Imperva Incapsula’s latest Global DDoS Threat Landscape Report is an analysis of more than 17,000 network and application layer DDoS attacks mitigated by our services during Q1 2017.

For the fourth quarter in a row we saw a decrease in the number of network layer assaults, which fell to 269 per week compared to 568 in Q2 2015. In contrast, we saw yet another spike in the number of application layer assaults, which reached an all-time high of 1,099 per week.



Figure 1: Number of attacks per week, by attack type

The largest application layer attack we mitigated this quarter peaked at over 176,000 RPS—already higher than the largest attack we saw in 2016, which peaked at approximately 173,000 RPS.

On a macro level we saw DDoS attacks continue to evolve in terms of complexity and persistence, while also growing shorter in duration.

Read the full report >

Attacks Are Growing Shorter, More Complex and Persistent

In Q1 2017 we witnessed yet another decrease in average attack duration, attesting to the prevalence of botnet-for-hire services (a.k.a. booters or stressers). that enable their users to launch short, low-volume bursts. Such attack tools are commonly used by non-professional offenders, often internet trolls who use DDoS to settle a personal dispute or to simply harass their victims.

Overall, 80 percent of all DDoS attacks lasted less than one hour and, for the first time, 90 percent of network layer attacks lasting less than 30 minutes, compared to 78.2 percent in Q4 2016.

At the same time, we continued to observe a higher level of sophistication in DDoS offenders, reflected by a steep rise in multi-vector attacks. In Q1 2017 these accounted for more than 40 percent of all network layer assaults, up from 29 percent in Q4.

Figure 2: Distribution of network layer attacks, by number of attack vectors

In the first quarter of the year we saw attacks grow more persistent. Specifically, 74 percent of targets suffered repeat attacks during the quarter, with 19 percent being attacked 10 times or more—in both cases these numbers were the highest ever on record. In the most extreme case, an established US-based science news website was hit 1,046 times by low-volume bursts lasting 10 minutes or less.

Figure 3: Distribution of application layer attacks, by frequency

In terms of worldwide botnet activity, almost 69 percent of all DDoS attack requests came from China (50.8 percent), South Korea (10.8 percent) and the United States (7.2 percent).

Consistent with previous quarters, the United States, United Kingdom and Japan continued to top the list of most targeted countries. For the first time in the past year, they were joined by Singapore and Israel.

Read the full report >