
DDoS attacks are among the most common cyber threats facing online businesses today. Understanding this threat is essential when developing an organization’s IT security strategy.
A study by Imperva cites key facts about how the DDoS landscape is currently changing. The study draws on the company’s own data as a provider of site protection services and one of the notable players in that market, so its figures are a useful indicator of what is happening in the world of DDoS attacks more generally.
Over the period from Q2 2015 to Q1 2016, most attacks (60%) were application-level attacks. However, taken quarter by quarter, their share decreased by more than 5% over the period under review.
If this trend continues, by 2018 network-level attacks will be as common as application-level attacks.
As the graph shows, the number of attacks of both types doubled over the past year. Incapsula’s customer base grew over the same period, which contributes to this figure, but the authors note other factors as well:
- Growth of DDoS-for-hire services. Such services allow anyone to launch a short attack, for example a 30-minute flood of network traffic with no advanced protection-bypass techniques. The share of such attacks rose from 63.8% in Q2 2015 to 93% in Q1 2016.
- Use of multiple small attacks as a tactic. Attackers use it to wear down IT security staff and to force the victim company to keep mitigation switched on, which can degrade the services the company provides. Finally, frequent small attacks are used to mask or distract from other attacks, for example an intrusion into the company’s network or data theft.
Trends in network level attacks
Attack volume is usually measured in gigabits per second (Gbps) and is the main metric for this threat. Over the past year many attacks exceeding 200 Gbps were mitigated; such attacks are no longer unusual.
The graph shows the largest attack volumes of the network layer.
In particular, in the 2nd quarter of 2016, an attack of 470 Gbps was registered, one of the largest in the history of the Internet.
One feature of this attack was the use of small network packets, which allowed the attackers to achieve a very high packet rate as well as high bandwidth. This has become a new characteristic, now seen in many attacks.
By relying on high packet rates, attackers try to exploit weaknesses in existing mitigation devices, most of which cannot handle such loads. The number of such attacks is expected to grow further.
The longest attack lasted 54 days, but over the year the trend was towards shorter attacks. The most numerous are short attacks lasting less than 30 minutes.
The increase in the number of network-level attacks is mainly due to the growing popularity of DDoS-for-hire services. Such services allow anyone to launch an attack lasting from one minute upward at a cost starting from $5.
Since attacks of this kind make up to 90% of all attacks, this indicates that the profile of those ordering attacks is changing. These are IT professionals who use DDoS attacks for extortion, and sometimes simply for fun.
As a result, the potential victims now include small online businesses that previously had no reason to consider themselves a target.
The use of different traffic types in a single attack reflects its level of sophistication. The share of multi-vector attacks is trending downward, which is again explained by the growing proportion of attacks ordered by non-professionals.
Interestingly, in Q1 2016 the proportion of attacks using 5 or more vectors increased significantly. This is a reminder that while “amateurs” drive up the number of the simplest attacks, genuinely professional cybercriminals continue to refine their methods.
Trends in application level attacks
For this type of attack, volume is a secondary metric, since most servers can be taken down with just a few hundred requests per second (RPS).
Nevertheless, very large attacks were observed throughout the year, including one of 268,000 RPS, the largest in the service’s history. The purpose of such attacks is not only to “drop” the target but also to breach the defensive perimeter.
As with network-layer attacks, there are examples of sophisticated attacks in which attackers experiment with rare and unique methods. In one HTTP-based attack, the target was bombarded with abnormally large POST requests (file uploads).
At a volume of 163,000 RPS, the attackers generated DDoS traffic of 8.7 Gbps. This is unheard of for application-level attacks, where traffic rarely exceeds 0.5 Gbps. The attack exploited particular nuances and weaknesses of the hybrid DDoS mitigation system, and its sophistication gives an idea of how deeply some attackers understand the internal mechanisms of anti-DDoS solutions.
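The arithmetic behind two of the figures above, the small-packet 470 Gbps network-layer attack and the 163,000 RPS / 8.7 Gbps application-layer attack, as an added worked example (not code from the report or from Imperva/Incapsula). The attack sizes are taken from the text; the frame sizes, the Ethernet overhead constant and the mitigation-device capacity are assumptions made for the calculation.

```python
"""Traffic arithmetic behind the attack figures quoted above.

Added example, not code from the report or from Imperva/Incapsula. The attack
sizes (470 Gbps; 163,000 RPS at 8.7 Gbps) are taken from the text; the frame
sizes, the Ethernet overhead constant and the mitigation-device capacity are
assumptions made for the calculation.
"""

# On-wire overhead per Ethernet frame: 8-byte preamble/SFD + 12-byte
# inter-frame gap (assumed medium). A 64-byte minimum frame therefore
# occupies 84 bytes of link time.
ETHERNET_OVERHEAD_BYTES = 20


def packets_per_second(gbps: float, frame_bytes: int) -> float:
    """Packet rate a link carrying `gbps` sees when every frame is
    `frame_bytes` long (payload plus headers), including on-wire overhead."""
    bits_per_frame = (frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8
    return gbps * 1e9 / bits_per_frame


def mitigation_load(gbps: float, frame_bytes: int, device_pps_capacity: float) -> float:
    """Fraction of a mitigation device's packet-processing capacity used by
    the attack; a value above 1.0 means the device is saturated by packet
    rate alone, whatever its Gbps rating says."""
    return packets_per_second(gbps, frame_bytes) / device_pps_capacity


def avg_request_bytes(rps: float, gbps: float) -> float:
    """Average size of one application-layer request given the request rate
    and the bandwidth it consumes; useful for spotting oversized-POST floods."""
    return gbps * 1e9 / 8 / rps


if __name__ == "__main__":
    # The 470 Gbps network-layer attack at two assumed frame sizes.
    for size in (64, 1500):
        mpps = packets_per_second(470, size) / 1e6
        print(f"470 Gbps with {size:>4}-byte frames: {mpps:7.1f} Mpps")
    # Hypothetical mitigation appliance rated for 100 Mpps (assumption).
    print(f"load on a 100 Mpps device, 64-byte frames: {mitigation_load(470, 64, 100e6):.1f}x")
    # The 163,000 RPS / 8.7 Gbps application-layer attack.
    print(f"average request size: {avg_request_bytes(163_000, 8.7) / 1024:.1f} KiB")
```

For the same 470 Gbps, 64-byte frames produce roughly 18 times the packet rate of 1500-byte frames (about 699 Mpps versus 39 Mpps), which is why a device specified by bandwidth alone can be overwhelmed; and 8.7 Gbps at 163,000 RPS works out to about 6.5 KiB per request, far larger than an ordinary GET and consistent with the oversized-POST description.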
Unlike network-level attacks, application-level attacks are much easier to sustain for a long time, since they require far fewer botnet resources. As a result, more than 44% of such attacks lasted over 1 hour, compared with only 12% of network-level attacks.
Unlike network-level attacks, which are often directed against the Incapsula network as a whole, each application-level attack can be traced to the specific target it was aimed at. This makes it possible to measure how often each attacked company is hit.
On average, more than 40% of companies are attacked more than once, and 16% more than 5 times. There is a clear trend towards repeat attacks, and attackers do not appear to be deterred by failed attempts or by the realization that their target is well protected.
Application-level attacks use botnets to open many TCP connections to the server in order to exhaust its resources. To disguise their nature, these bots use fake HTTP User-Agent headers, usually imitating the most popular browsers. Some advanced bots can emulate browser-like behavior, for example storing cookies and parsing JavaScript. Such bots can fool many basic security systems that rely solely on these factors to identify “fake” users.
The evolution of bots reflects the development of application-level attack tools. 24% of DDoS bots belong to the “advanced” type, meaning they can pass basic security checks. In Q1 2016 the share of such bots reached a record 36.6%.
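To make the two paragraphs above concrete, here is an added example of layered client classification over constructed access-log lines (not code from the report or from Imperva/Incapsula). A spoofed browser User-Agent is ignored as evidence; cookie handling and fetching a JavaScript challenge screen out basic bots; and an advanced bot that passes both checks is caught only by its request rate. The log format, the challenge cookie name "chal", the "/challenge.js" path, the thresholds and every log line are assumptions constructed for the example.

```python
"""Layered classification of HTTP clients during an application-layer flood.

Added example, not code from the report or from Imperva/Incapsula. The log
format, the challenge cookie name "chal", the "/challenge.js" path, the
thresholds and all log lines below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, client IP, quoted User-Agent,
# Cookie header value ("-" when absent), method, path.
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (\S+)$')

CHALLENGE_COOKIE = "chal"            # set only after the JS challenge is solved (assumption)
CHALLENGE_SCRIPT = "/challenge.js"   # fetched and executed by real browsers (assumption)
RATE_LIMIT_RPS = 5.0                 # sustained per-client rate treated as abusive (assumption)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, ip, ua, cookie, method, path = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "ua": ua,
        "has_cookie": f"{CHALLENGE_COOKIE}=" in cookie,
        "path": path,
    }


def classify_clients(lines):
    """Return {ip: verdict}; verdict is 'browser', 'basic bot', 'advanced bot'
    or 'unclassified' (a single request is not enough evidence)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in by_ip.items():
        if len(recs) < 2:
            verdicts[ip] = "unclassified"
            continue
        recs.sort(key=lambda r: r["ts"])
        # Capabilities observed on the wire, independent of the claimed User-Agent.
        keeps_cookies = any(r["has_cookie"] for r in recs[1:])  # first request cannot carry it yet
        ran_js = any(r["path"] == CHALLENGE_SCRIPT for r in recs)
        # Sustained request rate over the client's observed window (floor of 1 s).
        span = max((recs[-1]["ts"] - recs[0]["ts"]).total_seconds(), 1.0)
        rps = len(recs) / span
        if not (keeps_cookies and ran_js):
            verdicts[ip] = "basic bot"        # UA may say "Chrome", behaviour says otherwise
        elif rps > RATE_LIMIT_RPS:
            verdicts[ip] = "advanced bot"     # passes the checks, but no human clicks this fast
        else:
            verdicts[ip] = "browser"
    return verdicts


def constructed_log():
    """Three constructed clients: a real browser, a basic bot with a spoofed
    Chrome User-Agent, and an advanced bot that handles cookies and JS."""
    base = datetime(2016, 3, 1, 10, 0, 0)
    chrome = "Mozilla/5.0 (Windows NT 6.1) Chrome/49.0"
    firefox = "Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0"

    def line(offset, ip, ua, cookie, method, path):
        stamp = (base + timedelta(seconds=offset)).isoformat()
        return f'{stamp} {ip} "{ua}" {cookie} {method} {path}'

    log = [  # real browser: fetches the challenge, then presents the cookie, ~1 req/s
        line(0.0, "198.51.100.10", chrome, "-", "GET", "/"),
        line(0.3, "198.51.100.10", chrome, "-", "GET", CHALLENGE_SCRIPT),
        line(0.8, "198.51.100.10", chrome, "chal=k7f2", "GET", "/"),
        line(5.0, "198.51.100.10", chrome, "chal=k7f2", "GET", "/account"),
    ]
    # basic bot: Chrome UA, never fetches the script, never returns a cookie
    log += [line(0.2 * i, "203.0.113.5", chrome, "-", "POST", "/login") for i in range(10)]
    # advanced bot: solves the challenge and keeps the cookie, then floods
    log += [line(0.0, "203.0.113.77", firefox, "-", "GET", "/"),
            line(0.1, "203.0.113.77", firefox, "-", "GET", CHALLENGE_SCRIPT)]
    log += [line(0.2 + 0.05 * i, "203.0.113.77", firefox, "chal=q9z1", "POST", "/search")
            for i in range(40)]
    return log


if __name__ == "__main__":
    for ip, verdict in classify_clients(constructed_log()).items():
        print(f"{ip:>14}: {verdict}")
```

The design point is that each layer answers a different question: the cookie and script checks test what the client can do rather than what it claims to be, and only the rate check distinguishes a fully browser-like bot from a person, which is exactly the gap the report's "advanced" bots exploit against systems that stop at the first two checks.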
Attack Geography Trends
As for the geographical distribution of attack sources, China remains the leader: in three of the four quarters it was the main source of botnet activity.
An interesting trend is the sharp increase in bot traffic from South Korea. In particular, in Q1 2016 almost a third of application-level DDoS traffic came from South Korea. This is not surprising given the country’s powerful Internet infrastructure: its high-speed backbone lets botnet operators push more outgoing traffic. This is unlikely to last, as the South Korean authorities are increasing their investment in cybersecurity.
The geography of the “victims” remained broadly the same. Since attackers usually aim at extortion or at cyber-vandalism for attention, the targets are mostly companies in highly developed countries.
Special mention should be made of the surge in DDoS attacks in the UK over the last six months. The peak came in Q4 2015, after which the trend declined, but the period saw several highly professional attacks, such as the “collapse” of the BBC, HSBC and Irish National Lottery sites.
During the study period, most attacks used botnets built on variants of Nitol, Cycloe and PC Rat. On average these accounted for 55.1% of all botnet attacks.
In Q2 and Q3 2015 there were multiple attacks from home and office routers infected with Mr.Black malware. Attackers also used the Sentry MBA password-attack tool, which can serve as a DDoS tool when run at a high request rate.
In Q1 2016 there was a rise in Generic!BT botnet activity, mainly from Russia and Ukraine, accounting for 12.8% of botnet activity that quarter.
Conclusion
In conclusion, we note once again two important points:
- Basic DDoS attacks are becoming more common because of DDoS-for-hire services. Now even a user with little IT knowledge can order such an attack for a trivial sum simply because he is annoyed with your company’s support service.
- At the high end of DDoS attack sophistication, methods and tools evolve constantly, which argues for monitoring such trends and investing in IT security tools.