2025-02-14 Update From: SLTechnology News&Howtos > Network Security
Shulou(Shulou.com)06/01 Report--
"Dish" them! IP gang attacks
2019 is just starting
A lot of people have already picked up a new word.
What kind of "dish" is it?
If something is pleasing to the eye, to "dish" it means: I am not alone on this path, and the child can be taught;
If it is not pleasing to the eye, to "dish" it means to give it a fixing, and then see whether it still bristles.
And there is a group of zombies that collude all year round to "commit crimes" and keep up their network attack activities. Do you want to "dish" them?
Based on the research tracking and data accumulation of multiple IP gang behaviors in the past two years, Green League Technology recently launched the "IP Gang Behavior Analysis" report. It is hoped that this report will more accurately describe the behavior of attackers, effectively defend against possible future attacks by these groups, and prevent problems before they occur.
I. What "attack methods" do the gangs use?
1. Attack types
NTP reflection attacks are the most commonly used method in high-traffic attacks because of their excellent amplification performance. The SYN Flood attack method is simple and widely used. These two, together with UDP Flood and SSDP reflection attacks, constitute the dominant attack types.
Figure 1 Attack type and total attack traffic
2. Single and Mixed Attacks
UDP flood is a common attack method in hybrid attacks. The figure below shows the attack methods used by one group: most of its attacks used only one attack method (92.8 per cent), while 75 per cent of its mixed attacks used two attack methods and 4 per cent used four.
Figure 2. Combination of attack methods in a hybrid attack (a group of attackers)
Figure 3. Combination of attack methods in a hybrid attack (one attack group)
3. Reflection Attack Traffic and Events
Reflection attacks, especially high-traffic ones, are the most popular attack methods among the groups. NTP reflection is the more powerful DDoS attack in terms of its ability to generate larger traffic. In terms of the number of attacks, DNS reflection attacks make up a relatively large proportion, accounting for 57% of all reflection attacks.
Figure 4. Reflection attack traffic vs. number of attacks (for a particular attack group)
II. Peak traffic: the maximum "potential" of IP gang attacks
1. Overall distribution of peak flow
According to statistics, the peak traffic of most IP groups exceeds 2 Tbps. The peak traffic (Tbps) is a key parameter to measure the attack ability and malicious degree of a certain group, reflecting the maximum attack ability of the attack group to the target.
Figure 5 Peak traffic distribution of IP groups (by IP group)
2. Peak attack traffic for a single group
Groups often do not reach their full potential, and understanding the limits of their capabilities is important for planning defences. By comparing the two quarterly peaks of traffic for a particular group, we found that the maximum attack traffic peak of the group was many times higher than the daily attack traffic, and when its potential was fully unleashed, the destructive power was amazing.
Figure 6. Peak traffic trends for a single attack (for a particular attack group)
3. Top ten attack groups
Green League Technology counted the attack traffic from January to September 2018 and summarized the peak traffic fluctuations of the top ten IP groups. The maximum traffic peak and average traffic peak indicate the attack capability and attack duration of IP groups, reflecting the attack activity of these groups.
Figure 7. Peak traffic for the top ten attack groups
III. Where are the most victims and attackers?
To show attack activity outside China, we studied its geographic distribution using data collected by detectors deployed abroad. Europe has the most attack sources and also suffers the most. Although we cannot determine the geographical location of the attackers behind this activity, we can identify hot spots for DDoS activity.
Figure 8 Distribution of attack source countries
Figure 9 Distribution of attack target countries
IV. Three pictures teach you to identify different "IP gang models"
1. The biggest attack group
The graph below shows the overall picture of the largest attack group we found. As can be seen from the graph, the group does not have many targets or attacks, but its attack peak is very high.
Figure 10 IP gang profile model (largest gang)
2. The most active attack group
The graph below shows the attack group with the largest number of attacks and the largest number of victims. The group is in fact small, but it can generate large attack traffic and traffic peaks. It can be seen that the gang is very aggressive.
Figure 11 IP gang profile model (most active attack groups)
3. The highest-traffic attack group
The graph below shows the attack group with the largest attack traffic and the highest peak traffic. However, the size of the group and its numbers of targets and attacks are relatively small, from which it can be inferred that members of the group may have a large bandwidth pipeline.
Figure 12 IP gang profile model (largest traffic gang)
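The profile dimensions used in sections I, II and IV (attack methods, peak traffic, group size, targets, number of attacks) can be computed from per-attack records as sketched below. This is an added example, not code or data from the report; the record layout, gang ids, field names and all sample values are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

def ips(prefix, n):
    return {f"{prefix}.{i}" for i in range(1, n + 1)}  # documentation-range addresses

# Constructed events (not report data): gang, target, vectors, peak Gbps, total TB, source IPs
EVENTS = [
    ("g1", "t1", {"NTP_REFLECTION"}, 900.0, 30.0, ips("192.0.2", 8)),
    ("g1", "t2", {"NTP_REFLECTION"}, 700.0, 20.0, ips("192.0.2", 12)),
    ("g2", "t3", {"SYN_FLOOD"}, 120.0, 4.0, ips("198.51.100", 3)),
    ("g2", "t4", {"SYN_FLOOD"}, 110.0, 4.0, ips("198.51.100", 3)),
    ("g2", "t5", {"SYN_FLOOD", "UDP_FLOOD"}, 150.0, 4.0, ips("198.51.100", 2)),
    ("g2", "t6", {"DNS_REFLECTION"}, 90.0, 4.0, ips("198.51.100", 3)),
    ("g3", "t7", {"NTP_REFLECTION"}, 1500.0, 60.0, ips("203.0.113", 4)),
    ("g3", "t7", {"NTP_REFLECTION", "UDP_FLOOD"}, 1200.0, 50.0, ips("203.0.113", 3)),
]

@dataclass
class Profile:
    members: int         # distinct source IPs attributed to the gang
    targets: int         # distinct victims
    attacks: int         # number of attack events
    total_tb: float      # summed attack volume
    peak_gbps: float     # highest single-attack peak observed
    single_share: float  # fraction of attacks that used exactly one method
    top_vector: str      # method that appears in the most attacks

def build_profiles(events):
    acc = defaultdict(lambda: {"ips": set(), "tg": set(), "n": 0, "tb": 0.0,
                               "peak": 0.0, "single": 0, "vec": Counter()})
    for gang, target, vectors, peak, tb, src in events:
        a = acc[gang]
        a["ips"] |= src                     # membership is the union across attacks
        a["tg"].add(target)
        a["n"] += 1
        a["tb"] += tb
        a["peak"] = max(a["peak"], peak)    # peak, not average, bounds defence sizing
        a["single"] += len(vectors) == 1
        a["vec"].update(vectors)
    return {g: Profile(len(a["ips"]), len(a["tg"]), a["n"], a["tb"], a["peak"],
                       a["single"] / a["n"],
                       min(a["vec"], key=lambda v: (-a["vec"][v], v)))
            for g, a in acc.items()}

def label_gangs(p):
    # The three profile types of section IV: biggest, most active, highest traffic.
    return {"largest": max(p, key=lambda g: p[g].members),
            "most_active": max(p, key=lambda g: (p[g].attacks, p[g].targets)),
            "highest_traffic": max(p, key=lambda g: (p[g].total_tb, p[g].peak_gbps))}
```

With the constructed records, the three labels fall on three different gangs, matching the page's point that group size, activity and traffic volume do not have to coincide.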