Neustar® Insights
2011 DDoS Attacks:
Top 10 Trends & Truths
What New Dangers Emerged?
How Are Attackers Shifting Tactics?
What Risks Should You Expect In 2012?
Neustar’s experts provide the answers to these questions and more.
Get the facts and be better prepared for the threats ahead.
Introduction
The Internet powers almost every aspect of business operations today, from websites, email
and ecommerce payments to behind-the-scenes data exchanges. During a distributed denial of
service (DDoS) attack, the entire enterprise is at risk. Besides crippling sales and productivity
and severing ties to suppliers and partners, DDoS attacks fuel doubts about a company’s
stability. Blogs light up in minutes, becoming part of the Web’s permanent record. The damage
to brand equity can be lasting and incalculable.
This report examines the major DDoS trends of 2011 and what to expect in 2012. Drawing on
Neustar’s decade of experience in DDoS mitigation, plus the unique Internet views our
enterprise services afford, this report seeks to separate truth from industry myth. 2011 was an
eventful year across the DDoS landscape. The insights that follow are meant to help you better
prepare for 2012.
What exactly is a DDoS attack? According to the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT), it’s when an attacker attempts to prevent legitimate users from accessing a computer resource, normally by overwhelming it with malicious traffic. By targeting a company’s Internet-connected infrastructure—its websites, portals, email, databases and more—an attack can block end users from doing business as usual.
In one common scenario, an attacker floods a network connection with tens of gigabits of traffic,
creating bottlenecks in firewalls, routers or even the connection itself. When the next request for
service tries to come or go, the network connection is clogged. The request is denied.
Communication stops.
Another frequent scenario: an attacker floods a target with hundreds of thousands of requests
per second. When the receiving server attempts to process them, it quickly becomes
overwhelmed and shuts down. Upon the next request, the server is nowhere to be found.
The first DDoS attacks occurred in the late 1990s. By 2000, ecommerce sites were targeted and
the business world quickly took notice. It is now widely agreed that attacks occur thousands of
times each day and are increasing every year. The damage is considerable and more
widespread than many realize. While the obvious harm is immediate—site outages and lost
revenues—companies also suffer irreversible effects such as lost customers, negative publicity
and tarnished reputations. When customers, partners and shareholders hear you were knocked
offline, your brand takes a hit. Research firm Yankee Group estimates that an average mid-size
enterprise ($10 million in annual revenue) would lose over $150,000 from just one successful
DDoS attack. For a large ecommerce company, losses over 24 hours could number in the
millions.
Of course, the business world hasn’t taken all this lying down. Leaders in managing and
protecting Internet infrastructure have developed powerful technologies to block DDoS attacks.
Over 10 years ago, Neustar® began leading the way.
Neustar® Insights: 2011 DDoS Attacks: Top 10 Trends & Truths 2
Neustar: Deep Experience and Unique Views of the DDoS Landscape
In helping businesses stay connected, Neustar is known for providing “the technology behind
the technology.” We started with routing and addressing services to telecommunications carriers
throughout North America and the world. Today, Neustar’s wide-ranging services help make
online business possible: managed DNS, Web performance management, IP intelligence,
security threat monitoring and DDoS mitigation. Listed on the New York Stock Exchange
(NYSE: NSR), the company is approaching a billion dollars in annual revenues.
Within the world of DDoS protection, Neustar occupies a unique position. Because our full set of
services goes far beyond DDoS defense, we have views of the Internet unlike any in the
industry. Combined with our 10+ years of DDoS mitigation experience, this lets us aggregate
data no other organization has.
Our data sources include:
The diverse equipment we use to mitigate DDoS attacks. By using best-of-breed hardware from Arbor® Networks, Citrix® Systems, Juniper® Networks, RioRey®, Cisco Systems® and Hewlett Packard®—and by deploying their devices throughout our global mitigation platform—we are able to mine and analyze data in unique ways.
Neustar’s global DNS platform. This source is invaluable, given that most
attacks target DNS as the first step. In fact, DNS often becomes the attack target
itself. Neustar operates at all levels of the domain name system, providing
authoritative and recursive services to companies of all sizes.
Close relationships with leading Internet security research firms. We
supplement our internal information with data from objective third parties. These
firms provide us with advanced information on cyber gang activities, plus
command-and-control data on botnets, the networks of infected computers that
give attacks amplified force.
Direct contact with national and international government agencies helps our
customers coordinate investigations during and after attacks. These agencies rely
on our extensive IP intelligence databases and share data with us to provide
deeper insights into attackers’ activities.
Neustar’s expertise includes our 24/7, on-site Security Operations Center, a team with over 100
years of combined DDoS experience. In the adjoining arena of security threat monitoring, our
NeuSentry service alerts businesses to compromised computer systems, route hijacks and
other dangers.
In short, the depth of our data and expertise provide the foundation of this report.
Trend #1: Attacks Are Growing in Number—Though the Motives Are
Debatable
Neustar agrees with industry reports that DDoS attacks are more frequent, with growth
assessments as high as 45%. We also concur that a major culprit is low-cost, freely distributed
DDoS attack technologies. Tools such as the low orbit ion cannon (LOIC), a favorite piece of
attack software, let anyone with a computer unleash a deadly barrage. For as low as $67 a day
you can even rent a botnet. According to InformationWeek, there are now over 50 popular
DDoS tools—and the number is growing fast.
However, we don’t support the contention that “hacktivism”—the use of cyber-attacks to make a political or social statement—is now the main motive behind DDoS attacks. The most infamous hacktivist group, Anonymous, has hit governments worldwide and companies like Visa® and MasterCard®. While such attacks grab headlines—which is exactly their purpose—Neustar finds the bulk of attacks still stem from other sources, namely extortionists, cut-throat competitors and others who strike for profit. Industry experts agree that many of these attacks go unreported. After all, no one wants to go public when their systems have been assaulted. Customers flee, sales drop and stock prices follow suit.
Perhaps most media-reported attacks are the work of hacktivists. But those who take aim at
your bottom line—in the form of a ransom note threatening your website or a competitor lunging
for market share—are still launching the majority of overall attacks.
Trend #2: Sophisticated Attacks Are on the Rise—but So Are Old-School
Tactics
In the past, DDoS attacks mainly targeted the network layer. In 2011, we saw a notable increase in attacks at the application level as well. These hit Internet-facing applications rather than perimeter equipment and network connections; the idea is to exploit weaknesses and sap server resources instead of the network connection. Often going unnoticed, this tactic can be quite effective. For example, using the LOIC tool, an attacker can zero in on your website’s login page, overpowering back-end databases with costly CPU queries. The result can be the same as from a larger attack—an outage.
With that in mind, brute-force network-level attacks haven’t gone away. As noted earlier, the overall number of attacks continues to rise aggressively. Yes, more and more are complex, but many are still primitive. Along with attacks on applications and multi-vector attacks, simpler tactics like UDP flood attacks are doing their part to keep businesses on their toes. In fact, attackers are increasingly using a blend of tactics, mixing both network and application strikes. They seek blind spots in the security architecture, probing relentlessly to try to take you offline.
Our take-away: now more than ever, effective mitigation means diverse mitigation technologies,
along with experienced staff who know how to deploy and tune them. In other words, you need
to be ready for anything. In 2012 you’ll see another mix of subtly changing tactics and full-frontal
assaults.
Trend #3: While Some Types of Attacks Are Down in Size, the Overall
Danger Is Growing
In 2011, the largest reported attacks were smaller than the largest in 2010, which saw a few
upward of 100Gbps (100,000 megabits per second). However, no one should breathe easier.
Network-bandwidth attacks of 10Gbps or more were still 15% of all DDoS incidents Neustar
mitigated. More than one out of 10 attacks came with hurricane strength, enough to overwhelm
bandwidth and quickly cause an outage.
Equally disturbing, high packets-per-second (PPS) attacks grew in popularity. Instead of exhausting bandwidth, these drain processing power. To illustrate, DDoS attacks using UDP packets tend to be smaller in size (DNS UDP packets, for instance, are typically limited to 512 bytes). While such attacks take up modest bandwidth, the sheer number of packets can overwhelm your CPU as it attempts to process the blitzkrieg of requests.
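To make the bandwidth-versus-packet-rate distinction concrete, here is an added example (not Neustar’s code) that classifies per-second traffic samples as a bandwidth flood, a high-PPS flood or normal traffic; the 10 Gbps figure and the 512-byte DNS packet size come from this report, while the 1 Mpps threshold, the sample flow records and the function names are assumptions made for the illustration.

```python
"""Separate bandwidth floods from high packets-per-second (PPS) floods.
Added illustration, not Neustar's code: the 10 Gbps figure and 512-byte DNS
packet size come from the report; the 1 Mpps threshold and the flow samples
are constructed for this example."""
from dataclasses import dataclass

GBPS_THRESHOLD = 10.0      # report: 10 Gbps+ attacks were 15% of incidents
PPS_THRESHOLD = 1_000_000  # assumption: 1 Mpps exceeds a typical server's budget


@dataclass
class Sample:
    """One second of traffic towards a protected prefix."""
    second: int
    packets: int
    total_bytes: int

    @property
    def gbps(self) -> float:
        return self.total_bytes * 8 / 1e9

    @property
    def avg_packet_bytes(self) -> float:
        return self.total_bytes / self.packets if self.packets else 0.0


def parse_samples(text: str) -> list:
    """Parse 'second packets bytes' lines; '#' starts a comment line."""
    samples = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        sec, pkts, nbytes = line.split()
        samples.append(Sample(int(sec), int(pkts), int(nbytes)))
    return samples


def classify(sample: Sample) -> str:
    """Bandwidth is checked first: a 10 Gbps flood saturates the link whatever
    its packet count; a PPS flood exhausts the CPU at modest bandwidth."""
    if sample.gbps >= GBPS_THRESHOLD:
        return "bandwidth-flood"
    if sample.packets >= PPS_THRESHOLD:
        return "pps-flood"
    return "normal"


def pps_at_bandwidth(gbps: float, packet_bytes: int) -> int:
    """Packets per second that fill `gbps` when every packet is `packet_bytes` long."""
    return int(gbps * 1e9 / (8 * packet_bytes))


# Constructed samples: ordinary web traffic; a DNS-sized UDP flood at only
# 8.2 Gbps but 2 Mpps; a 1500-byte flood that crosses 10 Gbps at 0.9 Mpps.
SAMPLE_FLOWS = """# second packets bytes
0 120000 150000000
1 2000000 1024000000
2 900000 1350000000
"""

if __name__ == "__main__":
    for s in parse_samples(SAMPLE_FLOWS):
        print(s.second, f"{s.gbps:.2f} Gbps", s.packets, "pps",
              f"{s.avg_packet_bytes:.0f} B/pkt", classify(s))
```

The same 10 Gbps link carries roughly three times as many packets per second when filled with 512-byte DNS replies as with 1500-byte packets, which is why a PPS flood can cripple a server long before any bandwidth alarm fires.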
We agree with experts who claim that only cloud-based
DDoS solutions offer a comprehensive defense. Cloud
solutions provide the bandwidth (as measured in Gbps) to
absorb today’s massive network layer attacks, plus the technology diversity and processing
power to handle application-layer and high packets-per-second strikes. Remember, all on-
premise hardware, even the best, has its limits. At some point, the sheer volume of traffic will
clog your network connections—before on-premise perimeter equipment even gets involved.
Trend #4: Attacks Are Global in Origin, But Often Hard to Trace
Which countries generate the most attacks? The short list would include China, Ukraine, India
and the United States, though reports vary. However, things aren’t always what they seem.
Thanks to a rise in spoofed IP addresses—IP packets whose source addresses have been forged—you can’t always be sure where the trouble starts. Without advanced IP technologies, it can be difficult to know an attacker’s actual location. In truth, tracing an attack’s origin doesn’t always contribute substantially to mitigation.
Trend #5: Firewalls & IDS/IPS Devices Are Part of the Problem, Not the
Solution
Certain security tools hinder, not help, during DDoS attacks. Neustar
finds that deploying firewalls or intrusion detection and prevention
systems (IDS/IPS) in front of servers—without a mitigation solution in
place—aids the wrong cause. They can quickly become bottlenecks,
helping achieve the attacker’s goal of slowing or shutting you down.
According to a recent report by the Computer Security Division of the
National Institute of Standards and Technology (NIST), “IDPS sensors
are susceptible to various types of attacks. Attackers can generate
unusually large volumes of traffic, such as distributed denial of service
(DDoS) attacks, and anomalous activity (e.g., unusually fragmented packets) to attempt to
exhaust resources or cause it to crash.” Erected to defend servers with large volumes of
inbound packets, these barriers themselves end up being points of failure.
It’s also important to realize that firewalls won’t repel application-level attacks. To block an
attack on a website, for example, a firewall must shut down all HTTP & HTTPS traffic, therefore
causing an outage. One problem: firewalls reside too far down the data path. During a DDoS
attack, they can’t protect the access link from the ISP to your edge router, leaving these
components exposed. Firewalls also lack sufficient anomaly detection. When attackers use valid
protocols, firewalls don’t see the ruse. Finally, firewalls don’t do inspection on a packet-by-
packet basis to distinguish good traffic from bad. It’s easy for attackers to generate traffic that
conforms to a firewall’s policy rules yet elbows legitimate traffic out of the way. During DDoS
attacks, firewalls go down faster than the servers they’re meant to protect.
Trend #6: For Many, DNS Continues to Be the Weakest Link
Approximately 10% of all DDoS attacks target DNS. In Neustar’s experience, many organizations lack adequate protection, despite knowing that if their DNS fails the consequences can be disastrous. Everything relying on an Internet connection (websites, email, FTP sites, etc.) will go down as well. If your DNS servers are located on-premise, sharing a network connection with all your other devices and servers, a DDoS attack translates to a complete outage. If you’re on the shared DNS platform of a registrar or hosting company, your risk is just as large. To protect their other customers, these vendors will black hole you, turning off service until they decide the danger is over.
To make matters worse, DNS-based attacks are among the hardest to repel. Most organizations are not equipped to block them, a potential problem since these attacks are growing in popularity.
Trend #7: Websites & DNS Are Not the Only DDoS Targets
With so many technologies available to launch DDoS attacks, there’s a tool for every target.
Neustar is not only seeing attacks on websites and DNS but also on less defended Internet
infrastructure. This includes email servers, APIs, default configurations like SNMP and even
VoIP. Imagine no phone service, thanks to a congested Internet connection. Or losing sales
because customers couldn’t connect to your API. In protecting against DDoS attacks, you must
consider everything connected to the Internet and use a solution that covers all points of
exposure.
Trend #8: Most DDoS Protection Solutions Can’t Handle IPv6 Traffic
Remember World IPv6 Day? If you don’t, you’re not alone. It came and it
went last year and plenty of companies still aren’t capable of handling IPv6
traffic. (IPv6 is the new version of the Internet Protocol and as such a
source of available IP addresses. It supplements its predecessor, IPv4.)
Even worse, most DDoS mitigation solutions haven’t made the upgrade
either. While attacks that utilize IPv6 still aren’t a mainstream tactic, they
did start cropping up in 2011. With IPv6 sure to gain steady if slow
acceptance, you’d be wise to make sure your DDoS solution (and DNS) are ready.
Trend #9: While Relatively Rare, Attacks on Encrypted Traffic Can Spell
Trouble
Less than 5% of the DDoS attacks Neustar tends to see involve encrypted traffic on the
application layer (typically HTTPS-based traffic on port 443). However, traffic is encrypted for a
reason—it’s highly valuable—so you must be ready to protect it. Such attacks are harder to
mount, which explains why they’re used so sparingly. They generally target the encrypted
traffic’s port with GET Flood or POST Flood traffic, which is usually handled by rate limiting or
null-routing. The best practice, though, is to perform deep packet inspection at the application
level. This process of opening, inspecting and closing packets is complex, but neglecting it can
leave your business vulnerable.
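The rate-limiting response mentioned above, as an added example that is not part of Neustar’s report: a per-client sliding-window limiter replayed over constructed HTTPS access-log lines, so that a client hammering the login page with POSTs is throttled while ordinary browsing passes. The log format, the 10-second window, the 20-request limit and the client addresses (RFC 5737 documentation ranges) are all assumptions made for the illustration.

```python
"""Sliding-window rate limiting of GET/POST floods on the HTTPS front end.
Added illustration, not Neustar's code: the log lines, window, limit and
client addresses are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
WINDOW_SECONDS = 10   # assumption
MAX_REQUESTS = 20     # assumption: per client, per window


def parse_line(line: str):
    """Return (ip, timestamp, method, path), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


class SlidingWindowLimiter:
    def __init__(self, window: int, limit: int):
        self.window, self.limit = window, limit
        self.history = defaultdict(deque)   # client -> timestamps in window

    def allow(self, client: str, ts: datetime) -> bool:
        q = self.history[client]
        while q and (ts - q[0]).total_seconds() >= self.window:
            q.popleft()                     # expire requests outside the window
        if len(q) >= self.limit:
            return False                    # over budget: drop, do not record
        q.append(ts)
        return True


def process(lines, window=WINDOW_SECONDS, limit=MAX_REQUESTS) -> dict:
    """Replay log lines through the limiter; return dropped counts per client."""
    limiter = SlidingWindowLimiter(window, limit)
    dropped = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, _path = rec
        if method in ("GET", "POST") and not limiter.allow(ip, ts):
            dropped[ip] += 1
    return dict(dropped)


def constructed_log() -> list:
    """30 POSTs to /login from one client within 5 s, plus 5 ordinary GETs."""
    lines = []
    for i in range(30):
        lines.append(f'198.51.100.7 - - [12/Nov/2011:10:00:{i // 6:02d} +0000] '
                     f'"POST /login HTTP/1.1" 200 512')
        if i % 6 == 0:
            lines.append(f'192.0.2.10 - - [12/Nov/2011:10:00:{i // 6:02d} +0000] '
                         f'"GET /index.html HTTP/1.1" 200 8192')
    return lines
```

Because the limiter keys on the client address, it only helps against floods from a bounded set of sources; a distributed flood spread thinly across many addresses still needs the upstream scrubbing or null-routing the report describes.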
Trend #10: Mobile Is Emerging as Part of the Battleground
Last September, Damballa® Labs reported that thousands of
compromised Android devices were linked to criminal botnets.
During one two-week stretch, 20,000 devices were involved, an eye-
opening milestone. When you think about it, though, this shouldn’t
come as a surprise. Mobile device infrastructure is expanding fast,
essentially creating a second-tier wireless Internet. Speeds are
increasing too as 4G services roll out.
As noted by TechCrunch, mobile operators have become
“accidental ISPs”. In a few short years, they’ve transformed their
businesses from voice carriers into providers of mobile data and
video experiences. Unfortunately, mobile-device security hasn’t kept
pace. Mobile devices are not only susceptible to malware infections,
but can also be used by the bad guys to download free attack tools.
That’s right, you can launch a DDoS attack from most smart phones
or tablets. Bottom line: mobile devices are starting to magnify the
threat.
Conclusions
DDoS attacks and the threats they pose evolved rapidly in 2011. Attacks continued to grow in
number, fueled not only by hacktivism but those seeking financial gain. Many attacks became
more sophisticated, though many remained basic. An increasing number mixed old and new
tactics, attacking at both the network and application layers. While the largest attacks of 2011
were smaller than in 2010, they were still large enough to cause downtime and PR nightmares.
Moreover, smaller, more targeted attacks continued to wreak havoc, making a strong case for
quality over quantity. While certain countries surely accounted for more than their share of
attacks, spoofing makes it difficult to pin down attack origins. Firewalls, DNS and mobile posed
vulnerabilities, as did solutions that couldn’t handle IPv6 or encryption.
Looking ahead, 2012 will be another challenging year. Attack tools will evolve. So will attack
methodologies. The only thing that won’t change is the importance of the Internet to businesses.
DDoS attacks will continue to be a when, not an if.
Neustar SiteProtect: Keeping Businesses Safe from DDoS
To combat the dangers of DDoS, Neustar offers SiteProtect, a cloud-based, on-demand DDoS
mitigation service. Activated through DNS or BGP redirection, SiteProtect scrubs away
malicious traffic in the cloud, letting valid traffic flow to your infrastructure. To do this, SiteProtect
relies on a large global mitigation network, featuring 15 IP Anycasted scrubbing centers.
Using diverse equipment from leading mitigation vendors, SiteProtect is designed to stop
numerous types of attacks, including those involving the application layer, IPv6 and encrypted
traffic. Technology diversity sets it apart from other mitigation solutions. By drawing on each
vendor’s strengths, SiteProtect can stop the sort of multi-faceted assaults that are evolving
rapidly and redefining the DDoS landscape.
Backed by Neustar’s 24/7 Security Operations Center—fully manned on-site by highly
experienced experts—SiteProtect supplies the assurance businesses need. While it’s best to
prepare in advance, Neustar can emergency-provision SiteProtect should your business
suddenly come under a DDoS attack. Learn more at http://www.ultradns.com.
About Neustar®
Neustar, Inc. is a trusted, neutral provider of real-time information and analysis to the Internet,
telecommunications, entertainment, advertising and marketing industries. Neustar applies its
advanced, secure technologies in routing, addressing and authentication to its customers’ data
to help them identify new revenue opportunities, network efficiencies, cyber security and fraud
prevention measures. More information is available at http://www.neustar.biz.
+1-888-367-4812
[email protected]
www.UltraDNS.com
@UltraDNS
2012 Neustar, Inc.
All rights reserved.