Search blog for

,

Q1 2016 Global DDoS Threat Landscape Report

Every distributed denial of service (DDoS) attack mitigated is an invitation for the attacker to try harder. This is the reality of DDoS protection business and the common motive for many of the trends we are observing in the DDoS threat landscape.

Today, we are sharing this information in our latest Global DDoS Threat Landscape Report, in which we analyze real-world data from thousands of attacks against our customers.

The report deals with the latest trends in network and application layer attacks, as well as the shift in activity of DDoS botnets.

>> Read the full report (no registration required)

Network layer: Multi-vector high Mpps/Gbps attacks

In our previous report we brought attention to an increasing number of high Mpps network layer DDoS floods launched against our customers. In such attacks small network packets, usually no larger than 100 bytes, are pumped out at an extremely high speed to max out the forwarding capacity of a network switches, resulting in a denial of service for legitimate users.

The rate at which packets are sent is measured in millions of packets per seconds (Mpps). In Q1 2016, such high Mpps attacks were more common than ever before.

On average, we mitigated one 50+ Mpps attack every four days, and an 80+ Mpps every eight days. Several of these attacks reached above 100 Mpps, with the largest peaking at 120+ Mpps.

We estimate that high Mpps attacks are being used as an attempt to circumvent current-gen DDoS mitigation solutions. By now, the majority of mitigation services and appliances are highly effective in dealing with high Gbps assaults. However, as perpetrators are finding out, many of the same solutions are not be as capable of dealing with high Mpps scenarios, as they weren’t designed with high packet processing rates in mind.

High rate network layer attack, peaking at over 120 Mpps

High rate network layer attack, peaking at over 120 Mpps

Interestingly, we also noticed many attackers use a combination different attack vector to mount more complex high Mpps and high Gbps assaults.

The most common scenario here was the combination of high Mpps UDP flood and bandwidth consuming DNS amplification attack. As a result, in Q1 2016, the prevalence of DNS amplification attacks grew by 6.3 percent from the last quarter.

Distribution of DDoS attack vectors, by commonness

Distribution of DDoS attack vectors, by commonness

In addition we also this leading to a noticeable increase in the amount of multi-vector attacks.

Overall, multi-vector assaults accounted for 33.9 percent of all network layer assaults, representing a 9.5 percent increase from the previous quarter. Speaking in absolute terms, the number of multi-vector assaults went from 1,326 in Q4 2015 to 1,785 in Q1 2016.

Distribution of a network layer DDoS attacks, by number of attack vectors used

Distribution of a network layer DDoS attacks, by number of attack vectors used

Application layer: Smarter DDoS bots

Like in case of network layer DDoS attacks, in the first quarter of 2016 we saw perpetrators upping their game and focusing on attack methods that could bypass security measures. This was best exemplified by an increase in the number of DDoS bots with an ability to slip through standard security challenges, commonly used to filter out attack traffic.

In Q1 2016, the number of such bots mushroomed to 36.6 percent of total bot traffic, compared to 6.1 percent in the previous quarter. Broken down, 18.9 percent were able to accept and hold cookies, while the other 17.7 percent were also able to parse JavaScript.

Such capabilities, when combined with a legitimate looking HTTP fingerprint, make malicious bots impervious to most common detection methods.

Distribution of application layer attack sessions, by bot capabilities

Distribution of application layer attack sessions, by bot capabilities

In addition to using more sophisticated bots, we also saw perpetrator explore new ways of executing application layer assaults. Most notable of these attempts was a HTTP/S POST flood, which used extremely large content-length requests to try and clog the target’s network connection.

Finally, we also saw the frequency of attacks continue to increase. In the first quarter of 2016, every other site that came under attack was targeted more than once. The number of sites that were targeted between two and five times increased from 26.7 percent to 31.8 percent.

Distribution by frequency of attacks against a target

Distribution by frequency of attacks against a target

Botnet landscape: South Korea tops the list of attacking countries

Starting from the second quarter of last year, we documented a steep increase in DDoS botnet activity out of South Korea—a trend that continued this quarter. This time, as the origin of 29.5 percent of all application layer DDoS traffic, South Korea has climbed to the top of the list of attacking countries.

Top Targeted Countries Top Attacking Countries
United States 50.3% South Korea 29.5%
United Kingdom 9.2% Russia 10.8%
Japan 6.7% Ukraine 10.1%
Ireland 5.2% Vietnam 7.6%
Canada 3.2% China 6.2%
Germany 3.1% United States 5.7%
France 2.9% Thailand 2.0%
Netherlands 2.9% Czech Republic 1.9%
Hong Kong 2.4% Colombia 1.7%
Australia 1.5% France 1.4%

A closer look at the data shows that the majority of attack traffic out of South Korea originated from Nitol (52.9 percent) and PCRat (38.2 percent) botnets. Over 38.6 percent of these attacks were launched against Japanese websites, while another 30.3 percent targeted US-hosted sites.

Interestingly, this quarter we also saw a steep increase in the use of Generic!BT malware—a known Trojan used to compromise computers running Windows OS. The Trojan was first identified in 2010, and now we see its variants being used to hijack devices all over the world.

In Q1 2016, Generic!BT variants were used in DDoS attacks from 7,756 unique IPs located in 52 countries—primarily in Eastern Europe. The majority of this activity was traced back to Russia (52.6 percent) and Ukraine (26.6 percent). This is why both appear higher than usual on the attack country list for the quarter.

>> Read the full report (no registration required)

Looking for soft-spots in mitigation solutions

In previous years, most of the attacks we saw were launched with the intent of causing extensive damage to target infrastructures. Typically these were crude, raw force floods that struck at high capacity and with minimal subtlety. Of these, more sophisticated assaults stood out as rare occurrences.

In the past few months, however, we have seen more and more attacks orchestrated with mitigation solutions in mind. The diversity of attack methods, as well as the experimentation with new attack vectors, suggest that more perpetrators are now re-prioritizing and crafting attacks to take down DDoS mitigation solutions, rather than just the target.

On the one hand, this speaks to the prevalence of DDoS protection services and appliances, which have become an integral feature in most security perimeters. On the other hand, this also illustrates the challenge that the DDoS mitigation industry is about to face—increasingly more elaborate attacks that exploit the soft-spots in its own technology.