Global DDoS Threat Landscape

Q3 2015

100+ Gbps attacks became more commonplace

On average, Imperva Incapsula mitigated a 100+ Gbps DDoS attack every other day. The largest network layer attack peaked at 260 Gbps.

Perpetrators focus fire on APAC and U.S.

Websites hosted in the U.S. were targeted by 45.8 percent of DDoS attacks, while websites hosted in APAC were targeted by 40.7 percent.

116 percent increase in number of DDoS attacks

There was a 108.5 percent increase in network layer attacks and a 121.9 percent increase in application layer attacks.

152 percent increase in DDoS traffic from China

Overall, 37.5 percent of DDoS botnet traffic originated from China, compared to 14.9 percent in the previous quarter.

Overview

Distributed denial of service (DDoS) attacks are a constantly evolving menace that threaten online businesses with downed websites, financial losses and damaged client relationships. As perpetrators continue to adopt new technologies and methods to execute attacks, the need for organizations to stay informed and up-to-date with the latest trends in online security has never been greater.

This report reviews how the DDoS threat landscape changed in Q3 2015. It was compiled using data from 7,752 network and application layer assaults mitigated by Imperva Incapsula in Q3.

The third quarter was notable for a number of reasons, not least of which was the high number of attacks targeting clients in our network during this period. On average we mitigated 129 attacks every day, a 116 percent increase from the second quarter. Additionally, the changes in attack tactics we witnessed point to new threats of which every online entity should be aware.

Highlights

Network Layer Attacks

  • 108.5 percent increase in network layer DDoS attacks from second quarter
  • On average we mitigated a 100+Gbps DDoS attack every other day
  • Longest network layer DDoS attack lasted 31 days
  • Largest network layer DDoS attack peaked at 260 Gbps
  • 38.5 percent of network layer DDoS attacks were multi-vector threats

Application Layer Attacks

  • 121.9 percent increase in application layer DDoS attacks from second quarter
  • 14.6 percent of application layer DDoS attacks lasted more than 12 hours
  • Longest application layer DDoS attack lasted more than 20 days
  • Largest application layer DDoS attack peaked at 268,800 RPS
  • 62.3 percent of DDoS bots disguised themselves as browsers

DDoS Botnet Activity

  • 37.5 percent of DDoS botnet traffic originated from China
  • Websites hosted in the U.S. were targeted by 45.8 percent of DDoS attacks
  • Websites hosted in APAC were targeted by 40.7 percent of DDoS attacks
  • ChinaZ became more active, accounting for 3.5 percent of DDoS attacks
  • Generic scripts and tools accounted for 10.7 percent of DDoS attack sessions

Network Layer Attacks

Overview

The number and duration of network layer DDoS attacks against our clients showed some interesting developments. We mitigated 2,732 network layer attacks (OSI layers 3 and 4) in Q3, a 108.5 percent increase from the second quarter. The longest attack lasted 31 days, and the largest peaked at 260 Gbps. On average we mitigated a 100+ Gbps attack once every two days (48 hours).

Largest network layer attack in Q3 2015, peaking at 260Gbps

While the number of Q3 attacks was up significantly, the majority were short bursts (hit-and-run attacks), with only 3.6 percent lasting more than three hours. Few attacks lasted more than 24 hours. In comparison, 25.3 percent of Q2 attacks were longer than three hours.

The third quarter also saw a marked increase in single vector assaults—61.5 percent compared to 56.2 percent in the second quarter. Combined with shorter assault duration, this increase indicates that more perpetrators are using DDoS-for-hire services.

In terms of attack vectors, SYN and UDP floods were once again the most popular choice, used for the majority of network layer barrages. That being said, DNS amplification attacks saw a steep rise, almost doubling in number compared to the second quarter.

We also saw further evidence of extremely sophisticated DDoS malware that can execute very complex eight- and nine-vector attacks using the same botnet resources.

Attack Duration

Distribution of network layer DDoS attacks, by duration

One of the prevailing themes of the third quarter was that the duration of network layer assaults dropped significantly: 88.2 percent lasted less than an hour. These hit-and-run barrages point to an ongoing trend in which perpetrators prefer to launch multiple assaults against a number of targets, as opposed to a single prolonged attack. They are also a sign of DDoS-for-hire (a.k.a. stresser or booter) service usage; such services offer subscribers rationed access to botnet resources, enough to launch a few short-duration, mid-sized attacks.

Attack Vectors

Distribution of DDoS attack vectors, by commonness
Distribution of DDoS attack vectors, by peak attack volume

In the third quarter UDP flood remained the most popular vector, used in 38.9 percent of attacks against Imperva Incapsula clients. As in the second quarter, SYN floods were almost as common, used in 35.4 percent of incidents.

Meanwhile, large SYN attacks were the most devastating, with a single one being responsible for a 260 Gbps assault, the largest of the period. After dropping out of favor last year, DNS amplification attacks somewhat surprisingly became significantly more popular in Q3. They appeared in 13.4 percent of all network layer attacks, almost double the 7.9 percent seen in the second quarter.

Multi-Vector Attacks

Multi-vector attacks, traditionally the work of more sophisticated perpetrators, dropped to 38.5 percent of network layer attacks, from 43.8 percent in Q2. The decrease in their relative commonness corresponds with an increase in activity by inexperienced perpetrators who rely on generic attack scripts and DDoS-for-hire services.

As an interesting countertrend, we also see that the sophistication of the multi-vector attacks has risen. Whereas the number of vectors in Q2 never exceeded seven, over the current reporting period we’ve seen eight- and even nine-vector assaults.

Such multi-vector barrages are still very much a rarity, accounting for no more than 1.1 percent of all mitigated assaults. However, they showcase the advanced botnet capabilities used by DDoS pros: botnets that can switch on the fly to produce attacks using different packet types, as well as easily shift between symmetrical and asymmetrical attack methods.

Distribution of network layer DDoS attacks, by number of attack vectors used:

  • 1 vector: 61.5%
  • 2 vectors: 25%
  • 3 vectors: 8.4%
  • 4 vectors: 0.8%
  • 5+ vectors: 4.3%

Application Layer Attacks

Overview

Incapsula mitigated 5,020 application layer DDoS attacks (OSI layer 7) last quarter, a 121.9 percent increase from Q2. The increase was especially notable in relation to the 14.6 percent of attacks that lasted more than 12 hours, more than double what we saw in the second quarter. The longest barrage lasted more than 20 days, while the largest peaked at 268,800 requests per second.

Largest application layer attack this past quarter, peaking at 268,800 RPS

Additionally, application layer attacks were spread across a noticeably wider pool of targets, with only 29.39 percent of targets being hit repeatedly, compared to 46.9 percent in the second quarter.

After a huge decline in Q2, Baidu impersonators resurfaced, accounting for 21.5 percent of all DDoS bot traffic. We attribute this to an increase in attacks originating in China, as well as an increase in assaults against Chinese targets.

Attack Duration and Frequency

Distribution of application layer DDoS attacks, by duration

Unlike network layer assaults, application layer attacks did not drop significantly in duration in the third quarter. If anything, certain duration bands saw a marked increase, including the 14.6 percent of attacks lasting longer than 12 hours, up from 6.2 percent in the second quarter.

At 83 per day, application layer attack frequency was 121.9 percent higher than in the second quarter. This corresponds with a significantly higher target distribution among Imperva Incapsula clients.

While fewer clients were subjected to repeated assaults (29.4 percent vs. 46.9 percent in Q2), the widening target pool for application layer attacks is a worrying trend as we approach the final quarter of 2015.

Distribution by frequency of attacks against a target:

  • Single attack: 70.6%
  • 2-5 attacks: 18.9%
  • 6-10 attacks: 5.2%
  • More than 10 attacks: 5.3%

DDoS Bots Capabilities

DDoS bots continue to display advanced capabilities. While the majority (73.6 percent) could still be described as primitive, 26.4 percent displayed at least some browser-like features, useful for bypassing common security challenges. This included 25.2 percent that were able to pass a cookie challenge, and 1.2 percent that could fool both JavaScript and cookie challenges.

Distribution of application layer attack sessions, by bot capabilities:

  • JS + cookies: 1.2%
  • Only cookies: 25.2%
  • Primitive: 73.6%

DDoS Bots' Assumed Identities

Identities used by DDoS bots, by commonness:

  • Internet Explorer: 53.4%
  • Baidu Crawler: 21.5%
  • Mozilla Firefox: 3.9%
  • Google Chrome: 2.8%
  • Safari: 2%
  • Opera: 0.3%
  • Others: 16.2%

Q3 2015 was significant due to the return of DDoS bots impersonating search engine clients, a trend that appeared earlier to be on the decline. In total, 21.5 percent of blocked DDoS agents tried to disguise themselves as Baidu bots, with most of them originating from ChinaZ and MrBlack botnets.

Internet Explorer impersonators were by far the most common of all DDoS bots, accounting for 53.4 percent of all bot traffic. Overall, browser impersonators accounted for 62.3 percent.

Botnet Activity and Geolocation

Top Targeting and Attacking Countries

Top attacking countries, by share of DDoS botnet traffic:

  • China: 37.53%
  • South Korea: 9.44%
  • United States: 9.11%
  • Vietnam: 6.25%
  • Brazil: 5.87%
  • Thailand: 3.00%
  • Taiwan: 2.04%
  • Andorra: 2.00%
  • India: 1.83%
  • Colombia: 1.73%

When identifying the leading country of botnet attack origin, China is the clear leader. It accounts for 37.5 percent of all DDoS botnet traffic, more than double its footprint compared to the second quarter (14.9 percent). Next up is South Korea, followed by the United States, each being responsible for more than 9 percent of DDoS botnet activity in Q3.

US-hosted websites were the most targeted, drawing 45.8 percent of attacks, followed by sites in Taiwan and China. Overall, websites hosted in Asia-Pacific countries were on the receiving end of 40.7 percent of the assaults, while 11.98 percent targeted EU sites.

Common Botnet Malware and Attack Scripts

Malware types used in DDoS attacks, by commonness

Regarding botnet malware and attack scripts used by bad actors, there were several interesting Q3 trends relative to the second quarter. The most significant was the decline in attacks attributed to named botnets, including MrBlack (16.3 percent vs. 26.4 percent in Q2) and Nitol (14.8 percent vs. 18.4 percent in Q2).

At the same time, generic GET-HEAD-POST scripts and WP brute force scripts were increasingly used, to a point where they accounted for 10.7 percent of all application layer instances. This again points to an influx in activity attributable to amateur perpetrators armed with out-of-the-box DDoS tools.

The ChinaZ botnet, relatively dormant in Q2, was used more frequently, accounting for 3.5 percent of assaults in Q3. This likely corresponds with the increase of targeted attacks within China.


Methodology

Our analysis is based on DDoS data collected from 2,732 network layer and 5,020 application layer attacks on websites using Incapsula services from July 1 through August 29 of this year, referred to as the third quarter. Information about DDoS bot capabilities and assumed identities comes from a random sample of 4.34 billion bot sessions collected from such assaults over the same period.

Data from Q2, or the second quarter, is taken from 1,572 network layer and 2,714 application layer attacks on websites using Incapsula services from March 1, 2015 to May 7, 2015.

An attack is defined as a persistent DDoS event against the same target (IP address or domain). It is preceded by a quiet (attack free) period of at least ten minutes and then followed by another attack-free period of the same duration or longer.
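The attack definition above amounts to a sessionization rule: mitigation events against one target belong to the same attack unless separated by at least ten attack-free minutes. The following Python, an added example and not code from Imperva Incapsula, applies that rule to constructed sample events, then buckets the resulting attacks by duration and counts multi-vector ones, mirroring the breakdowns used in this report. Target names, timestamps and vector labels are all constructed.

```python
# Added example (not from the report): group mitigation events into attacks
# using a >= 10 minute quiet gap, then summarize by duration and vector count.
from collections import Counter
from datetime import datetime, timedelta

QUIET_GAP = timedelta(minutes=10)  # report's minimum attack-free period
T0 = datetime(2015, 7, 1, 10, 0)   # constructed reference time


def burst(target, offset_min, length_min, vector, every=5):
    """Constructed helper: one attack-traffic sample every `every` minutes."""
    return [(target, T0 + timedelta(minutes=offset_min + m), vector)
            for m in range(0, length_min + 1, every)]


# Constructed sample events: (target, timestamp, vector).
SAMPLE_EVENTS = (
    burst("203.0.113.10", 0, 15, "SYN")                 # 10:00-10:15
    + burst("203.0.113.10", 5, 10, "UDP")               # overlaps: multi-vector
    + burst("203.0.113.10", 40, 20, "SYN")              # 25 min gap: new attack
    + burst("example.org", 0, 240, "DNS amplification")  # sustained 4 h attack
)


def group_attacks(events, quiet_gap=QUIET_GAP):
    """Return one dict per attack: target, start, end and the vectors seen."""
    by_target = {}
    for target, when, vector in events:
        by_target.setdefault(target, []).append((when, vector))
    attacks = []
    for target, seq in by_target.items():
        current = None
        for when, vector in sorted(seq):
            if current is not None and when - current["end"] < quiet_gap:
                current["end"] = when            # still inside the same attack
                current["vectors"].add(vector)
            else:                                # quiet gap reached: new attack
                current = {"target": target, "start": when, "end": when,
                           "vectors": {vector}}
                attacks.append(current)
    return attacks


def duration_bucket(attack):
    """Duration bands used in the report's charts."""
    hours = (attack["end"] - attack["start"]).total_seconds() / 3600
    for limit, label in ((1, "<1h"), (3, "1-3h"), (12, "3-12h"), (24, "12-24h")):
        if hours < limit or (hours == limit and limit > 1):
            return label
    return ">24h"


def summarize(events):
    attacks = group_attacks(events)
    return {"attacks": len(attacks),
            "multi_vector": sum(len(a["vectors"]) > 1 for a in attacks),
            "by_duration": dict(Counter(duration_bucket(a) for a in attacks))}
```

Real deployments would feed this from mitigation logs rather than constructed bursts; the gap threshold is the only tunable.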

This study differentiates between two event types: network layer and application layer attacks. Referring to the OSI model, the former target layers 3 and 4, with such high-volume assaults able to saturate the network by consuming much of the available bandwidth. Network layer assault volume is typically measured in Gbps (gigabits per second).

Application layer attacks target layer 7 and are executed by bots, non-human visitors able to complete a TCP handshake and interact with the targeted application. Measured in RPS (requests per second), they can bring down a server by overwhelming its processing resources (e.g., CPU) with a high number of requests.