There’s no doubt about it – DDoS attacks are getting worse. That concise bit of bad news leaves a lot of blanks to be filled in, however: in what way are they getting worse? How is that happening? What types of attacks are being used? Who’s being targeted? The fine details of the bad DDoS news are right here thanks to the 2016 Q4 and 2017 Q1 Global DDoS Threat Landscape Reports from DDoS mitigation provider Incapsula.
First, the good news
According to Incapsula, there is one distributed denial of service attack stat that could be considered a positive: attacks are, on average, getting shorter. In the first quarter of 2017, 80 percent of all 17,000+ attacks mitigated by the company lasted less than one hour – a stat that carried over from all four quarters of 2016.
This is partially linked to another trend that has carried over from 2016, which is an overall increase in DDoS activity. Both of these trends are driven in part by activity coming from DDoS-for-hire services, which allow anyone with an internet connection and a few dollars to launch a short, low-volume attack at any target they’d like. While many attacks fell into that quick-burst, low-volume category, not all did.
What worse means
To begin with, attacks are getting bigger, which is to say bigger than ever. In Q4 2016 Incapsula mitigated the biggest network layer attack they’d ever dealt with, a 650 Gbps assault, and in Q1 2017 they handled a whopping 176,000 RPS application layer attack, beating the 2016 record by 3,000 RPS. This is because botnets are also becoming bigger than ever thanks to the scores of unsecured or undersecured devices in the Internet of Things. (The Mirai botnet ring a bell?)
Attacks are also becoming increasingly complex, with the percentage of multi-vector attacks rising sharply to 40 percent in Q1 2017 from 29 percent in Q4 2016. That means many of the attacks that aren’t coming from DDoS-for-hire services are coming courtesy of attack specialists who are throwing out every trick they have in an attempt to circumvent security measures. For websites that are using anything less than leading professional protection, this is a very effective strategy that will have security scrambling – and likely failing – to react in time.
Perhaps most frustratingly, attacks are steadily becoming all the more persistent. In Q4 2016 over 58 percent of targets were targeted more than once, with over 24 percent getting smashed six or more times. As bad as those numbers are, they were even worse in Q1 2017 when 74 percent of targets suffered more than one attack. Nineteen percent were barraged 10+ times, and one Incapsula-protected website was targeted 1,046 times. So much for figuring you’ve been hit with your share of bad luck when that first DDoS attack occurs. (Although how many years has it been since anyone has been able to think that, anyway?)
Network layer vs. application layer
Distributed denial of service attacks can be broadly divided between network layer attacks and application layer attacks, and lately attackers have been all about that application layer. Network layer attacks peaked in Q2 2016 and fell sharply thereafter – between Q3 and Q4 of 2016 the number of network layer attacks seen by Incapsula fell over 39 percent. Application layer attacks are effortlessly picking up that slack, reaching an all-time high of 1,099 per week in the first quarter of 2017. This spells trouble for websites and services not using dedicated DDoS protection, as application layer attacks mimic legitimate traffic and are therefore difficult to detect.
Where in the world
Distributed denial of service attacks are a truly global endeavor, unfortunately for, well, everyone. China and South Korea have long ranked in the top three countries from which attacks originate, but while Vietnam was in the top three in the fourth quarter of 2016, it dropped off in the first quarter of 2017 and the United States snuck in instead.
While the US is getting better at dishing it out, it has also had to get better at taking it. In Q4 2016 the US absorbed 56.7 percent of attacks. In Q1 2017? A jaw-dropping 92.7 percent. The United Kingdom ranked as the second-most targeted nation in both quarters, with Japan and the Netherlands rounding out the top four.
The big picture
Attacks are getting shorter on average but more frequent, bigger, more complex and more persistent, and the kind that are difficult to detect because they mimic legitimate traffic are becoming more popular. Yep, that all adds up to DDoS attacks being worse. Whether you prefer to take in the big picture or you enjoy zeroing in on the nitty-gritty details, one point should be glaringly obvious: professional protection against DDoS attacks now ranks somewhere beyond necessity.