WP 2015–16 Annual DDoS Threat Landscape Report | Imperva

2015–16 Annual DDoS Threat Landscape Report

In the Imperva Incapsula DDoS Threat Landscape Report, we share detailed information about the latest attack trends, using data collected in the course of mitigating thousands of DDoS assaults against Imperva Incapsula customers.

Leveraging this real-world data, we profile the current evolution of the DDoS threat landscape—preparing you for the threats of today while predicting the challenges you’ll likely face tomorrow.

Read on for some of the key takeaways or download the full report here.

Highlights

DDoS attacks increase in number and frequency

From April 1, 2015, through March 31, 2016, Imperva Incapsula mitigated an average of 445 attacks per week targeting its customers. As the graph below (Figure 1) shows, the number of both network and application layer attacks doubled over that period.

Application layer assaults accounted for the majority (60 percent). But looking closer, their relative number has been trending downward—dropping by more than five percent year over year. If this continues, network layer attacks could be as commonplace as their application layer counterparts by 2018.

Figure 1 – Average number of DDoS attacks per week

The uptrend in DDoS attacks is fueled by:

  • Increased use of DDoS-for-hire services (a.k.a., stressers or booters), the number of which climbed from 63.8 percent in Q2 2015 to 93 percent in Q1 2016.
  • The use of hit-and-run tactics, in which a single assault is executed through multiple consecutive attack bursts.

Notably, more than 40 percent of targets were attacked more than once, while 16 percent were targeted more than five times.

Figure 2 – DDoS attack frequency

Looking at data across the four quarters, you can observe an uptick in repeated attack events, which have increased from 29.4 percent in Q3 2015 to 49.9 percent in Q1 2016. This showcases the tenacity of DDoS offenders, many of whom persist in trying to take a target down even after multiple failed attempts.

Network layer attacks grow larger and smarter

Figure 3 – Network layer peak attack sizes

During the past 12 months, Incapsula mitigated multiple attacks exceeding 200 Gbps (Gigabits per second), making them almost a regular occurrence.

The bar was raised to a new high during the second quarter as we protected one customer from a multi-vector, 470 Gbps attack—the largest we’ve seen to date. Its details provide an interesting case study as to the increasing complexity of network layer DDoS events.

The case study shows how perpetrators have taken to using small payloads (network packets) to achieve both high packet forwarding rates and high throughput capacity. By pushing high packet forwarding rates, they’re attempting to exploit a design oversight in current-generation mitigation appliances, the majority of which can’t handle such high Mpps (million packets per second) processing loads.

Alarmingly, such attacks are becoming increasingly common. In Q1 2016 we mitigated an 80+ Mpps attack every eight days. More than a few exceeded 100 Mpps, with the largest peaking at 300 Mpps.

Figure 4 – The face of a new threat—high rate attack peaking at 300 Mpps

Application layer attacks target mitigation solutions

Similar to the aforementioned high Mpps attacks, this past year offered multiple examples of new application layer assaults crafted to bypass mitigation solutions.

One prominent case involved a uniquely executed HTTP flood attack, in which the target was bombarded by abnormally large POST (upload) requests. The attack exploited a nuanced soft spot of hybrid DDoS mitigation setups, highlighting the degree of understanding some perpetrators now have about the inner workings of anti-DDoS solutions.

The trend was also exemplified by an increased use of advanced attack bots. They exhibited browser-like traits, including being able to retain cookies and parse JavaScript.

On average, our records show that 24 percent of DDoS bots were so-called advanced attackers—able to bypass at least some of the rudimentary security tests. In Q1 2016, their number rose to a record high of 36.6 percent.

Figure 5 – DDoS bot capabilities

Download the full report to learn more about other attack trends, including:

  • The effect of botnet-for-hire services on the DDoS ecosystem
  • An increase in DDoS attacks targeting UK-based businesses
  • Latest statistics of DDoS attack durations
  • Most commonly used DDoS botnets
  • Reasons for DDoS activity spike emanating from South Korea

And more.

Do you have any questions about the information found in this report or Incapsula security services? Let us know in the comments below.