Observed Spike in DDoS Attacks Targeting Hong Kong
Each week ASERT produces a threat intelligence bulletin for Arbor customers. In addition to providing insights into the week’s security news and reviewing ASERT’s threat research activities, we also summarize the week’s DDoS attack data as reported by over 330 global Internet Service Providers that share anonymized traffic statistics and DDoS event data.
Here’s a snippet of the DDoS statistics from the week ending March 23rd:
Normally, week after week, you can count on the U.S. being the top destination country for DDoS attacks. However, recently we observed a bit of an anomaly. For the two weeks ending April 6th and April 13th, Hong Kong was the top destination country for attacks greater than 10 Gbps in size:
Security folks love anomalies so we decided to look at DDoS attacks targeting Hong Kong for the past month to see if anything stood out from a DDoS attack perspective.
Attack Frequency and Size
As illustrated in the chart below, it is clear that between April 1st and April 8th, Hong Kong received more than its normal share of DDoS attacks, peaking at 909 reported attacks on April 3rd.
The following table lists the average number of attacks per day for the graphed periods prior to April 1st and after April 8th:
In short, the first 8 days in April saw a 67% increase in the number of attacks compared to “normal” (where normal, in this case, is defined by attack data from the prior 29 days and the following 6 days).
The following table illustrates that the average attack size did not significantly deviate during the April 1st through April 8th timeframe.
In fact, the average attack size between April 1st and April 8th slightly decreased compared to the prior 29 days. However, since there were many more of these attacks, the cumulative daily attack bandwidth rose sharply, with Hong Kong taking on a peak aggregate of 5.841 Tbps of attack traffic on April 2nd:
UDP-based reflection/amplification attacks and TCP SYN attacks both featured prominently in the April 1st through April 8th attacks targeting Hong Kong. Of the 6,827 total attacks reported, 40% (2,723) provided a protocol and source port. Of these, 32% (876) contained an NTP reflection/amplification component (i.e. sourced from UDP/123), 17% (455) contained an SSDP reflection/amplification component (i.e. sourced from UDP/1900), 7% (184) contained a DNS reflection/amplification component, and 32% (879) contained a TCP SYN component:
It should be noted that most of the reported attacks consisted of more than one attack type. For example, only 101 (12%) of the 876 attacks that contained an NTP reflection/amplification component contained only an NTP reflection component. In other words, the attacks were “blended”.
On the receiving end, TCP/80, UDP/80, or both were reported as a destination port in 49% of the attacks where destination ports were provided.
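To make the component tallies above concrete, here is an added Python example (not ASERT's own tooling) that classifies constructed attack records by protocol and source port the way the bulletin counts NTP, SSDP, DNS and SYN components, and reports how many attacks were blended and how many hit port 80. The record layout and the sample records are assumptions for illustration.

```python
"""Classify reported DDoS attacks into their component vectors.

Added example, not ASERT's code. Each record is a constructed stand-in for
one reported attack: a set of destination ports plus a list of (protocol,
source_port, tcp_flags) vectors, since a blended attack carries several.
"""
from collections import Counter

# Reflection/amplification vectors are recognised by the UDP source port the
# reflected responses arrive from, as in the bulletin (NTP, SSDP, DNS).
REFLECTION_PORTS = {123: "ntp", 1900: "ssdp", 53: "dns"}

def classify_vector(proto, src_port, tcp_flags=""):
    """Label one vector, or return None if it matches no tracked component."""
    if proto == "udp":
        return REFLECTION_PORTS.get(src_port)
    if proto == "tcp" and "S" in tcp_flags and "A" not in tcp_flags:
        return "syn"  # bare SYN without ACK: SYN-flood component
    return None

def classify_attack(record):
    """Return the set of component labels present in one attack record."""
    return {c for c in (classify_vector(*v) for v in record["vectors"]) if c}

def summarize(records, watched_dst_ports=frozenset({80})):
    """Per-component counts, pure (single-component) counts, blended count,
    and how many attacks hit a watched destination port (e.g. TCP/UDP 80)."""
    counts, pure = Counter(), Counter()
    blended = dst_hits = 0
    for rec in records:
        comps = classify_attack(rec)
        counts.update(comps)
        if len(comps) == 1:
            pure[next(iter(comps))] += 1
        elif len(comps) > 1:
            blended += 1
        if rec["dst_ports"] & watched_dst_ports:
            dst_hits += 1
    return {"components": dict(counts), "pure": dict(pure),
            "blended": blended, "dst_port_hits": dst_hits}

# Constructed sample: five reported attacks against one target.
SAMPLE = [
    {"dst_ports": {80},   "vectors": [("udp", 123, ""), ("tcp", 51234, "S")]},
    {"dst_ports": {80},   "vectors": [("udp", 123, "")]},
    {"dst_ports": {443},  "vectors": [("udp", 1900, ""), ("udp", 53, "")]},
    {"dst_ports": {80},   "vectors": [("tcp", 40001, "S")]},
    {"dst_ports": {8080}, "vectors": [("udp", 123, ""), ("udp", 1900, "")]},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```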
Source Country Breakdown
The following table lists the top 3 reported source countries for attacks that were sourced solely from a single country:
Of course, geo-location needs to be taken in appropriate context, particularly for spoofed attacks such as UDP-based reflection/amplification attacks. In the case of a UDP reflection/amplification attack, the attacker can be geographically situated anywhere and simply bounces (reflects) the attack off of poorly configured NTP, DNS, SSDP and similar servers that can also be located anywhere. The following graphic illustrates this concept. In this case, an attacker in the U.S. launches a DDoS attack against a victim in Hong Kong using NTP servers located in China. All the victim in Hong Kong sees is traffic coming from China:
We need to keep in mind that the Internet is global and attackers will use any globally available resources to attack.
Fifteen percent (1028) of the 6,827 reported attacks targeting Hong Kong between April 1st and April 8th contained destination IP addresses that were not anonymized. Of those, 330 were unique. Although it is a small sample, it allows us to gain some insight into the target of these attacks.
Following is a Maltego graph visualizing the relationship between the 330 unique target IPs and their corresponding ASs without revealing actual IP Addresses or ASNs:
As illustrated, the targeted IP addresses are highly scattered across 52 different ASNs.
Following is a Maltego graph associating the target IP addresses with domains known to have resolved to those IPs at some point during the April 1st through 8th timeframe, based on passive DNS (pDNS) information from PassiveTotal:
Again, the targets are highly scattered, encompassing over 500 different domains, so we looked at the domains for target IP addresses that were hosting only one domain. There were 94 such cases. Of those, it was possible to roughly classify half as follows:
While the online gambling sites were all casino-game oriented, the online gaming sites included lottery as well as other sites that involved a financial component based on game performance.
We know that, at a country level, Hong Kong saw a substantial and sustained increase in the number of DDoS attacks during the first 8 days of April 2017. The average attack size did not increase, just the number of attacks per day increased. We know that the attacks were largely blended in nature with UDP reflection/amplification attacks and TCP SYN attacks featuring prominently. Although China is the top source country for the attacks, the reflection/amplification attacks could have been triggered from anywhere.
Based on a small sample (15%) of attacks where the destination IP addresses were not anonymized, we believe the attacks were aimed at multiple organizations, given that they spanned hundreds of unique IPs across 52 different ASNs, directly or indirectly affecting over 500 different domains. Based on an analysis of a small number of single-tenant attacks, the threat actor appears to have intended to target online gambling/gaming sites during this time period. Although geopolitical motivation is often associated with country-level activity, the emergence of multiple, different gambling/gaming targets leads us to believe that DDoS extortion is the most likely motivation. As is often the case with DDoS attacks, this can result in collateral damage for co-located sites or sites that just happen to be in the cross-fire, such as the two hospitals referenced above.
Additionally, anomalies such as this, where specific geographies or industry verticals suddenly become targeted after long periods of relative silence, exemplify why companies should always follow best practices for protecting their infrastructure, should remain vigilant, and should have trained staff that regularly conduct DDoS war games. Prepared organizations that leverage an Intelligent DDoS Mitigation System (IDMS) such as Arbor TMS or APS should have no problem mitigating these types of attacks.