The rise of DDoS Botnets


Last week, Incapsula released a report analyzing the latest trends on the DDoS front. The report exposes advancements in both network and application layers.

While the Incapsula report analyses in detail the different trends and types of DDoS attacks and their volumes, I would like to look into one of the really interesting aspects of their findings: the application-layer DDoS attacks that originate from botnets.

Last year we wrote extensively about the trend of CMS hacking for industrialized cybercrime, where attackers compromise servers in order to onboard the infected machines into botnets and then use those as platforms for network and application attacks. For DDoS attacks, it just makes sense. When a hacker has the power of masses with a large botnet, there are great opportunities to disrupt service. When servers are being infected rather than users' computers, it is even worse, simply because of the bandwidth and computing power that become available to the hacker.

Incapsula's research corroborates our findings from last year, with a large portion of the attacks coming from botnets. During 2013, Incapsula witnessed an increase of 240% in attack volume, and it is important to mention that many of the attacks used the WordPress CMS platform as the bot attack platform.

Figure: DDoS botnets geographic distribution


DDoS bots become more complex

A few months ago we demonstrated in a Threat Advisory on a JBoss vulnerability how easy it is to hijack a server for malicious intent, but the hacker code was always quite simple in terms of abilities.

Incapsula, using its unique bot analysis mechanism, was able to isolate an interesting trend. The bots, while still mostly primitive, are evolving. More and more bots are advancing to the point where they can interact with the application itself, mimicking a user.



Figure: DDoS botnets geographic distribution


At the very least, this shows the direction that industrialized hackers are taking. Realizing the potential in bots, hackers move to develop more advanced bots that can bypass classic solutions by incorporating the ability to disguise themselves as a user or as a browser.
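One of the "classic solutions" alluded to above is a cookie challenge: the first request gets a signed clearance cookie and a redirect, and only clients that store and replay the cookie are served. The following is an added example (not code from the original post or from Incapsula) of such a challenge, with a constructed simulation of a primitive bot that discards cookies beside a cookie-holding client. The secret key, cookie name and TTL are assumptions; it also makes the limit of the technique visible, since a bot that can hold cookies passes it just like a browser.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side secret; in a real deployment load it from a secret store.
SECRET_KEY = secrets.token_bytes(32)
COOKIE_NAME = "ddos_clearance"   # assumed cookie name
TTL_SECONDS = 600                # assumed clearance lifetime


def issue_token(client_ip, now=None):
    """Mint a clearance token bound to the client IP and an expiry time."""
    now = int(now if now is not None else time.time())
    expires = now + TTL_SECONDS
    msg = f"{client_ip}|{expires}".encode()
    sig = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{expires}.{sig}"


def verify_token(client_ip, token, now=None):
    """True only if the token is well-formed, unexpired and signed for this IP."""
    now = int(now if now is not None else time.time())
    try:
        expires_str, sig = token.split(".", 1)
        expires = int(expires_str)
    except (ValueError, AttributeError):
        return False
    if expires < now:
        return False
    msg = f"{client_ip}|{expires}".encode()
    expected = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    return hmac.compare_digest(expected, sig)


def handle_request(client_ip, cookies, now=None):
    """Decide one request: ('serve', {}) or ('challenge', {cookie to set})."""
    token = cookies.get(COOKIE_NAME)
    if token is not None and verify_token(client_ip, token, now):
        return "serve", {}
    # Real deployments would answer the challenge with a redirect back to the
    # requested URL; here only the verdict and Set-Cookie payload are returned.
    return "challenge", {COOKIE_NAME: issue_token(client_ip, now)}


def simulate_client(holds_cookies, n_requests, client_ip="203.0.113.7",
                    now=1_700_000_000):
    """Replay n requests from a constructed client and count how many get served.

    holds_cookies=False models a primitive flood bot that never stores cookies;
    holds_cookies=True models a browser, or one of the ~30% of bots that can.
    """
    jar = {}
    served = 0
    for i in range(n_requests):
        verdict, set_cookies = handle_request(client_ip, jar, now + i)
        if verdict == "serve":
            served += 1
        if holds_cookies:
            jar.update(set_cookies)
    return served


if __name__ == "__main__":
    print("primitive bot served:", simulate_client(False, 5))   # 0
    print("cookie-holding client served:", simulate_client(True, 5))  # 4
```

The token is bound to the source IP and to an expiry, so a cookie harvested from one bot cannot be replayed by the rest of the botnet, and a stale one expires; but the figure quoted later in this post shows why this is a first-line filter rather than a complete answer.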

Here are some of Incapsula’s bot-related findings:

  • More than 25% of all botnets are located in India, China and Iran
  • 29% of botnets attack more than 50 targets a month
  • 29.9% of DDoS bots can hold cookies
  • 46% of all spoofed user-agents are fake Baidu Bots (while 11.7% are fake Googlebots)
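The last finding, that most spoofed user-agents pretend to be Baidu or Google crawlers, is one a site operator can act on directly, because both vendors document that their crawlers' IPs reverse-resolve to names under their own domains and that the name must forward-resolve back to the same IP. The example below is added here and is not code from the original post or from Incapsula; the parent domains in CRAWLER_DOMAINS are assumed from the vendors' published guidance and should be checked against their current documentation, and the DNS answers and log lines are constructed fixtures so it runs offline.

```python
# Assumed parent domains for the reverse-DNS names of each vendor's crawlers.
CRAWLER_DOMAINS = {
    "Googlebot": ("googlebot.com", "google.com"),
    "Baiduspider": ("baidu.com", "baidu.jp"),
}


def claimed_crawler(user_agent):
    """Return which search-engine crawler the User-Agent claims to be, or None."""
    ua = user_agent.lower()
    for name in CRAWLER_DOMAINS:
        if name.lower() in ua:
            return name
    return None


def _host_in_domains(hostname, domains):
    host = hostname.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def verify_crawler(client_ip, user_agent, reverse_lookup, forward_lookup):
    """Classify a request as 'not-a-crawler', 'verified' or 'spoofed'.

    reverse_lookup(ip) -> PTR hostname or None; forward_lookup(hostname) -> set of IPs.
    Both are injected so the check is testable offline; in production wrap
    socket.gethostbyaddr / socket.getaddrinfo or a DNS library.
    """
    name = claimed_crawler(user_agent)
    if name is None:
        return "not-a-crawler"
    hostname = reverse_lookup(client_ip)
    if not hostname or not _host_in_domains(hostname, CRAWLER_DOMAINS[name]):
        return "spoofed"
    # Forward-confirm the PTR name: whoever controls the reverse zone of an IP
    # can put any name there, so the name must resolve back to the same IP.
    if client_ip not in forward_lookup(hostname):
        return "spoofed"
    return "verified"


# Constructed DNS fixture (not real records). 192.0.2.0/24 is documentation space.
_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",  # looks genuine, forward-confirms
    "192.0.2.20": "host.example.net.",                 # PTR is not under the claimed vendor
    "192.0.2.30": "fake.baidu.com.",                   # PTR lies; forward record disagrees
}
_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "host.example.net": {"192.0.2.20"},
    "fake.baidu.com": {"198.51.100.9"},
}


def fixture_reverse(ip):
    return _PTR.get(ip)


def fixture_forward(hostname):
    return _A.get(hostname.rstrip(".").lower(), set())


# Constructed access-log sample: (client IP, User-Agent).
SAMPLE_LOG = [
    ("192.0.2.10", "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"),
    ("192.0.2.20", "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"),
    ("192.0.2.30", "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"),
    ("192.0.2.40", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"),
]


def classify_log(lines, reverse_lookup=fixture_reverse, forward_lookup=fixture_forward):
    """Run the crawler check over (ip, user_agent) pairs from a log."""
    return [(ip, verify_crawler(ip, ua, reverse_lookup, forward_lookup)) for ip, ua in lines]


if __name__ == "__main__":
    for ip, verdict in classify_log(SAMPLE_LOG):
        print(ip, verdict)
```

A request whose user-agent claims a crawler but fails this two-step check should not receive the crawler allow-listing that many sites grant (rate-limit exemptions, WAF bypasses); it can simply fall back to the ordinary bot-mitigation path. Cache the DNS answers per IP, since doing the lookups inline on every request during a flood is itself a cost.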

Where can I learn more?

  1. The Incapsula DDoS report, Here
  2. Incapsula’s infographic, Here