Securing Your Digital Assets Against Hijacking, Phishing and DDOS Attacks
Please be advised that these recorded webinar presentations have been edited from the original format (which might include a poll, product demonstration, and question-and-answer session).
We know you put your company’s cyber security first—and so do we. That’s why in the changing digital landscape with consistent threats from cyber attacks, we want you to be prepared.
In this free webinar in cooperation with our partner, Verisign®, CSC® will present the latest trends in cyber attacks and how you can stay one step ahead.
Whether you’re involved in the day-to-day of IT operations, or an executive trying to safeguard your company’s data and reputation, join CSC expert Mark Flegg and Verisign’s Rohit Kinra for a timely discussion on:
Current threat trends
Different attack vectors (portal versus infrastructure)
Portal protection and what to look for—including two-factor authentication, CSC MultiLock, and anti-phishing
DNS—build or buy?—including discussion on the cost of each, and DNS slaving as an option
Anu: Hello, everyone and welcome to today's webinar, "Securing Your Digital Assets Against Hijacking, Phishing and DDoS Attacks." My name is Anu Shah and I will be your moderator. Joining us today are Mark Flegg and Rohit Kinra.
Mark is the Global Product Director of Domains and Security for Corporation Service Company and is responsible for advising a global client base on digital risk and the preventative measures brands can take to safeguard their digital assets. He also supports CSC's sales team and helps to drive business development for the company.
As a Director of Product Technology for the Verisign Security Services Group, Rohit is the lead technical evangelist working with the product management team on product direction. Rohit meets with Verisign's most strategic customers providing information on security trends and helping them establish best practices for keeping their critical applications secure. With that, let's welcome Mark and Rohit.
Mark: Thank you, Anu.
Rohit: Thanks, Anu.
Mark: Good morning, good afternoon, everybody. Welcome to the session. I want to start out by kind of backtracking a little bit on what is in a digital brand. In much the same way we've all witnessed and participated in the extraordinary growth of the Internet, ecommerce, mobile content, social media, we're all now becoming acutely aware of the risks and threats that accompany that development.
As you look at it and you look at the press, hardly a day goes by when we don't read about cybercrime. There's always another hacking or a company or services that have been taken offline and compromised in some way. One of the most recent ones that was shared publicly was from Lloyds Bank, who had a huge DDoS attack in January and they just shared some details on their outage.
It was interesting that part of it was a Bitcoin ransomware to the tune of $75,000. This is along similar lines that the DD4BC, so the DDoS for Bitcoins group, about two years ago were leveraging blackmailing organizations. The difference with this one is obviously it hurt a lot. So if you look at that and you reflect, we're a long way from hearing about physical warehouses that have been broken into and inventory stolen. Which, back then, that passed for kind of corporate crime if it wasn't espionage.
So, having taken advantage of these new digital channels as they've evolved has made the brand target even bigger and somewhat more diluted. If you look at the graphic here, we've got what we'd consider a digital brand in the center. Everybody wants to do business online. It's very cheap. It's a very good vehicle for getting lots of eyes on your content. But that's diversifying.
Five years ago, we'd have been talking about domain names, possibly digital certificates and DNS. Now we've got mobile apps. We've got social media handles. We've got emails. These things are all expanding. So, during today's session, we're going to help you understand how to stay on top of those developing threats, how you can understand them better and how steps can be taken to mitigate them. We're also going to look at the nature of cyber threats from both the perspective of securing access to those assets and then the robustness of the assets themselves.
So, before we do that, let's just understand who is targeting our brands. That's typically coming from two categories, a cybercriminal or a hacktivist. For those that aren't aware, a cybercriminal is somebody we put into a bucket where it's an individual or organizations that are typically highly sophisticated. They exploit systems through various attack vectors. They'll conduct financial theft, corporate espionage, etc.
And there are so many examples that spring to mind--Yahoo data leak, 500 million users' data stolen, Tesco Bank hacking, £2.5 million, $3.09 million stolen from 9,000 customer accounts, the PageGroup hacking, more recently the Cloudflare breach.
The hacktivists on the other side, they're looking to gain access to systems. They are typically politically or socially motivated. They want to get their message out there. They've all got a message. They want their voice to be heard. Examples of the hacktivists would be the Syrian Electronic Army, who are synonymous with DNS hijacking, the Anonymous Group, who declared war on global banking in May. It's not the first time they've done that. They declared war on Wall Street a few years back, for those that can recall. Together with the Ghost Squad hackers, they took down over 30 banks. I'm not going to name them, but there are an awful lot of them. It just goes to show that business isn't quite prepared to deal with these attacks.
So, what are the motivations behind these? If we were to split some of the attacks down, three main categories. You've got the smallest, which is the cyber espionage. You've got your hacktivism and then you've got your cybercrime. It's no surprise that cybercrime is the biggest slice of the pie here. This is basically because people are doing it for monetary gain. They're going to attack brands. They want to get financial gain from your organization.
Now, how are they doing this? I've brought this graphic back up. You can see that the digital assets and all of the satellites that are associated with it are within a target. This is what the cybercriminals and hacktivists are doing. We've got on the left-hand side there in between the categories different methods that they're using. These are not mutually exclusive. Be aware that a hacktivist or a cybercriminal will use any tool at their disposal to get at your digital assets.
So, whether it's a DDoS attack--and we'll hear from Rohit a little later on how they're doing and what he's seeing from a Verisign perspective. It could be malware or ransomware. It could be a phishing attack. It could be SQL injection. It could be social hijacking. It could be domain hijacking. There is a longer list as well. It doesn't matter what it is. They're going to exploit it if they can within your organization.
So, if we look at some of the potential threats here in a little more detail, domain hijacking, DNS hijacking and domain shadowing, as I said earlier, there's not a day that goes by where something isn't in the news. There are plenty of examples to illustrate this. If we go back in time a little bit, The New York Times, they were attacked by the Syrian Electronic Army. They didn't have registry lock in place. So, the DNS was able to be changed pointed to the Syrian Electronic Army servers. What does that mean? It means anybody that goes to the New York Times website actually ends up at the Syrian Electronic Army site. Again, this is how they get their voice heard.
Facebook, again, Syrian Electronic Army, a couple of years ago went through a spell where they attacked all of the big brands that were either social media or news outlets. Again, the way that they're looking at this is, "Okay, where am I going to get the biggest bang for my buck if I compromise somebody? Where are the most sets of eyes?" Lenovo as well, it's not just social media. It's not just news outlets. It is manufacturers as well.
So, as we talk about domain and DNS hijacking, let me tell you the difference. So, domain hijacking is when somebody steals your domain and transfers it away from your management and it will change the ownership. DNS hijacking, which is more common, that's typically what the Syrian Electronic Army do, someone changes the resolution of your domain via the DNS, so a delegation at the registry.
Both require the stealing of usernames and passwords to the domain or the domain management portal, either by phishing, social engineering or malware. Once they're inside the domain name registrar systems, automation, which is fantastic for keeping costs down, suddenly becomes an absolute nightmare because it's super easy for somebody to make unauthorized changes. No human is looking at this. It's fully automated. So, that leaves business with a challenge, especially for their business critical domain names.
As you see from those headlines that I showed, there's a long list of well-known brands. This list unfortunately continues to increase. The one that I've got on the screen right now is an example from October last year which was targeting Blockchain.info. This was a DNS hijack and over eight million Bitcoin wallets were left inaccessible.
Again, this is a massive, massive disruption. The DNS provider in this instance was Cloudflare. They were compromised. A zone file was changed, so visitors were directed to another URL where, again, once you've got them on your site, you can phish their credentials, you can put malware infections there. You can steal their data.
Now, this seems to be a horrible trend as well. When people go out and they make claims to secure systems, they seem to instantly become a target. KrebsOnSecurity, he was probably the first victim of the Mirai virus, which is leveraging the Internet of things. That was a 624 gigabyte per second attack.
Cloudflare just before this incident had boasted about how big a DDoS attack they could withstand. I think when companies come out and do this and make these statements, they're actually putting a target on their back. It's creating a challenge for people. Again, we'll get into DDoS in greater detail, but it's super easy to launch one these days.
If we look at domain shadowing, again, very recent examples from GoDaddy, who is considered to be a retail domain registrar. This is where a bad actor is going to hack your domain name management account as before and create subdomains for your domain. So, if I take the brand cscglobal.com, somebody's going to create online.cscglobal.com. They're going to use that essentially for phishing attacks.
Hopefully the majority on this call have had phishing awareness training. The first thing you look at is the domain name on the email. Does it look legitimate? Well, if it points to 123.hotmail.com, yeah, it's going to be a bit suspicious. But if it says online.cscglobal.com, okay, I know CSC. I'm going to trust this. So, it makes them look more authentic and it's often undetected because what they're doing is adding these subdomains on defensive registrations, the domains that we're not looking at on a daily basis. So, it can fly under the radar for a long period of time.
It is difficult to stop. Again, these subdomains are high-volume, short-lived. It's random with no discernable pathings, which makes blocking extremely difficult and the worst part is it directs the users to an Angler exploit kit. So, it's important that, as we'll cover, the registrar that's looking after that digital asset, your domain name, helps protect you from those sorts of risks.
If we look at additional potential threats--poor management, malware, espionage, when we talk about poor management, you talk about domain names, you talk about SSL certificates, they have one thing in common and that is they have an expiration date. The worst thing that you can see as a brand owner is this message for your core website.
Google is leading the way in communicating risk to clients if you're using their Chrome browser. The messages are going to be way more hard hitting than this, believe it or not. Maybe some of you have seen it already where you've got the line through, "This is not a safe site," it's in big red letters. It's down to the brand owner to make sure that those certificates are renewed correctly.
Same with some big brands as well. Instagram forgot to renew its SSL certificate. So, in late 2014 in the build up to Christmas, thousands of credit cards in the US manufactured by Equinox Payments stopped working. This was all down to an expired digital certificate. They created that in 2004 and it was valid for 10 years.
When you order something for 10 years, you are going to forget about it. You're not going to put a process around it. It's too far off and you're not touching it enough. So, there were serious consequences for retailers across the country that were suddenly unable to process credit card transactions going into one of the biggest shopping seasons of the year.
The certificate industry themselves are changing. You actually can't buy a 10-year certificate anymore. Two to three years is the maximum. Business really does have to find a better way to manage this or more outages will occur.
If we look at some other expired certificate examples, in this one, Microsoft and their Azure cloud services, which is the equivalent to Amazon AWS found that users simply couldn't access the service because of an expired certificate. In one of the worst case situations, the web browser, Opera, they had an expired certificate and the hackers found a way to create a vulnerability, which led to everybody using that search engine basically downloading malware. They were very lucky that that didn't lead to a data breach. So, plenty of examples that are out there. There are a select few.
What does it mean? What does bad management mean to the business? The impact is huge. CSO Online suggested in a 2015 article that the cost was some $40 million for the average Global 5,000 company. With a growth in the need for certificates for both the Internet of things and because Google are better ranking sites with a certificate, the risks are growing.
There was a recent study by Venafi that reported that 80% of businesses surveyed were hit by a certificate-related outage, 64% said their organizations could not respond to a certificate-related security event in six hours or less. So, if you're dealing with ecommerce or you're passing very sensitive information, six hours is a lifetime. The survey also showed that most businesses do not have the visibility or tools necessary to manage this fundamental element of cybersecurity and operational availability effectively.
Those numbers are frightening. We have conversations with clients every day. We understand budgets are in place. We're businesses at the end of the day, but sometimes you've got to look at the big picture here and you've got to say, "Am I actually spending money to save money?" And as you've seen from the examples, these things are not going away. They're getting worse and worse.
So, if we now look at the potential threats from a social hijacking perspective related to your social media, we've got some examples here, some risqué photos on a Michigan college website after a hack. It's an old one but it's one of the ones that makes me chuckle, but if I was the brand owner, I would be absolutely furious. This is where an employee decided that Burger King and McDonalds would merge and you could buy the McWhopper.
They did attract an additional 30,000 Twitter followers after this incident, but nevertheless, it's not what you want for your brand. That was down to a rogue employee because the credentials for the social media handles were not locked down correctly.
Again, one of the most famous ones that's out there--this is a company from the UK, HMV, they were going through a period of downsizing and the person, again, that was responsible and had access to their Twitter feed was one of the people leaving, so they thought it would be fun to do a live tweet to everybody going into the human resources office. This is not good for your business reputation by any stretch.
So, the main question is how do you manage access to your domains, your DNS, your SSL certificates and your social media usernames and passwords? These are all potential threat targets.
So, one of the things we would recommend that you review is how do you secure your digital assets? So, number one, we would recommend that you use a corporate registrar. This is someone who really appreciates the value of your brand. We did some research and about 31% of companies core domain names still utilized a retail registrar's DNS. So, if they're doing that, the domain name is there. This is not somebody that's looking out for you. You're most likely paying by credit card, which is going to expire. They won't remind you. They'll just lapse your domain name.
So, you need to think about not just how you manage but where you manage. People like GoDaddy that we mentioned the domain shadowing on, history also tells us that their call center staff are more likely to succumb to social engineering attacks, which is going to lead to DNS hijacking or domain hijacking. Google this, by all means, and it will tell you that GoDaddy are a frequent target for phishing attacks.
Without compromising on quality, look to minimize the number of providers across the digital assets. The fewer suppliers you have, the less access points can be targeted. We run scans for our customers and there will be a complimentary one available for you at the end of this session, where it will highlight that they've got six or seven at least, on average, DNS providers. I've seen some with 23 SSL providers.
This is not good, especially in a crisis situation where you're trying to figure out, "Who do I go to for this? How do I resolve this issue?" It's super important that you consolidate that. If nothing else, you're going to get a better purchasing cost because you're throwing volume at it. But more importantly, you need to choose a vendor or supplier that's focused on security.
So, you've got to have that secure portal access. Make sure they offer IP validation. Make sure they offer two-factor authentication. There are many out there that don't do this. For those that aren't aware, two-factor authentication, this is something you know, your username and password, and something you don't know.
So, generally it's a smartphone app or a hard token where it will generate a special pin code that you enter in conjunction with your username and password. That means if somebody does phish you and they get your username and password, they will never have access to that rotating pin. It changes every 60 seconds. So, they can never use your credential to get into a system. If you think about DNS hijacking and domain shadowing, how those could have been stopped with two-factor. New York Times and Lenovo, by the way, did not have two-factor authentication or registry lock.
So, if we look at other things that you can do, it's all about secure user management. If you've got your domain portfolio, for example, is there a way that you can segregate your critical or crown jewel domain names into a core account? Do you have granular access rights? Do you have request or approver mechanisms? It could be that some people need to get access to a system, but do they actually need to commit changes? Do you want another set of eyes to run past that?
As we're seeing now, federated identity--other names for it are SAML 2.0 implementation, SSO, single sign on. This is where if you log on to your network in your organization, you can automatically be logged in and authenticated in another portal from a third party. This is particularly important for if a person within your organization leaves or changes roles where they don't need that access anymore. You remove them from your system, it automatically removes them from the other systems.
This is increasingly important. It's only going to play bigger as organizations are looking to outsource. We all want best of breed systems and applications. So, it's important that in response to the security threats, that for our customers that they face, we create a security conscious culture and we develop solutions that make us recognized leaders in helping companies mitigate and manage the risks in securing their digital assets.
This includes securing the weakest link--human interaction. So, we can get a system to do anything you want. However, people fall foul of phishing. It's human nature. So, in that security conscious culture, we always insist on a customer service request validation training and phishing awareness training. This is mandatory for people at CSC. I'm hoping that your organizations adopt that as well. It's something that we all need to be aware of.
Some of our research suggests that 41% of companies include the named individual responsible for domain management within the company's WhoIs record for a core domain name. It might sound as if it's the right thing to do, but what you're doing is you're telling somebody okay, in the public information, the WhoIs, I can go and look up who I need to phish. So, where possible, we always recommend you will use a role, so Domain Admin or something like that so it's not a named individual. That also creates problems if that person changes. It can be quite costly.
The other thing that if you're going to do that, one of the things that you can use to help is email authentication. Have you considered that? Again, that can help mitigate inbound spear phishing emails. It's not today's focus, but if you do have interest, let us know after that. Again, in our research, only about 10% of core domain names have a DMARC record, which stops that phishing.
So, in addition to securing digital assets, there's another feature called CSC's MultiLock. Other providers might call it registry lock. There is another little known registrar lock as well. There's no silver bullet to securing your domain names. Two-factor, IP validation, federated identity, user access, phishing awareness, all of these things are super important, but it's multiple layers of security that's going to help you out here. For me, the most important one is MultiLock. It's locking the domain at the registry whereby you cannot make any unauthorized changes. We take something that was fully automated and make it very much manual with human interaction.
So, again, if the likes of Facebook and New York Times had MultiLock in play, DNS redelegations are not permitted without approval. So, it would have stopped that in one fell swoop. It's not just the website and the name service. You need to be considering two-factor in conjunction with it for zone changes. I don't want anybody changing my A records.
So, as we end this section, I just want to bring this graphic back up. The digital footprint is expanding. Brand owners have got more opportunities today to get awareness for your products and services, but that also opens the door for more cyber threats. It's critical that business manages those assets like they manage other assets.
It's not new to business to manage a digital asset. We've been managing assets, laptops, mobile phones, desks, fixtures and fittings in offices. We've been doing that since the dawn of business. They've been held in ledgers. We even put things down for depreciation over time. So, managing an asset is not new to business, but for some reason, digital assets seem to be escaping that radar right now. We want to make sure that business understands the criticality of them.
So, with that, I mentioned DDoS a few times. I'm going to pass it over to Rohit Kinra, who is the director for product technology at Verisign and he's going to give us a deeper dive into DDoS.
Rohit: Thanks so much, Mark. Thank you very much, Mark. So, I'm going to be discussing industry statistics and behavioral trends as well as observations and insights from our DDoS attack mitigations that we've enacted on behalf of our customers and also some security intelligence research from our iDefense team.
But first let me begin by giving some background on Verisign. Verisign is a publicly traded company and we're headquartered in Reston. I think most people know Verisign as the Internet infrastructure and security company and we have two lines of businesses. Our naming division is responsible for operating not only two of the largest TLDs, .com and .net, but also very integral in internet root operations being the root zone maintainer as well as root zone operator for the A and J root servers.
We also operate about 23 other TLDs as well, including .gov, .edu and .tv. So, not only has Verisign operated these TLDs at scale, we do about 120 billion DNS queries on a daily basis, but we've also operated them at 100% availability for the last 10 years.
Our other line of business is Verisign Security Services. Those services were derived by the technology and experience from operating our naming business. We've launched several of those as SaaS services to help our customers protect the availability of their applications.
So, as the threat landscape is growing and evolving, it represents an increased challenge to legitimate users finding and using applications. It's clear that in planning for how users find and access your applications moving forward, it's vital to account for the growing threat landscape and to also consider how your applications are going to be deployed.
In today's environment, it's very diverse. So, the challenge remains how you maintain reachability and usability of your application even when presented with a growing attack surface and multiplied by the diverse application deployment.
So, as I mentioned, organizations are really shifting the way that they deploy applications. It used to be that when I deployed an application, I needed to get either space in a data center or run my own data center and deploy physical hardware there and that's how I can deploy my applications. That world is completely changed with the introduction of virtualization and then SaaS technologies or cloud based hosting such as Amazon AWS or Microsoft Azure or Google CloudFront or things like that.
Compute workload has really been shifting from that traditional data center to the cloud. In 2013, that ratio was 50/50. So, 50% had their applications deployed in a traditional data center, 50% were using compute in the cloud, and 70% had actually moved to the cloud in 2016. This year, sorry, by next year in 2018, we estimate that 80% will be in the cloud.
An overwhelming majority of enterprises that are using cloud for deployment of their applications are using a multi-cloud approach, so, 82% having multi-cloud strategy. Within the multi-cloud approach, within those 82%, the most popular is actually a hybrid cloud followed by private cloud and multiple public clouds.
So, the differences are a hybrid cloud would be when I host an application within my data center and I also use excess capacity at a cloud provider like, for example, AWS. So, I am running my application across both of these environments simultaneously versus multiple private clouds would be if I host multiple private cloud data centers and run them in multiple locations and multiple public cloud would be if I used Amazon AWS as well as Microsoft Azure in concert with each other.
And while this strategy will help against outages against a cloud provider, it actually increases the attack surface because the customer really has very limited visibility or control of the application in that cloud. As the companies move more of their workload into the cloud, they're exposed to new security risks and there's actually more potential for application down time. The challenge here is really balancing availability and security, which is complicated by the fact that attacks are growing in size, complexity and frequency. Traditional tools that we use are often inoperable and ineffective in cloud environments.
Now, this is also complicated by the fact that launching a DDoS attack has become much more accessible to attackers thanks to the rise of cloud computing, of all things. It's because what you're seeing is just like everything else is moving to the cloud, DDoS attacks are also moving to the cloud.
So, you can have anybody attack you at this point. It can be low skill teenagers who want to cheat while playing online games to cybercriminals looking to supplement their income. The DDoS for hire market is actually booming. At this point, the cost of defense versus protection has become dramatically asymmetric. The cost of launching an attack is as little as $5 an hour, which makes pretty much anybody a potential adversary.
Complicated with that is also the size and scale of attacks. So, in 2016, we saw some very, very large scale attacks. As Mark mentioned earlier, there was the Krebs attack, which happened in September of 2016. Then not only a few weeks later, there was another attack against a large hosting company called OVH in France.
So, attack sizes have consistently been going up. So, in 2010 to 2012, we were seeing attack sizes going up by 50%. The scary part is between 2015 and 2016, we saw greater than 167% increase in attack size.
So, DDoS attacks are actually indiscriminate. What I mean by that is they're really not limited to any industry or vertical. When we look at the attacks against our customer base, we found that IT service SaaS cloud customers actually experienced the largest number of attacks. They represented about 49% of all attacks that Verisign mitigated in Q4 of 2016 and the average attack size for that vertical was 16.3 gigabytes per second.
Followed closely by that was the public sector, which was a little surprising. The public sector was 32% of all mitigations, up from 12% in Q3 and averaging 6.9 gigabytes in attack size. This is the largest percentage of DDoS attacks that Verisign has observed against the public sector since the inception of our report, which was in Q1 of 2014.
The financial and media entertainment sectors were also targeted, representing 6 and 7% of all mitigations, respectively, and averaging 10.4 and 25.5 gigabytes in attack size. Finally, while the communications sector wasn't frequently attacked at 4%, the average attack size was actually quite large at 15.8 gigabytes per second.
So, as you can see, it really almost doesn't matter which industry or vertical you're at. You have a large threat of DDoS. The attack sizes are significantly larger than they were. We're seeing average attack sizes north of 10 gigabytes a second. So, typically most customers don't have that type of incoming bandwidth to protect themselves.
So, in terms of actual attack sizes, 87% of the attacks that we've mitigated in Q4 2016 peaked over 1 gigabytes per second, 52% peaked over 5 gigabytes per second, and 22% were over 10 gigabytes per second. The average size of attack across the entire customer base for all of Q4 was 11.2 gigabytes per second, which was actually a slight decrease when compared to Q3 2015 and the decrease was 12% decreasing. We saw 12.78 gigabytes per second in Q3.
However, the average attack sizes in 2016 were significantly larger than previous years. Verisign observed an average of 16.1 gigabytes per second in 2016, which was 167% increase from 2015, as I mentioned earlier, which had an average attack size of 6.02 gigabytes per second.
In addition to that, attackers launched sustained and repeated attacks against their targets. Verisign observed that more than 50% of customers who experienced a DDoS attack in Q4 2016 were targeted multiple times in that quarter. The largest and highest intensity attack that we observed in Q4 2016 was a multi-vector attack that peaked over 125 gigabytes per second and was around 50 million packets per second.
This was notable because attackers were persistent, sending attack traffic on a daily basis for almost an entire month. So, the attack was relentless. The attack consisted of DNS reflection traffic as well as ICMP traffic, which was Internet Control Message Protocol. They switched periodically to TCP SYN floods and TCP reset floods, peaking at approximately 70 gigabytes per second and 50 million packets per second. The attack also included IP fragments to increase the volume of the attack.
So, what you're seeing there is the multi-vector effect. What that means is that attackers changed their tactics in the middle of an attack so that they can find what your weak point is and they do this because it's more complicated and more complex to protect against that attack. Sixty-eight percent of attacks that we mitigated in Q4 employed multiple attack sites. So, that required not only continuous monitoring, but an optimal mitigation strategy.
So, as in throughout 2016, UDP flood attacks really dominated, making up 52% of all attacks in the quarter. The most common of the UDP floods was DNS reflection attacks followed by NTP reflection attacks. The balance of the attacks that we mitigated were IP fragments, 23%, TCP floods at 16% and application layer attacks at 7%. Application layer attacks are very complex. So, while they may not be very large in terms of bandwidth intensive, the issue with them is that in those cases, the attackers have taken the time to understand your application and they've built an attack that specifically targets you.
So, an example of an application layer attack would be if I'm an ecommerce website, I've scaled my website to be able to do maybe 100,000 add to carts a minute and the attacker is sending me somewhere in the neighborhood of a million add to carts a minute. So, that's going to take up my back end resources. So, my databases will freeze. The app server won't be able to communicate with that database.
You're essentially making the functionality of adding an item to the cart for every user on the website unusable. So, while the entire website is available, the main function I would argue for an ecommerce company is unavailable. So, the application layer attacks, while you're representing a small percentage, they're actually the hardest to mitigate and they require a very skilled organization or a skilled DDoS engineer to be able to mitigate against them.
And of course, certainly not the least thing is protection of DNS. Most people really don't think about DNS because it works all the time. However, when DNS doesn't work, it's a major problem. It's a mission critical component of the Internet, the resolution of my domain name to an IP address, allowing users to navigate and find my website.
If you don't fortify your DNS, everything else that you're doing in terms of your application is kind of all for naught because no one can really remember the IP address of how to get to your application. So, I think in 2016 we saw a number of DNS attacks as well that showed the critical importance of making sure you fortify and make sure you have a very secure DNS service.
So, with that, I'm going to pass it back to Anu.
Anu: Great. Thank you. So, folks, that is all the time we have today. Again, a big thank you to Mark and Rohit for the information they provided and also to all of you for joining us. If we didn't get to your question, we will contact you with a response after the webinar and we hope to see you next time. Thank you.