In a new report, NSFOCUS introduced the IP Chain-Gang concept, in which each chain-gang is controlled by a single threat actor or a group of related threat actors and exhibit similar behavior among the various attacks conducted by the same gang.
IP Gang attack-type classification against attack volume size
Researchers analyzed attack types, volume, size of events, gang activities, and attack rates. By studying the historical behavior of the 80 gangs identified in the report, NSFOCUS built several unique gang profiles to analyze their preferred attack methodologies and how to develop a better defense system against future attacks.
- These gang members, though only a tiny fraction (2 percent) of all the attackers, are responsible for a much larger portion (20 percent) of all the attacks.
- Most of the gangs have fewer than 1,000 members, but NSFOCUS also sees one gang with more than 26,000 members.
- Reflection flood attacks are the dominant attack methods favored by the gangs, specifically in high-volume attacks due to their great amplification factor.
- Gangs typically do not operate at their full potential capacity. However, knowing their maximum attacking power is very important in planning the defense against them.
- The top attacker source region are European countries. Asian countries, as well as North America, also contributed a significant amount.
“Since botnet activities and DDoS attacks are usually collaboratively launched from multiple sources, it’s not surprising to see that many of these recidivists are working together as a group in these attacks,” said Richard Zao, senior vice president of global threat research, NSFOCUS. “We believe that this is the first time that DDoS attacks have been studied as coordinated gang activities. Moving forward, we plan to track IP Chain-Gangs’ evolving history and study the interconnections among their members. By doing this, we will be better able to detect, mitigate, forensically analyze, and even predict future DDoS attacks.”