Q2 2016 Global DDoS Threat Landscape Report

Imperva Incapsula’s latest Global DDoS Threat Landscape Report is based on our analysis of more than 15,000 network and application layer DDoS attacks mitigated during Q2 2016.

The data collected in the course of these events points to a number of recurring trends that intensify from quarter to quarter. The most noteworthy is the evolution of network layer attacks, which continue to increase in number, size and sophistication.

In addition, Q2 data shows that the US and UK continue to serve as top-priority DDoS targets.

>> Read the full report

Network Layer Attack Evolution

In Q2 2016, Incapsula mitigated 8,225 network layer assaults at an average of 575 per week. This represents an 11.3 percent quarterly increase, even after factoring in our user base growth.

Beyond the increase in sheer numbers, network attacks in Q2 also swelled in capacity. This escalation, driven by the rapid expansion of IoT botnets, served as a prelude to the most recent wave of mega barrages. As part of this trend, on June 14 we mitigated the largest attack to date on our record—peaking at 475 Gbps.

Largest network layer attack in Q2 2016 peaked at over 470 Gbps

Fig 1 – Largest network layer attack in Q2 2016 peaked at over 470 Gbps

In addition, in Q2 we saw yet another upsurge in multi-vector attacks. In these several different payloads are used to create a more complex and difficult-to-mitigate threat. Overall, multi-vector assaults accounted for 36.1 percent of all network layer events.

Largest network layer attack in Q2 2016 peaked at over 470 Gbps

Fig 2 – Distribution of network layer DDoS attacks, by number of vectors used

One of the most common combinations was the use of high rate UDP floods in conjunction with DNS amplification. Here, perpetrators attacked on two fronts at once, attempting to overwhelm switches and other edge appliances—in addition to trying to clog network pipes.

High-rate attacks, a relatively new and concerning tactic, deserve a separate mention as they continued to become more common during the quarter.

In such scenarios, abnormally powerful botnets are used to launch small TCP and UDP payloads at an extremely high rate—one which many edge appliances can’t process. The combination can bring down a network, even in the presence of an on-edge mitigation solution and without exceeding its uplink capacity.

Example of high-rate network layer attack that peaked at 180 Mpps

Fig 3 – Example of high-rate network layer attack that peaked at 180 Mpps

Generally, we consider 50 Mpps (millions of packets per second) to be a minimal criterion for a high-rate attack. In Q2 2016 we mitigated a 50+ Mpps assault every three days, compared to one every four days during the previous quarter. The largest exceeded 170 Mpps—way above what many edge appliances can handle.

>> Read the full report

22.3% of Attacks Target European Websites

In Q2 2016 Incapsula continued to see an increase in assaults against businesses in the US and UK, further solidifying their “most-attacked country” positions. The UK now has the unwanted distinction of holding the second position for the ninth month in a row.

Overall, European countries held six out of the ten positions on the top-attacked countries list. Together they accounted for 22.3 percent of all assaults.

Country DDoS Attack Traffic
United States 60.1%
United Kingdom 11.7%
Russia 5.5%
Netherlands 4.2%
Canada 3.3%
Germany 2.8%
Ireland 2.5%
Japan 2.1%
Spain 1.1%
Hong Kong 0.9%
Fig 4 – Top targeted countries

>> Read the full report

Keep your finger on the pulse

Sign up for updates from Imperva, our affiliated entities and industry news.