
2013 Botnets and DDoS Attacks Report

1 Report Overview

Expert Perspectives
In the first half of 2013, global botnets remained small, local, and specialized in comparison to the previous year.

Standard botnet detection techniques identify the features and behaviors of communication packets, and new security
techniques are being developed on the same basis. They indicate threats immediately and make it possible to block
malicious traffic. These new security techniques include detection of Fast-Flux malicious domain requests, next-generation
honeynets and sandboxes, DDoS attack tracking, and cloud-based IP reputation databases for C&C and botnet hosts.

According to network attack statistics, botnet-based DDoS attacks account for the majority of network attacks, and
application-targeted DDoS attacks are increasingly common and take forms that are more difficult to detect.

The increase in smart terminal use and the rapid development of mobile applications mean that more DDoS attacks are
launched by botnets that simulate mobile network features within fixed network traffic.

Hotspot Events
In March 2013, The Spamhaus Project, an international anti-spam organization based in Europe, was hit by heavy DDoS
attack traffic, peaking at up to 300 Gbit/s. It was later determined that the attack was launched using DNS reflection across
a large number of DNS servers on the Internet. This attack was a wake-up call for the online security community. If the large
number of open DNS servers on the Internet remain online but unmanaged, they could lead to an Internet security crisis in
the near future. An Anycast-based cloud washing solution was used to defend against the heavy DDoS attack traffic,
effectively controlling the attack. The arrival of anti-DDoS Managed Security Service Providers (MSSPs) brought additional
means of defending against DDoS attacks. In the future, Internet Service Providers (ISPs) will most likely deploy washing
systems globally to provide powerful anti-DDoS SaaS services.

Botnet Conditions
According to a Huawei Cloud Security Center survey, botnets in China and the USA account for 30.3% and 26.2% of global
botnets, respectively. Among botnet controllers, 42.2% are located in the USA, 3.8% in China, 9.1% in Germany, 7% in
France, and 5.8% in the UK.

In China, the top five botnet controllers are Boer_Family, Gh0st_Family, Yoddos_Family, Xyligan_Family, and IMDDoS.

There are a large variety of botnet-exploiting DDoS tools online, many of which simulate the access behaviors of normal
service clients while changing attack packet features. The per-feature filtering technique does not perform well during DDoS
attacks. In response, security service providers have had to develop more effective defense techniques like behavior analysis,
session monitoring, and IP reputation.

With the proliferation of mobile applications and the rapid growth of global 3G and 4G mobile networks, the number of
malicious mobile samples is increasing quickly, resulting in the advent of mobile botnets.

Fast-Flux uses rapidly changing DNS records to place proxy botnet hosts in front of C&C servers, concealing the C&C servers
behind them. As a result, Fast-Flux is widely used by the majority of botnets.

DDoS Attack Conditions


Hackers launch DDoS attacks for different reasons including political motivations, industrial espionage, to commit financial
crime, and as a form of blackmail.

According to a Huawei Cloud Security Center survey, application-targeted DDoS attacks are increasing to such an extent
that they account for 89.11% of DDoS attacks. In China, DDoS attacks primarily hit major cities, such as Beijing, Shanghai, and
Shenzhen, which account for 81.42% of all DDoS attacks in China. One reason why DDoS attacks focus on these three cities
is that they have the major Internet Data Centers (IDCs) carrying popular Internet services.

IDCs have been consistently hit with DDoS attacks. The top three targets of DDoS attacks on IDCs are e-commerce, online
gaming, and DNS services. DNS service attacks may crash essential Internet architecture and cause the widest impact on
Internet services. Among the major web attack targets, the top three are e-commerce, online gaming, and online financial
services. DDoS attacks targeting an IDC's network layer threaten network infrastructure components, such as firewalls, IPSs,
and load balancing devices, while application-targeted DDoS attacks threaten online services. Counteracting frequent
DDoS attacks requires higher IDC O&M expenditures, and reduced bandwidth availability degrades user experience.

Trend Forecast
Huawei Cloud Security Center predicts in the coming years there will be an increase in mobile botnets, larger point-to-point
botnets, and more widespread use of evasion techniques like Fast-Flux.

The proliferation of Internet services and cloud computing will be accompanied by more frequent DDoS attacks on cloud
IDCs. These DDoS attacks may shift toward light-traffic application-targeted attacks and other low-rate attacks as a
means of lowering attack costs, concealing attack sources, and evading security devices without diminishing attack severity.

The spike in global LTE construction considerably increases mobile network bandwidth, and there is a corresponding increase
in the number of applications developed for smart mobile terminals. Application backdoors and rooted or jailbroken terminals
will be leveraged as part of mobile botnets. DDoS attacks targeting mobile applications will become a new form of DDoS
attack. Therefore, security device providers will need to develop more effective defense techniques, such as botnet IP reputation
and security reputation clouds, that start from the source to defend against DDoS attacks.

Multi-core network security devices may unevenly distribute traffic to their multiple cores. This shortcoming may be exploited to
launch a new type of DDoS attack. Therefore, security device providers must face a new challenge on multi-core network security
device interfaces. These interfaces will need to be capable of line-rate forwarding as well as dynamic attack traffic filtering.

In the coming years, IPv4 will continue its transition to IPv6. IPv4 and IPv6 hybrid attacks will be a new type of DDoS
attack, targeting IPv4-to-IPv6 conversion gateways. In the meantime, attacks will continue to exploit newly discovered IPv6
vulnerabilities.

2 Expert Perspectives

Network crimes cost little to perpetrate but may bring significant rewards. This is why many expert-level hackers commit
such crimes by controlling botnets. Hackers have continuously evolved their methods to evade detection by network
security devices. For example, traditional IRC control servers can be transformed into HTTP-based web control servers,
which makes it more difficult to monitor botnets through the network. The most common web-type botnet tools are
Darkness, BlackEnergy, SkyEye, Zeus, IMDDoS, Illusion, and Pentest. When communicating, these tools use SSL encryption or
other channel techniques to evade traditional pattern-match detection. Fast-Flux may be used for domain name access to
establish a dynamic mapping between domain names and IP addresses; this approach evades IP-to-domain-name match
detection. In addition, botnet control programs update quickly and may go undetected by signature-based antivirus or
anti-botnet programs.

With improved hardware performance and more powerful OSs, such as Android, iOS, and Windows Mobile, smart mobile
terminals are more PC-like, with similar capabilities and consequently similar security vulnerabilities. Botnet variants
proliferate to attack mobile terminals. For example, ZitMo is a Zeus botnet variant on Android. A complete black market
industry chain has grown up around mobile botnets.

Network governance demands that network security devices be capable of DDoS attack tracking and of detecting malicious
Fast-Flux DNS requests, botnet communication packet features and behaviors, and botnet program updates, downloads,
and spreading. Such devices will establish IP reputation databases for C&C hosts and botnet hosts to filter malicious traffic.
Network governance also requires cloud-based global botnet monitoring and analysis, in other words, cloud centers that
monitor global botnet variants and collect and share IP reputation across the world in real time.

Among botnet detection techniques, the most effective is to detect and filter Fast-Flux DNS requests, since Fast-Flux-controlled
botnets account for the largest share of botnets. DNS buffer servers function as the first gate for Internet connections, so
Fast-Flux DNS request detection identifies botnets rapidly. In addition, network security devices only need to be deployed in
front of DNS buffer servers, making this the least expensive deployment compared with other solutions. If the network security
devices also incorporate global cloud-based botnet IP reputation monitoring, the botnet detection rate would be even higher.

Most importantly, botnet governance is a global responsibility, and requires cooperation among network security-related
organizations to track botnet sources, shut down the botnet source servers or C&C servers, and investigate botnet producers
for prosecution.

DDoS attacks account for the majority of network attacks: they are easy to launch, cause significant damage, and are difficult
to track. Most financial crimes on networks are associated with DDoS attacks. From 2012 to mid-2013, several banks in South
Korea, the USA, Brazil, and Hong Kong were hit by DDoS attacks; in the DDoS attack on the Bank of America (BOC), the
traffic generated peaked at 70 Gbit/s. Hackers launch DDoS attacks on banks for several reasons, for example, crashing
the banking system to make a political statement, or blackmailing the bank with the threat of a crash. Additionally, a DDoS
attack can be used to obscure activities such as the theft of valuable financial information. When there is heavy DDoS attack
traffic, web protection security devices have insufficient processing capability to defend against it, and hackers use this
opportunity to invade the system.

As a growing number of Internet applications are carried over HTTP, HTTP-targeted DDoS attacks will occur more frequently
and without notice. The attack methods have changed from HTTP GET floods to slow attacks like HTTP slow header/POST
floods and HTTP retransmissions, and to SSL-encapsulated flow attacks like SSL-DoS/DDoS. In addition, DNS is an ideal target
because it is easily susceptible to attack and is critical to the Internet architecture. DDoS attacks targeting DNS authorization
servers have increased significantly, indicating a target shift from online service servers to the domain name resolution servers
used by those online services.

The means of executing DDoS attacks have changed little in 2013 compared to the previous year. In 2013, DDoS attacks
are mainly targeting mobile network applications and occur frequently. Though DDoS attacks on mobile applications and
fixed network applications are relatively similar, network security service providers have more to address in terms of mobile
terminals because they face the dual task of maintaining normal mobile terminal access while effectively defending against
DDoS attacks.

3 Typical Events

3.1 Attack Events


In March 2013, The Spamhaus Project, an international anti-spam organization based in London and Geneva, was hit by
heavy DDoS attack traffic, peaking at up to 300 Gbit/s. Spamhaus maintains a huge blacklist of likely spammers, which is
used by colleges, research institutions, Internet service providers, military, and businesses. CyberBunker, a service hosting
company in the Netherlands, was allegedly behind the DDoS attacks on Spamhaus, in retaliation for its inclusion in the
blacklist.

3.2 Event Analysis


On March 18, 2013, the Spamhaus website was hit by a DDoS attack, with the attack traffic quickly rising to 75 Gbit/s and
taking the website out of service. On March 27, the attack traffic peaked at 300 Gbit/s, the highest ever recorded. The
ultra-heavy attack traffic was aggregated into the top carriers' networks in Europe, congesting networks across Europe.
In defense against the attack, ISPs attempted to block the attack using blacklist filtering but were unsuccessful. Then
Spamhaus turned to CloudFlare, a professional website protection and DDoS traffic washing company, for help. Finally,
CloudFlare mitigated the attack using the Anycast technique. Specifically, it used Anycast's shortest path selection to
distribute the Spamhaus-destined traffic to over 20 independent DDoS traffic washing centers around the world, each of
which filtered attack traffic on its own and then forwarded the clean traffic to the Spamhaus data center.

Figure: DNS reflection attack (attacker -> open DNS servers -> victim)

As there were a large number of open DNS servers online, the attacker amplified the attack traffic 100 times using DNS
reflection. Specifically, the attacker sent requests to resolve the ripe.net domain name to over 30,000 DNS servers, with
the source IP address spoofed as the Spamhaus IP address. The DNS request packet was 36 bytes long while the reply
packet was approximately 3000 bytes long, so each open DNS server reflected traffic to the victim amplified roughly 100
times. Attackers could thus launch a 300 Gbit/s attack by controlling only one botnet capable of generating 3 Gbit/s of traffic.
During the attack, each DNS server sent only 10 Mbps of traffic, which was too subtle to be detected by the DNS service
monitoring system. In fact, there are far more than 30,000 open DNS servers on the Internet. If these open DNS servers stay
online but remain unmanaged, many such DNS attacks may occur in the future, probably on a larger scale.
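The reflection pattern described above can be recognized from the victim's side without any knowledge of the attacker: large DNS responses arrive at a host that never sent the matching queries, and they come from many different resolvers at once. The following script is an added example, not code from the report, that applies this check to a constructed packet list (RFC 5737 documentation addresses); the byte and reflector thresholds are assumptions chosen for the example.

```python
"""Added example: flag DNS reflection from packets seen at a network edge.

A reflected attack shows up as many large DNS responses arriving at one host
that never sent the matching queries. Sample packets below are constructed;
addresses are from the RFC 5737 documentation ranges."""
from collections import defaultdict

# kind: "query" (client -> resolver) or "response" (resolver -> client);
# txid is the 16-bit DNS transaction ID that ties a response to its query.
SAMPLE_PACKETS = [
    # Legitimate exchange: the query is seen, then a matching response.
    {"kind": "query", "src": "198.51.100.5", "dst": "192.0.2.53", "txid": 0x1A2B, "bytes": 40},
    {"kind": "response", "src": "192.0.2.53", "dst": "198.51.100.5", "txid": 0x1A2B, "bytes": 120},
    # Unsolicited but small response: not useful for amplification, ignored.
    {"kind": "response", "src": "192.0.2.20", "dst": "198.51.100.9", "txid": 0x0042, "bytes": 100},
]
# Reflected traffic: large answers from six different open resolvers to a
# host (the spoofed source of the attacker's queries) that sent no query.
SAMPLE_PACKETS += [
    {"kind": "response", "src": f"192.0.2.{10 + i}", "dst": "203.0.113.10",
     "txid": 0x1000 + i, "bytes": 3000}
    for i in range(6)
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent; the report's 36 B / ~3000 B gives ~83x."""
    return response_bytes / request_bytes


def detect_reflection(packets, min_bytes=1500, min_reflectors=3):
    """Return victims receiving large unsolicited responses from many resolvers.

    Thresholds are assumptions for the example, not values from the report."""
    seen_queries = set()  # (client, server, txid) of queries we observed
    victims = defaultdict(lambda: {"responses": 0, "bytes": 0, "reflectors": set()})
    for p in packets:
        if p["kind"] == "query":
            seen_queries.add((p["src"], p["dst"], p["txid"]))
            continue
        # A response is solicited if we saw its query going the other way.
        if (p["dst"], p["src"], p["txid"]) in seen_queries or p["bytes"] < min_bytes:
            continue
        v = victims[p["dst"]]
        v["responses"] += 1
        v["bytes"] += p["bytes"]
        v["reflectors"].add(p["src"])
    return {
        dst: {"responses": v["responses"], "bytes": v["bytes"], "reflectors": len(v["reflectors"])}
        for dst, v in victims.items()
        if len(v["reflectors"]) >= min_reflectors
    }


if __name__ == "__main__":
    print(f"amplification: {amplification_factor(36, 3000):.1f}x")
    for victim, stats in detect_reflection(SAMPLE_PACKETS).items():
        print(f"{victim}: {stats['responses']} unsolicited responses, "
              f"{stats['bytes']} bytes from {stats['reflectors']} reflectors")
```

Matching on transaction ID as well as address pair matters: a resolver that answers a genuine query with a large response is not a reflector, and only responses with no observed query count. In a real deployment the packet list would come from a capture at the network edge rather than an inline list.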

3.3 Impact of Events


This attack created awareness of the significant danger that unmanaged open DNS servers on the Internet pose to Internet
security. If they remain unmanaged, more and larger-scale DDoS attacks will follow. The DDoS attack targeting The Spamhaus
Project affected Internet access across all of Europe. From this perspective, network security is not merely an enterprise's
responsibility, but the whole world's.

When repelling the attack, CloudFlare, the DDoS attack traffic washing company, effectively defended against the attack
using the Anycast-based cloud washing technique. The effectiveness of this technique may set the precedent for a
solution to large-scale DDoS attacks. Indeed, the Internet requires CloudFlare-like MSSPs for effective defense, as the
security defense systems deployed at network egresses alone are insufficient against ultra-heavy DDoS attack traffic. In the
foreseeable future, Internet service providers (ISPs) may deploy washing systems globally to provide powerful anti-DDoS SaaS
services to their customers.

4 Botnets

4.1 Botnet Conditions


Analysis of malicious code captured from around the world shows that the botnet, as one of the biggest and most
easily spread threats, is becoming more specialized. Their transmission methods, anti-detection techniques, and means of
concealment have made botnets more difficult to detect and prevent. In addition to DDoS attacks and identity theft, botnets
are increasingly used to steal bank account information, spread spam, and even carry out APT attacks. Botnets make use of
encryption and P2P protocols to evade traditional pattern matching-based detection techniques. Integration with worms
and cross-dissemination between zombies accelerate the spread of botnets.

As a way of hiding C&C servers and prolonging the botnet lifecycle, Fast-Flux has quickly become a standard feature of
most botnets. With this technique, botnet makers have redoubled the challenge to the Internet security industry.

With the growth of 3G/4G networks worldwide, mobile broadband speeds continue to increase, and the bandwidth
bottlenecks of mobile intelligent terminals are steadily being removed. Compared with traditional PCs, mobile
intelligent terminals are typically online at all times. From an attacker's perspective, this condition is ideal for using mobile
intelligent terminals to initiate a variety of network attacks, with an effect similar to that of attacks launched from data center
servers (currently, most network attacks originate from data center servers). The rapid development of mobile intelligent
terminals is fertile ground for the evolution of botnets. Examples of mobile botnets include ZitMo, used to bypass online
banking security, and Android.DDoS.1.origin, used to send spam messages and initiate DDoS attacks.

According to Huawei Cloud Security Center statistics, botnets globally are small-scale and specialized, targeting a part
rather than the whole. Botnets with fewer than 1000 hosts are common since they are easily controlled.

Botnet Distribution (number of botnets by host count)

Botnet size    Botnets
<1K            11346
1K-5K          1208
5K-20K         804
20K-50K        465
50K-100K       456
>100K          132
Data source: Huawei Cloud Security Center

According to Huawei Cloud Security Center statistics, the global distribution of botnet hosts in China and the U.S. is
30.3% and 28.2%, respectively, much higher than that of other countries. Most botnet controllers are located in the U.S.,
accounting for 42.2% of the total, followed by Germany (9.1%), France (7%), Britain (5.8%), and China (3.8%).

Global Botnet Control Server Distribution

Data source: Huawei Cloud Security Center

In China, most zombie hosts are located in Guangdong, Beijing, and Zhejiang in descending order, and most botnet
controllers are located in Taiwan.

Zombie Host Distribution in China

Data source: Huawei Cloud Security Center

The five controllers, Boer_Family, Gh0st_Family, Yoddos_Family, Xyligan_Family, and IMDDOS, control most zombie hosts in
China.

Top 5 Controllers/Controlled

Family           Controlled hosts   Controllers
Boer_Family      14590              122
Gh0st_Family     7241               137
Yoddos_Family    6085               53
Xyligan_Family   3678               549
IMDDOS           1210               29
Data source: Huawei Cloud Security Center

4.2 DDoS Zombie Tools
The zombie tools popular in mainland China for DDoS attacks are Zombie Puppet, Storm, Madman, and Traversal Challenge
Collapsar (CC); their overseas counterparts are LOIC, HOIC, HttpDosTool, Slowhttptest, and Thc-ssl-dos.

Among the zombie tools used in China, Zombie Puppet first appeared in 2006 and was mainly used to launch spoofed-source
network layer attacks. It has developed to support a variety of popular DDoS attacks, including the most commonly
launched CC attacks.

LOIC is a DDoS attack tool aiming at web applications. It sends TCP, UDP, and HTTP packets to launch attacks on target
websites. The hacker organization Anonymous used this tool to attack Facebook on January 28, 2012.

Another DDoS attack tool, HOIC, is dedicated to HTTP GET flood attacks. An attacker can set the HTTP application fields,
such as the URL, User-Agent, and Referer, in the attack script.

Developed by OWASP, HttpDosTool is an HTTP slow attack tool used to carry out Slow Post and Slow Header attacks. By
continuously sending incomplete Post or Header requests, the attack consumes web server resources. Currently, this attack
tool supports only HTTP.

Similar to HttpDosTool, SlowHTTPTest is another HTTP slow attack tool, supporting both HTTP and HTTPS. HTTP slow attack
packets encrypted by SSL are more covert and more difficult to detect.
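Because slow header and slow POST attacks consume the server's connection slots rather than its bandwidth, they are easiest to see in the web server's connection table: requests whose headers are still incomplete long after the connection opened, with many such connections from one source. The script below is an added example (not from the report or from any of the tools it names) that applies this check to a constructed connection table; the 30-second header timeout and the 10-connection threshold are assumptions.

```python
"""Added example: spot slow-header / slow-POST connections from connection state.

A slow HTTP attack holds many connections open while trickling an incomplete
request, so the tell-tale is: headers (or body) still incomplete long after
the connection opened, and many such connections from one source. The
connection table below is constructed; thresholds are assumptions."""
from collections import Counter

NOW = 120.0  # constructed "current time" in seconds

# Each entry: source address, when the connection opened, bytes received so
# far, and whether the request headers have been completely received.
CONNECTIONS = [
    # One source holding 50 connections, each with only a few bytes of headers.
    {"src": "203.0.113.4", "opened": float(i), "bytes": 40 + i, "headers_done": False}
    for i in range(50)
]
CONNECTIONS += [
    # Normal client: headers complete, request being served.
    {"src": "198.51.100.8", "opened": 118.0, "bytes": 300, "headers_done": True},
    # Client that connected half a second ago: incomplete, but not stale yet.
    {"src": "198.51.100.9", "opened": 119.5, "bytes": 25, "headers_done": False},
]


def stale_header_connections(conns, now, header_timeout=30.0):
    """Connections whose headers are still incomplete after header_timeout."""
    return [c for c in conns if not c["headers_done"] and now - c["opened"] > header_timeout]


def bytes_per_second(conn, now):
    """Receive rate since the connection opened; slow attackers trickle bytes."""
    age = max(now - conn["opened"], 1e-9)
    return conn["bytes"] / age


def slow_header_sources(conns, now, header_timeout=30.0, min_conns=10):
    """Sources holding at least min_conns stale, header-incomplete connections."""
    counts = Counter(c["src"] for c in stale_header_connections(conns, now, header_timeout))
    return {src: n for src, n in counts.items() if n >= min_conns}


if __name__ == "__main__":
    for src, n in slow_header_sources(CONNECTIONS, NOW).items():
        print(f"{src}: {n} connections with incomplete headers after 30 s")
```

The same age-and-progress check is what a web server's header and body timeouts enforce automatically; the value of running it over the connection table is that it shows which sources are responsible, which a per-connection timeout alone does not.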

Released by the well-known German hacker group The Hacker's Choice, Thc-ssl-dos carries out new forms of DoS/DDoS attacks
on SSL servers. Such attacks make use of the fact that the overhead generated by the SSL encryption algorithm on an SSL
server is 15 times that on the client, consuming SSL server CPU resources. The hacker organization stated that they only
require an ordinary computer and a DSL connection to bring down an SSL server, and that to bring down a large server
cluster they only require 20 computers and 120 Kbps of network bandwidth. This type of attack is an extremely "cost-effective"
means of causing significant damage.

The signatures of attack packets sent by these attack tools can change freely. Some tools are even able to randomly change
packet contents, rendering signature database-based attack detection measures much less effective. To counter such attacks,
security device providers have to use more powerful security methods, such as source authentication, behavior analysis,
session monitoring, and IP reputation. To detect attack packets encrypted using SSL, carriers must deploy security devices
behind SSL accelerators to monitor decrypted packets or add SSL decryption to their security solutions. Essentially, DDoS
attacks use fewer resources to cause more difficulties.

4.3 Mobile Botnets


According to a report released by the IT market research firm Canalys, in 2011 total global shipments of smart phones
surpassed PC shipments, indicating that PCs no longer dominate the Internet access terminal market. According to a
report released by the China Internet Network Information Center (CNNIC), by the end of June 2012, approximately 66% of
Chinese Internet users used a mobile phone to access the Internet. Mobile phones ranked No. 1 in the Internet access terminal
market in terms of quantity, surpassing desktop computers for the first time. With the arrival of the mobile Internet era,
the number of malicious mobile Internet programs is dramatically increasing. According to Kaspersky monitoring results,
by the end of 2012, approximately 70,000 malicious mobile Internet programs had been discovered, among which about
35,000 were found in 2012. A total of approximately 12,418,000 mobile Internet malware samples had been captured,
among which about 6,147,000 were captured in 2012, indicating rapid growth in the number of mobile malware samples.
Most malicious programs steal private information, consume account balances, push unwanted advertisements, and
perpetrate fraud. Botnets with complex network interconnections are beginning to emerge, for example ZitMo and
Android.DDoS.1.origin. It is estimated that more advanced mobile botnet threats will increase significantly over the next
five years.

ZitMo aims to bypass online banking security. The Zeus Trojan horse is installed on a PC to launch attacks while ZitMo
botnets are spread across platforms. ZitMo botnets have been detected on the Symbian, Windows Mobile, BlackBerry, and
Android platforms. ZitMo forwards short messages containing mTAN codes (online banking verification codes) to attackers,
so that the attackers can intrude into victims' bank accounts to illegally manipulate their accounts. Even though ZitMo
is only spyware that forwards short messages, it works together with the Zeus Trojan horse to bypass the mTAN security
features used to secure online banking.

Android.DDoS.1.origin, detected at the end of 2012, is also a typical mobile botnet malware sample. It pretends to be
the Google Play Store, launching the system's app store to confuse users while starting a service in the background.
This service starts a thread that periodically sends heartbeat packets to the control end, waits for its commands, and then
performs malicious behavior according to these commands, including intercepting short messages, continuously sending
spam messages to a phone number, or launching UDP flood attacks against target IP addresses.
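The periodic heartbeat described above is itself a detectable signal: a device that polls a control end on a fixed timer produces connection intervals far more regular than a user's browsing. The script below is an added example, not part of the report or of any analysis of this sample, that scores (device, destination) pairs by the regularity of their connection intervals on constructed flow records; the minimum flow count and the coefficient-of-variation cut-off are assumptions.

```python
"""Added example: find heartbeat-style beaconing in outbound flow records.

Malware that polls its control end at a fixed interval leaves gaps between its
connections that are far more regular than a user's browsing. Flow records
below are constructed; the thresholds are assumptions for the example."""
import statistics
from collections import defaultdict

# (device address, destination address, connection start time in seconds)
SAMPLE_FLOWS = [
    # Heartbeat every ~60 s with a little jitter from the device to one host.
    ("10.0.0.5", "203.0.113.40", 1000 + 60 * i + (i % 3)) for i in range(20)
]
SAMPLE_FLOWS += [
    # Same device browsing a web host at irregular, user-driven intervals.
    ("10.0.0.5", "198.51.100.20", t)
    for t in (1000, 1007, 1035, 1036, 1100, 1290, 1295, 1600, 1601, 2400)
]


def interval_stats(timestamps):
    """Mean and coefficient of variation of gaps between successive times.

    A CV near 0 means a fixed period (beacon-like); a large CV means irregular."""
    times = sorted(timestamps)
    intervals = [b - a for a, b in zip(times, times[1:])]
    if len(intervals) < 2:
        return None, None
    mean = statistics.mean(intervals)
    cv = statistics.pstdev(intervals) / mean if mean > 0 else None
    return mean, cv


def find_beacons(flows, min_flows=8, max_cv=0.1):
    """Return (src, dst) pairs with enough flows and a near-constant interval."""
    by_pair = defaultdict(list)
    for src, dst, t in flows:
        by_pair[(src, dst)].append(t)
    result = {}
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        period, cv = interval_stats(times)
        if cv is not None and cv <= max_cv:
            result[pair] = {"flows": len(times), "period_s": period, "cv": cv}
    return result


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {info['flows']} flows, period {info['period_s']:.1f} s, cv {info['cv']:.3f}")
```

Legitimate software (update checkers, mail clients) also polls on a timer, so a low CV is a lead to triage against the destination's reputation rather than a verdict on its own; the figures that matter for that triage are the period and the destination, which the function returns.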

4.4 Fast-Flux Botnets


Fast-flux botnet hackers use the DNS service to quickly change C&C-proxy zombie hosts (with multiple IP addresses for one
or more domain names), through which HTTP requests to C&C are redirected. As a result, only zombie hosts access the
actual C&C. When Fast-flux botnets are detected, only zombie hosts' IP addresses are obtained, and not the IP address of
the actual C&C server hidden behind the zombie hosts.

In essence, both Content Distribution Networks (CDNs) and Fast-flux botnets use DNS to implement redundancy and load
balancing. That is, DNS resolves a domain name into multiple IP addresses and uses a small time to live (TTL) value to make
IP addresses quickly change.

Fast-flux completely bypasses traditional IP-based traffic filtering. The client does not directly connect to a C&C server, but to
a zombie host on the Fast-flux botnet. The IP address of the zombie host acting as the C&C proxy changes frequently and is
unpredictable.

Although CDNs and Fast-flux botnets share similar technical principles, their domain names and IP addresses vary in
different patterns. On a CDN, the IP address returned by DNS to users in the same area is close to those users' own IP
addresses to ensure quality of service, unless there is a network failure. On a Fast-flux botnet, the DNS results carry the IP
addresses of proxy zombie hosts spread over a wide geographical area, often belonging to different autonomous systems
(ASs), to evade security checks. Therefore, monitoring domain name requests at DNS cache servers is an effective means of
detecting Fast-flux botnets.

According to Huawei Cloud Security Center analysis, Zeus botnets are the most common Fast-flux botnets controlled over
HTTP. Zeus steals user computer passwords (for mailboxes, FTP download, social networking websites, and online banking).
The analysis shows that Zeus uses a total of 19 domain names, as listed in the following table.

Table 4-1 Zeus domain name list

No.  Domain Name          No.  Domain Name
1    goldencaravela.net   11   mafisiengo.ru
2    aroolohnet.ru        12   oashae2ieyek.ru
3    esvr1.ru             13   ophaeghaev.ru
4    esvr3.ru             14   phaizeipeu.ru
5    esvr4.net            15   promojoy.net
6    hazelpay.ru          16   turbo-force.org
7    hesneclimi.ru        17   zeferesds.com
8    hgaragesales.net     18   indextech.info
9    jademason.com        19   allaboutc0ntrol.cc
10   kldmten.net

Take ophaeghaev.ru as an example. One domain name resolution returns 20 records with a TTL of 20 seconds. The IP
addresses of the records are reverse resolved, and their autonomous system numbers (ASNs) are queried. The 20 IP
addresses belong to 14 ASs in 9 countries, as outlined in Table 4-2. Zeus uses these domain names and IP addresses either
simultaneously or in turn to evade security system monitoring.

Table 4-2 ophaeghaev.ru reverse resolution results


Domain Name IP Address TTL ASN Country
ophaeghaev.ru 189.15.28.59 20 16735 BR
ophaeghaev.ru 189.200.175.216 20 28534 MX
ophaeghaev.ru 200.77.16.110 20 13999 MX
ophaeghaev.ru 200.83.90.190 20 22047 CL
ophaeghaev.ru 200.92.112.227 20 13999 MX
ophaeghaev.ru 201.132.72.192 20 13999 MX
ophaeghaev.ru 201.246.123.238 20 7418 CL
ophaeghaev.ru 24.242.224.104 20 11427 US
ophaeghaev.ru 41.103.82.126 20 36947 DZ
ophaeghaev.ru 83.34.110.137 20 3352 ES
ophaeghaev.ru 88.29.65.213 20 3352 ES
ophaeghaev.ru 90.168.95.237 20 12479 ES
ophaeghaev.ru 92.251.149.131 20 21327 IE
ophaeghaev.ru 177.25.170.164 20 26599 BR
ophaeghaev.ru 186.78.47.35 20 7418 CL
ophaeghaev.ru 186.102.46.62 20 27921 CO
ophaeghaev.ru 186.129.144.81 20 22927 AR
ophaeghaev.ru 186.198.200.112 20 26615 BR
ophaeghaev.ru 187.46.90.108 20 26615 BR
ophaeghaev.ru 187.119.196.208 20 26599 BR
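The CDN-versus-Fast-flux distinction drawn earlier in this section (short TTL, and answers scattered across many ASs and countries, rather than clustered near the user) can be turned directly into a check on a resolved answer set. The script below is an added example, not code from the report, that runs that check over the ophaeghaev.ru records transcribed from Table 4-2 and over a constructed CDN-style answer for comparison; the TTL, ASN and country thresholds are assumptions for the example, not values from the report.

```python
"""Added example: separate a Fast-Flux resolution from a CDN one using the
criteria the report gives: short TTL plus answers spread over many ASNs and
countries. The CDN answer is constructed; thresholds are assumptions."""

# Rows transcribed from Table 4-2 of the report: (ip, ttl, asn, country)
OPHAEGHAEV_RU = [
    ("189.15.28.59", 20, 16735, "BR"), ("189.200.175.216", 20, 28534, "MX"),
    ("200.77.16.110", 20, 13999, "MX"), ("200.83.90.190", 20, 22047, "CL"),
    ("200.92.112.227", 20, 13999, "MX"), ("201.132.72.192", 20, 13999, "MX"),
    ("201.246.123.238", 20, 7418, "CL"), ("24.242.224.104", 20, 11427, "US"),
    ("41.103.82.126", 20, 36947, "DZ"), ("83.34.110.137", 20, 3352, "ES"),
    ("88.29.65.213", 20, 3352, "ES"), ("90.168.95.237", 20, 12479, "ES"),
    ("92.251.149.131", 20, 21327, "IE"), ("177.25.170.164", 20, 26599, "BR"),
    ("186.78.47.35", 20, 7418, "CL"), ("186.102.46.62", 20, 27921, "CO"),
    ("186.129.144.81", 20, 22927, "AR"), ("186.198.200.112", 20, 26615, "BR"),
    ("187.46.90.108", 20, 26615, "BR"), ("187.119.196.208", 20, 26599, "BR"),
]

# Constructed CDN-style answer for comparison: several addresses served from a
# single AS (RFC 5398 documentation ASN) in a single country, short TTL.
CDN_EXAMPLE = [(f"198.51.100.{i}", 60, 64496, "DE") for i in range(1, 9)]


def summarize(records):
    """Counts a resolver-side monitor would keep per domain name."""
    return {
        "records": len(records),
        "max_ttl": max(r[1] for r in records),
        "asns": len({r[2] for r in records}),
        "countries": len({r[3] for r in records}),
    }


def is_fast_flux(records, max_ttl=300, min_asns=5, min_countries=3):
    """Flag an answer set as Fast-Flux-like when the TTL is short AND the
    addresses are spread across many ASs and countries. A CDN passes the TTL
    test but fails the spread tests; thresholds are assumptions."""
    s = summarize(records)
    return s["max_ttl"] <= max_ttl and s["asns"] >= min_asns and s["countries"] >= min_countries


if __name__ == "__main__":
    for name, recs in (("ophaeghaev.ru", OPHAEGHAEV_RU), ("cdn example", CDN_EXAMPLE)):
        print(name, summarize(recs), "fast-flux" if is_fast_flux(recs) else "not fast-flux")
```

The TTL test alone would flag every CDN, which is why the spread across ASs and countries carries the decision; in practice the ASN and country fields come from a reverse-resolution and ASN lookup of each answer, as the text describes, and one resolution is rarely enough, so the counts are accumulated across several lookups of the same name.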

5 DDoS Attacks

5.1 DDoS Attack Conditions


Hackers usually launch DDoS attacks for reasons including political motivations, industrial espionage, to commit financial
crime, and as a form of blackmail. Loosely managed hosts in cyber cafes, IDC servers, free Internet proxies, and open DNS
servers are easy targets for botnets and DDoS attacks.

According to Huawei Cloud Security Center, 28.05% more DDoS attacks occurred in the first half of 2013, compared with
the first half of 2012.
Figure: Total DDoS attack events, first half of 2012 versus first half of 2013 (data source: Huawei Cloud Security Center)

5.2 Geographical Distribution of DDoS Attacks


In China, DDoS attacks primarily hit major cities, such as Beijing, Shanghai, and Shenzhen, which account for 81.42% of all DDoS
attacks in China. According to statistics on attacks that occurred in the first half of 2013, IDCs in these three cities were hit
by an average of over 200 DDoS attacks each month. The attacks targeted the IDCs' online services, such as e-commerce, online
gaming, DNS authorization services, online banking systems, social media websites, forums, blogs, and portals. One of the main
motives behind these attacks is industrial espionage. More profitable online service systems are prone to more frequent and longer
DDoS attacks. The longest attack recorded on an e-commerce client lasted for 349 hours, 36 minutes, and 42 seconds. In the first
half of 2013, DDoS attacks hit every IDC; IDCs have become the areas most severely affected by DDoS attacks.

DDoS attacks on the network layer severely damage the basic IDC architecture and may cause network congestion or exhaust
session resources on session-based forwarding devices, such as firewalls, IPS, and load balancing devices, which then become
network bottlenecks. DDoS attacks on the network layer affect the service systems under attack and also other client service
systems. Lower IDC bandwidth availability leads to a rise in IDC operation expenses, compromised client satisfaction, and even loss
of clients. When under a DDoS attack, IDC service systems are slow to respond or may even crash, causing significant financial losses
to ISPs. More IDC operators have come to recognize the importance of protecting these IDCs with professional anti-DDoS solutions.

Distribution of DDoS attacks in China

Data source: Huawei Cloud Security Center

5.3 Attack Categories


According to Huawei Cloud Security Center, DDoS attacks are most commonly launched in the form of SYN flood and UDP flood
attacks. However, as HTTP-based Internet applications are growing fast, HTTP GET flood attacks now follow SYN flood attacks
as the second most common DDoS attack form.

DNS-targeted attacks account for 13.5% of all attacks, and most of them are DNS query flood attacks intended to
generate Cache Misses. Internet service systems are usually implemented on server clusters; in comparison, DNS systems
have far weaker security and attack tolerance than server clusters. This is why DNS servers in Metropolitan Area
Networks (MANs) and enterprises' DNS authorization servers are prone to DDoS attacks.

Attack categories

Category             Share
SYN Flood            35.90%
HTTP Get Flood       25.20%
UDP Flood            19.24%
DNS Query Flood      11.40%
ACK Flood            2.40%
TCP Flag Error       2.10%
ICMP Flood           2.01%
UDP Fragment Flood   0.78%
DNS Reply Flood      0.39%
Data source: Huawei Cloud Security Center

According to Huawei Cloud Security Center, the top three IDC service attack targets are e-commerce, online gaming, and
DNS services. Hackers launch DDoS attacks for reasons including political motivations, industrial espionage, financial
crime, and blackmail. In China the primary motivation is industrial espionage, with attacks focusing on e-commerce, online
gaming, and DNS authorization services. Outside China, attacks are mainly politically motivated. Attacks on online gaming
are driven first by industrial espionage and second by blackmail. Attacks on online financial service systems are usually
motivated by political intentions, blackmail, and the obscuring of unauthorized operations.

Attacks on e-commerce are mainly launched in the form of HTTP GET flood (CC) attacks. Attackers use botnets to send
frequent requests for a uniform resource identifier (URI) that triggers database queries, exhausting the server's
processing capacity. Such attacks are characterized by requests from the same source, a high query-per-second (QPS)
rate, and a fixed target URI.
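The three traits just listed (same source, high QPS, fixed URI) can be turned into a simple access-log detector. The following is an added example, not code from the report; the log lines, IP addresses and thresholds are constructed assumptions.

```python
"""Added example, not from the Huawei report: flag HTTP GET flood (CC)
sources in a web access log using the traits the report lists -- requests
from one source at a high query-per-second (QPS) rate against a fixed URI.
Sample log lines and thresholds are constructed assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

QPS_THRESHOLD = 20.0       # assumed: sustained GETs per second from one source
URI_SHARE_THRESHOLD = 0.9  # assumed: fraction of a source's GETs on its top URI
MIN_REQUESTS = 50          # assumed: ignore sources with too few requests to judge


def build_sample_log():
    """Constructed access log, one '<client-ip> <ISO time> <method> <uri>' per line:
    a browsing user plus one bot hammering a database-backed search URI."""
    base = datetime(2013, 6, 1, 10, 0, 0)
    pages = ["/", "/item/1", "/item/2", "/cart", "/search?q=shoe", "/checkout"]
    lines = [f"198.51.100.4 {(base + timedelta(seconds=10 * i)).isoformat()} GET {uri}"
             for i, uri in enumerate(pages)]                   # ~0.1 QPS, varied URIs
    for i in range(200):                                       # 200 GETs in ~5 s, one URI
        lines.append(f"203.0.113.7 {(base + timedelta(milliseconds=25 * i)).isoformat()} GET /search?q=phone")
    return lines


def detect_cc_sources(lines):
    """Return {source_ip: metrics} for sources matching the CC flood profile."""
    span = {}                      # ip -> (first seen, last seen)
    uris = defaultdict(Counter)    # ip -> Counter of requested URIs
    for line in lines:
        ip, ts, method, uri = line.split(" ", 3)
        if method != "GET":
            continue
        t = datetime.fromisoformat(ts)
        lo, hi = span.get(ip, (t, t))
        span[ip] = (min(lo, t), max(hi, t))
        uris[ip][uri] += 1
    flagged = {}
    for ip, counter in uris.items():
        total = sum(counter.values())
        if total < MIN_REQUESTS:
            continue
        lo, hi = span[ip]
        seconds = max((hi - lo).total_seconds(), 1.0)   # floor so a sub-second burst is not infinite QPS
        top_uri, top_count = counter.most_common(1)[0]
        qps, share = total / seconds, top_count / total
        if qps >= QPS_THRESHOLD and share >= URI_SHARE_THRESHOLD:
            flagged[ip] = {"requests": total, "qps": round(qps, 1), "uri": top_uri}
    return flagged
```

Running `detect_cc_sources(build_sample_log())` flags only the bot address with about 40 QPS on the single search URI; the browsing user never reaches the request minimum.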

DNS service attacks are mainly DNS query flood attacks intended to generate cache misses. The most frequent and severe
attacks focus on DNS authorization servers, though there are also some DDoS attacks on DNS buffer (caching) servers.
According to Huawei Cloud Security Center, IDCs that host DNS authorization servers are hit far more often than IDCs with
other functions. In China, attacks on well-known DNS authorization servers have never stopped, and their frequency is far
higher than that for other Internet services. DDoS attacks on DNS authorization servers are usually launched as Cache
Miss attacks, which request domain names that do not exist, so no cache can answer them and every query reaches the
authorization server. The Cache Miss attacks that traverse, or fake the addresses of, live DNS buffer servers are the
most difficult to defend against. DDoS attacks targeting DNS authorization servers have increased significantly,
indicating a shift in attack targets from online service servers to the domain name resolution servers those services
depend on. Cache Miss attacks run rampant because they require few resources and use source address faking to conceal
the botnets behind them. Such attacks severely affect the availability of the targeted online service and of domain name
resolution for other Internet services. They cause widespread disruptions and even threaten the basic Internet
architecture. The Kmplayer event in 2009 is an example of a typical Cache Miss attack. In recent years, to quickly boost
the impact of these attacks, attackers have launched large numbers of DNS reflection attacks, resulting in more frequent
DNS reply flood attacks.
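Seen from the authorization server, the Cache Miss profile described above is a surge of queries for unique, non-existent names answered NXDOMAIN, arriving from many (often spoofed) source addresses. The following is an added example, not code from the report; the query log, zone name, address ranges and thresholds are constructed assumptions.

```python
"""Added example, not from the Huawei report: detect a DNS Cache Miss
(random-subdomain) flood against an authoritative zone from its query log.
The profile the report gives is many queries for non-existent names, often
via spoofed or relayed resolver sources.  Log lines and thresholds are constructed."""
import math
import random
from collections import Counter, defaultdict

NXDOMAIN_RATIO_THRESHOLD = 0.8  # assumed: share of a zone's queries answered NXDOMAIN
UNIQUE_RATIO_THRESHOLD = 0.8    # assumed: distinct qnames / total queries for the zone
MIN_QUERIES = 100               # assumed: minimum queries before judging a zone

def label_entropy(label):
    """Shannon entropy (bits/char) of a label; DGA-style random labels score high."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def build_sample_log():
    """Constructed authoritative-server log: '<client-ip> <qname> <rcode>' per line."""
    rng = random.Random(2013)
    lines = [f"198.51.100.53 {h}.example.com NOERROR"  # legitimate resolver traffic
             for h in ["www", "mail", "www", "ftp", "www", "cdn", "www", "mail"]]
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for _ in range(300):  # the cache-miss flood: random labels, many (spoofed) sources
        label = "".join(rng.choice(alphabet) for _ in range(12))
        lines.append(f"203.0.113.{rng.randrange(1, 255)} {label}.example.com NXDOMAIN")
    return lines

def detect_cache_miss_flood(lines):
    """Return {zone: metrics} for zones whose query mix matches the flood profile."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "clients": set(), "ent": 0.0})
    for line in lines:
        client, qname, rcode = line.split()
        labels = qname.rstrip(".").split(".")
        s = stats[".".join(labels[-2:])]  # zone = last two labels (enough for this sample)
        s["total"] += 1
        s["nx"] += 1 if rcode == "NXDOMAIN" else 0
        s["names"].add(qname)
        s["clients"].add(client)
        s["ent"] += label_entropy(labels[0])
    flagged = {}
    for zone, s in stats.items():
        if s["total"] < MIN_QUERIES:
            continue
        nx_ratio, unique_ratio = s["nx"] / s["total"], len(s["names"]) / s["total"]
        if nx_ratio >= NXDOMAIN_RATIO_THRESHOLD and unique_ratio >= UNIQUE_RATIO_THRESHOLD:
            flagged[zone] = {"nxdomain_ratio": round(nx_ratio, 2), "unique_ratio": round(unique_ratio, 2),
                             "sources": len(s["clients"]), "mean_label_entropy": round(s["ent"] / s["total"], 2)}
    return flagged
```

The source count and the mean label entropy are reported alongside the ratios because they separate a flood from a burst of legitimate typo NXDOMAINs, which come from few resolvers and use low-entropy, dictionary-like labels.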

Attacked applications
  E-commerce            56.79%
  Online game           25.14%
  DNS service            6.68%
  Financial service      3.53%
  Others                 7.86%
Data source: Huawei Cloud Security Center

DDoS attacks on UDP-based online gaming services are mainly UDP flood attacks; those on TCP-based online gaming
services are mainly SYN flood, TCP connection flood, and ACK flood attacks; those on HTTP-based web gaming services are
mainly HTTP GET flood (CC) attacks.

Attacked application protocols
  HTTP                  87.11%
  DNS                    3.04%
  HTTPS                  2.65%
  SMTP                   1.18%
  SIP/VOIP               1.31%
  OTHERS                 4.71%
Data source: Huawei Cloud Security Center

According to Huawei Cloud Security Center, as HTTP-based Internet applications become more widespread, HTTP-targeted
DDoS attacks have grown to 87.11% of all DDoS attacks. Ranked by frequency, the most common attack types are HTTP GET
flood (CC) attacks, followed by SYN flood, UDP flood, ACK flood, and ICMP flood attacks.

HTTP GET flood applications
  E-commerce            42.14%
  Gaming                24.08%
  Finance               14.72%
  Forum                  6.70%
  Social                 5.67%
  Portal                 3.01%
  Blog                   0.67%
  Others                 3.01%
Data source: Huawei Cloud Security Center

HTTP GET flood attacks usually target e-commerce, online gaming services, and online payment services.

Attack traffic (bandwidth)
  Below 500M            14.52%
  500M-1G               15.32%
  1G-2G                 37.90%
  2G-10G                27.42%
  10G-20G                3.23%
  Above 20G              1.61%
Data source: Huawei Cloud Security Center

The average attack bandwidth is relatively low because attacks more commonly target sessions and applications rather
than bandwidth. Even low-volume attack traffic can be destructive, and such low-volume attacks are also harder to
detect. Botnets tend to be small because small botnets are easier to manage and conceal; a widespread DDoS attack may
therefore involve several botnets, raising the attack cost proportionally. When the targets are pre-determined,
application-targeted DDoS attacks can achieve the desired impact with low traffic, and even after the attacks stop,
recovering the service systems is usually extremely difficult.

6 Trend Forecast

6.1 Growth Trends of Botnets


Evolution of the Fast-Flux Service Network
In recent years, the Fast-Flux service network has been evolving into a service network with a greater number of
malicious domain names. In most cases attackers register multiple Internet domain names and use dynamic load balancing
to rotate through them simultaneously or in turn, or even use a Domain Generation Algorithm (DGA) to generate domain
names dynamically. In this way they launch network attacks without exposing the origin of the attack source, evading
detection and blocking by security devices such as firewalls.

Cross-Platform Botnet
Both mobile botnets and traditional PC botnets have massive numbers of terminals deployed and yield huge profits on the
black market. There are signs that botnet controllers are attempting to control zombies on both types of botnet, which
expands botnet coverage and more severely impacts the entire network as well as terminal users.

6.2 Growth Trends of DDoS Attacks


Data Centers Continue to Be the Hardest-Hit Areas of DDoS Attacks
The attack statistics from Mainland China, Taiwan, Hong Kong, and the United States indicate that data centers are the
hardest-hit areas of DDoS attacks. Attack targets are primarily data center online services, including e-commerce,
online gaming, DNS authorization, online banking payment systems, social networking websites, forums, blogs, and
portals. The attack event statistics show that the online service systems that yield more profit are attacked more
frequently and for longer. Data center stress-testing software has in many cases been repurposed as a DDoS attack tool
for high profit. Facing an increasing number of application-layer attacks on data center service systems, many data
center experts turn pale at the mention of CC attacks. In the coming years, the growth of Internet services and cloud
computing will be accompanied by more frequent DDoS attacks on cloud IDCs. These DDoS attacks may evolve into low-volume
application-targeted attacks and other low-rate attacks that lower attack costs, conceal attack sources, and evade
security devices while maintaining attack impact.

Mobile Terminals Become DDoS Attack Sources


With the popularization of smartphones and mobile apps, DDoS attacks that simulate smartphones in order to attack mobile
apps have occurred repeatedly on the Internet. Although the attack types and methods of these mobile app-targeted DDoS
attacks are essentially the same as those of DDoS attacks on fixed networks, no DDoS attacks originating from an actual
smartphone have been detected to date.

At the end of 2012, the Android Trojan Android.DDoS.1.origin was detected and found to be capable of launching UDP
flood attacks against a website specified by its C&C server. However, due to limited mobile bandwidth, no damage from
this Trojan has been detected. Current mobile botnets generally send spam messages, steal user information, and push
advertisements. With the commercialization of LTE over the next three to five years, mobile network bandwidth will
increase rapidly, and mobile terminals are connected at all times. Using smartphones to launch DDoS attacks will
therefore become a strong possibility. If the smartphone HTTP protocol stack is not secured, the Internet will face an
unprecedented challenge. As mobile Internet services and DDoS attack techniques keep evolving, security device vendors
have no choice but to develop more effective defense techniques, such as behavior analysis and IP reputation.

DDoS Attacks Occur More Frequently Due to Uneven Traffic Distribution


With the extensive use of multi-core network security devices, attackers may construct special DDoS attack packets that
cause such devices to distribute traffic unevenly across their cores. Detection data shows that this type of DDoS attack
has exceeded 10 Gbit/s during peak hours. It challenges the performance of gateway devices and DDoS traffic cleaning
devices: if they cannot distribute traffic across cores packet by packet, or their interfaces are incapable of dynamic
filtering, the traffic entering the multi-core device is steered to a few specific CPUs. Most CPUs then sit idle while
only those CPUs process traffic, so the effective performance of the device is that of the busy CPUs alone. That is,
uneven traffic distribution degrades the overall performance of the network security device. To resolve this problem,
multi-core network security devices must be capable of line-rate forwarding and dynamic attack traffic filtering. In the
coming years, as multi-core network security devices are deployed ever more widely, this type of DDoS attack will
increase rapidly and challenge the performance of these devices.

IPv6 Network DDoS Attacks


The transition from IPv4 to IPv6 will continue over the coming years. During the transition, network devices run dual
IPv4/IPv6 stacks for online services, so hybrid IPv4 and IPv6 attacks will become a new type of DDoS attack. Inevitably,
the session resources of IPv4-to-IPv6 conversion gateways will become a new target for this type of DDoS attack. As IPv6
networks evolve, IPv6 vulnerabilities will be constantly exploited to launch massive attacks.

7 About Huawei Security Product Line

Network security is a core customer requirement. Huawei’s security product line regards the long-term construction of
cloud security centers as a core technology that builds its competitive edge, and will continue investing in the security
area. A wide range of network security experts came together to establish the Huawei Cloud Security Center, which focuses
on building an advanced security reputation system and cloud security architecture, safeguarding information security,
and continuously improving customer service.

Drawing on Huawei’s cutting-edge security capabilities, the cloud security center collects malicious samples from various
channels, feeds the massive number of samples into its management system, rapidly analyzes them to compile a signature
database, and releases the database to security products deployed worldwide, so that customers' networks are equipped
with the latest defense capabilities. Besides inheriting legacy security capabilities, the cloud security center brings
together cutting-edge technologies, adapts them to each field, and sets up dedicated security labs with distinct
technical strengths. The research team combines these with Huawei’s security products and solutions to provide
customers with an active security defense system.

As the Internet evolves, cloud computing and mobile terminals become more widespread and innovative apps emerge, and new
threats emerge with them, posing new challenges for network security personnel. To meet these ever-increasing
challenges, Huawei continues to build its security capabilities and provides customized products, solutions, and
services to help customers effectively defend against global security threats and risks.

7.1 Botnet Research Lab


The botnet research lab is affiliated with the Huawei Cloud Security Center. Using Huawei’s security reputation system,
the lab analyzes collected samples and builds a monitoring system based on botnet behavior lifecycles to identify botnet
behaviors effectively. By monitoring and analyzing botnet behaviors, the lab identifies and collects C&C IP addresses,
Fast-Flux domain names, and malicious program files, and feeds them into the IP, file, domain, and web reputation data of
the security reputation system. In addition, the lab performs long-term tracing of botnets that cause severe damage,
using reverse engineering and behavior analysis to determine the controller's control signals and to trace the IP
addresses the controller uses to log in, as evidence for botnet source tracing and control.

7.2 Feedback
If you have any comments about this report, please send them to secinfo@huawei.com.
Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent
of Huawei Technologies Co., Ltd. All information in this document is the internal data of Huawei cloud security center and
related labs. All information is for reference only and does not constitute a warranty of any kind, express or implied.
All trademarks, pictures, logos, and brands in this document are the property of Huawei Technologies Co., Ltd. or an authorized third party.

Trademark Notice

[logo], HUAWEI, and [logo] are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer

The information in this document may contain predictive statements including, without limitation, statements
regarding the future financial and operating results, future product portfolio, new technology, etc. There are a
number of factors that could cause actual results and developments to differ materially from those expressed or
implied in the predictive statements. Therefore, such information is provided for reference purpose only and
constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen 518129, P.R. China
Tel: +86-755-28780808
www.huawei.com

Version No.: M3-032102-20131014-C-1.0