Global DDoS Threat Landscape
Q4 2017

Crypto-industry continues to be targeted

The young industry was ranked number five for most attacks and number eight for most targets.

Persistent attacks grow more common

Roughly two thirds of all DDoS attack targets were hit with repeat assaults.

Number of application attacks doubles

On average we mitigated 237 attacks a week, compared to 135 in the prior quarter.

HK and US are the most attacked countries

Seven out of the top-10 countries targeted by network layer assaults were in the APAC region.

Overview

Q4 2017 was characterized by a steep 50 percent decrease in the total number of network layer assaults compared to the prior quarter, while attack frequency fell from 302 to 147 a week.

Application layer attacks, on the other hand, nearly doubled quarter over quarter. On average, Imperva Incapsula services mitigated 237 application layer attacks each week in the fourth quarter of 2017, compared to 135 application layer attacks each week in the third quarter of 2017.

The majority of network layer assaults targeted internet and web service providers, gambling sites, gaming sites and the IT/software industry. Notably, after making an appearance in Q3, the cryptocurrency industry continued to rise up on the top attacked industries list, drawing 3.7 percent of attacks and representing 2.4 percent of targets.

On the most attacked countries lists, Hong Kong and the US had the dubious honor of topping the charts for most attack targets. Collectively, sites hosted in these countries drew 54.3 percent of network attacks and the United States also drew 76.4 percent of application attacks in the last quarter of the year.

Notably, an unusually high number of network DDoS assaults targeted businesses in APAC countries this quarter. Seven of the top-10 attacked countries were located in this region, which drew a combined 68.9 percent of all network layer attacks.

Finally, Q4 2017 saw an increase in the number of sophisticated DDoS attack bots, with 16.9 percent capable of bypassing commonplace security challenges (i.e., JS challenges). This represented a significant increase from the previous quarter, when only 6.4 percent of bots displayed any bypass capabilities.

Network Layer Attacks

Attack Size

Network layer attack rates scaled down in size in Q4 2017. While 3.7 percent of assaults reached above 50 Gbps in size, compared to 8.6 percent in Q3 2017, only 0.7 percent of attacks reached a rate higher than 50 Mpps, compared to five percent last quarter.

The largest attack this quarter peaked at 335 Gbps, slightly higher than the largest attack of Q3 2017, which reached 299 Gbps. This time, the Imperva Incapsula network was targeted—likely a result of our IP masking service, which disguises customer IP addresses with our own, leaving offenders no choice but to attack our platform.

The highest attack rate of Q4 2017, recorded during the above-described assault, came in at 143 Mpps. This represented a decline from the 238 Mpps attack rate seen in the previous quarter.

Similar to previous quarters, the vast majority of attacks in Q4 2017 came in below 10 Gbps (81.6 percent) and 10 Mpps (94.7 percent). These low volume and low rate assaults can be attributed to DDoS-for-hire activity.

  • Network layer DDoS attacks are measured in Mpps (million packets per second) and Gbps (gigabits per second).

  • Mpps measures the rate at which packets are delivered (a.k.a. forwarding rate) while Gbps measures the total load placed on a network (a.k.a. throughput).

    From a mitigation point-of-view, it’s important to be aware of both metrics, as they can each be bottlenecked by DDoS traffic.

    For example, if your mitigation solution has the capacity to handle 80 Gbps and process packets at a rate of 10 Mpps, a 40 Gbps DDoS attack at a rate of 20 Mpps can still bring down your network, even if it doesn’t surpass your total capacity.

    Learn more about throughput and forwarding rates.

Top attacked countries

Hong Kong topped the most attacked countries list for the second quarter in a row in Q4 2017, this time drawing 32.6 percent of all network layer assaults. Unlike in Q3 2017, when most of the attack data out of Hong Kong was connected to a single target, Q4 saw a number of major campaigns directed at three local internet providers, one of which was hit more than 240 times.

This quarter, Taiwan and the Philippines once again claimed the top two spots on the list of attacked countries by target—together, they hosted more than a third of all network layer attack victims. Surprisingly, Australia made it on to the same list with just 1.5 attacks per target on average.

Hong Kong 32.6%
United States 21.7%
Taiwan 14.1%
Philippines 8.0%
Malaysia 7.8%
Brazil 2.7%
China 2.4%
New Zealand 2.3%
Vietnam 1.7%
Germany 1.5%
  • Generally, for-profit DDoS perpetrators are interested in targeting wealthy countries with developed digital markets.

    A lack of anti-cybercrime legislation or enforcement is also a contributing factor, as some for-profit and non-profit attackers go after local targets. Finally, countries that serve likely-to-be-targeted industries, e.g., gambling, are more prone to attack.

top attacked industries

In Q4 2017, internet providers drew more than half of all network layer assaults, once again topping our list of the most targeted industries according to number of attacks. On average, each target was hit 64 times throughout the quarter.

This category includes ISPs, web hosting services, ASPs and other core infrastructure providers—businesses that often support thousands of websites, inherently exposing themselves to a high number of attacks. For example, a web hosting service used by several hundred businesses (and thousands of domains) is more likely to be attacked, especially if those businesses belong to a high-risk industry, e.g., gaming and gambling.

DDoS perpetrators continued to target the cryptocurrency industry this quarter, which came in at number five on the list of most targeted industries according to number of attacks. This was largely the result of an intensive DDoS campaign waged against a cryptocurrency exchange.

As before, we attribute these attacks to the price of bitcoin, which continued to skyrocket in the last quarter of the previous year. The price increase, combined with extensive media coverage, made the industry a lucrative attack target. More so, many of its businesses are relatively new and, as such, are more likely to be under protected.

In Q4 2017, for the second quarter in a row, gambling and gaming took the top two spots on the list of most attacked industries according to number of targets. This wasn’t surprising, as we’ve regularly seen DDoS offenders attack websites associated with both of these industries.

  • Attacker motivation typically determines why a specific industry is frequently targeted by DDoS perpetrators.

    Motivations can be broken down into the following categories:

    • Business competition – In a competitive industry, such as gambling, a DDoS attack can be used to take down a rival website.
    • Extortion – Certain industries, e.g., ecommerce, are very dependent on their online presence and are easy prey for perpetrators extorting money in exchange for keeping a specific website online.
    • Hacktivism – Hacktivists typically target political, media or corporate websites to protest their actions.
    • Vandalism – Cyber vandals, typically disgruntled users or random offenders, often attack gaming services or other high-profile targets.
    Learn more about DDoS attackers and their motivations.

Attack Duration

Q4 2017 saw an increase in attack duration, with 10 percent of network layer assaults lasting longer than six hours, up from 7.5 percent in the previous quarter. Meanwhile, average attack duration was 1.3 hours this quarter, compared to 1.2 hours in Q3 2017.

The longest attack of the quarter lasted less than a day, a significant decrease from last quarter’s more than five and a half day assault.

  • The length of a DDoS attack largely comes down to the resources at a perpetrator’s disposal.

    Shorter attacks are typically associated with DDoS-for-hire services (a.k.a. booters or stressers) that can be rented to launch short-lived attacks, usually lasting under 30 minutes.

    Longer attacks are almost always the work of more professional bad actors using their own botnets, which can carry out persistent assaults.

  • Yes. The length of an attack is not correlated with the duration of a site’s downtime. While a website (or web service) can be taken down in minutes, it usually takes hours for it to recover.

    Additionally, a short attack might be part of a repeat assault, in which a target is hit with multiple short bursts. This method is commonly used to bypass mitigation solutions that rely on manual activation, or are otherwise slow and cumbersome to deploy.

Attack persistence

Attack persistence increased in Q4 2017—67.4 percent of targets were attacked at least twice, compared to 57.7 percent in Q3.

However, the number of targets exposed to six or more attacks, as well as those hit more than 10 times remained steady quarter over quarter, at 35 percent and 29 percent respectively.

Single Attack 32.6%
2-5 Attacks 31.9%
6-9 Attacks 6.5%
10+ Attacks 29%

The most repeatedly attacked target faced 242 attacks in the span of the quarter

Attack Vectors

Amplification attack vectors remained popular among DDoS offenders in Q4 2017. DNS-amplification assaults increased from an already steep 15.9 percent to 17 percent quarter over quarter. NTP-amplification attacks also remained high at 32.9 percent this quarter, after reaching 36.9 percent in Q3 2017.

SYN, TCP and UDP floods continued to be the most popular non-amplified attack vectors this quarter, albeit at decreased rates from Q3 2017. Meanwhile, the use of DNS-flood attacks increased from 11.1 percent last quarter to 19.6 percent in Q4 2017.

Multi-Vector Attacks

Q4 2017 saw a decrease in multi-vector attacks, with just four percent of network assaults using five or more vectors, compared to seven percent in Q3.

In total, multi-vector attacks fell from 70.2 percent to 55 percent quarter over quarter.

Single vector 45%
2-4 vector 50.9%
5+ vectors 4.1%
  • In a multi-vector attack, different streams of payloads (network packets) are simultaneously sent to a target. This can help a perpetrator bypass an enterprise’s security mechanisms, which are not equipped for complex filtering and might allow some of these streams to reach their target.

  • A multi-vector assault requires more resources and skill than a single-vector attack. The more sophisticated a bad actor is, the more likely such techniques are to be employed in their assaults.

application Layer Attacks

Attack Size

The largest application layer attack of Q4 2017 came in at 138,990 RPS, slightly higher than last quarter. There was a decline, however, in overall average attack size. Specifically, just 15.7 percent of attacks clocked in at higher than 1,000 RPS, compared to 20.6 percent last quarter.

Notably, more than half of all attacks this quarter were between 100-1,000 RPS, up from 43.5 percent in Q3 2017. The data points to an increase in activity by non-professional offenders, who typically mount smaller sized assaults using attack scripts and DDoS-for-hire services.

  • Application layer DDoS attacks are measured in RPS (requests per second).

  • An application layer attack’s success depends on the amount of workload that a single request can force on a target server.

    For example, a request that downloads an image file is far less resource-intensive than a request that initiates a string of API calls.

    That said, many websites work on relatively low operational margins and can be taken offline by just a few dozen well-placed requests. There aren’t many that can handle an additional 10,000 RPS, which is equal to 36 million requests an hour.

  • The main difference between the two DDoS attack types is in that they target different resources. A network attack attempts to clog network pipes, while an application layer attack seeks to deplete resources, e.g., CPU and RAM.

    This translates into further differences in the ways these attacks are executed. It also means that mitigating each of these threats requires a significantly different set of security methods and skills.

    In fact, outside of some superficial similarities, application and network layer attacks are two very different types of threats.

Top Targeting and Attacking Countries

In Q4 2017, the US, Israel and Singapore topped our list of the most targeted countries according to number of attacks. In total, the US was on the receiving end of 76.4 percent of all assaults, a steep increase from 53.3 percent last quarter.

The US also served as home to 80.5 percent of attack victims, placing it in first place on our list of attacked countries according to number of targets.

United States 76.4%
Israel 15.7%
Singapore 1.9%
Philippines 1.7%
Ireland 1.0%
France 0.9%
Japan 0.8%
Turkey 0.4%
Netherlands 0.3%
Romania 0.2%
  • Generally, for-profit DDoS perpetrators are interested in targeting wealthy countries with developed digital markets.

    A lack of anti-cybercrime legislation or enforcement can also be a contributing factor, as some for-profit and non-profit attackers go after local targets.

    Finally, countries that are home to likely-to-be-targeted industries, such as gambling, are at greater risk of being targeted.

Attack Duration

Similar to previous quarters, the majority of attacks in Q4 lasted between 30 minutes and six hours. Attacks lasting more than six hours, however, increased from 9.7 percent in Q3 2017 to 12.4 percent this quarter. We also saw an uptick in application layer assaults under 30 minutes, which jumped from 17.1 percent to 20.1 percent quarter over quarter.

  • Similar to network layer attacks, the duration of an application layer attack largely depends on the resources at a perpetrator’s disposal.

    That said, application layer assaults are easier to execute and sustain, as even a sizeable attack of several thousand RPS can be launched from a single computer.

Attack persistence

In Q4 2017, there was a notable increase in attack persistence. In total, 63.3 percent of targets were exposed to multiple DDoS attacks, compared to 46.7 percent in the previous quarter. At the same time, 25.1 percent of attack victims were hit six or more times, compared to just 15.5 percent in Q3 2017.

Single Attack 36.7%
2-5 Attacks 38.2%
6-9 Attacks 12.4%
10+ Attacks 12.7%

The most repeatedly attacked target faced 263 attacks in the span of the quarter

  • Similar to network layer attacks, perpetrators will repeatedly attack a protected target because it’s so cheap—many offenders see no point in quitting, even if the chances for success are slim.

    Additionally, launching application layer attacks is easy and can even be done from a home PC or a very small amount of botnet devices.

bot capabilities

In Q4 2017, the number of sophisticated bots with bypass capabilities, i.e., those that are either able to bypass cookie challenges or parse JavaScript, shot up to 17 percent, compared to seven percent in the previous quarter. Moreover, 16.1 percent of bots this quarter were able to bypass both cookie and JavaScript challenges, a steep increase from 1.8 percent in Q3 2017.

Primitive attack bots 83%
Bypassed cookie challenges 0.9%
Bypassed JS and cookie challenges 16.1%

Botnet Location

Similar to last quarter, China, Vietnam and the US continued to serve as the main hubs for DDoS activity in Q4 2017. While the US and Vietnam’s attack footprint decreased slightly this quarter, the botnet traffic out of China more than doubled. Meanwhile, the number of active botnet devices operating from its territory increased by more than 50 percent.

Indian and Turkish botnet activity receded in Q4 2017, following its rapid increase in the previous two quarters. That said, Turkey still maintained a presence on the top-10 list for both attack traffic output and active botnet devices.

China 37.4%
Taiwan 7.0%
Korea 6.4%
Vietnam 5.8%
Turkey 5.3%
Russia 4.7%
United States 1.2%
Brazil 1.2%
United Kingdom 1.2%
India 1.2%
  • IP spoofing is the practice of faking a source IP to avoid backtracking and blacklisting. In theory this makes IP geo-data collected during DDoS attacks unreliable.

    IP spoofing, however, is only possible with a network layer attack. In an application layer assault, IPs cannot be spoofed, as a full TCP connection has to be established before a request is sent.

    This is why we only use data from application layer attacks to identify bot location.

    Learn more about IP spoofing.
  • There are a lot of factors that come into play here. Broadly speaking, however, the two most impactful reasons are:

    • Security awareness – Countries in which users have adopted digital security policies are better equipped to detect botnets inside their borders.
    • Connected devices – As a rule, a high number of connected devices open up more opportunities for botnet herders.

Methodology

Our analysis is based on data from 1,916 network layer and 3,079 application layer DDoS attacks on websites using Imperva Incapsula services from October 1, 2017, through December 31, 2017—referred to herein as the fourth quarter of 2017 or Q4 2017.

Information about DDoS bot capabilities and assumed identities comes from a random sample of 36.7 billion DDoS attack requests collected from such assaults over the same period of time.

Definitions

DDoS attack – A persistent, distributed denial of service event against the same target (e.g., IP address or domain). A single attack is preceded by a quiet (attack free) period of at least a sixty minutes, and followed by another quiet period of the same duration or longer.

Network layer attack – An assault against either the network or transport layers (OSI layers 3 and 4). Its goal is to cause network saturation by expending much of the available bandwidth. It’s typically measured in gigabits per second (Gbps), referring to the amount of bandwidth it can consume per second.

Application layer attack – An assault occurring on OSI layer 7. Its goal is to bring down a server by exhausting its processing resources (e.g., CPU or RAM) with a high number of requests. It’s measured in requests per second (RPS)—the number of processing tasks initiated per second. Such attacks are executed by DDoS bots able to establish a TCP handshake to interact with a targeted application.

Botnet – A cluster of compromised, malware-infected devices remotely controlled by an offender. Device owners are unaware of their system participation.

DDoS bot – A malicious software application (script) used by a perpetrator. So-called bad bots only come into play in application layer attacks, where a TCP connection is established. They typically masquerade as browsers (human visitors) or legitimate bots (e.g., search engine crawlers) to bypass security solutions

Payload – In the context of this study, a payload is a packet type used in a network layer assault. It’s fabricated by an attack script and can often be altered on the fly. In many cases, multiple payload types are used simultaneously during the course of a single event.