Q4 2014 Spotlight: Lizard Squad | Presentation

About This Presentation
Description:

With repeated attacks of multiple TCP flags, Lizard Squad launched several attacks late in 2014 against an Akamai customer. View this presentation for the details of the attacks and their significance, then download the full quarterly security report at www.stateoftheinternet.com/security-reports

Slides: 11
Provided by: AkamaiAkamai
Category: Other

Transcript and Presenter's Notes



1
Q4 2014
2
spotlight TCP flag DDoS attacks
  • A group claiming to be Lizard Squad has engaged
    in an ongoing attack campaign against an Akamai
    customer
  • The attack vector and the events surrounding this
    attack campaign indicate the ongoing development
    of DDoS attack tools
  • Although it was not a record-breaking attack, it
    was large, peaking at 131 gigabits per second
    (Gbps) and 44 million packets per second (Mpps)
  • An attack of this level would slow or cause an
    outage in most corporate infrastructures
  • The attacks occurred in August and December 2014

2 / state of the internet / threat advisory
3
SYN with a side of everything
  • The TCP-based attack was packed with TCP flags
  • One packet exhibited the greatest number of
    simultaneous flags set of all the packets; only
    an ACK flag was missing
  • In the order in which they appear (FSRPUEW), the
    flags included FIN, SYN, RST, PSH, URG, ECN, and
    CWR.
  • Such a flag-filled packet is commonly called a
    Christmas tree packet

4
christmas tree packets
  • Christmas tree packets are almost always
    suspicious
  • They use more processing power than usual packets
  • As a result, they are commonly used in denial of
    service attacks
  • The TCP-based attack was packed with TCP flags,
    using all but one TCP flag
  • Christmas tree packets are also used in
    reconnaissance to probe system response
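
An added example, not part of the Akamai presentation: a small classifier that decodes the flag byte of a raw TCP header into the letter notation used on the slides (FSRPUEW) and labels Christmas tree and contradictory flag combinations. The sample headers, ports, function names and the classification thresholds are constructed assumptions for illustration.

```python
import struct
from collections import Counter

# Bit positions in byte 13 of the TCP header (RFC 793, ECN bits from RFC 3168).
# Letter order matches the slide's FSRPUEW string, with "A" added for ACK.
FLAGS = [("F", 0x01), ("S", 0x02), ("R", 0x04), ("P", 0x08),
         ("A", 0x10), ("U", 0x20), ("E", 0x40), ("W", 0x80)]

def flag_string(tcp_header: bytes) -> str:
    """Return the set flags of a raw TCP header as letters, e.g. 'SA'."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    return "".join(c for c, mask in FLAGS if tcp_header[13] & mask)

def classify(tcp_header: bytes) -> str:
    """Label a header by flag combination (thresholds are this example's choice)."""
    flags = set(flag_string(tcp_header))
    if not flags:
        return "null"
    if {"F", "P", "U"} <= flags:          # FIN+PSH+URG lit together
        return "xmas-tree"
    if {"S", "F"} <= flags or {"S", "R"} <= flags:  # open and close at once
        return "invalid"
    return "normal"

def make_header(flag_bits: int) -> bytes:
    """Build a constructed 20-byte TCP header carrying the given flag byte."""
    return struct.pack("!HHLLBBHHH", 40000, 80, 1, 0, 5 << 4, flag_bits, 1024, 0, 0)

# Constructed sample traffic, not captured from the attack.
SAMPLES = [make_header(b) for b in (0x02, 0x12, 0x18, 0xEF, 0x29, 0x03, 0x00)]

def summarize(headers):
    """Count headers per class so a spike in abnormal flag sets stands out."""
    return Counter(classify(h) for h in headers)

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{flag_string(h) or '-':8} {classify(h)}")
    print(dict(summarize(SAMPLES)))
```

The 0xEF sample is the seven-flag packet the slide describes: every flag bit set except ACK (0x10).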

5
statistics for the three campaigns
6
new attack tool?
  • Some differences were present between the three
    attack campaigns
  • The December attack executed like a SYN flood
  • There was a significant increase in volume from
    earlier attacks
  • The increased attack strength suggests new attack
    tool development
  • The expansion and sophistication of the third
    attack may indicate new resources from the
    DDoS-for-hire underground

7
third attack may have been a different attacker
  • Although Lizard Squad claimed responsibility for
    the attacks, differences in the third attack
    campaign draw speculation of a new attacker
  • The first two attack campaigns did not produce
    even half of the volume of the third attack
    campaign
  • Although the first two attacks included a UDP
    flood, the third campaign did not make use of the
    UDP flood attack vector
  • The third campaign targeted random hosts in a
    specific /24 network and made use of the extra
    data in the Reset cause field on the packets with
    the Reset flag set

8
distribution by Akamai scrubbing center
9
full security report
  • Download the full Q4 2014 State of the Internet -
    Security Report
  • The security report includes:
      • Analysis of DDoS attack trends
      • Bandwidth (Gbps) and volume (Mpps) statistics
      • Year-over-year and quarter-by-quarter analysis
      • Application layer attacks
      • Attack frequency, size and sources
      • Where and when DDoSers strike
      • Spotlight: A multiple TCP flag DDoS attack
      • Malware: Evolution from cross-platform to
        destruction
      • Botnet profiling technique: Web application
        attacks
      • Performance mitigation: Bots, spiders and scrapers

10
about stateoftheinternet.com
  • StateoftheInternet.com, brought to you by Akamai,
    serves as the home for content and information
    intended to provide an informed view into online
    connectivity and cybersecurity trends as well as
    related metrics, including Internet connection
    speeds, broadband adoption, mobile usage,
    outages, and cyber-attacks and threats.
  • Visitors to www.stateoftheinternet.com can find
    current and archived versions of Akamai's State
    of the Internet (Connectivity and Security)
    reports, the company's data visualizations, and
    other resources designed to put context around
    the ever-changing Internet landscape.

10 / The State of the Internet / Security (Q4 2014)