
www.prolexic.com
Attack Spotlight: Q1's Record-setting DDoS Attack
Overview
In Q1 2014, Prolexic successfully mitigated the largest Distributed Denial of Service (DDoS) attack campaign to ever cross its network
The attackers used a combination of Network Time Protocol (NTP) reflection and Domain Name Service (DNS) reflection as the main attack vectors
Variations of the POST flood attack were also used
The attack exceeded 10 hours in duration and was directed at a European Internet media company
This campaign peaked at more than 200 Gbps and 53.5 Mpps




DDoS techniques involved

PLXsert identified the latest NTP and DNS reflection attack tools, as well as the popular DDoS toolkit known as Drive, in the attack
The NTP and DNS protocols are susceptible to abuse by malicious actors, producing highly amplified results
Drive, a DIRT Jumper variant, utilizes a traditional botnet architecture achieved through malware infection
Validated attack vectors
POST1 & POST2 floods, which target Layer 7 (application layer)
DNS reflection, which targets Layer 3 & Layer 4 (infrastructure layer)
NTP monlist reflection, which targets Layer 3 and Layer 4
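The infrastructure-layer vectors above (NTP monlist and DNS reflection) share one traffic shape on the victim side: UDP responses from port 123 or 53, arriving from many distinct reflectors at once, in packets far larger than a normal NTP or DNS exchange produces. The following detector is an added example, not Prolexic's tooling or data; it runs over constructed NetFlow-style records and flags a (victim, service) pair when enough distinct reflectors send large-packet traffic. The sample addresses, thresholds and field layout are assumptions for illustration.

```python
"""Flag NTP/DNS reflection traffic in NetFlow-style records (added example)."""
from collections import defaultdict

# Reflection attacks deliver *responses* to the victim, so the tell-tale
# traffic has the reflector's service port as the UDP source port.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS"}

# Constructed sample, not data from the campaign on this page. One record per
# line: epoch_seconds,src_ip,src_port,dst_ip,dst_port,ip_proto,packets,bytes
SAMPLE_FLOW_LINES = """\
1396000000,192.0.2.11,123,198.51.100.10,43211,17,100,48200
1396000001,192.0.2.12,123,198.51.100.10,43211,17,100,48200
1396000001,192.0.2.13,123,198.51.100.10,43211,17,100,48200
1396000002,192.0.2.14,123,198.51.100.10,43211,17,100,48200
1396000002,192.0.2.15,123,198.51.100.10,43211,17,100,48200
1396000003,192.0.2.21,53,198.51.100.10,43211,17,200,280000
1396000003,192.0.2.22,53,198.51.100.10,43211,17,200,280000
1396000004,192.0.2.23,53,198.51.100.10,43211,17,200,280000
1396000004,192.0.2.24,53,198.51.100.10,43211,17,200,280000
1396000005,203.0.113.5,123,198.51.100.20,123,17,2,96
1396000005,203.0.113.9,53,198.51.100.20,51522,17,1,120
1396000006,203.0.113.9,443,198.51.100.20,51523,6,30,9000
"""


def parse_flows(lines):
    """Parse CSV flow records into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        parts = line.split(",")
        if len(parts) != 8:
            continue
        ts, src, sport, dst, dport, proto, pkts, nbytes = parts
        flows.append({
            "ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": int(proto),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return flows


def detect_reflection(flows, min_reflectors=3, min_avg_pkt_bytes=400):
    """Return one alert per (victim, service) whose inbound UDP traffic from a
    reflector port comes from many distinct sources in large packets.

    A legitimate NTP exchange is one 48-byte packet each way and an ordinary
    DNS answer is a few hundred bytes; monlist and ANY responses are far
    larger and, during an attack, arrive from many reflectors at once.
    Thresholds are illustrative assumptions, not values from the report.
    """
    agg = defaultdict(lambda: {"srcs": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != 17 or f["sport"] not in REFLECTOR_PORTS:
            continue  # only UDP from NTP/DNS service ports is of interest
        entry = agg[(f["dst"], REFLECTOR_PORTS[f["sport"]])]
        entry["srcs"].add(f["src"])
        entry["packets"] += f["packets"]
        entry["bytes"] += f["bytes"]

    alerts = []
    for (dst, service), e in agg.items():
        avg = e["bytes"] / e["packets"] if e["packets"] else 0.0
        if len(e["srcs"]) >= min_reflectors and avg >= min_avg_pkt_bytes:
            alerts.append({
                "victim": dst, "service": service,
                "reflectors": len(e["srcs"]), "packets": e["packets"],
                "total_bytes": e["bytes"], "avg_pkt_bytes": round(avg, 1),
            })
    # Largest contributor first, which is the vector to rate-limit first.
    alerts.sort(key=lambda a: a["total_bytes"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in detect_reflection(parse_flows(SAMPLE_FLOW_LINES.splitlines())):
        print(alert)
```

On the sample, the two single-source flows to 198.51.100.20 (a real NTP sync and a small DNS answer) stay quiet, while the multi-reflector NTP and DNS traffic to 198.51.100.10 each raise one alert. In production the aggregation would be bounded to a time window and the distinct-source set replaced by a sketch, but the two signals, reflector count and bytes per packet, are the ones that separate reflection from ordinary UDP service traffic.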

Validated attack vectors (cont.)
DNS ANY request flood and NTP reflection attack signatures were detected during the campaign
An application layer attack (Layer 7) generated multiple HTTP (POST) requests with several different signatures, attempting to evade DDoS mitigation technologies
The POST flood Layer 7 attacks appeared to match those generated by the DIRT Jumper Drive malware
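A POST flood that rotates its request signatures (path, User-Agent) is built to slip past filters keyed on any single signature, so the defensive angle is per-source behaviour rather than content: how many POSTs one client sends in a short window, and how many different signatures it cycles through while doing so. The script below is an added example, not code from Prolexic or from the DIRT Jumper analysis; it parses constructed Apache/nginx combined-format access-log lines and reports sources whose POST rate in any window exceeds a threshold. The log lines, the window size and the threshold are assumptions for illustration.

```python
"""Spot Layer 7 POST floods with rotating signatures in access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines, not logs from the attack described on the page.
# 203.0.113.77 fires six POSTs in two seconds while cycling three paths and
# three User-Agents; 198.51.100.8 is an ordinary visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.77 - - [10/Mar/2014:10:15:01 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.77 - - [10/Mar/2014:10:15:01 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
203.0.113.77 - - [10/Mar/2014:10:15:02 +0000] "POST /search.php HTTP/1.1" 200 512 "-" "Opera/9.80 (Windows NT 6.1)"
203.0.113.77 - - [10/Mar/2014:10:15:02 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.77 - - [10/Mar/2014:10:15:03 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
203.0.113.77 - - [10/Mar/2014:10:15:03 +0000] "POST /search.php HTTP/1.1" 200 512 "-" "Opera/9.80 (Windows NT 6.1)"
198.51.100.8 - - [10/Mar/2014:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.8 - - [10/Mar/2014:10:15:09 +0000] "POST /login.php HTTP/1.1" 302 0 "http://example.test/index.php" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def parse_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are dropped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        records.append({
            "ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "ua": m.group("ua"),
        })
    return records


def peak_in_window(times, window_seconds):
    """Largest number of events falling inside any window of the given length."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_post_flood(lines, window_seconds=10, min_posts=5):
    """Report sources whose peak POST count in any window reaches min_posts.

    Counting per source, not per signature, is what defeats signature
    rotation: the attacker can vary path and User-Agent freely, but every
    request still comes from the same client address.
    """
    per_ip = defaultdict(lambda: {"times": [], "paths": set(), "uas": set()})
    for r in parse_log(lines):
        if r["method"] != "POST":
            continue
        e = per_ip[r["ip"]]
        e["times"].append(r["ts"])
        e["paths"].add(r["path"])
        e["uas"].add(r["ua"])

    alerts = []
    for ip, e in per_ip.items():
        peak = peak_in_window(e["times"], window_seconds)
        if peak >= min_posts:
            alerts.append({
                "ip": ip, "peak_posts": peak,
                "distinct_paths": len(e["paths"]),
                "distinct_user_agents": len(e["uas"]),
            })
    alerts.sort(key=lambda a: a["peak_posts"], reverse=True)
    return alerts


if __name__ == "__main__":
    for alert in detect_post_flood(SAMPLE_LOG.splitlines()):
        print(alert)
```

The distinct_paths and distinct_user_agents counts are kept in the alert because a single source that both exceeds the POST rate and cycles through several signatures in the same window is a stronger match for a toolkit-driven flood than one that simply retries a form; the rate alone is what triggers the alert, the variety is what an analyst uses to tell the two apart.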



Analysis of associated malware
The Drive variant associated with this campaign
supports nine attack vectors:
GET
POST1
POST2
IP
IP2
UDP
request
timeout
thread

CONFIDENTIAL
Analysis of sourced traffic
The majority of DNS reflectors were from the United States, as well as Russia and Brazil
The principal sources of the application attacks were identified as Turkey, Iran and Argentina
PLXsert verified that the majority of sources from these countries match customer premises equipment (CPE) device signatures







Attack traffic at Prolexic scrubbing centers

Q1 2014 Global Attack Report
Download the Q1 2014 Global DDoS Attack Report
The Q1 2014 report covers:
Analysis of recent DDoS attack trends
Breakdown of average Gbps/Mpps statistics
Year-over-year and quarter-by-quarter analysis
Types and frequency of application layer attacks
Types and frequency of infrastructure attacks
Trends in attack frequency, size and sources
Where and when DDoSers launch attacks
Case study and analysis


About Prolexic
Prolexic Technologies, now part of Akamai, has successfully stopped DDoS attacks for more than a decade
Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers
