Imperva Incapsula's latest DDoS Threat Landscape Report details the changes in DDoS attack patterns

February 2016 by Imperva

Imperva Incapsula's latest DDoS Threat Landscape Report details the changes in DDoS attack patterns during the final months of 2015. The report was compiled using data from 3,997 network layer and 5,443 application layer DDoS attacks mitigated by Imperva Incapsula services from October 1 through November 29, which we refer to as Q4 or the fourth quarter.

This information helps anticipate the DDoS threats organizations may face in 2016, while also heralding changes in how the security industry approaches DDoS mitigation.

Highlights

25.3 percent increase in network layer attacks from last quarter (calculated after factoring in Incapsula user base growth), adding to the 108.5 percent increase in the previous quarter.

The largest network layer attack peaked at 325 Gbps and 115 Mpps. This made it one of the largest DDoS attacks to date.

75.6 percent of attacks were single vector and 82.9 percent were under 30 minutes. These figures point to increased activity of DDoS-for-hire services, known for their short single-vector bursts. They also reflect a shift in perpetrators' MO that favors repeated burst attacks used to conduct wars of attrition, with multiple attacks being launched in the span of a few hours.

An increase in the number of high-rate (high Mpps) attacks that use smaller-sized network packets (e.g., SYN and TCP floods). Such assaults force operators to think in terms of processing capacity (Mpps), rather than network bandwidth (Gbps), when considering their infrastructure's soft spots.
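The Mpps-versus-Gbps point above is easiest to see with numbers. The following is an added capacity-planning example, not code or data from the Imperva report: it converts between packet rate and wire bandwidth for a given frame size and reports which limit a flood hits first. The `Capacity` profile values are constructed assumptions; the 20-byte Ethernet preamble plus inter-frame gap and the 64-byte minimum frame are standard Ethernet figures.

```python
# Added example (not from the Imperva report): why a flood of small packets
# exhausts packet-processing capacity (Mpps) long before link bandwidth (Gbps).
from dataclasses import dataclass

ETHERNET_OVERHEAD_BYTES = 20  # preamble (8) + inter-frame gap (12) consumed on the wire
MIN_FRAME_BYTES = 64          # smallest Ethernet frame; a bare TCP SYN is padded up to this


@dataclass(frozen=True)
class Capacity:
    """Constructed capacity profile for an edge device or scrubbing path (assumed values)."""
    link_gbps: float   # raw link bandwidth the device is attached to
    max_mpps: float    # packets per second the device can forward or inspect


def gbps_from_mpps(mpps: float, frame_bytes: int) -> float:
    """Wire bandwidth (Gbps) consumed by `mpps` million packets/s of `frame_bytes`-sized frames."""
    bits_per_frame = (frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8
    return mpps * 1e6 * bits_per_frame / 1e9


def mpps_from_gbps(gbps: float, frame_bytes: int) -> float:
    """Packet rate (Mpps) implied by `gbps` of traffic made of `frame_bytes`-sized frames."""
    bits_per_frame = (frame_bytes + ETHERNET_OVERHEAD_BYTES) * 8
    return gbps * 1e9 / bits_per_frame / 1e6


def first_bottleneck(cap: Capacity, frame_bytes: int) -> tuple[str, float]:
    """
    Return which limit a flood of `frame_bytes`-sized packets hits first ("pps" or
    "bandwidth") and the wire bandwidth in Gbps at which that happens.
    Small frames exhaust the packet-processing budget while the link is still
    mostly idle; large frames fill the link before the pps budget is reached.
    """
    gbps_at_pps_limit = gbps_from_mpps(cap.max_mpps, frame_bytes)
    if gbps_at_pps_limit < cap.link_gbps:
        return ("pps", round(gbps_at_pps_limit, 3))
    return ("bandwidth", round(cap.link_gbps, 3))


if __name__ == "__main__":
    edge = Capacity(link_gbps=10.0, max_mpps=2.0)  # assumed profile
    # A fully saturated 10 GbE link carries ~14.88 Mpps of minimum-size frames ...
    print("10 GbE at 64-byte frames:", round(mpps_from_gbps(10.0, MIN_FRAME_BYTES), 2), "Mpps")
    # ... but a 2 Mpps device drops at ~1.3 Gbps of SYN flood, with 87% of the link unused.
    print("SYN flood bottleneck:", first_bottleneck(edge, MIN_FRAME_BYTES))
    print("1500-byte flood bottleneck:", first_bottleneck(edge, 1500))
```

Running the script with the assumed profile shows the asymmetry the report describes: the same device that comfortably passes 10 Gbps of full-size frames fails at roughly 1.3 Gbps of minimum-size SYN packets, so a flood rated in Gbps alone says little about whether a given appliance will survive it.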

The longest application layer attack lasted 101 days (and is ongoing). Interestingly, the target of this assault is a relatively small US catering business. This serves as a reminder that DDoS is a communal problem affecting the entire Internet ecosystem. It also shows just how easy it is to sustain a sizable application layer attack; only a few compromised devices are needed to generate enough traffic to take down a mid-sized website and keep it paralyzed for a very long duration.

With regard to frequency, the prior quarter saw a higher ratio of repeated attacks, which increased by 15.3 percent. Part of this trend is the steep increase in targets that were assaulted over 10 times, whose share more than doubled from 5.3 percent to 10.7 percent.

As in previous quarters, US-based websites drew the bulk of DDoS attacks in Q4 2015, being the objective of 47.6 percent of all botnet traffic.

This time they were followed by the UK and Japan—both of which were targeted by significantly more DDoS attacks than they were in the prior quarter. Specifically, attacks against UK-based websites rose from 2.5 percent to 23.2 percent. In Japan, they increased from 1.2 to 8.6 percent.

On the attackers' side, China, South Korea, the US and Vietnam continued to lead the list, with variants of Nitol (33.3%), PCRat (32.8%) and Dirtjumper (5.3%) being the most commonly used attack malware.

3.7 percent of application layer attacks were enabled by a known flaw in the Joomla! Googlemaps plugin. This vulnerability let the perpetrator use the hosting server as a proxy for denial of service, XML injection, cross-site scripting and full-path disclosure attacks.

The plugin was patched long ago to secure against this exploit. Still, the high number of attacks we saw suggests that many websites continue to use one of its vulnerable legacy versions.

Looking at the attack patterns that emerged in the second half of 2015, Imperva sees an increase in the number of short repeated assaults that are used to wage wars of attrition against on-demand DDoS protection services.

The idea behind them is to force the target to repeatedly reactivate their mitigation solutions to the point where the “cure” becomes almost as bad as the “disease” itself.

Clearly, countering such tactics requires a solution that can be rapidly and seamlessly deployed, with a focus on near-instant time to mitigation—something that DDoS protection vendors often struggle to provide.
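The short single-vector bursts, the repeat-attack statistics and the war-of-attrition tactic described above are all visible in a mitigation event log once the events are grouped per target. The following is an added example, not code or data from the Imperva report: it reads a constructed list of mitigation events (target, start, end, attack vectors), counts short single-vector bursts and how many attacks cluster within a sliding window, and flags targets for which an on-demand, activate-per-attack model is likely to be worn down. The thresholds (30 minutes, 6 hours, 3 attacks) are assumptions, not figures from the report.

```python
# Added example (constructed data, not from the Imperva report): spot the
# short, repeated burst pattern that argues for always-on rather than
# on-demand DDoS mitigation.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mitigation log: (target, start, end, vectors). Not real data;
# the long HTTP event mirrors the report's 101-day figure only for illustration.
EVENTS = [
    ("shop.example",  "2015-11-02T09:00", "2015-11-02T09:12", ["SYN"]),
    ("shop.example",  "2015-11-02T09:40", "2015-11-02T09:55", ["SYN"]),
    ("shop.example",  "2015-11-02T11:05", "2015-11-02T11:20", ["UDP"]),
    ("shop.example",  "2015-11-03T09:10", "2015-11-03T09:25", ["SYN"]),
    ("news.example",  "2015-11-05T14:00", "2015-11-05T19:30", ["SYN", "DNS", "HTTP"]),
    ("cater.example", "2015-08-20T00:00", "2015-11-29T00:00", ["HTTP"]),
]

TIME_FMT = "%Y-%m-%dT%H:%M"


def parse(event):
    """Turn one log tuple into (target, start datetime, end datetime, vectors)."""
    target, start, end, vectors = event
    return target, datetime.strptime(start, TIME_FMT), datetime.strptime(end, TIME_FMT), vectors


def summarize(events, burst_minutes=30, window=timedelta(hours=6), repeat_threshold=3):
    """
    Per target, count attacks, short single-vector bursts, the largest number of
    attacks starting within any `window`, and the longest single attack. A target
    is an attrition candidate when it sees at least `repeat_threshold` short
    bursts and at least that many attacks clustered inside one window: each
    burst would force an on-demand service to re-activate mitigation.
    """
    by_target = defaultdict(list)
    for target, start, end, vectors in map(parse, events):
        by_target[target].append((start, end, vectors))

    report = {}
    for target, evs in by_target.items():
        evs.sort()  # chronological by start time
        bursts = sum(
            1 for s, e, v in evs
            if (e - s) <= timedelta(minutes=burst_minutes) and len(v) == 1
        )
        # Sliding window over start times: how many attacks begin within `window`
        # of any given attack (events are sorted, so only look forward).
        max_in_window = 0
        for i, (s_i, _, _) in enumerate(evs):
            n = sum(1 for s_j, _, _ in evs[i:] if s_j - s_i <= window)
            max_in_window = max(max_in_window, n)
        longest_minutes = max(int((e - s).total_seconds() // 60) for s, e, _ in evs)
        report[target] = {
            "attacks": len(evs),
            "short_single_vector": bursts,
            "max_in_window": max_in_window,
            "longest_minutes": longest_minutes,
            "attrition_candidate": max_in_window >= repeat_threshold and bursts >= repeat_threshold,
        }
    return report


if __name__ == "__main__":
    for target, stats in summarize(EVENTS).items():
        print(target, stats)
```

With the constructed log, `shop.example` is flagged (four sub-30-minute single-vector attacks, three of them inside one six-hour window), `news.example` is not (one long multi-vector attack) and `cater.example` is not either, despite a single attack running for 101 days; the two non-flagged cases call for different defenses, which is exactly why the pattern, not just the attack count, matters.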

In addition, in 2016 Imperva expects to see more high-rate attacks. These will require solutions that can handle both high Mpps and Gbps counts—another rare feat for many mitigation solutions.

Interestingly, both of these trends link to an evolution in the mitigation industry, which repeatedly displayed its capability to deal with the traditional long and high-capacity DDoS threats over the course of the year. Now, with that door closed, the perpetrators are forced to think outside of the “100Gbps box” and look for new soft spots in the security perimeter. In the cat and mouse game that is cyber security, it is once again the mouse’s turn to come up with a new trick.