Network (Layer 3 & 4) DDoS Attacks
- Large SYN Floods account for 51.5% of all large-scale attacks
- Almost one in every three attacks is above 20Gbps
- 81% of attacks are multi-vector threats
- Normal SYN flood & Large SYN flood combo is the most popular multi-vector attack (75%)
- NTP reflection was the most common large-scale attack method in February 2014
- “Hit and Run” DDoS attacks: frequent short bursts of traffic that are specifically designed to exploit the weakness of services that were designed for manual triggering (e.g., GRE tunneling to DNS re-routing). Hit and Run attacks are now changing the face of the anti-DDoS industry, pushing it towards “Always On” integrated solutions.
- Multi-Vector Threats: 81% of all network attacks employed at least two different attack methods, with almost 39% using three or more different attack methods simultaneously. Multi-vector tactics increase the attacker’s chance of success by targeting several different networking or infrastructure resources. Combinations of different offensive techniques are also often used to create “smokescreen” effects, where one attack is used to create noise, diverting attention from another attack vector. Moreover, multi-vector methods enable attackers to exploit holes in a target’s security perimeter, causing conflicts in automated security rules and spreading confusion among human operators.
- Attack Type Facilitates Growth: Today, large-scale DDoS attacks (20Gbps and above) already account for almost 33% of all network DDoS events. There is no doubt that the increasing adoption of these techniques will facilitate the growth of future volumetric network DDoS attacks, which could in turn drive an increase in investment in networking resources. During January and February of 2014, a significant increase in the number of NTP Amplification attacks was noted. In fact, this reached the point where, in February, NTP Amplification attacks became the most commonly used attack vector for large-scale network DDoS attacks.
- Weapon of Choice: attackers’ most common “weapons of choice” are large SYN floods, NTP Amplification and DNS Amplification
- NTP DDoS is on the Rise
Application (Layer 7) DDoS Attacks
- DDoS bot traffic is up by 240%: On average, Incapsula recorded over 12 million unique DDoS bot sessions on a weekly basis, which represents a 240% increase over the same period in 2013.
- More than 25% of all Botnets are located in India, China and Iran
- USA is ranked number 5 in the list of “Top 10” attacking countries
- 29% of Botnets attack more than 50 targets a month; 7% attack more than 100 per month.
- 46% of all spoofed user-agents are fake Baidu Bots (while 11.7% are fake Googlebots)
- Botnet Geo-Locations
- “Shared Botnets”
- Bots are Evolving
- Common Spoofed User-Agents
2013-2014 DDoS Threat Landscape Report