DDoS in Q1 2016: the turning of tides


Securelist has released a new report on DDoS attacks in the first quarter of 2016. Despite this document mostly revolving around statistics and the extreme severity of DDoS attacks, some details make it feel almost like an entertaining read.

Business security highlights of Q1

  • A record-breaking reflection DDoS attack took place earlier this year, reaching 602 Gbps. Although it was launched by politically motivated hacktivists, the very possibility of an attack like this for a purely monetary gain looks very real and daunting.
  • The longest DDoS attack in Q1 2016 lasted 197 hours (or 8.2 days), which is far less than the previous quarter’s maximum (13.9 days). Multiple attacks on the same target became more frequent (up to 33 attacks on one resource during the reporting period).
  • UDP attacks keep decreasing, while other attack methods remain more or less constant from quarter to quarter. Apparently, they are on their way off the board.
  • SYN DDoS attacks remain the most popular type, with TCP being a distant second. ICMP attacks suddenly increased to 9% (from 3.6%), but little this affected the overall order.
  • Attackers seem to be switching from simple and cheap but long attacks to complex, sophisticated ones, hitting the same target repeatedly. This shows sophistication and narrower targeting are the general trend in the cybercrime.
  • WordPress sites were again hit with Pingback attacks. This is a problem which isn’t going anywhere until the Pingback function is set inactive by default, and that looks unlikely to happen.
  • Security companies, especially those offering anti-DDoS services, came under attack regularly, and it looks as though criminals are just testing their tools.

Protectors as test beds

“Analysis of the correspondence on underground forums suggests that the criminal fraternity uses the websites of IT security companies as a test bed, i.e. to test new methods and tools,” Securelist writes.

Activities like this are a double-edged sword for the attackers, however, because while they test new techniques and tricks that way, security experts also look, learn, and gather analytical data to predict the next steps by the malefactors.

Application level attacks back on the rise

As of the present day, it looks like “creme de la creme” of the cyberunderground goes back to good ol’ attacks on the application level: in Q1, Kaspersky Lab experts had to combat several times more HTTP(s) attacks than they did in all of 2015.

Interestingly, there were several application-layer attacks performed simultaneously against a number of Kaspersky Lab resources. The strength of the DDoS resources was spread between several targets, reducing the effect on each target. This is most probably because the aim was not to disrupt Kaspersky Lab’s sites but to test tools and to see how we responded. The longest attack of this type lasted less than six hours.

Application-layer attacks require large botnets or several high-performance servers and a wide output channel. Gathering the proper intelligence is a tough task, too. But if these attacks are executed properly, they are extremely hard to counter without blocking access to legitimate users, since malicious requests look authentic – i.e. it really looks like there’s just too many users trying to access the same server at the same time, increasing the demand sharply.

“We registered these sorts of attempts in the first quarter. This suggests that the DDoS market has developed so that complex, expensive attacks are becoming cost-effective, and better qualified cybercriminals are trying to make money using them,” Kaspersky Lab experts said, adding that there’s a real danger of these attacks going more or less mainstream.

DDoS protection

Statistics for the report were gathered using Kaspersky Lab’s own DDoS Intelligence system (among other things) that is used to track the largest botnet activity.

The DDoS Intelligence system is a part of Kaspersky DDoS Protection and is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and it does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

In general, Kaspersky DDoS Protection combines Kaspersky Lab’s extensive expertise in combating cyber threats and the company’s unique in-house developments. The solution protects against all types of DDoS attacks, regardless of their complexity, strength, or duration. You can learn more about the solution here.