Distributed denial of service (DDoS) assaults continue to be a nuisance for online businesses and their customers. Worse, the downtime caused by attacks is costly for organizations and frustrating for consumers.
With attacks showing no signs of abating, understanding the methods and capabilities of perpetrators is essential to maintaining good defenses.
In our Q2 2015 DDoS Global Threat Landscape Report we share unique research data, collected in the course of mitigating thousands of DDoS assaults against Imperva Incapsula-protected domains and network infrastructures.
Leveraging this large dataset, we are able to produce statistical research of DDoS events—one which provides a bird’s-eye view of the current state of the DDoS threat landscape, focusing on the latest attack methods, attack frequency and duration patterns.
As indicated by its title, this is our premier quarterly report on this topic. This marks our new commitment to producing a periodic DDoS landscape study which discloses quarter-to-quarter and cumulative annual trends in DDoS attack patterns.
At a Glance
Each quarterly report is based on unique research data, collected in the wild through the mitigation of thousands of DDoS assaults against Incapsula-protected domains and network infrastructures. Our analysis covers 1,572 network layer and 2,714 application layer attacks over a 72-day period from March 1 through May 7, 2015. Information about nefarious bot capabilities and their assumed identities comes from a sample of 60 million DDoS bot sessions collected over the same period.
Our analysis of network and application layer DDoS attacks clearly points to two interesting counter trends.
On one hand we observed long, complex, multiphase assaults that resemble advanced persistent threats (APT). These employ different methods and can last days, weeks, and even months at a time. On the other hand, we also noted a preponderance of rudimentary single-vector attacks usually lasting no longer than 30 minutes.
To us, this duality relates to two main DDoS offender archetypes, the first being the professional cybercriminal, the second being a user of botnet-for-hire services—so-called “booters” (or “stressers”). Their subscription-based model offers anybody the ability to launch several short-lived DDoS attacks for just a few dozen dollars a month.
Here are some of the other key report findings:
- DDoS attackers are relentless. Half of all application layer DDoS attack targets are hit again within 60 days. Targets are hit once a week on average.
- DDoS attacks last longer than most assume. Over 20 percent of all network layer attacks last over five days. The longest this past quarter lasted 54 days.
- Botnet-for-hire services endanger the Internet ecosystem. Fingerprints of botnets-for-hire services are on more than 40 percent of all network layer attacks against our clients.
- Large-scale attacks exist on both fronts. The largest network attack mitigated this past quarter was 253 Gbps, while the largest application layer assault amounted to 179,700 requests per second.
- “Internet of Things” used in DDoS attacks. UDP attacks are used in more than 56 percent of all network layer threats. Of these, eight percent are SSDP DDoS attacks, launched from Internet of Things devices.
- The end of search engine impersonators? Botnet operators have all but abandoned the use of search engine impersonator bots (down from 57 percent in 2014 to a current 0.9 percent).
Cost of DDoS
To provide context to the report findings, we want to remind readers of the persistent threat DDoS events pose to online businesses.
As shown by our 2014 DDoS Impact Survey, the real-world cost of an unmitigated attack is $40,000 per hour. Implications reach far beyond lost revenues to include loss of consumer trust, data theft, intellectual property loss, and more.
Today, with a substantial percentage of attacks lasting for days, and half of all targets being repeatedly hit, a worst-case scenario entails losses of hundreds of thousands—if not millions—of dollars.
Combined with an understanding of downtime cost, it is our hope that IT decision-makers can use our findings in this and future quarterly reports to assess their potential DDoS risks and implement requisite solutions.