Office Time: Mon - Fri (1:00 am to 4:00)

Security Blog


Four in five organizations reported facing some form of network or application- based attack in 2017. Survey findings underscore that attacks have become more targeted—with organizations hit less frequently but experiencing greater impact. This section of Chapter 4 combines the experience of Radware’s ERT and responses to this year’s survey to identify key trends and threats in the attack vector landscape.

Trend 1: Ransom Attacks Grow 40% - Organisations reported experiencing 40% more ransom attacks in 2017 than 2016. A key driver of these attacks is Bitcoin’s exponential climb during 2017 (as of this publication, the value exceeds $14,000 per Bitcoin). Radware also sees growth in socially engineered threats—illustrating that hackers recognize the need to work harder to bypass security controls and hit their targets. Radware observed a 10% growth in the number of organizations hit by a DDoS attack, underscoring that this attack method is here to stay.

Trend 2: Application DDoS Overtakes Network DDoS - This year brought declines in UDP, ICMP, TCP-Other and IPv6 attack vectors—marking a significant drop in network attacks (51% in 2017 vs. 64% in 2016). The incidence of application attacks remained steady at 64% in 2017 compared to 63% the year before. However, respondents this year reported fewer HTTPS (28% in 2017 vs. 36% in 2016) and SMTP (23% in 2017 vs. 31% in 2016) attacks.

Trend 3: Other Attack Types Still Emerging - Hackers continue to move away from single-vector attacks as advanced persistent DDoS campaigns have become the norm. New tactics include the surprise effect, randomized IPs and astonishing volumes. One of the prominent trends in 2017 was an increase in short-burst attacks, which have become more complex, more frequent and longer in duration. Burst tactics are typically used against gaming websites and service providers due to their sensitivity to service availability as well as their inability to sustain such attack maneuvers. Forty-two percent of organizations suffered DDoS attacks in recurring bursts. These attacks lasted no more than a few minutes for most victims. Timely or random bursts of high traffic rates over a period of days or even weeks can leave the targeted organization with no time to respond— causing a severe service disruption. Just a two-second disconnection can result in dropped users for certain services. For the gaming sector such disruptions affect a service’s credibility.

DNS Amplification Reflective Attack – a sophisticated DoS attack that takes advantage of a DNS server’s behavior in order to amplify the attack.

NTP Reflection - an amplification attack that exploits the publicly accessible Network Time Protocol (NTP) servers to overwhelm and exhaust the victim with UDP traffic. NTP is an old networking protocol for clock synchronization between computer systems over packet-switched networks. It is widely used across the Internet by desktops, servers and even phones to keep their clocks in sync. Several old versions of NTP servers contain a command called monlist, which sends the requester a list of up to the last 600 hosts who connected to the queried server.

In a basic scenario the attacker repeatedly sends the “get monlist” request to a random NTP server and spoofs the source IP address for the requesting server as the victim server. NTP server responses will then be directed to the victim server to cause a significant increase in UDP traffic from source port 123. This is an old and simple tactic detected by most DDoS protection solutions in the market today. It remains very prevalent because this vector is truly easy to execute and could cause severe service impact to those without any DDoS protection.

SSDP Reflection - an attack that exploits the Simple Service Discovery Protocol (SSDP) that allows Universal Plug and Play (UPnP) devices to broadcast their existence. It also enables discovery and control of networked devices and services, such as cameras, network-attached printers and many other electronics equipment. When a UPnP device is connected to a network, after it receives an IP address, the device is able to advertise its services to other computers in the network by sending a message in a multicast IP. Once a computer gets the discovery message about the device, it makes a request for a complete description of the device services. The UPnP device then responds directly to that computer with a complete list of any services it has to offer. As in NTP and DNS amplified DDoS attacks, the attacker can use a small botnet to query that final request for the services. The attacker then spoofs the source IP to the victim’s IP address and sends the responses directly to the victim.