Nexusguard Monthly Threat Report Reveals China is Top Target for DDoS Reflection Attacks

NTP attacks continue to dominate the network threat landscape

October 29, 2015


SAN FRANCISCO – October 27, 2015 – China bore the brunt of DDoS reflection attacks last month, with 61 percent of the top attack destinations observed being China-based systems. Of the 21,845 attack events during the period, 77 percent used Network Time Protocol (NTP) vulnerabilities, reinforcing hackers’ favor for the vector as the most popular DDoS reflection method. These findings were issued today via the Nexusguard September 2015 Threat Report. Nexusguard, the worldwide leader in DDoS security solutions, issues its threat reports each month, analyzing a network of vulnerable devices for new cyber threats and scanning data for trends in attack vectors, duration, sources and other characteristics.

Organizations continue to see increases in distributed reflection denial-of-service (DrDoS) attacks because they are easy for hackers to launch and offer high amplification, causing outages and masking infrastructure intrusions and other digital mischief. Nexusguard’s team of security analysts and engineers noted the sustained popularity of NTP reflection attacks, which secured the top spot among the 21,845 attack events measured between Sept. 1 and Sept. 30, 2015. CHARGEN was the second-most scanned protocol at 35 percent of the 23,743 scan events. Although there has been less need for the protocol in recent times, many CHARGEN-enabled devices are online worldwide, with the default settings leaving the protocol vulnerable.

The report findings also show that:

  • Sept. 2 showed a single target event, which used NTP vulnerabilities for multiple attacks that lasted for more than 9 hours. This may correlate with crises in Europe and the Middle East regarding reports on Europe’s refugee response and conflicts in Syria.

  • CHARGEN scans gradually increased in frequency over the course of the month, while SSDP scans trended downward.

  • The second-highest volume source network for attack scans was Comcast. Given the Internet service provider is based in the U.S., the high volume may be attributable to a large number of hosting companies that are quick to respond to abuse reports.

“Security professionals have closely tracked cyberwarfare between countries, resulting in organizations often citing China and Russia as the major sources of politically or economically charged attacks; however, China was the prime target for all DrDoS attacks last month,” said Terrence Gareau, chief scientist of Nexusguard. “Additionally, we were surprised that popular DDoS mitigation companies didn’t appear in the top 10 attack targets. This may indicate that few organizations enlist expert help when protecting against DDoS compared to the number of attacks we monitored.”

Read the full Nexusguard September 2015 Threat Report for more details.


About Nexusguard

Founded in 2008, Nexusguard is the global leader in fighting malicious Internet attacks. Nexusguard protects clients against a multitude of threats, including distributed denial of service (DDoS) attacks, to ensure uninterrupted internet service. Nexusguard provides comprehensive, highly customized solutions for customers of all sizes, across a range of industries, and also enables turnkey anti-DDoS solutions for service providers. Nexusguard delivers on its promise to maximize peace of mind by minimizing threats and improving uptime. Headquartered in San Francisco, Nexusguard’s network of security experts extends globally. Visit for more information.

