Global DDoS Threat Landscape

Transcription

1 DDOS REPORT Global DDoS Threat Landscape

2 Crypto-industry continues to be targeted The young industry was ranked number five for most attacks and number eight for most targets. Persistent attacks grow more common Roughly two thirds of all DDoS attack targets were hit with repeat assaults. Number of application attacks doubles On average we mitigated 237 attacks a week, compared to 135 in the prior quarter. HK and US are the most attacked countries Seven out of the top-10 countries targeted by network layer assaults were in the APAC region. 2

3 was characterized by a steep 50 percent decrease in the total number of network layer assaults compared to the prior quarter, while attack frequency fell from 302 to 147 a week. Application layer attacks, on the other hand, nearly doubled quarter over quarter. On average, Imperva Incapsula services mitigated 237 application layer attacks each week in the fourth quarter of 2017, compared to 135 application layer attacks each week in the third quarter of The majority of network layer assaults targeted internet and web service providers, gambling sites, gaming sites and the IT/software industry. Notably, after making an appearance in Q3, the cryptocurrency industry continued to rise up on the top attacked industries list, drawing 3.7 percent of attacks and representing 2.4 percent of targets. On the most attacked countries lists, Hong Kong and the US had the dubious honor of topping the charts for most attack targets. Collectively, sites hosted in these countries drew 54.3 percent of network attacks and the United States also drew 76.4 percent of application attacks in the last quarter of the year. Notably, an unusually high number of network DDoS assaults targeted businesses in APAC countries this quarter. Seven of the top-10 attacked countries were located in this region, which drew a combined 68.9 percent of all network layer attacks. Finally, saw an increase in the number of sophisticated DDoS attack bots, with 16.9 percent capable of bypassing commonplace security challenges (i.e., JS challenges). This represented a significant increase from the previous quarter, when only 6.4 percent of bots displayed any bypass capabilities. 3

4 Network layer attack rates scaled down in size in. While 3.7 percent of assaults reached above 50 Gbps in size, compared to 8.6 percent in Q3 2017, only 0.7 percent of attacks reached a rate higher than 50 Mpps, compared to five percent last quarter. The largest attack this quarter peaked at 335 Gbps, slightly higher than the largest attack of Q3 2017, which reached 299 Gbps. This time, the Imperva Incapsula network was targeted likely a result of our IP masking service, which disguises customer IP addresses with our own, leaving offenders no choice but to attack our platform. The highest attack rate of, recorded during the above-described assault, came in at 143 Mpps. This represented a decline from the 238 Mpps attack rate seen in the previous quarter. Similar to previous quarters, the vast majority of attacks in came in below 10 Gbps (81.6 percent) and 10 Mpps (94.7 percent). These low volume and low rate assaults can be attributed to DDoS-for-hire activity. Fig. 1: Network layer attack sizes Fig. 2: Network layer attack rates 4

5 Hong Kong topped the most attacked countries list for the second quarter in a row in, this time drawing 32.6 percent of all network layer assaults. Unlike in Q3 2017, when most of the attack data out of Hong Kong was connected to a single target, Q4 saw a number of major campaigns directed at three local internet providers, one of which was hit more than 240 times. This quarter, Taiwan and the Philippines once again claimed the top two spots on the list of attacked countries by target together, they hosted more than a third of all network layer attack victims. Surprisingly, Australia made it on to the same list with just 1.5 attacks per target on average. Fig. 3: Network layer: In, internet providers drew more than half of all network layer assaults, once again topping our list of the most targeted industries according to number of attacks. On average, each target was hit 64 times throughout the quarter. This category includes ISPs, web hosting services, ASPs and other core infrastructure providers businesses that often support thousands of websites, inherently exposing themselves to a high number of attacks. For example, a web hosting service used by several hundred businesses (and thousands of domains) is more likely to be attacked, especially if those businesses belong to a high-risk industry, e.g., gaming and gambling. 5

6 DDoS perpetrators continued to target the cryptocurrency industry this quarter, which came in at number five on the list of most targeted industries according to number of attacks. This was largely the result of an intensive DDoS campaign waged against a cryptocurrency exchange. As before, we attribute these attacks to the price of bitcoin, which continued to skyrocket in the last quarter of the previous year. The price increase, combined with extensive media coverage, made the industry a lucrative attack target. More so, many of its businesses are relatively new and, as such, are more likely to be under protected. In, for the second quarter in a row, gambling and gaming took the top two spots on the list of most attacked industries according to number of targets. This wasn t surprising, as we ve regularly seen DDoS offenders attack websites associated with both of these industries. Fig. 4: Network layer:, according to number of attacks Fig. 5: Network layer:, according to number of targets 6

7 saw an increase in attack duration, with 10 percent of network layer assaults lasting longer than six hours, up from 7.5 percent in the previous quarter. Meanwhile, average attack duration was 1.3 hours this quarter, compared to 1.2 hours in Q The longest attack of the quarter lasted less than a day, a significant decrease from last quarter s more than five and a half day assault. Fig. 6: Network layer: increased in 67.4 percent of targets were attacked at least twice, compared to 57.7 percent in Q3. However, the number of targets exposed to six or more attacks, as well as those hit more than 10 times remained steady quarter over quarter, at 35 percent and 29 percent respectively. Fig. 7: Network layer: 7

8 Amplification attack vectors remained popular among DDoS offenders in. DNSamplification assaults increased from an already steep 15.9 percent to 17 percent quarter over quarter. NTP-amplification attacks also remained high at 32.9 percent this quarter, after reaching 36.9 percent in Q SYN, TCP and UDP floods continued to be the most popular non-amplified attack vectors this quarter, albeit at decreased rates from Q Meanwhile, the use of DNS-flood attacks increased from 11.1 percent last quarter to 19.6 percent in. Fig. 8: Network layer: saw a decrease in multi-vector attacks, with just four percent of network assaults using five or more vectors, compared to seven percent in Q3. In total, multi-vector attacks fell from 70.2 percent to 55 percent quarter over quarter. Fig. 9: Network layer: 8

9 How are network layer DDoS attacks measured? Network layer DDoS attacks are measured in Mpps (million packets per second) and Gbps (gigabits per second). What s the difference between Mpps and Gbps? Mpps measures the rate at which packets are delivered (a.k.a. forwarding rate) while Gbps measures the total load placed on a network (a.k.a. throughput). From a mitigation point-of-view, it s important to be aware of both metrics, as they can each be bottlenecked by DDoS traffic. For example, if your mitigation solution has the capacity to handle 80 Gbps and process packets at a rate of 10 Mpps, a 40 Gbps DDoS attack at a rate of 20 Mpps can still bring down your network, even if it doesn t surpass your total capacity. Learn more about throughput and forwarding rates. Why are some countries targeted more than others? Generally, for-profit DDoS perpetrators are interested in targeting wealthy countries with developed digital markets. A lack of anti-cybercrime legislation or enforcement is also a contributing factor, as some for-profit and non-profit attackers go after local targets. Finally, countries that serve likelyto-be-targeted industries, e.g., gambling, are more prone to attack. Why are some industries targeted more than others? Attacker motivation typically determines why a specific industry is frequently targeted by DDoS perpetrators. Motivations can be broken down into the following categories: Business competition In a competitive industry, such as gambling, a DDoS attack can be used to take down a rival website. Extortion Certain industries, e.g., ecommerce, are very dependent on their online presence and are easy prey for perpetrators extorting money in exchange for keeping a specific website online. 9

10 Hacktivism Hacktivists typically target political, media or corporate websites to protest their actions. Vandalism Cyber vandals, typically disgruntled users or random offenders, often attack gaming services or other high-profile targets. Learn more about DDoS attackers and their motivations. What influences the duration of a network layer attack? The length of a DDoS attack largely comes down to the resources at a perpetrator s disposal. Shorter attacks are typically associated with DDoS-for-hire services (a.k.a. booters or stressers) that can be rented to launch short-lived attacks, usually lasting under 30 minutes. Longer attacks are almost always the work of more professional bad actors using their own botnets, which can carry out persistent assaults. Are short attacks a real threat? Yes. The length of an attack is not correlated with the duration of a site s downtime. While a website (or web service) can be taken down in minutes, it usually takes hours for it to recover. Additionally, a short attack might be part of a repeat assault, in which a target is hit with multiple short bursts. This method is commonly used to bypass mitigation solutions that rely on manual activation, or are otherwise slow and cumbersome to deploy. Why do perpetrators continue attacking a protected target? There are a number of reasons to repeatedly attack a protected target, including: It s common for perpetrators to change methods and try different attack vectors in an attempt to break through a site s defenses. The price of executing an attack is extremely low. If a first attempt fails, a perpetrator can try again (and again), even if their chances of success are slim. For certain perpetrators, e.g., those executing pulse wave attacks, repeat assaults are part of their MO. What types of enterprises are more likely to be targeted by persistent attacks? Generally speaking, large organizations are more likely to be the targets of persistent attacks, which are often initiated by competitors or skilled extortionists. 10

11 Why would a perpetrator use different attack vectors? For DDoS offenders, switching between different attack payloads (i.e., different types of network packets) is an attempt to bypass a network s filtering mechanisms. What s the difference between amplified and non-amplified attack vectors? Amplified attacks vectors, such as DNS and NTP, are executed through a third party, e.g., an open DNS server. Conversely, non-amplified attacks are executed using a perpetrator s botnet. Why do perpetrators launch multi-vector attacks? In a multi-vector attack, different streams of payloads (network packets) are simultaneously sent to a target. This can help a perpetrator bypass an enterprise s security mechanisms, which are not equipped for complex filtering and might allow some of these streams to reach their target. What do multi-vector attacks tell us about a perpetrator? A multi-vector assault requires more resources and skill than a single-vector attack. The more sophisticated a bad actor is, the more likely such techniques are to be employed in their assaults. 11

12 The largest application layer attack of came in at 138,990 RPS, slightly higher than last quarter. There was a decline, however, in overall average attack size. Specifically, just 15.7 percent of attacks clocked in at higher than 1,000 RPS, compared to 20.6 percent last quarter. Notably, more than half of all attacks this quarter were between 100-1,000 RPS, up from 43.5 percent in Q The data points to an increase in activity by non-professional offenders, who typically mount smaller sized assaults using attack scripts and DDoS-forhire services. Fig. 10: Application layer attack sizes Top Targeting and Attacking Counties In, the US, Israel and Singapore topped our list of the most targeted countries according to number of attacks. In total, the US was on the receiving end of 76.4 percent of all assaults, a steep increase from 53.3 percent last quarter. The US also served as home to 80.5 percent of attack victims, placing it in first place on our list of attacked countries according to number of targets. Fig. 11: Application layer: 12

13 Similar to previous quarters, the majority of attacks in Q4 lasted between 30 minutes and six hours. Attacks lasting more than six hours, however, increased from 9.7 percent in Q to 12.4 percent this quarter. We also saw an uptick in application layer assaults under 30 minutes, which jumped from 17.1 percent to 20.1 percent quarter over quarter. Fig. 12: Application layer: In, there was a notable increase in attack persistence. In total, 63.3 percent of targets were exposed to multiple DDoS attacks, compared to 46.7 percent in the previous quarter. At the same time, 25.1 percent of attack victims were hit six or more times, compared to just 15.5 percent in Q Fig. 13: Application layer: 13

14 In, the number of sophisticated bots with bypass capabilities, i.e., those that are either able to bypass cookie challenges or parse JavaScript, shot up to 17 percent, compared to seven percent in the previous quarter. Moreover, 16.1 percent of bots this quarter were able to bypass both cookie and JavaScript challenges, a steep increase from 1.8 percent in Q Fig. 14: Application layer: 14

15 How are application layer DDoS attacks measured? Application layer DDoS attacks are measured in RPS (requests per second). How many RPS does an attack need to take down a website? An application layer attack s success depends on the amount of workload that a single request can force on a target server. For example, a request that downloads an image file is far less resource-intensive than a request that initiates a string of API calls. That said, many websites work on relatively low operational margins and can be taken offline by just a few dozen well-placed requests. There aren t many that can handle an additional 10,000 RPS, which is equal to 36 million requests an hour. What is the difference between a network and application layer DDoS attack? The main difference between the two DDoS attack types is that they target different resources. A network attack attempts to clog network pipes, while an application layer attack seeks to deplete resources, e.g., CPU and RAM. This translates into further differences in the ways these attacks are executed. It also means that mitigating each of these threats requires a significantly different set of security methods and skills. In fact, outside of some superficial similarities, application and network layer attacks are two very different types of threats. Why are some countries targeted more than others? Generally, for-profit DDoS perpetrators are interested in targeting wealthy countries with developed digital markets. A lack of anti-cybercrime legislation or enforcement can also be a contributing factor, as some for-profit and non-profit attackers go after local targets. Finally, countries that are home to likely-to-be-targeted industries, such as gambling, are at greater risk of being targeted. s What influences the duration of an application layer attack? Similar to network layer attacks, the duration of an application layer attack largely depends on the resources at a perpetrator s disposal. That said, application layer assaults are easier to execute and sustain, as even a sizeable attack of several thousand RPS can be launched from a single computer. 15

16 Why do perpetrators continue attacking a protected target? Similar to network layer attacks, perpetrators will repeatedly attack a protected target because it s so cheap many offenders see no point in quitting, even if the chances for success are slim. Additionally, launching application layer attacks is easy and can even be done from a home PC or a very small amount of botnet devices. 16

17 Similar to last quarter, China, Vietnam and the US continued to serve as the main hubs for DDoS activity in. While the US and Vietnam s attack footprint decreased slightly this quarter, the botnet traffic out of China more than doubled. Meanwhile, the number of active botnet devices operating from its territory increased by more than 50 percent. Indian and Turkish botnet activity receded in, following its rapid increase in the previous two quarters. That said, Turkey still maintained a presence on the top-10 list for both attack traffic output and active botnet devices. Fig. 15: Botnet location How can you accurately identify botnet geolocation despite IP spoofing? IP spoofing is the practice of faking a source IP to avoid backtracking and blacklisting. In theory this makes IP geo-data collected during DDoS attacks unreliable. IP spoofing, however, is only possible with a network layer attack. In an application layer assault, IPs cannot be spoofed, as a full TCP connection has to be established before a request is sent. This is why we only use data from application layer attacks to identify bot location. Learn more about IP spoofing. 17

18 Why do some countries generate more botnet activity than others? There are a lot of factors that come into play here. Broadly speaking, however, the two most impactful reasons are: Security awareness Countries in which users have adopted digital security policies are better equipped to detect botnets inside their borders. Connected devices As a rule, a high number of connected devices open up more opportunities for botnet herders. 18

19 Our analysis is based on data from 1,916 network layer and 3,079 application layer DDoS attacks on websites using Imperva Incapsula services from October 1, 2017, through December 31, 2017 referred to herein as the fourth quarter of 2017 or. Information about DDoS bot capabilities and assumed identities comes from a random sample of 36.7 billion DDoS attack requests collected from such assaults over the same period of time. DDoS attack A persistent, distributed denial of service event against the same target (e.g., IP address or domain). A single attack is preceded by a quiet (attack free) period of at least a sixty minutes, and followed by another quiet period of the same duration or longer. Network layer attack An assault against either the network or transport layers (OSI layers 3 and 4). Its goal is to cause network saturation by expending much of the available bandwidth. It s typically measured in gigabits per second (Gbps), referring to the amount of bandwidth it can consume per second. Application layer attack An assault occurring on OSI layer 7. Its goal is to bring down a server by exhausting its processing resources (e.g., CPU or RAM) with a high number of requests. It s measured in requests per second (RPS) the number of processing tasks initiated per second. Such attacks are executed by DDoS bots able to establish a TCP handshake to interact with a targeted application. Botnet A cluster of compromised, malware-infected devices remotely controlled by an offender. Device owners are unaware of their system participation. DDoS bot A malicious software application (script) used by a perpetrator. So-called bad bots only come into play in application layer attacks, where a TCP connection is established. They typically masquerade as browsers (human visitors) or legitimate bots (e.g., search engine crawlers) to bypass security solutions Payload In the context of this study, a payload is a packet type used in a network layer assault. It s fabricated by an attack script and can often be altered on the fly. In many cases, multiple payload types are used simultaneously during the course of a single event. 19

20 What s next To learn more about the business effects of DDoS attacks, read this free DDoS Impact Report. To estimate the potential cost of DDoS to your business, use our free DDoS Cost Calculator. For more information about Incapsula DDoS protection services, visit Try a 14-day Free Trial No software to download or equipment to hook up Getting started is easy and requires only a DNS change Includes load-balancing and web application acceleration Get Started Today Questions? Contact us About Imperva Incapsula Imperva Incapsula is a cloud-based application delivery service that protects websites and increases their performance, improving end user experiences and safeguarding web applications and their data from attack. Incapsula includes a web application firewall to thwart hacking attempts, DDoS mitigation to ensure DDoS attacks don t impact online business assets, a content delivery network to optimize web traffic, and a load balancer to maximize the potential of web environments. WEBSITE SECURITY DDOS PROTECTION Application Delivery LOAD BALANCER CONTENT DELIVERY NETWORK Only Incapsula provides enterprise-grade website security and performance without the need for hardware, software, or specialized expertise. Unlike competitive solutions, Incapsula uses proprietary technologies such as client classification to identify bad bots, and big data analysis of security events to increase accuracy without creating false positives. 2018, Imperva, Inc. All rights reserved. Imperva, the Imperva logo, SecureSphere, Incapsula, CounterBreach, ThreatRadar, and Camouflage and design are trademarks of Imperva, Inc. and its subsidiaries. All other brand or product names are trademarks or registered trademarks of their respective holders. incapsula.com 20