VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORTVOLUME 3, ISSUE 3 – 3RD QUARTER 2016

Complimentary report supplied by

EXECUTIVE SUMMARY 3

VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2016 4DDoS Attacks are Unpredictable 4Multi-Vector DDoS Attacks Continue to Dominate 6Types of DDoS Attacks 7Highest Intensity Flood and Largest Volumetric Attack 8Every Organization is at Risk 9

VERISIGN DDoS TRENDS REPORT | Q3 2016 2

CONTENTS

EXECUTIVE SUMMARYThis report contains the observations and insights derived from distributed denial of service (DDoS) attack mitigations enacted on behalf of, and in cooperation with, customers of Verisign DDoS Protection Services from July 1, 2016 through Sept. 30, 2016 (“Q3 2016”) and the security research of Verisign iDefense® Security Intelligence Services conducted during that time. It represents a unique view into the attack trends unfolding online, including attack statistics and behavioral trends for Q3 2016.*

Verisign observed the following key trends in Q3 2016:

VERISIGN DDoS TRENDS REPORT | Q3 2016 3

13%decrease from the third quarter of 2015

Number of Attacks

Volume

257 Gigabits per second (Gbps)

Peak Attack Size

152 Million packets per second (Mpps) Highest intensity flood ever observed by Verisign

12.78 Gbps

Average Peak Attack Size

16%of attacks over 10 Gbps

49%of attacks were User Datagram Protocol (UDP) floods

Most Common Attack Mitigated

59%of attacks employed multiple attack types

37%of mitigation activity

IT Services/Cloud/SaaS

Speed

5 GBPSa “do-it-yourself”

approach to DDoS PROTECTION

would be challenging for most organizations.

With almost a third of attacks over

VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q3 2016DDoS Attacks Are UnpredictableDDoS attacks continue to be complex and unpredictable, making them more challenging for companies to mitigate. While not directly observed by Verisign, Q3 2016 was notable due to several attacks unprecedented in attack size. Specifically, the approximately 620 Gbps attack against KrebsonSecurity1 and a 579 Gbps attack reported by Arbor Networks2 were significant and widely reported within the industry.

Attackers in Q3 2016 launched sustained and repeated attacks against their targets. In fact, out of all the Verisign customers targeted by DDoS attacks in Q3 2016, 41 percent were targeted multiple times during the quarter.

Figure 1: Mitigation Peaks by Quarter from Q4 2014 to Q3 2016

2015-Q1 2015-Q2 2015-Q3 2015-Q4 2016-Q1 2016-Q2 2016-Q3

>10 Gbps>5<10 Gbps>1<5 Gbps<1 Gbps

0

20

40

60

80

100

Perc

ent o

f Atta

cks

2014-Q4

VERISIGN DDoS TRENDS REPORT | Q3 2016 4

81% peaked over 1 Gbps 30% peaked over

5 Gbps

Attack Size

1 https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/; Retrieved on Nov. 1, 20162 https://www.arbornetworks.com/arbor-networks-releases-global-ddos-attack-data-for-1h-2016; Retrieved on Nov. 1, 2016

Average Peak Attack Size

Figure 2: Average Attack Peak Size by Quarter from Q4 2014 to Q3 2016

6.885.53

3.64

7.037.39

2015-Q1 2015-Q2 2015-Q3 2015-Q4

19.37

2016-Q1

17.37

2016-Q2

12.78

2016-Q30

2

4

6

8

10

12

14

16

18

20

2014-Q4

Gbps

VERISIGN DDoS TRENDS REPORT | Q3 2016 5

12.78 Gbps82%

increase in average attack peak size since Q3 2015

Overall, average attack peak sizes in 2016 have been larger than previous recorded years

41%of the DDoS attacks in Q3

2016 utilized 3 or more different attack types.

Multi-Vector DDoS Attacks Continue to Dominate Fifty-nine percent of the DDoS attacks mitigated by Verisign in Q3 2016 employed multiple attack types indicating that DDoS attacks continue to be complex, and thus require more time and effort to mitigate.

Figure 3: Number of Attack Types Per DDoS Event in Q3 2016

1 Attack Type2 Attack Types3 Attack Types4 Attack Types5 or More Attack Types

41%

18%23%

14%

4%

VERISIGN DDoS TRENDS REPORT | Q3 2016 6

VERISIGN DDoS TRENDS REPORT | Q3 2016 7

IP Fragment Attacks

Layer 7TCP Based

UDP Based

Other

49%

22%20%

6%3%

Types of DDoS Attacks UDP flood attacks continue to dominate in Q3 2016, making up 49 percent of the total attacks in the quarter. The most common UDP floods mitigated were Domain Name System (DNS) reflection attacks, followed by Network Time Protocol (NTP) reflection attacks. 49%

of attacks were UDP FLOODS

Figure 4: Types of DDoS Attacks in Q3 2016

Highest Intensity Flood and Largest Volumetric Attack The highest intensity flood attack observed by Verisign in Q3 2016 was a TCP SYN flood that peaked at approximately 60 Gbps and 150 Mpps. This flood attack is one of the highest packets per second attacks ever observed by Verisign, surpassing the previous highest flood of 125 Mpps mitigated by Verisign in the fourth quarter of 2015.

The largest attack in Q3 2016 utilized the Generic Routing Encapsulation (GRE) protocol (IP protocol 47) and peaked at 250+ Gbps and 50+ Mpps. This is the first time Verisign observed this type of attack against its customer base. The attack was notable in that the attackers encapsulated UDP packets to legitimate service ports within the GRE protocol. Attackers were able to increase the payload and add volume to the attack with this technique. Both the source and destination IP addresses in the encapsulated data were spoofed.

VERISIGN DDoS TRENDS REPORT | Q3 2016 8

60 Gbps

150 Mpps

The highest intensity flood attack in Q3 2016 was a TCP SYN flood that

peaked at approximately

and

8.8 Gbps

Average attack size:

39.1 Gbps

Average attack size:

5.8 Gbps

Average attack size:

5.0 Gbps

Average attack size:

VERISIGN DDoS TRENDS REPORT | Q3 2016 9

Mitigations on behalf of Verisign Customers by Industry for Q3 20163

37%of mitigations

IT Services/Cloud/SaaS

Financial

29%of mitigations

Public Sector

12%of mitigations

10%of mitigations

E-Commerce and Online Advertising

Telecommunications and Other

2%of mitigations

Every Organization is at RiskDDoS attacks are not limited to any specific industry or vertical.

3 The attacks reported by industry in this document are solely a reflection of the Verisign DDoS Protection Services customer base.

4.1 Gbps

Average attack size:

0.6 Gbps

Average attack size:

Media and Entertainment/Content

10%of mitigations

VERISIGN DDoS TRENDS REPORT | Q3 2016 10

Figure 5: Peak DDoS Attack Size by Industry from Q4 2015 to Q3 2016

Financial Media &Entertainment

E-Commerce/Online

IT Services/Cloud/SaaS

Q1 2016 Q2 2016 Q3 2016Q4 2015

0

50

100

150

200

250

300

Gbps

Telecommunications& Other

Public Sector

Peak Attack Size by Industry (Quarterly)

The Financial industry saw the highest attack peak size in 2016 thus far. For Q3 2016, the attack peak size was 257 Gbps, a 47 percent increase from the second quarter of 2016.

VERISIGN DDoS TRENDS REPORT | Q3 2016 11

TO LEARN MORE ABOUT VERISIGN DDoS PROTECTION SERVICES, VISIT Verisign.com/DDoS.

About VerisignVerisign, a global leader in domain names and internet security, enables internet navigation for many of the world’s most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net domains and two of the internet’s root servers, as well as performs the root-zone maintainer function for the core of the internet’s Domain Name System (DNS). Verisign’s Security Services include intelligence-driven Distributed Denial of Service Protection, iDefense Security Intelligence and Managed DNS. To learn more about what it means to be Powered by Verisign, please visit Verisign.com.

*The information in this Verisign Distributed Denial of Service Trends Report (this “Report”) is believed by Verisign to be accurate at the time of publishing based on currently available information. Verisign provides this Report for your use in “AS IS” condition and at your own risk. Verisign does not make any and disclaims all representations and warranties of any kind with regard to this Report, including, but not limited to, any warranties of merchantability or fitness for a particular purpose.

Verisign Public VRSN_DDoS_TR_A10_Q3-16_201611

Verisign.com© 2016 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.