Global DDoS Threat Landscape

Global DDoS Threat Landscape
Q2 2016

Attackers prefer network layer assaults

Network layer attacks are up by 66.7 percent.

22.3 percent of attacks target European websites

The UK is the second most attacked country for three quarters in a row.

Network layer attacks grow more complex

Multi-vector attacks hit a new high, accounting for 36.1 percent of all network layer assaults.

High rate attacks become even more common

On average, a 50+ Mpps event occurred every three days.

Overview

Above all else, the DDoS threat landscape of Q2 2016 was characterized by the evolution of network layer attacks that grew in size, number and sophistication.

During this period Imperva Incapsula saw network layer attacks increase by 11.34 percent over the previous quarter and the number of multi-vector assaults climb to a record-high 36.1 percent.

This was also the quarter that we faced the largest network layer attack on our records, which peaked at 470 Gbps (gigabits per second). During that event, like in many other complex assaults, we saw attackers use small payloads to achieve a high packet forwarding rate—a dangerous new tactic that continues to become more common. In Q2 2016, we observed an ever-increasing frequency of such high rate assaults. On average, we mitigated a 50+ Mpps (millions of packets per second) attack every three days, compared to one every four days in the previous quarter.

Incapsula also witnessed a continuation of several trends, including the prevalence of DDoS attacks against UK-based sites. In Q2 2016, the UK was targeted by 11.7 percent of all application layer assaults, making it the second-most attacked country for the ninth month in a row.

Highlights

Network Layer Attacks

  • Largest attack peaked at over 470 Gbps
  • Number of assaults increased by 66.7 percent
  • Multi-vector attacks hit record high
  • High-rate occurrences became more common

Application Layer Attacks

  • Largest attack peaked at 108,288 RPS
  • Longest event persisted over 67 consecutive days
  • 59 percent of assaults lasted under 30 minutes
  • Signs point to an increased number of “casual” offenders

DDoS Botnet Activity

  • US and UK continue top the chart as the most targeted countries
  • China reclaimed first spot on the ‘attacking country’ list
  • 80 percent of all assault requests originated from APAC
  • Nitol botnet was used in 67 percent of events

Network Layer Attacks

In Q2 2016, Incapsula mitigated 7,389 network layer attacks at an average of 567 per week. This is an 66.7 percent increase from Q1 2016 after factoring in growth to our user base.

The most notable network layer event this quarter was a massive 470Gbps assault that occurred on June 14. Targeting a Chinese gambling site, it developed into a complex nine-vector attack; a full analysis appears in this blog post.

Largest network layer attack in Q2 2016 peaked at over 470 Gbps Largest network layer attack in Q2 2016 peaked at over 470 Gbps

Among other things, the assault was characterized by the use of small payloads—a tactic Incapsula repeatedly warned against in our previous reports. The main purpose of such attacks is to take down mitigation services by sending out a rapid burst of packets at a rate many anti-DDoS appliances can’t handle.

In this reporting period, such high rate attacks continued to become more common. On average, we mitigated a 50+ Mpps occurrence every three days, compared to one every four days in the previous quarter. Of these, 44.8 percent had exceeded 80 Mpps, with the two largest assaults peaking above 170 Mpps.

Example of high-rate network layer attack that peaked at 180 Mpps Example of high-rate network layer attack that peaked at 180 Mpps

We also saw an increase in network layer attack duration—13 percent lasted over an hour, compared to 7 percent in the previous quarter. The longest of these persisted for more than ten days in a row.

Attack Duration

Distribution of network layer DDoS attacks, by duration

The majority of attacks continued to last under an hour, mostly due to the unremitting use of hit-and-run tactics, in which short bursts are repeatedly launched against the same target.

On the other side of the spectrum, however, there was also a notable increase in the amount of prolonged assaults. Specifically, the number of attacks lasting for over an hour grew to 13 percent, a six percent increase over the prior quarter. This is also the highest that number has been since July 2015.

Drilling down, much of the uptrend is driven by the prevalence of events lasting over six hours. If this number continues to grow, it could point to a shift back toward persistent DDoS assaults, the likes of which were rarely seen in the past year.

Attack Vectors

Distribution of network layer DDoS attacks, by attack vector

Zooming in, Incapsula continues to see perpetrators using a wide variety of payloads (packets) to carry out network layer assaults.

This reflects the increasing prevalence of multi-vector attacks, in which several different payloads are used to create a more complex threat. The mitigation of these attacks requires the use of multiple resources and filtering capabilities.

One of the most common examples uses TCP or UDP floods in conjunction with a large payload. The latter comprising a flood of large SYN packets or a DNS amplification assault. The result is a rapid rate and high-capacity offensive that can overwhelm switches and other on-edge appliances, in addition to clogging network pipes.

Multi-Vector Attacks

In Q2 2016, multi-vector attacks have risen to 36.1 percent from 33.7 percent in the prior quarter and 24.4 percent in Q4 2015. This points to a clear trend in the increase of multi-vector usage. Most of the increase is driven by the pervasiveness of the most complex assaults, in which offenders used five or more different payloads.

For the second quarter in a row we also continued to see a high number of eight and nine vector attacks—previously considered a rare occurrence. Overall, these accounted for a record 0.6 percent of all network layer assaults.

1 vector
63.9%
2 vector
19.1%
3 vector
8.0%
4 vector
4.4%
5+ vector
4.6%
Distribution of a network layer DDoS attacks, by number of attack vectors used

The most common combination was an attack using DNS amplification in conjunction with UDP floods. They accounted for 17.1 of all assaults mitigated this quarter, or 70 percent of all multi-vector attacks.

This signifies increased sophistication on the part of more advanced offenders. However, the majority of network layer attacks are still single vector assaults launched by non-professional perpetrators using DDoS-for-hire (a.k.a. stresser and booter) services.

Application Layer Attacks

In Q2 2016, Incapsula mitigated 8,225 application layer attacks at an average of 630 per week. This is a 28 percent increase from Q1 2016 after factoring in growth to our user base, as over 18.9 percent of these events targeted new customers.

The largest attack peaked at 108,288 RPS (requests per second), making it the biggest of the year so far.

Largest application layer attack peaked at 108,288 RPS Largest application layer attack peaked at 108,288 RPS

During this quarter we mitigated the longest application attack of the year, which lasted for 67 days straight. After a while, however, we saw application layer attacks become shorter in duration. In Q2 2016 only 25.1 percent of events lasted for more than an hour, compared to 49.1 in the prior quarter.

Attack Duration and Frequency

Distribution of application layer DDoS attacks, by duration

In Q2 we observed a steep increase in short application layer DDoS bursts, which lasted under 30 minutes. The number of these increased to 59 percent, from 12.2 percent in the previous quarter. At the same time, we saw a slight decrease in frequency, with the number of repeated attacks dropping to 43.2 percent, from 49.9 percent in the previous quarter.

These two trends are a result of “casual” assaults undertaken by insufficiently motivated perpetrators. These are mostly non-professionals, using widely available DDoS attack software to launch application layer floods out of spite, hooliganism or plain boredom. The commonality of such occurrences is a reminder of just how easy it is to mount an application layer attack and how equally easy it is to become its target.

Single Attack
56.8%
2-5 Attacks
27.8%
6-10 Attacks
6.6%
More than 10
8.8%
Distribution by frequency of attacks against a target

DDoS bot capabilities and assumed identities

In the previous quarter Incapsula saw an alarming amount of activity from headless browser DDoS bots, able to bypass security challenges that test for basic browser capabilities (e.g., ability to parse JS).

In Q1 2016 such bots accounted for 36.6 percent of all DDoS application attack requests. This quarter, however, we saw this number recede to 8.4 percent—closer to what it was in Q4 2015. This leads us to believe that the peak seen in the prior quarter is connected to the activity of a specific botnet, which was not used to target our customers in Q2 2016.

JS + Cookies
3.1%
Only Cookies
5.3%
Primitive
91.6%
Distribution of application layer attack sessions, by bot capabilities

Notably, in August 2016, after this report data was collected, we mitigated another wave of attacks from just such a headless browser botnet, consisting of mobile Android devices able to bypass commonplace security challenges.

Assumed Impersonators

Internet Explorer 65.4%
Baidu Spider 9.6%
Firefox 7.0%
Chrome 5.6%
Googlebot 5.4%
Opera 0.2%
MSN/Bing Bot 0.1%
Identities used by DDoS bots, by commonness

DDoS bots used fake user-agents to impersonate legitimate tools and browsers. In Q2 2016 the majority of these impersonators assumed the identities of Microsoft’s IE browser and the Baidu search engine crawler bot. The latter is likely related to an increase in attack traffic from China (see below), where fake Baidu bots are a common choice for DDoS offenders.

Botnet Activity and Geolocation

Top Targeting and Attacking Countries


China 53.4%
Taiwan 6.8%
South Korea 6.6%
Vietnam 5.4%
United States 3.1%
Indonesia 2.3%
Thailand 2.1%
Morocco 1.9%
Egypt 1.7%
Algeria 1.6%

In Q2 2016 we continued to see an increase in attacks against businesses in the UK and US, which further solidified their positions as the most attacked countries.

China also regained its leading position in Q2 as the source of most DDoS traffic, due to a wave of assaults from Nitol botnets—common to the region. Overall, APAC counties were the source of 80 percent of all DDoS requests. This, despite being on the receiving end of only 3.8 of assaults.

This situation is different from that of European countries, which were the target for 22.3 of all assaults but sourced only 4.6 percent of attack traffic.

Most Active Botnets

Malware types used in DDoS attacks, by commonness

For the third quarter in a row Nitol (a different variant) continued to be the most common malware type used in DDoS attacks. In Q2 2016, Nitol botnets generated over 16.7 billion assault requests against Incapsula-protected domains, accounting for 67 percent of all application layer attack traffic. Moreover, over the span of the quarter, we recorded 345,088 IP addresses belonging to Nitol-infected devices.

Want to learn more about
Incapsula DDoS protection?

Contact us

Methodology

Our analysis is based on data from 7,389 network layer and 8,225 application layer DDoS attacks on websites using Imperva Incapsula services from April 1, 2016, through June 30, 2016—referred to herein as the second quarter of 2016 or Q2 2016.

Information about DDoS bot capabilities and assumed identities comes from a random sample of 24.9 billion DDoS bot requests collected from such attacks over the same period.

Definitions

DDoS attack – A persistent, distributed denial of service event against the same target (e.g., IP address or domain). It’s usually preceded by a quiet (attack-free) period of at least ten minutes, and followed by another quiet period of the same duration or longer.

Network layer attack – An assault against either the network or transport layers (OSI layers 3 and 4). Its goal is to cause network saturation by expending much of the available bandwidth. It’s typically measured in gigabits per second (Gbps), referring to the amount of bandwidth it can consume per second.

Application layer attack – An assault occurring on OSI layer 7. Its goal is to bring down a server by exhausting its processing resources (e.g., CPU or RAM) with a high number of requests. It’s measured in requests per second (RPS)—the number of processing tasks initiated per second. Such attacks are executed by DDoS bots able to establish a TCP handshake to interact with a targeted application.

Botnet – A cluster of compromised, malware-infected devices remotely controlled by an offender. Device owners are unaware of their system participation.

DDoS bot – A malicious software application (script) used by a perpetrator. So-called bad bots only come into play in application layer attacks, where a TCP connection is established. They typically masquerade as browsers (human visitors) or legitimate bots (e.g., search engine crawlers) to bypass security solutions.

Payload – In the context of this study, a payload is a packet type used in a network layer assault. It’s fabricated by an attack script and can often be altered on the fly. In many cases, multiple payload types are used simultaneously during the course of a single event.