Q2 2017 Global DDoS Threat Landscape Report
This week we released our latest Global DDoS Threat Landscape Report, a statistical analysis of more than 15,000 network and application layer DDoS attacks mitigated by Imperva Incapsula services during Q2 2017.
This quarter, for the fifth quarter in a row, we saw a decrease in the number of network layer assaults, which dropped to 196 per week from 296 in the prior quarter. We also saw a small dip in application layer attacks, which fell to 973 per week from an all-time high of 1,099.
The largest network layer assault we mitigated in Q2 2017 peaked at 350 Gbps and was carried out using a new tactic that we encountered on multiple occasions throughout the quarter.
The tactic, which we labeled a ‘pulse wave attack’, enables an offender to pin down multiple targets with alternating high-volume bursts. As such, it serves as the DDoS equivalent of hitting two birds with one stone.
A detailed analysis of the pulse wave attack method can be found in our whitepaper, available here as a free download.
Number of Repeat Attacks Goes Up, US Targets Are Most Exposed
One of the most prevalent trends we observed in Q2 2017 was the increase in the number of persistent application layer assaults, which have been scaling up for five quarters in a row.
In the second quarter of the year, 75.9 percent of targets were subjected to multiple attacks, the highest percentage in our records.
Figure 2: Number of targets subjected to repeat DDoS attacks
Notably, US-hosted websites bore the brunt of these repeat assaults—38 percent were hit six or more times, out of which 23 percent were targeted more than 10 times.
Figure 3: Distribution of repeat DDoS attacks in the US and worldwide
Conversely, 33.6 percent of sites hosted outside of the US saw six or more attacks, while “only” 19.5 percent saw more than 10 assaults in the span of the quarter.
Increased Botnet Activity Out of Turkey, Ukraine and India
Another point of interest was the unexpected spike in botnet activity out of Turkey, Ukraine and India.
In Turkey, we recorded over 3,000 attacking devices that generated over 800M attack requests, more than double what we saw last quarter.
In Ukraine and India, we recorded 4,300 attacking devices, representing a roughly 75 percent increase from Q1 2017. The combined attack output of Ukraine and India was 1.45 billion DDoS requests for the quarter.
As the origin of 63 percent of DDoS requests in Q2 2017 and home to over 306,000 attacking devices, China retained the top spot on the list of “attacking countries”.