The years go by, the threat remains: DDoS attacks observed by OVH in 2017

DDoS attacks made the headlines several times in 2016. There was that record attack on one of our customers in September 2016, then the one targeting the blog of investigative journalist Brian Krebs. In 2017, DDoS attacks weren’t in the media spotlight quite as often. But that doesn’t mean that they have stopped. On the contrary, our 2017 figures show just how much distributed denial of service attacks remain a major concern for all internet companies, from cloud providers like OVH to internet service providers (ISPs). The attacks are getting more and more sophisticated in their methods, and the threat that comes with the Internet of Things (IoT) has not gone away. Far from it.

Increase in attacks and their distribution over time

Let’s start with a few general points. In 2017, the OVH VAC detected an average of 1,800 DDoS attacks per day, or around 50,000 per month. The quietest day was the 16th of March 2017, with “only” 981 attacks. With 7,415 attacks, the 4th of October was the opposite – the most hectic day of the year. Incidentally, the 4th of October is the date on which Belgium obtained independence (in 1830), but there is no logical correlation.

Figure 1 shows how the general trend in terms of the number of attacks detected is gradually on the rise (R2 = 0.05613). There are several possible explanations for this. We should not underestimate the fact that our detection systems are improving over time and are better able to detect attacks. That’s the good news. But it is clear that the number of attacks is also rising. That’s less good news.

A closer look at Figure 1 shows that some months see more attacks than others. This is interesting to note, but it is still too early in our analysis to draw any conclusions.

When you look closely at the distribution of attacks by day and time (Figure 2), you see that most attacks occur in the evening (universal time), mainly between 7 pm and 9 pm UTC.

This uneven distribution of attacks is a big challenge for the VAC team, as it means we have to be able to absorb a surge of attacks in a very short timeframe. To make things more difficult, the start of the evening is the most critical period for most gaming and e-commerce platforms, which see their greatest number of users at this time of day. It is therefore during these hours that the bandwidth is most under strain, as it is channelling both legitimate traffic and the illegitimate traffic generated by attacks that the VAC has to mitigate. Any congestion could have a significant impact on service quality for all customers.

In 2017, around 60,000 distinct IP addresses at OVH were targeted by at least one DDoS attack.

Figure 3 represents the number of distinct IP addresses that were the victim of at least one attack, for each month of the year. This chart contrasts with Figure 1 (number of attacks detected per month). Apart from June, the number of distinct IP addresses targeted stayed relatively constant from month to month at around 9,000 IP addresses. Even so, the trend shows a noticeable rise (R2 = 0.01282).

The difference in shape between Figure 1 and Figure 3 implies that some IP addresses are targeted more than others. Figure 4 appears to confirm this hypothesis.

This graph aggregates IP addresses by volume of attacks per month. We can see that most targeted IP addresses receive between one and five attacks per month (a median average of two). Over one year, the targeted IP addresses received an average of 13 attacks. Note that 30 of them received more than 1,000 attacks over the year (4,317 for the most attacked IP address).

E-gaming and e-commerce: the types of service most targeted by DDoS attacks

By focusing on the targeted IP addresses and looking at the information we have about the users of the services linked to these addresses, we have been able to identify the most targeted types of activity.

The first observation is that all nationalities are subject to these attacks. It is no surprise that online gaming services are the most attacked, headed up by servers for the Minecraft game. For the last few years, we have been observing the rivalries between game server administrators, who are engaged in full-on cyberwar.

While the motives sometimes appear frivolous, it seems to be primarily about money. The biggest game servers generate significant revenue, which motivates administrators to attack each other in an attempt to degrade their competitors' service quality and persuade gamers to switch to them. Talk about cut-throat competition!

We should take into account that OVH offers gaming-specific protection against DDoS attacks, which has attracted many users from this sector and means they are probably overrepresented in the statistics. Thanks to the strength of our protection mechanisms, the attackers’ attempts to target game servers hosted at OVH are pretty futile – but they’re not useless from the point of view of our R&D engineers. By dissecting the attacks, our engineers are able to continuously improve the detection algorithms. And that definitely benefits all OVH customers.

In second place are e-commerce platforms. It is surprising how different in size the targeted platforms can be. They range from the biggest online stores to those with relatively little traffic. In these cases, it is usually not about rivalry, but extortion. The idea is pretty simple. After the first attack, the attacker sends an email to their target demanding that they send money in the form of an electronic currency (such as Bitcoin or Monero) in order to stop the attacks. Most of the time, the threats are not carried out. We recommend never giving in to a threat and paying up. This just encourages the criminal activity without guaranteeing that you won’t be attacked again. The only solution is to use a hosting provider capable of handling the attacks. This will scare off the assailants and they will focus their efforts on easier prey.

There are various other types of targeted activities, but they don’t seem to follow any particular pattern. From innovative startups to public authorities, or even information sites such as media and blogs, it seems that anyone can be the target of a DDoS attack from one day to the other. The reasons are difficult to generalise.It might be rivalry between competitors, disputes between a particular service and the one chosen by the user, or the desire to censor information in the media (for more on this topic, see this article by American journalist Brian Krebs:The Democratization of Censorship). And that’s just the start of it.

Evolutions in the intensity and type of attacks

We have not detected any attacks breaking the record of one terabyte per second on our network in 2017. However, we have invested in the capacity of our VAC and our backbone in order to be able to manage this type of attack. We know it will happen sooner or later, because the means of carrying it out still exist – in particular botnets (networks of compromised hardware), which we will return to later.

When we start to analyse the attack vectors shown in Figure 6 and focus on the fourth layer of the OSI model, we are not surprised to find SYN Flood at the top of the UDP protocol, along with amplification attacks. Exploiting weaknesses in the UDP protocol represents more than half of the attacks on our network (UDP + amplification + DNS + ntp). The choice of UDP and SYN Flood vectors is not random. These offer the possibility of concealing the attacker’s identity by creating packets with spoof source IP addresses. This technique also applies to attacks by amplification. It is a technique commonly used by “booters”, DDoS sales platforms that generally use a network of machines to conceal their true IP addresses. Most DDoS attacks that we have detected have been sent from these platforms, with “botnets” representing a much smaller proportion.

Even if these layer 4 attack vectors remain unchanged, we have noticed a small change in the types of attack. Figure 7 shows the average number of packets per second and average bandwidth of the attacks each month. While the bandwidth remains fairly stable from month to month (around 700 Mbps per attack), we can see significant variations in the amount of packets sent. The peak in October, with nearly 1 Mpps, is especially striking.

Looking at the statistics of the most significant attacks in 2017 (Figure 8), we can clearly correlate each of the peaks with the appearance of a new botnet made up of connected objects (IoT) or compromised routers. Even though we previously emphasised that most attacks are launched via “booters”, that doesn’t change the fact that the most powerful attacks are carried out with the help of “botnets”. Of particular importance are those of the Mirai family (i.e. those that use snippets of code from Mirai, whose creator published it at the end of 2016).

We can also identify an evolution in the attackers’ strategies. You can clearly see that the size of the largest attacks in terms of bandwidth rests under 200 Gbps – in other words, below those of previous years. The attackers have probably realised that we have plentiful excess bandwidth and there was no point trying to saturate our connections. Fun fact: of the 13 Tbps of capacity in OVH’s global network, we only really use 3.5 Tbps on average. So instead of this, they increasingly attack the capacity of our network equipment and mitigation systems to handle a large number of packets, by generating attacks with a weak bandwidth but many more packets. Basically, instead of sending packets of 1,480 bytes that could generate significant traffic, the attackers will send very small packets of less than 100 bytes.

You can clearly see in Figure 8 that over the months, the number of pps has done nothing but rise. This adaptation shows that we are faced with attackers who are flexible, and continuously seeking to improve their techniques to get around our defences. That is why we always need to stay a step ahead of them.

Attacks based on layer 4 of the OSI model are generally the most formidable in terms of bandwidth and/or packets per second. Nevertheless, we should not ignore attacks with vectors based on level 7 (application), like HTTP Flood.

An initial observation is that level 7 attacks are clearly on the rise, with the appearance of new vectors like SSH Flood and SMTP Flood. The HTTP Flood attack is without doubt the most exploited level 7 vector, making up two thirds of the level 7 attacks observed. These attacks won’t have the same impact on the target. In this case, it is not about saturating the network infrastructure, but about saturating the application (for example an Apache service) by flooding it with requests. These attacks are generally a little more difficult to detect, as a large number of variables come into play: the capacity of the targeted server (a VPS won’t be able to handle as many requests as a dedicated server with a dual processor), but also how the service is configured and optimised against the attack. Detection cannot therefore be based on identical thresholds for all our customers.

This is the key challenge that our teams are working on, as these level 7 attacks could well explode in the next few months. In contrast to level 4 attacks, we have noticed that level 7 attacks have mainly been launched from botnets, whether IoT botnets or regular ones. In particular, we have observed fresh growth in the use of “ [url="https://isc.sans.edu/forums/diary/Wordpress+Pingback+DDoS+Attacks/17801" target="_blank"]WordPress Pingbacks[/url] ”, a default functionality that enables reflective attacks to be carried out.

Focus on Reaper and Satori botnets

We can see from the graphs in Figure 8 that the end of 2017 was relatively intense in terms of attacks. September and October saw many attacks between 80 and 100 Gbps and 60 and 90 Mpps. We have been able to attribute some of these attacks to the Reaper botnet, which managed to infect a huge number of systems in a very short time. As mentioned, we can see that the attackers in this case tried to maximise the number of packets per second rather than saturate the bandwidth. Rest assured though, that the VAC had no trouble at all fighting off their evil tricks.

The Satori botnet, which is gaining fame in the cybersecurity world, kicked off its vicious career in November.On 24th November 2017, we figured out just what it was capable of: an attack of “only” 160 Gbps managed to generate more than 250 Mpps. In the history of the VAC, this is the first time we have recorded such a volume. It is an excellent opportunity to analyse in detail how the different elements involved in the mitigation behaved. The VAC was able to mitigate the attack, but more importantly, the data we collected has allowed us to identify possible improvements and optimise our mitigation algorithms.

IoT: the phantom menace

After talking about Reaper and Satori, how can we not talk about IoT botnets to round off this article? In September 2016, the world discovered Mirai, following an attack aimed at one of our customers, which attained a record of one terabyte per second. To put this in context, it would fill up a 2 TB hard drive in 16 seconds. This botnet was exploiting design weaknesses on the part of manufacturers of connected objects in the IoT. In particular, it was able to compromise cameras and run malicious software to transform them into zombie-machines, obeying the orders of their master.

The threat to the internet arising from the IoT is not limited to Mirai. Many malicious software programs before Mirai have used the same principle. Among them are Aidra (2008), Tsunami (2010), MrBlack (2014) or even LizKebab/Gafgyt/QBOT (2014). Since this attack on our network, we have been paying even closer attention to these botnets. Among other things, we want to better understand their structure, their propagation mechanisms and the developments in the number of compromised devices able to be mobilised to carry out an attack.

This methodical observation means that we now have a much more accurate idea of the state of this threat, helping us to take the necessary measures when it moves from risk to reality. Last November, our detection tools identified various attempts by the Satori botnet to enslave yet more connected objects.
To keep an eye on botnets under creation or actively being used, we have been making use of so-called honeypots. This refers to Winnie the Pooh, the fictional bear who keeps ending up in sticky situations after being unable to resist the sight or smell of a pot of honey. We use these honeypots as bait, placing them around the internet and making them deliberately vulnerable to hacking attempts – which we can then analyse regularly to figure out how they work.

Figure 9 shows the type of activity around our honeypots in 2017. If we take these curves and add the periods of activity of the biggest botnets of 2017, like Hajime, Reaper and Satori, we see that the activity around the honeypots noticeably increased during these times.

Figure 9 also shows that activity was fairly high in the first quarter of 2017, particularly as a result of Hajime, which continuously scanned the entire internet. After this, activity slowed down considerably from April, before gaining some momentum again in September. These trends reflect the fact that Mirai has lost its shine for the “script kiddies” – teenagers with weak technical skills, but big ambitions in terms of cybercrime. Unluckily for them, creating a botnet with the help of Mirai or one of its variants is not something just anyone can come along and do. And to reach the required critical mass of compromised objects within the botnet, you need some R&D to update the infection vectors of devices, i.e. old vectors that exploited weaknesses that were able to be corrected over time. So the “script kiddies” have turned their attention to more realistic projects: QBOT. We will have the opportunity to return to this later, but for now, QBOT represents around 80% of active IoT botnets. Attackers with more technical skill have continued to use Mirai and improved it by implementing, among other things, exploitation of new vulnerabilities in the objects.

Looking at Figure 10 allows us to clearly visualise the implementation of new vulnerabilities and oversights in the infection algorithms. Each time a new exploitation method is implemented, a huge number of devices are quickly compromised, thereby causing abnormally high activity (peaks) around our honeypots. When we identify the geolocation of the infected devices, we clearly see that a different country stands out on each one of those peaks.

Here’s why: the most exploited vulnerabilities relate to routers (especially home routers). Targeting routers as a priority guarantees a certain revenue, since ISPs distribute their services en masse to subscribers and thereby flood a country or geographical area with a single router model. If it happens to have a vulnerability, exploiting this can allow a single infection algorithm to compromise several thousand devices in a very short time. And since a compromised device starts scanning the internet in search of more vulnerable devices, this generates a sudden spike in abnormal activity in a particular country, which is picked up by our honeypots, as seen in Figure 10.

As a reminder, a botnet is a collection of infected devices – known as zombies – connected to a command and control server (C&C server). This server controls them remotely by communicating the actions they should carry out (for example, attack an IP address). Our honeypots allow us to trace back to the C&C servers in order to estimate how many of them there are. Figure 10 shows the number of C&C servers that our systems detected during 2017. Note that although we are detecting more and more of them, we shouldn’t jump to conclusions. We are improving our detection systems every month, meaning that we can detect botnets today that wouldn’t have shown up on our radars yesterday. We don’t yet have enough historical data to determine whether or not there really is an upward trend.

In contrast, what is striking is the fact we mentioned earlier: that Mirai has mostly been abandoned in favour of QBOT. In the first quarter of 2017, Mirai botnets represented nearly 30% of all our detections. By the last quarter, that number had dropped to less than 10%. The other botnets identified were overwhelmingly QBOT. However, as the head of Google’s anti-abuse team Elie Bursztein notes on his blog, the architecture of Mirai botnets has evolved over the months. Instead of having a single big botnet, the botnet owners now prefer to have several smaller ones. This offers them greater resilience in the event that the botnets are partially broken up, but it also facilitates the sale of botnet “services”. Generally, the price for using a botnet is determined by the number of bots mobilised. That explains why it is common to see several C&C servers with different IP addresses sending exactly the same command to their bots at the same time.

When we look more closely at the attack vectors adopted by the users of these botnets, whatever network they are targeting, we notice a close similarity with previous observations of attacks received on the OVH network. Figure 12 shows UDP at the lead with 46%, followed by SYN Flood (20%) and, at the application layer, HTTP Flood (19%).

Above all, it is useful to observe the ports targeted by these pirates. Figure 13 shows the seven most commonly attacked ports, regardless of which network is targeted. We notice that port 80 (HTTP) is the most targeted, whether via attacks using the TCP protocol or those using the UDP port, although the difference is meaningless (HTTP is based on TCP).

The other ports are much more interesting, as they help us to create a user profile for these botnets. As we saw earlier, the video game sector is a dog-eat-dog world where competition pushes administrators into carrying out hardcore cyberwar. But it looks like a fairly large proportion of botnet users are simply bad players who try to disrupt their opponents by attacking their Xbox Live ports directly while they are playing.

Using these figures, we tried to see whether other networks were experiencing the same types of attack as OVH from IoT botnets. We chose three other internet companies for this study: a major American ISP, a large CDN provider and a hosting provider offering the same sort of services as OVH. The results took our breath away:

• The major American ISP is above all targeted by DDoS attacks aimed at Xbox Live, PlayStation and anything else that has any sort of relation whatsoever to gaming services;

• The CDN provider experiences mostly level 7 attacks like HTTP Flood, which is pretty logical given their activity;

• The hosting provider receives attacks that are quite similar to those received by OVH.

For anyone still in doubt, this is proof that DDoS attacks are not only targeted at the large hosting providers. All internet companies, large or small, are exposed to this threat in one way or another, depending on their activity. In truth, the only difference is in the tools the various companies have to protect their users, and their ability to anticipate tomorrow’s DDoS attacks by watching closely how the tactics are evolving.

What to take away

This analysis has allowed us to identify three striking facts:

• Evolution in the types of attack: their intensity in terms of the number of packets has changed a lot more than their bandwidth;

• Clear increase in attacks aimed at the application layer (layer 7);

• Structuring of IoT botnets proving – if proof is still needed – that cybercriminals intend to rely on vulnerabilities in connected objects to sustain their “business”.

These evolutions reflect how attackers are continuously adapting their techniques to get around the defences deployed by companies like OVH.

It is impossible to create a generic profile of a victim of a DDoS attack – the targets are too varied. Nevertheless, two activities stand out as being particularly exposed: the world of online video gaming (led by Minecraft and Teamspeak servers), as well as e-commerce platforms of any size.

In many cases, the attackers are motivated by money: either directly by extorting money under threat, or indirectly by harming one of their competitors to try to win back customers. These practices are not restricted to online gaming, by the way: anti-DDoS software publishers have even been known to launch attacks... in order to then market their protection solutions to their victims!

In 2018, we will closely monitor the trends described in this analysis to see whether they are confirmed. But don’t panic: whatever happens, our anti-DDoS technologies are there to protect you.