The latest Imperva quarterly DDoS Threat Landscape Report details the changes in attack patterns during Q4 2015. It was compiled using data from 3,997 network layer and 5,443 application layer distributed denial of service (DDoS) attacks mitigated by Imperva Incapsula services from October 1 through November 29, 2015, which we refer to as Q4 or the fourth quarter.
This information helps anticipate the DDoS threats organizations may face in 2016, while also heralding changes in how the security industry approaches DDoS mitigation.
Network layer: Get ready for high-volume DDoS bursts
Most notably, the second half of 2015 saw a surge in the use of DDoS-for-hire services. These services let anyone with a PayPal account launch DDoS attacks of medium-to-high volume lasting between 30 and 60 minutes.
DDoS-for-hire has been around for a while. However, increased availability of these tools, coupled with media attention and lackluster regulation, recently put this segment on an accelerated growth path. This has led to a surge in the number of DDoS attacks.
Consequently, in Q4 2015, we saw a 25.3 percent increase in the frequency of network layer attacks against our clients. This was in addition to the 108.5 percent increase we reported in the prior quarter of last year. These were predominantly short high-volume bursts, best exemplified by the largest network layer assault we dealt with in Q4—a 40-minute-long SYN flood that peaked at 325 Gbps and 115 Mpps, one of the largest attacks mitigated by any DDoS protection provider to date.
Overall, 82.9 percent of network layer attacks in Q4 2015 lasted under 30 minutes. We often saw such bursts repeatedly launched against the same target in the span of several hours.
From a mitigation point of view, concurrent bursts are generally more dangerous than a single assault of comparable length. Dealing with them requires a combination of early detection and rapid activation, in addition to scalability. This is something that few DDoS protection solutions can offer.
Also in Q4 2015, we recorded an increase in high-volume assaults that used smaller-sized network packets (e.g., TCP floods). When considering their infrastructure’s soft spots, such high-rate attacks force operators and mitigation providers to think in terms of processing capacity (Mpps) rather than network bandwidth (Gbps).
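As an added illustration of the two points above (repeated short bursts against one target, and processing capacity versus bandwidth), the following Python is example code written for this article, not Imperva's own detection logic. It runs a simple burst detector over constructed per-second counters, with illustrative Mpps and Gbps ceilings; a 60-byte SYN flood trips the packet-rate limit long before the bandwidth limit, while a large-packet flood does the opposite.

```python
from dataclasses import dataclass

PPS_LIMIT = 50e6    # 50 Mpps: illustrative processing-capacity ceiling
BPS_LIMIT = 100e9   # 100 Gbps: illustrative bandwidth ceiling

@dataclass
class Burst:
    start: int        # first second over a limit
    end: int          # last second over a limit
    peak_mpps: float
    peak_gbps: float
    trigger: str      # limit tripped at onset: "pps" or "bps"

def avg_packet_bytes(bits_per_s, packets_per_s):
    """Mean packet size implied by a bandwidth and a packet-rate reading."""
    return bits_per_s / 8 / packets_per_s

def detect_bursts(samples, max_gap=5):
    """samples: (second, packets, bytes) counters, one tuple per second.
    Over-limit seconds at most max_gap quiet seconds apart form one burst."""
    bursts = []
    for t, pkts, byts in samples:
        over_pps, over_bps = pkts > PPS_LIMIT, byts * 8 > BPS_LIMIT
        if not (over_pps or over_bps):
            continue
        if bursts and t - bursts[-1].end <= max_gap:   # extend current burst
            b = bursts[-1]
            b.end = t
            b.peak_mpps = max(b.peak_mpps, pkts / 1e6)
            b.peak_gbps = max(b.peak_gbps, byts * 8 / 1e9)
        else:                                           # a new burst starts
            bursts.append(Burst(t, t, pkts / 1e6, byts * 8 / 1e9,
                                "pps" if over_pps else "bps"))
    return bursts

def constructed_samples():
    """Constructed counters: ~1 Gbps baseline plus two bursts 12 minutes apart."""
    out = []
    for t in range(1200):
        pkts, byts = 200_000, 125_000_000              # 0.2 Mpps, 1 Gbps
        if 60 <= t < 180:                              # 60-byte SYN flood
            pkts, byts = 100_000_000, 100_000_000 * 60
        elif 780 <= t < 840:                           # 1000-byte packet flood
            pkts, byts = 20_000_000, 20_000_000 * 1000
        out.append((t, pkts, byts))
    return out
```

Calling detect_bursts(constructed_samples()) returns two bursts: a 120-second one at 100 Mpps but only 48 Gbps (tripped by the pps limit) and a 60-second one at 160 Gbps but only 20 Mpps (tripped by the bps limit); avg_packet_bytes(325e9, 115e6) shows the report's largest SYN flood averaged roughly 353 bytes per packet.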
Application layer: Repeated attacks, plus one that hasn’t ceased
Similar to network layer attacks, application layer incidents also continued to shorten in duration while losing nothing in tenacity. The largest such assault mitigated in Q4 2015 was a very short, yet very intense burst that targeted a China-based online trading platform and peaked at 161,300 RPS.
Serving as an exception to the rule, the longest application layer attack lasted the entire quarter—a total of 101 days and counting (it was still going on even as this was being written).
Interestingly, the target of this assault is a relatively small US catering business.
On the one hand, this serves as a reminder that DDoS is a communal problem affecting the entire Internet ecosystem.
On the other, it represents just how easy it is to sustain a sizable application layer attack; only a few compromised devices are needed to generate enough traffic to take down a mid-sized website and keep it paralyzed for a very long duration.
Summing things up, Q4 2015 continued to see a high frequency of repeated application layer attacks, with 44.7 percent of targets being hit more than once and 18 percent assaulted more than five times.
Botnet activity: Surge in attacks against Japan and UK
Similar to previous quarters, US-based websites drew the bulk of DDoS attacks in Q4 2015, being the objective of 47.6 percent of all botnet traffic.
This time they were followed by the UK and Japan—both of which were targeted by significantly more DDoS attacks than they were in the prior quarter.
Specifically, attacks against UK-based websites rose from 2.5 percent to 23.2 percent. In Japan, they increased from 1.2 percent to 8.6 percent.
Top Targeted Countries            Top Attacking Countries
United Kingdom        23.2%       South Korea          12.6%
On the attackers’ side, China, South Korea, the US and Vietnam continued to lead the list, with variants of Nitol, PCRat and Dirtjumper being the most commonly-used attack malware.
(Table: DDoS malware type by percentage of botnet devices)
Notably, 3.7 percent of application layer assaults were reflection attacks enabled by a known flaw in the Joomla! Googlemaps plugin. This vulnerability let the perpetrator use the hosting server as a proxy for denial of service, XML injection, cross-site scripting and full-path disclosure attacks.
The plugin was patched long ago to close this hole. Still, the high number of attacks we saw suggests that many websites continue to run one of its vulnerable legacy versions.
We advise all Joomla! users who are still running Googlemaps v3.0 (or earlier) to update this plugin as soon as possible.
Bottom line: Rapid response and processing scalability
Looking at attack patterns that emerged in the second half of 2015, we saw an increase in short, repeated assaults used to wage wars of attrition against on-demand DDoS protection services. The idea behind these is to force a target to repeatedly reactivate its mitigation solutions to the point where the cure becomes almost as bad as the disease.
Clearly, countering such tactics requires DDoS protection that can be rapidly and seamlessly deployed, with a focus on near-instant time to mitigation—something vendors often struggle to provide.
We also expect to see more high-rate attacks in 2016. These will require solutions that can handle both high Mpps and Gbps counts—another rare feat for many mitigation services and appliances.
Both of these trends link to an evolution in the mitigation industry, which repeatedly displayed its capability to deal with traditional long and high-capacity DDoS threats over the course of the year. With that door now closed, perpetrators are forced to think outside of the “100Gbps box” and look for new soft spots in the security perimeter.
In the cat-and-mouse game that constitutes cyber security, it’s once again the mouse’s turn to come up with a new trick.