Global DDoS Threat Landscape

Q1 2016

Application layer attackers are growing more advanced

36.6 percent of bots knew how to pass standard security challenges, up from 6.1 percent in the previous quarter.

Network layer attacks are growing more sophisticated

Multi-vector attacks were up to 33.9 percent. Perpetrators tend to combine high Gbps and high Mpps attack vectors.

South Korea cements position as a major hub of DDoS activity

South Korea was the country of origin for 29.5 percent of all botnet activity, up from 12.6 percent in Q4 2015.

Generic!BT botnets are emerging from Eastern Europe

The majority of activity was traced back to Russia (52.6 percent) and Ukraine (26.6 percent).

Overview

In the first quarter of 2016, we saw perpetrators experiment with elaborate tools and attack methods to carry out DDoS and DoS assaults.

In the case of application layer attacks, this resulted in the expanded use of browser-like DDoS bots capable of bypassing standard security challenges. The use of these bots increased to a record breaking 36.6 percent, up from 6.1 percent in the previous quarter.

In addition, we also saw perpetrators exploring uncommon attack methods, including the use of upload scripts to mount a multi-gigabit POST flood attack.

In the case of network layer attacks, the trend translated into the increased use of high Mpps assaults, similar to the ones we reported on last quarter. In such attacks small network packets, usually no larger than 100 bytes, are pumped out at an extremely high rate to exhaust the forwarding capacity of network switches and routers, resulting in a denial of service for legitimate users.

The rate at which attack packets are sent is measured in Mpps (millions of packets per second). On average, in Q1 2016, we mitigated a 50+ Mpps attack every four days and an 80+ Mpps attack every eight days. Several of these reached above 100 Mpps.
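The figures above are easier to interpret once packet rate and bandwidth are tied together. The following is an added example, not part of the Imperva report, that models the two with standard Ethernet framing constants (64-byte minimum frame, 20 bytes of preamble and inter-frame gap per frame) and works through the report's own headline numbers; the frame sizes assumed for each attack are labelled as assumptions in the code.

```python
# Added example (not from the Imperva report): how packet rate (pps) and
# bandwidth (bps) relate for small-packet floods. Ethernet constants are the
# standard ones; attack figures are the ones the report quotes.

ETH_MIN_FRAME_BYTES = 64      # runt frames are padded to this size (incl. FCS)
ETH_WIRE_OVERHEAD_BYTES = 20  # preamble + SFD (8) and inter-frame gap (12)


def wire_bytes(frame_bytes):
    """Bytes one frame occupies on the wire: padded frame plus preamble and gap."""
    return max(frame_bytes, ETH_MIN_FRAME_BYTES) + ETH_WIRE_OVERHEAD_BYTES


def gbps_from_pps(pps, frame_bytes):
    """Bandwidth a flood of `pps` frames of `frame_bytes` consumes, in Gbit/s."""
    return pps * wire_bytes(frame_bytes) * 8 / 1e9


def pps_from_gbps(gbps, frame_bytes):
    """Packet rate needed to fill `gbps` with frames of `frame_bytes`."""
    return gbps * 1e9 / 8 / wire_bytes(frame_bytes)


def line_rate_mpps(link_gbps, frame_bytes=ETH_MIN_FRAME_BYTES):
    """Highest packet rate a link can carry, in Mpps (the classic forwarding benchmark)."""
    return pps_from_gbps(link_gbps, frame_bytes) / 1e6


def compare_attacks():
    """The report's two headline network attacks side by side (frame sizes are assumptions)."""
    return {
        # 200+ Gbps volumetric attack, assuming MTU-sized 1500-byte frames
        "200 Gbps @ 1500 B": {"gbps": 200.0, "mpps": pps_from_gbps(200, 1500) / 1e6},
        # 120+ Mpps attack at the report's 'no larger than 100 bytes'
        "120 Mpps @ 100 B": {"gbps": gbps_from_pps(120e6, 100), "mpps": 120.0},
        # the same packet rate at minimum frame size
        "120 Mpps @ 64 B": {"gbps": gbps_from_pps(120e6, 64), "mpps": 120.0},
    }


if __name__ == "__main__":
    for link in (10, 40, 100):
        print(f"{link:>3} GbE line rate at 64-byte frames: {line_rate_mpps(link):.2f} Mpps")
    for name, v in compare_attacks().items():
        print(f"{name:>18}: {v['gbps']:7.1f} Gbps  {v['mpps']:6.1f} Mpps")
```

The output makes the point of the paragraph concrete: a 200 Gbps flood of full-size frames is only about 16 Mpps, while a 120 Mpps flood of 100-byte packets is "just" 115 Gbps yet exceeds the 64-byte line rate of a 40 GbE port several times over, so it is the packet-forwarding budget, not the bandwidth, that a device runs out of first.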

On the botnet side, the most notable occurrence was a steep increase in DDoS traffic out of South Korea, making it the country of origin for 29.5 percent of botnet activity. The majority of these assaults were aimed at websites hosted in Japan and the US.

We also documented the emergence of new botnet(s) that were comprised of Windows OS devices infected with Generic!BT malware.

Highlights

Network Layer Attacks

  • Longest attack lasted 48.5 hours
  • Largest attack peaked at 200+ gigabits per second
  • Highest attack rate was 120+ million packets per second
  • Multi-vector attacks were up to 33.9 percent
  • Most multi-vector attacks combined UDP floods with DNS amp

Application Layer Attacks

  • Longest attack has lasted for 36 days (and is ongoing)
  • Largest attack peaked at 100,100 requests per second
  • 18.9 percent of DDoS bots could bypass cookie challenges
  • 17.7 percent of bots could bypass both cookie and JS challenges
  • 49.9 percent of targets suffered repeated attacks

DDoS Botnet Activity

  • 29.5 percent of all botnet activity originated out of South Korea
  • Generic!BT botnets emerged in Eastern Europe
  • DDoS bots masking as Chrome and Firefox became much more common
  • Assaults on US-hosted sites went up to 50.3 percent

Network Layer Attacks

Overview

In the first 60 days of Q1 2016, Imperva Incapsula mitigated 3,791 network layer attacks. This represented a 30.9 percent decrease from Q4 2015 after factoring in growth to our user base. The decrease reflects the usual drop-off after the last quarter of the year, during which high-profile retail events (e.g., Cyber Monday) lead to an increase in DDoS activity.

This quarter we continued to encounter multiple 100+ Gbps assaults, the largest of which peaked at over 200 Gbps. More alarmingly, the majority were high Mpps attacks using small network packets. At times, these attacks reached above 100 Mpps, with the largest peaking at 120+ Mpps.

Largest network layer attack in Q1 2016, peaking at over 200 Gbps

In our last report we warned of an increase in frequency of such high Mpps attacks, which aim to exploit the forwarding rate limits of network routers, switches and mitigation solutions.

This quarter, these attacks became even more common, with a 50+ Mpps attack occurring every four days and an 80+ Mpps assault recorded every eight days, on average.

High rate network layer attack, peaking at over 120 Mpps

Finally, we also saw a significant increase in the amount of multi-vector attacks, which went up to 33.9 percent from 22.4 percent in the previous quarter.

Typically, these assaults combine high Gbps and high Mpps attack vectors.

Attack Duration

Distribution of network layer DDoS attacks, by duration

In Q1 2016, we continued to see similar patterns from last quarter in network attack durations, with 99.4 percent lasting under six hours. Like before, many of these were part of larger hit-and-run assaults in which repeated attacks were periodically launched against the same target.

This method—using multiple short bursts to apply continuous pressure on a target—is meant to exploit the inherent weaknesses of many on-demand DDoS mitigation solutions, which may require several minutes to deploy after each activation.

Against such solutions, a war of attrition with short repeated bursts is often found to be the most effective tactic.

Attack Vectors

Distribution of DDoS attack vectors, by commonness

While durational patterns remained unchanged from last quarter, there were several notable shifts in methods used to launch network layer attacks.

In Q1 2016 we saw a noticeable increase in DNS amplification attacks, which grew by 6.3 percent since the last quarter.

When amplification vectors were used, they were often employed in conjunction with high Mpps attacks (e.g., SYN and UDP floods). With a combination of high Gbps amplified attacks and high Mpps non-amplified floods, perpetrators were hoping to improve their chances—testing both the bandwidth capacity and processing capabilities of our scrubbers.

Multi-Vector Attacks

In Q1 2016 we saw an interesting trend reversal, with a noticeable increase in the amount of multi-vector DDoS threats.

Overall, multi-vector attacks accounted for 33.9 percent of all network layer assaults, up from 22.4 percent in the previous quarter. Amongst these, the share of DDoS assaults using five attack vectors grew from 2.5 percent to 3.7 percent. In absolute terms, the number of multi-vector assaults went from 1,326 in Q4 2015 to 1,785 in Q1 2016.

1 vector
66.1%
2 vector
18.3%
3 vector
7.9%
4 vector
3.9%
5+ vector
3.8%
Distribution of a network layer DDoS attacks, by number of attack vectors used

The most common combination was DNS amplification used in conjunction with UDP floods. These accounted for 17.1 percent of all assaults mitigated this quarter, or 70 percent of all multi-vector attacks.

This signifies increased sophistication on the part of more advanced offenders. However, the majority of network layer attacks are still single-vector assaults launched by non-professional perpetrators using DDoS-for-hire (a.k.a. stresser and booter) services.

Application Layer Attacks

In the first 60 days of Q1 2016, Imperva Incapsula mitigated 5,267 application layer attacks, representing a 28.6 percent decrease from the previous quarter. This calculation was made after factoring in the growth of our user base. As mentioned above, the decrease is to be expected, as the last quarter of the year is known to be the peak time for DDoS activity.

However, the assaults we encountered this quarter were significantly more sophisticated. This was evident in the record share of DDoS bots displaying browser-like capabilities: 36.6 percent of bot sessions were able to bypass a cookie-based security challenge, a JavaScript challenge, or both.

The largest application layer attack in Q1 peaked at 100,100 RPS, while the longest attack lasted for 36 days (and counting). The target, once again, was a relatively small site—a WordPress blog filled with Middle-Eastern cuisine recipes.

Largest application layer attack this past quarter, peaking at 100,100 RPS

As a whole, application layer attacks mitigated in Q1 2016 were also noticeably longer, with 87.8 percent lasting over 30 minutes—an 11.4 percent increase from last quarter. The attacks were also more frequent than before, with 49.9 percent of targets suffering repeated attacks and 18.1 percent attacked more than five times.

Attack Duration and Frequency

Distribution of application layer DDoS attacks, by duration

In Q1 2016, the majority (65 percent) of application layer attacks lasted between 30 minutes and 3 hours. This represented a 7.6 percent increase from the previous quarter.

Frequency wise, we continued to see an increase in repeat attacks. This quarter, every other site that came under attack was targeted more than once. The number of sites that were targeted between two and five times increased from 26.7 percent to 31.8 percent.

Single Attack
50.1%
2-5 Attacks
31.8%
6-10 Attacks
7.2%
More than 10
10.9%
Distribution by frequency of attacks against a target

DDoS Bots Capabilities

One of the most alarming trends in Q1 2016 was the increased sophistication of the DDoS bot population. In Q1 2016, the number of DDoS bots that possessed browser-like capabilities mushroomed to 36.6 percent of total bot traffic, compared to 6.1 percent in the prior quarter.

Broken down, 18.9 percent of bots were able to accept and hold cookies, and a further 17.7 percent were also able to parse JavaScript. Such capabilities, when combined with a legitimate-looking HTTP fingerprint, let malicious bots slip past most common detection methods.

JS + Cookies
17.7%
Only Cookies
18.9%
Primitive
63.4%
Distribution of application layer attack sessions, by bot capabilities

This can substantially limit mitigation options, forcing either an indiscriminate use of CAPTCHAs or—preferably—an adoption of adaptive techniques that rely on behavior analysis and IP reputation data.

In addition to using more capable DDoS bots, we also saw perpetrators explore new ways of executing application layer assaults, again in an effort to regain the advantage in the cat-and-mouse game of DDoS mitigation.

Most notable of these was an HTTP/S POST flood whose requests declared an extremely large Content-Length, in an attempt to clog the target's network connection with request bodies: a known but very rarely used method.
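A server that trusts the declared Content-Length will commit to reading (and often buffering) the whole body before the application sees the request, which is exactly what such a flood relies on. The following is an added example, not code from the report or from Incapsula, showing the naive behaviour beside a hardened pre-check that validates Content-Length and applies a size cap before a single body byte is read; the request paths, hostnames, size caps and sample requests are constructed for the example.

```python
# Added example (not from the Imperva report): refusing a large-Content-Length
# POST before any body is read. Paths, hostnames and the size caps are assumptions.

MAX_HEAD_BYTES = 8 * 1024          # assumption: cap on request line + headers
MAX_BODY_BYTES = 1 * 1024 * 1024   # assumption: 1 MiB body cap for this endpoint


class RequestRejected(Exception):
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def parse_head(raw):
    """Split the request head off the connection buffer and parse its headers."""
    end = raw.find(b"\r\n\r\n")
    if end < 0 or end > MAX_HEAD_BYTES:
        # no complete head yet: reject outright if it is already too large
        raise RequestRejected(431 if len(raw) > MAX_HEAD_BYTES else 400, "bad or oversized head")
    lines = raw[:end].decode("latin-1").split("\r\n")
    request_line, headers = lines[0], {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise RequestRejected(400, "malformed header line")
        name = name.strip().lower()
        if name == "content-length" and name in headers:
            raise RequestRejected(400, "duplicate Content-Length")
        headers[name] = value.strip()
    return request_line, headers


def naive_bytes_to_read(headers):
    """What a server that trusts Content-Length will try to read: the whole declared body."""
    return int(headers.get("content-length", "0"))


def admitted_bytes(headers, max_body=MAX_BODY_BYTES):
    """Hardened form: validate Content-Length and apply the cap before reading the body."""
    value = headers.get("content-length")
    if value is None:
        return 0
    if not (value.isascii() and value.isdigit()):
        raise RequestRejected(400, "malformed Content-Length")
    declared = int(value)
    if declared > max_body:
        raise RequestRejected(413, f"declared body {declared} > cap {max_body}")
    return declared


def triage(raw, max_body=MAX_BODY_BYTES):
    """Return (status, bytes_to_read): 200 means 'go ahead and read this many body bytes'."""
    try:
        _, headers = parse_head(raw)
        return 200, admitted_bytes(headers, max_body)
    except RequestRejected as err:
        return err.status, 0


# Constructed requests: a flood-style POST declaring a 4 GiB body, a normal one,
# and one with an unparseable length.
FLOOD_POST = (b"POST /upload.php HTTP/1.1\r\nHost: target.example\r\n"
              b"Content-Length: 4294967296\r\nContent-Type: application/octet-stream\r\n\r\n"
              + b"A" * 16)
NORMAL_POST = (b"POST /upload.php HTTP/1.1\r\nHost: target.example\r\n"
               b"Content-Length: 11\r\n\r\nhello=world")
MALFORMED_POST = b"POST / HTTP/1.1\r\nHost: target.example\r\nContent-Length: 10, 20\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("flood", FLOOD_POST), ("normal", NORMAL_POST), ("malformed", MALFORMED_POST)):
        print(label, triage(req))
```

The naive path would attempt to read 4 GiB per connection for the flood request; the hardened path answers 413 and can close the connection after reading only the head. In a real deployment the cap belongs at the edge (reverse proxy or scrubber) as well as in the application, and the per-connection read should also carry a deadline so a slowly delivered body cannot hold the socket open indefinitely.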

Assumed Impersonators

Internet Explorer 30.7%
Chrome 20.1%
Firefox 17.7%
Opera 5.0%
Mobile Safari 4.1%
Yandex Bot 2.8%
Googlebot 2.1%
Safari 1.9%
Identities used by DDoS bots, by commonness

Throughout 2015, over 70 percent of DDoS attackers used bots with these "generic" identities. This quarter, however, we saw attackers attempting to mask their DDoS assaults using a higher variety of fake user-agents.

This was most likely done in an attempt to bypass bare bones filtering mechanisms, built to weed out DDoS bots based on the content of their HTTP headers. It should be noted that such techniques are mostly ineffective against commercial-grade solutions.

This does, however, show that attackers are updating their tools, both by improving their bots’ capabilities and by recrafting their HTTP signatures.
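To make the capability classes above and the point about User-Agent masking concrete, the following is an added example, not code from the report or from Incapsula: a cookie challenge followed by a JavaScript challenge, run against three simulated bots that all present a Chrome User-Agent, alongside the bare-bones header filter the report says such bots defeat. The signing key, the toy one-expression "script" that stands in for real JavaScript, the client identifiers and the User-Agent string are assumptions made for the example.

```python
# Added example (not from the Imperva report): a cookie challenge followed by a
# JavaScript challenge, run against three simulated bots, plus the bare-bones
# User-Agent filter the report says such bots defeat. The key, the toy
# "script" format and the Chrome User-Agent string are assumptions.
import hashlib
import hmac
import secrets
from collections import Counter

SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/48.0 Safari/537.36"


def _sign(message):
    return hmac.new(SERVER_KEY, message.encode(), hashlib.sha256).hexdigest()


def issue_cookie(client_id):
    """Cookie challenge: a signed token bound to the client that must be sent back unchanged."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_sign(f'cookie:{client_id}:{nonce}')}"


def verify_cookie(client_id, cookie):
    if not cookie or "." not in cookie:
        return False
    nonce, sig = cookie.rsplit(".", 1)
    return hmac.compare_digest(sig, _sign(f"cookie:{client_id}:{nonce}"))


def js_challenge(nonce):
    """JS challenge as served to the client. A toy one-expression 'language' stands in
    for real JavaScript so the example needs no JS engine: answer = sha256(nonce + client_id)."""
    return f"sha256({nonce}+client_id)"


def verify_js_answer(client_id, nonce, answer):
    expected = hashlib.sha256((nonce + client_id).encode()).hexdigest()
    return answer is not None and hmac.compare_digest(answer, expected)


class PrimitiveBot:
    """Sends a browser User-Agent but keeps no cookies and runs no script."""
    user_agent = CHROME_UA

    def __init__(self):
        self.jar = {}

    def on_set_cookie(self, cookie):
        pass                       # cookie discarded

    def cookie(self):
        return None

    def run_script(self, script, client_id):
        return None                # cannot execute JavaScript


class CookieBot(PrimitiveBot):
    """Stores and replays cookies, still cannot execute JavaScript."""
    def on_set_cookie(self, cookie):
        self.jar["challenge"] = cookie

    def cookie(self):
        return self.jar.get("challenge")


class HeadlessBrowserBot(CookieBot):
    """Evaluates the served script, as a headless browser would."""
    def run_script(self, script, client_id):
        nonce = script[len("sha256("):script.index("+")]
        return hashlib.sha256((nonce + client_id).encode()).hexdigest()


def header_filter_blocks(user_agent):
    """Bare-bones filter: drop anything whose User-Agent does not look like a browser."""
    return not user_agent.startswith("Mozilla/")


def classify_session(bot, client_id):
    """Run the two challenges against one client and label its capability class."""
    bot.on_set_cookie(issue_cookie(client_id))          # response 1: Set-Cookie
    if not verify_cookie(client_id, bot.cookie()):      # request 2: cookie must come back
        return "primitive"
    nonce = secrets.token_hex(8)
    answer = bot.run_script(js_challenge(nonce), client_id)   # response 2: script served
    if verify_js_answer(client_id, nonce, answer):      # request 3: computed answer
        return "js_and_cookies"
    return "cookies_only"


def tally(labels):
    """Percentage breakdown of session labels, one decimal, like the report's chart."""
    counts = Counter(labels)
    total = sum(counts.values())
    return {label: round(100 * n / total, 1) for label, n in counts.items()}


if __name__ == "__main__":
    for bot in (PrimitiveBot(), CookieBot(), HeadlessBrowserBot()):
        print(type(bot).__name__, "UA filter blocks:", header_filter_blocks(bot.user_agent),
              "class:", classify_session(bot, "203.0.113.7"))
```

All three bots sail through the User-Agent filter, which is why header-based filtering alone is ineffective; the cookie and script challenges separate the primitive and cookie-only populations, while the headless-browser bot passes both and can only be told apart by the behavioural and reputation signals mentioned above.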

Botnet Activity and Geolocation

Top Targeting and Attacking Countries


South Korea 29.5%
Russia 10.8%
Ukraine 10.1%
Vietnam 7.6%
China 6.2%
United States 5.7%
Thailand 2.0%
Czech Republic 1.9%
Colombia 1.7%
France 1.4%
Top attacking countries, by share of DDoS botnet activity

One of the more surprising trends observed in Q1 2016 was a steep increase in botnet activity from South Korea—the country of origin for 29.5 percent of all such activity.

In previous reports, South Korea was identified as one of the major hubs of DDoS botnet activity. In fact, for the past six months it has repeatedly ranked second in the top attacking country list, with 9.4 percent in Q3 2015 and 12.6 percent in Q4 2015. This is, however, the first time we have seen it leading the chart.

A closer look at the data shows that the majority of attack traffic out of South Korea originated from Nitol (52.9 percent) and PCRat (38.2 percent) botnets. 38.6 percent of these attacks were launched against Japanese websites, while another 30.3 percent targeted US-hosted sites.

In the coming months, we plan on keeping a close eye on the spread of botnet activity in South Korea. One of our goals is to understand how it relates to the evolution of DDoS bot capabilities, which was described in the previous section of this report.

Most Active Botnets

Malware types used in DDoS attacks, by commonness

As in last quarter, Nitol leads the list for the most commonly used DDoS malware. In this quarter we saw Nitol botnet activity increase from 33.3 percent to 44.4 percent. As mentioned, this growth was fueled by an increase in botnet activity in South Korea, where Nitol seems to be the preferred weapon-of-choice for offenders and botnet “shepherds”.

Interestingly, this quarter we also saw a steep increase in the use of Generic!BT bot—a known Trojan used to compromise computers running Windows OS. The Trojan was first identified in 2010, and now we see its variants being used to hijack devices all over the world.

In Q1 2016, Generic!BT variants were used in DDoS attacks from 7,756 unique IPs located in 52 countries—primarily in Eastern Europe. The majority of this activity was traced back to Russia (52.6 percent) and Ukraine (26.6 percent). This is why both appear higher than usual on the attack country list for the quarter.

Methodology

Our analysis is based on data from 3,791 network layer and 5,267 application layer DDoS attacks on websites using Imperva Incapsula services from January 1, 2016 through February 29, 2016, which is referred to in this report as the first quarter of 2016 or Q1 2016. Information about DDoS bot capabilities and assumed identities comes from a random sample of 5.35 billion DDoS bot sessions collected from such attacks over the same period.

An attack is defined as a persistent DDoS event against the same target (IP address or domain). It is preceded by a quiet (attack-free) period of at least ten minutes and followed by another attack-free period of the same duration or longer.
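The ten-minute rule above is what turns a stream of detector hits into the attack counts, duration buckets and per-target frequency figures used throughout this report, and it is also what makes the hit-and-run pattern described under Attack Duration visible. The following is an added example, not code from the report or from Incapsula, that applies the rule to a constructed per-minute timeline, buckets the results the way the duration and frequency charts do, and estimates how much of each burst an on-demand mitigation service with a fixed activation delay leaves unmitigated. The target names, the sample timeline, the duration bucket edges, the hit-and-run heuristic and the activation delay are assumptions.

```python
# Added example (not from the Imperva report): segmenting per-minute attack
# observations into attacks with the report's ten-minute quiet-period rule,
# bucketing duration and per-target frequency as the report's charts do, and
# estimating the share of each burst an on-demand scrubber with a fixed
# activation delay leaves unmitigated. Targets, timeline, bucket edges, the
# hit-and-run heuristic and the activation delay are assumptions.
from collections import defaultdict
from dataclasses import dataclass

QUIET_MINUTES = 10   # report methodology: attacks are separated by >= 10 quiet minutes


@dataclass
class Attack:
    target: str
    start_min: int
    end_min: int

    @property
    def duration_min(self):
        return self.end_min - self.start_min + 1


def segment_attacks(events, quiet_minutes=QUIET_MINUTES):
    """events: iterable of (target, minute) for minutes in which attack traffic was seen."""
    by_target = defaultdict(set)
    for target, minute in events:
        by_target[target].add(minute)
    attacks = {}
    for target, minutes in by_target.items():
        runs = []
        for minute in sorted(minutes):
            # a gap of more than quiet_minutes between hot minutes means at least
            # quiet_minutes fully quiet minutes in between: start a new attack
            if runs and minute - runs[-1].end_min <= quiet_minutes:
                runs[-1].end_min = minute
            else:
                runs.append(Attack(target, minute, minute))
        attacks[target] = runs
    return attacks


def duration_bucket(minutes):   # bucket edges are assumptions
    if minutes < 30:
        return "under 30 min"
    if minutes < 180:
        return "30 min to 3 h"
    if minutes < 360:
        return "3 to 6 h"
    return "6 h or more"


def frequency_bucket(n_attacks):   # buckets as in the report's frequency chart
    if n_attacks == 1:
        return "single"
    if n_attacks <= 5:
        return "2-5"
    if n_attacks <= 10:
        return "6-10"
    return "more than 10"


def unmitigated_fraction(attacks, activation_delay_min):
    """Share of attack minutes that elapse before an on-demand scrubber needing
    `activation_delay_min` to engage after each trigger is actually in place."""
    total = sum(a.duration_min for a in attacks)
    exposed = sum(min(a.duration_min, activation_delay_min) for a in attacks)
    return exposed / total if total else 0.0


def summarize(events, hit_and_run_min_bursts=3, activation_delay_min=5):
    attacks = segment_attacks(events)
    duration, frequency, hit_and_run = defaultdict(int), defaultdict(int), []
    for target, runs in attacks.items():
        frequency[frequency_bucket(len(runs))] += 1
        for a in runs:
            duration[duration_bucket(a.duration_min)] += 1
        # heuristic (assumption): repeated short bursts against one target
        if len(runs) >= hit_and_run_min_bursts and all(a.duration_min < 30 for a in runs):
            hit_and_run.append(target)
    exposure = {t: round(unmitigated_fraction(r, activation_delay_min), 3) for t, r in attacks.items()}
    return {"duration": dict(duration), "frequency": dict(frequency),
            "hit_and_run": sorted(hit_and_run), "exposure": exposure}


def hot(target, first, last):
    """Constructed helper: one event per minute in [first, last]."""
    return [(target, m) for m in range(first, last + 1)]


# Constructed timeline (minutes since the start of observation)
SAMPLE_EVENTS = (
    hot("shop.example", 0, 14) + hot("shop.example", 40, 52)
    + hot("shop.example", 80, 95) + hot("shop.example", 130, 135)   # four short bursts
    + hot("blog.example", 0, 99) + hot("blog.example", 105, 299)    # one 5-hour attack with a 5-minute dip
    + hot("api.example", 0, 20) + hot("api.example", 31, 45)        # exactly ten quiet minutes: two attacks
)

if __name__ == "__main__":
    for target, runs in segment_attacks(SAMPLE_EVENTS).items():
        print(target, [(a.start_min, a.end_min, a.duration_min) for a in runs])
    print(summarize(SAMPLE_EVENTS))
```

With a five-minute activation delay the four-burst target spends 40 percent of its attack minutes unprotected, against under 2 percent for the single five-hour attack; that asymmetry is the reason short repeated bursts are effective against on-demand mitigation, and why an always-on deployment removes the incentive.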

The following study also makes a distinction between two different DDoS event types: network layer and application layer attacks. These definitions refer to the OSI model, which describes data transmission as a stack of seven layers. Network layer attacks target the network and transport layers (OSI layers 3 and 4). Such high-volume assaults can saturate a network by consuming much of the available bandwidth, and are typically measured in Gbps (gigabits per second), i.e., by the bandwidth they consume.

Application layer attacks target OSI layer 7. Unlike their network layer counterparts, they can bring down a server by overwhelming its processing resources (e.g., CPU) with a high number of requests. Application layer assaults are measured in RPS (requests per second), i.e., by the number of processing tasks initiated per second. They are executed by bots, automated clients that can complete a TCP handshake and interact with the targeted application.