Global DDoS Threat Landscape

Global DDoS Threat Landscape
Q4 2016

Network layer attack sizes reached a record high

The 650Gbps DDoS assault was the largest one in our record books.

Number of application layer attacks continued to increase

After shooting up in Q3, the number of attacks peaked at 889 a week.

Amplification attacks continued to decrease

Even as attack sizes scaled up, the use of amplification vectors continued to go down.

US, UK and Netherlands top attacked country list

Together, they drew 74.9 percent of all attacks.


DDoS offender capabilities have rapidly evolved over the past year, enabling them to launch bigger attacks than ever before. The shift in the threat landscape is being driven by the emergence of botnets leveraging lax password management practices and security vulnerabilities found in IoT devices.

The IoT botnet footprint was evident in attacks mitigated by Imperva Incapsula in Q4 2016. A massive 650Gbps assault was most noteworthy, the largest to ever be mitigated by our service.

Persisting for over 29 days, last quarter we also thwarted the longest network layer attack of the year. And we saw the number of application layer attacks reach a new record, with an average of 889 assaults per week.

Another notable development was the high amount of botnet activity originating in China. Our data shows that 78.5 percent of application layer DDoS attacks against Incapsula customers came from IPs located there—the most ever recorded since we began our periodic reporting in Q3 2015.


Network Layer Attacks

  • Largest attack ever mitigated by our service peaked at over 650 Gbps
  • Longest attack lasted for more than 29 days
  • Ongoing decline in the use of amplification vectors

Application Layer Attacks

  • Number of attacks increased to 889 a week
  • Longest attack lasted for more than 47 days
  • 58.3 percent of targets were hit by repeat assaults

DDoS Botnet Activity

  • 78.5 percent of assault traffic originated from China
  • 56.7 percent of attacks targeted US
  • US, UK and Netherlands were the top three attacked countries

Network Layer Attacks

In Q4 2016, Incapsula mitigated an average of 280 network layer attacks per week, totaling 3,603. This constitutes a 39.4 percent drop (after factoring in our user base growth) from the previous quarter. Since peaking at a record-high 7,389 attacks in Q2 2016, we’ve seen a significant reduction in the number of network layer assaults over the past two quarters.

However, by contrast we saw an increase in network layer assault size. The most notable was a massive 650Gbps event—the largest ever mitigated by the Incapsula service.

Launched from an unidentified botnet, which we dubbed “the leet botnet” after an element in its payload signature, this attack relied on using abnormally large SYN network packets. Interestingly, the packets were generated from system file content found on the botnet devices. Read a full assault analysis in this blog post.

Largest network layer attack in Q4 2016 peaked at 650 Gbps Largest network layer attack in Q4 2016 peaked at 650 Gbps

In Q4 Incapsula mitigated the longest network layer attack of the year, which persisted for more than 29 days.

But that event was an exception, as the average network layer attack duration remained consistent with last quarter’s figures; 89 percent lasted less than one hour. The average duration in Q4 2016 was 100 minutes—only four minutes longer than that in Q3.

Attack Duration

Distribution of network layer DDoS attacks, by duration

In Q4 we saw the trend toward shorter, quick-hit attacks continue, with well over 80 percent of them lasting under an hour—just like every previous quarter last year.

On the opposite end of the spectrum, the persistent attacks that we handled increased in duration. In Q4 2016, nearly one percent of all network layer events lasted over a day—a peak number for the year and a steep increase from just 0.2 percent in Q1. Moreover, the quarter broke the record for the longest attack of the year, lasting over 29 days.

That we saw increased activity in both the shortest and longest assaults underscores the differences between the various bad actors and their preferred MOs.

On one hand, the higher number of persistent events can be interpreted as a sign of professional offenders upping their game. On the other hand, the preponderance of short attack bursts can be attributed to the growing popularity of cheap botnet-for-hire services preferred by non-professionals.

Attack Vectors

Distribution of network layer DDoS attacks, by attack vector

Similar to the prior quarter, perpetrators continue to use a wide variety of payloads (network packets) to carry out network layer assaults. Following their substantial growth in Q3, ICMP (a.k.a., ping) floods continued to increase in Q4, appearing in 46.3 percent of all attacks. As in previous quarters, other commonly used vectors included TCP, SYN and UDP floods.

Another notable trend is the steady decrease in amplification attacks over the course of the year. DNS amplification attacks dropped from 19.4 percent in Q1 to 9.2 percent in Q4, while NTP amplification events decreased their frequency from 13.6 percent in Q1 to 6.9 percent in Q4.

This decline is likely to be a result of the following trends:

  • An increased number of open DNS resolvers being patched to prevent amplification assaults
  • The steep rise in botnet attack capacity, enabling miscreants to launch high-volume assaults without reliance of amplification techniques

The latter trend is fueled by the growth of undersecured IoT devices, which are being recruited en masse by botnet operators.

Multi-Vector Attacks

In Q4 2016, single-vector network attacks increased by almost seven percent from Q3, reaching a yearly high of 71%. Moreover, the percentage of assaults in which perpetrators used five or more different payloads dropped from 3.9 percent in Q3 to 1.9 percent in the following quarter.

With respect to multi-vector attacks, the downward trend we’re seeing can likely be attributed to the increase in less-sophisticated assaults being instigated by non-professional perpetrators using botnet-for-hire (a.k.a., stresser or booter) services. This is evidenced by over 94 percent of all single vector events lasting under an hour.

1 vector
2 vector
3 vector
4 vector
5+ vector
Distribution of network layer DDoS attacks, by number of attack vectors used

Application Layer Attacks

In Q4 2016, Imperva Incapsula mitigated 11,727 application layer attacks at an average of 889 per week. This is a 2.9% increase from Q3 2016 (after factoring in our user base growth) and marks the third consecutive record-breaking quarter in relation to attack numbers. Overall, application layer assault numbers have more than doubled since Q1 2016.

The largest event in Q4 peaked at 91,209 RPS (requests per second), substantially smaller than the annual high of 173,633 RPS from the prior quarter. However, unlike their network layer counterparts, application layer attacks don’t require high volumes to be effective. In most cases, it only takes a few hundred RPS to bring down a typical webserver.

Duration-wise, the longest application layer attack mitigated on the Incapsula network in Q4 lasted 47 days. This was the third successive quarter in which the longest assault exceeded 40 days. However, on the whole we saw the majority (74.7%) of application layer events in Q4 run 60 minutes or less.

Attack Duration and Frequency

Distribution of application layer DDoS attacks, by duration

For the most part, application layer attack duration and frequency exhibited a continuation of the trends we observed in Q3. For the third successive quarter, the longest event exceeded 40 days, while most assaults (74.7 percent) lasted under one hour. In fact, during Q1 – Q3 more than 70 percent of attacks fell into this frequency range.

At the same time the Incapsula network saw an increase in attack frequency, with the number of targets hit by multiple assaults reaching 58.3 percent, compared with 54.7 percent in Q3. In fact, the percentage of sites targeted more than ten times in Q4 reached 13.1 percent, the highest figure ever recorded for this attack frequency category.

Single Attack
2-5 Attacks
6-10 Attacks
More than 10
Distribution by frequency of attacks against a target

DDoS bot capabilities and assumed identities

The quantity of sophisticated, browser-based bots that retain cookies and execute JavaScript rose from 8.0 percent in the prior quarter to 13.6 percent in Q4. But primitive bots are still predominant and reflect the growing use of botnet-for-hire services. Over the past year, Incapsula has detected a noticeable correlation between the level of bot sophistication and attack duration.

JS + Cookies
Only Cookies
Distribution of application layer attack sessions, by bot capabilities

Assumed Impersonators

Internet Explorer 72.0%
Baidu Spider 11.7%
Firefox 5.5%
Chrome 5.3%
Opera 0.4%
Chrome (iOS) 0.2%
Googlebot 0.1%
Identities used by DDoS bots, by commonness

To avoid detection by less sophisticated mitigation services, DDoS bots use fake user agents to assume legitimate tool and browser identities. In Q4 2016, various iterations of Microsoft’s Internet Explorer browser bot and the Baidu search engine crawler bot were the most impersonated. Both of these are associated with botnets operating in China, such as Nitol. In light of the high proportion of attack traffic from China (see below), it makes sense that these bot identities top the list.

Botnet Activity and Geolocation

Top Targeting and Attacking Countries

China 78.5%
Vietnam 4.5%
South Korea 2.9%
United States 1.7%
Taiwan 1.1%
Thailand 0.9%
Hong Kong 0.7%
Ukraine 0.7%
India 0.7%
Italy 0.6%

After five quarters of running at the top of the leaderboard, the US and UK have further solidified their positions as the most attacked countries. Two-thirds of all assaults mitigated on our network in Q4 targeted businesses in those two countries.

Notably, websites in Netherlands drew a record number of DDoS events, serving as targets in over 8.6 percent of all attacks.

In Q4, 78.5 percent of worldwide DDoS assaults originated from Chinese IPs—the highest we’ve ever recorded since we began our quarterly reporting.


Our analysis is based on data from 3,603 network layer and 11,727 application layer DDoS attacks on websites using Imperva Incapsula services from October 1, 2016, through December 31, 2016—referred to herein as the fourth quarter of 2016 or Q4 2016. Information about DDoS bot capabilities and assumed identities comes from a random sample of 26.16 billion DDoS bot requests collected from such assaults over the same period.


DDoS attack – A persistent, distributed denial of service event against the same target (e.g., IP address or domain). It’s usually preceded by a quiet (attack free) period of at least ten minutes, and followed by another quiet period of the same duration or longer.

Network layer attack – An assault against either the network or transport layers (OSI layers 3 and 4). Its goal is to cause network saturation by expending much of the available bandwidth. It’s typically measured in gigabits per second (Gbps), referring to the amount of bandwidth it can consume per second.

Application layer attack – An assault occurring on OSI layer 7. Its goal is to bring down a server by exhausting its processing resources (e.g., CPU or RAM) with a high number of requests. It’s measured in requests per second (RPS)—the number of processing tasks initiated per second. Such attacks are executed by DDoS bots able to establish a TCP handshake to interact with a targeted application.

Botnet – A cluster of compromised, malware-infected devices remotely controlled by an offender. Device owners are unaware of their system participation.

DDoS bot – A malicious software application (script) used by a perpetrator. So-called bad bots only come into play in application layer attacks, where a TCP connection is established. They typically masquerade as browsers (human visitors) or legitimate bots (e.g., search engine crawlers) to bypass security solutions.

Payload – In the context of this study, a payload is a packet type used in a network layer assault. It’s fabricated by an attack script and can often be altered on the fly. In many cases, multiple payload types are used simultaneously during the course of a single event.