and the victim must buffer and reassemble them. In 2015 Radware's ERT analysts recorded many UDP fragmentation attacks against several of our customers in the financial services sector.
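As an added example serving both the DNS reflection item and the UDP fragmentation item above (this is not Radware's code, and no real resolver or victim is involved), the following Python builds a DNS ANY query and a constructed oversized response, computes the amplification factor, and then splits the response into IPv4 fragments the way a sending stack would, showing that only the first fragment exposes the UDP source port. The domain name, record count, record size and MTU are assumptions chosen to make the numbers concrete.

```python
"""Added illustration, not part of the original article or Radware's tooling.
Everything is built in memory; no packets are sent."""
import struct
from dataclasses import dataclass
from typing import List

IPV4_HEADER_LEN = 20   # IPv4 header without options
UDP_HEADER_LEN = 8
MTU = 1500             # assumed Ethernet path MTU


def build_dns_query(name: str, qtype: int = 255) -> bytes:
    """Minimal DNS query with RD set; qtype 255 (ANY) is the classic amplifier."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags, qd/an/ns/ar
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)          # QTYPE, QCLASS IN


def build_dns_response(query: bytes, answer_count: int, rdata_len: int) -> bytes:
    """Constructed response: echoes the question and appends answer_count TXT
    records of rdata_len bytes each (the shape of an ANY answer for a zone
    stuffed with large records). Record contents are filler."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, answer_count, 0, 0)  # QR, RD, RA
    question = query[12:]
    # NAME = compression pointer to offset 12, TYPE TXT(16), CLASS IN, TTL, RDLENGTH
    rr = struct.pack("!HHHIH", 0xC00C, 16, 1, 3600, rdata_len) + b"x" * rdata_len
    return header + question + rr * answer_count


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes delivered to the spoofed victim per byte the attacker sent."""
    return len(response) / len(query)


@dataclass
class Fragment:
    offset_units: int     # IP fragment offset field (8-byte units)
    payload_len: int      # bytes of the UDP datagram carried by this fragment
    more_fragments: bool  # MF flag
    has_udp_header: bool  # only the first fragment carries src/dst ports


def fragment_udp(dns_payload: bytes, mtu: int = MTU) -> List[Fragment]:
    """Split a UDP datagram into IPv4 fragments as a sending stack would: each
    fragment carries at most (MTU - IP header) bytes, rounded down to a
    multiple of 8 so the offset field can express it."""
    datagram_len = UDP_HEADER_LEN + len(dns_payload)
    per_fragment = (mtu - IPV4_HEADER_LEN) // 8 * 8          # 1480 for MTU 1500
    fragments, pos = [], 0
    while pos < datagram_len:
        n = min(per_fragment, datagram_len - pos)
        fragments.append(Fragment(pos // 8, n, pos + n < datagram_len, pos == 0))
        pos += n
    return fragments


def stateless_port_filter(fragments: List[Fragment]) -> List[str]:
    """Decision a stateless 'drop UDP from source port 53' rule can reach for
    each fragment. Non-first fragments have no UDP header, so the rule cannot
    match them; they reach the victim, which must buffer them for reassembly."""
    decisions = []
    for f in fragments:
        if f.has_udp_header:
            decisions.append("drop")      # port 53 visible in the UDP header
        else:
            decisions.append("pass")      # no L4 header to inspect
    return decisions


if __name__ == "__main__":
    q = build_dns_query("example.com")                 # assumed target name
    r = build_dns_response(q, answer_count=12, rdata_len=243)
    print(f"query {len(q)} B -> response {len(r)} B, x{amplification_factor(q, r):.1f}")
    frags = fragment_udp(r)
    for f, d in zip(frags, stateless_port_filter(frags)):
        print(f"offset={f.offset_units * 8:5d} len={f.payload_len:4d} "
              f"MF={f.more_fragments} udp_hdr={f.has_udp_header} -> {d}")
```

With the assumed 29-byte query and a 3,089-byte response the factor is about 106x, and the 3,097-byte UDP datagram becomes three fragments of which only the first can be classified by port. That is why mitigation for this vector has to work on IP-level fragment state (or reassemble before filtering) rather than on a port ACL.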
5. The most familiar DDoS attack seen was the SYN flood.
Although it is very likely to be detected and mitigated, attackers keep using it. A SYN flood sends a stream of TCP SYN packets, usually from spoofed sources, so the target server or its intermediate equipment (firewalls, load balancers) fills its connection tables with half-open connections and quickly exhausts resources. Seeing one is also a hint that booters or stressers are involved, because it is often the first attack option those services fire.
Snir Karat is an information security expert for the Radware Emergency Response Team with vast experience in information technology, network analysis, and application security risks. He specializes in network and application security for Radware’s premium customers. Prior to working at Radware, Mr. Karat was an information security consultant at EY and a manager of CISO services for various industries where he handled penetration tests and incident response.