DDoS Threat Landscape in 3rd Quarter of 2017

DDoS Threat Landscape in 3^rd Quarter of 2017

They're getting more powerful and persistent. This is how Imperva Incapsula described the global distributed denial-of-service (DDoS) threat landscape in the 3rd quarter of 2017.

In its Global DDoS Threat Landscape Q3 2017, Imperva Incapsula defined DDoS attack as a “persistent, distributed denial of service event” against a particular IP address or domain. Imperva Incapsula considers a DDoS attack as a single attack when it’s conducted at least 60 minutes, held prior to an attack-free period and followed by another attack-free period of the same duration or longer.

“In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer,” the United States Computer Emergency Readiness Team (US-CERT) defines DDoS attack. “By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is ‘distributed’ because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.”

Imperva Incapsula identifies two types of DDoS attacks: network layer attack and application layer attack.

Network layer attack is defined as a DDoS attack that causes network saturation by consuming much of the available bandwidth. Attack under this type is measured in million packets per second (Mpps) and gigabits per second (Gbps) – referring to the amount of bandwidth it can consume per second.

Application layer attack, meanwhile, is defined as a DDoS attack for the purpose of bringing down a server by exhausting its processing resources – CPU or RAM – with a high number of requests. Attack under this type is measured in requests per second (RPS) – referring to the number of processing tasks initiated per second.

Network Layer DDoS Attacks

In terms of network layer attacks, 90.2% were under 10 Mpps, 4.8% between 10-50 Mpps, 2.1% between 50-100 Mpps and 2.9% above 100 Mpps. The largest network layer attack recorded last quarter reached 299 Gbps.

According to Imperva Incapsula, attacks under 10 Mpps were mostly the result of DDoS-for-hire activities.

 

On average, each network layer attack target suffered 17.7 attacks in the span of the quarter, while the most repeatedly attacked victim encountered 714 attacks in the span of the quarter.

Top Attacked Industries

The Imperva Incapsula report showed that online gambling is the number one industry targeted by network layer DDoS attackers (34.5%), followed by gaming (14.4%), internet services (10.8%), financials (10.1%), retail (5.8%), IT and software (5.8%), media and publishing (5.8%), cryptocurrency or bitcoin platforms (3.6%), transportation (2.2%) and telecom (1.4%).

The following reasons were put forward why over a third of the network layer DDoS attacks were targeted on gambling sites and related services:

• Reliance on web structure for operation which in return exposes this industry to DDoS extortion attempts
• Highly competitive and are commonly targeted by rival companies
• Originate from users either trying to influence the outcome of a game or just trying to vent their frustrations

The report also found that 3 out of 4 of bitcoin sites were attacked in the last quarter. The relatively high number of DDoS attacks on cryptocurrency exchanges and services observed in the 3^rd quarter of 2017 was attributed to the recent staggering spike in the price of bitcoin, which more than doubled in the period of the quarter.

Top Attacked Countries

Hong Kong was the most targeted with 31% of the total global network layer DDoS attack, followed by the US (19%), Germany (12.8%), Philippines (7.6%), China (7.2%), Taiwan (7.1%), Singapore (4.4%), Malaysia (3.9%), Japan (0.8%) and Canada (0.8%).

Almost a third of the network layer DDoS attacks last quarter went to Hong Kong as a result of a large-scale campaign against a Hong Kong-based hosting service provider. Taiwan and the Philippines also made it to the top 10 list as a result of large campaigns targeting gambling websites in these countries.

Application Layer DDoS Attacks

In terms of application layer DDoS attacks, on average, each victim suffered 17.7 attacks in the span of the quarter, while the most repeatedly attacked victim encountered 714 attacks in the span of the quarter.

The US ranked as the most targeted country in terms of application layer DDoS attack (53.3%), followed by Netherlands (8.8%), Singapore (6.3%), Belgium (5%), Italy (4.4%), Germany (3.9%), Russia (3.1%), Japan (3.1%), Hong Kong (1.8%) and Australia (1.5%).

DDoS BOTNET

Imperva Incapsula’s global DDoS threat report for the 3^rd quarter of 2017 showed that attackers use botnet – a group of malware-infected IoT devices – in carrying out DDoS attacks. These malware-infected IoT devices are remotely controlled by attackers and device owners have no knowledge that their devices are used for DDoS attacks.

In terms of attack requests, 16.9% came from China, 7.6% from Vietnam, 7.2% from Turkey, 5.7% from the US and 4% from India. Meanwhile, in terms of the number of attacking devices, 42.5% came from China, 11.1% from the US, 5.4% from Vietnam, 2.9% from India and 2.2% from Turkey.

DDoS Mitigating Measures

The main distinction between network layer DDoS attack and application layer DDoS attack is that they target different resources. A network layer DDoS attack tries to clog the network, for instance, consuming much of the available bandwidth, while application DDoS layer attempts to drain resources like CPU and memory.

As these 2 types of DDoS attacks target different resources, the attacks are also executed differently. Considering that these 2 types of DDoS attacks target different resources and are executed differently, mitigating each of these DDoS threats needs a substantially different set of security methods.

It’s also important to take into consideration the difference between Gbps and Mpps for mitigation purposes.

Gbps is defined as the measure of the total load placed on a network, also known as throughput, while Mpps is defined as a measure of the rate at which packets are delivered, also known as forwarding rate.

For instance, if your organization’s DDoS mitigation solution has the capability to handle 100 Gbps and process packets at a rate of 20 Mpps, a 50 Gbps DDoS attack at a rate of 40 Mpps can still bring down your organization’s network.

Adding a guaranteed DDoS mitigation to your application or network does not have to be complicated, and does not require an upfront investment. Connect with us today to better understand all available option, and secure your web applications and networks.