We are all attempting to figure out the right investments in DDoS resistance and mitigation. In the fog of hype and vendor pitches, it is difficult to get some perspective on what we need to be preparing for on this front, so any source of hard data is unusually valuable right now.
Incapsula recently released its “2013-2014 DDoS Threat Landscape Report.” The findings outlined below are based on hundreds of attacks perpetrated against websites using Incapsula’s DDoS Mitigation service. Using that data their report concludes (mostly quoted from their report):
Network (Layer 3 & 4) DDoS Attacks
- Large SYN Floods account for 51.5% of all large-scale attacks
- Almost one in every three attacks is above 20Gbps
- 81% of attacks are multi-vector threats
- Normal SYN flood & Large SYN flood combo is the most popular multi-vector attack (75%)
- NTP reflection was the most common large-scale attack method in February 2014
2014: Emerging Trends
- “Hit and Run” DDoS attacks: frequent short bursts of traffic that are specifically designed to exploit the weakness of services that were designed for manual triggering (e.g., GRE tunneling or DNS re-routing). Hit and Run attacks are now changing the face of the anti-DDoS industry, pushing it towards “Always On” integrated solutions.
- Multi-Vector Threats: 81% of all network attacks employed at least two different attack methods, with almost 39% using three or more different attack methods simultaneously. Multi-vector tactics increase the attacker’s chance of success by targeting several different networking or infrastructure resources. Combinations of different offensive techniques are also often used to create “smokescreen” effects, where one attack is used to create noise, diverting attention from another attack vector. Moreover, multi-vector methods enable attackers to exploit holes in a target’s security perimeter, causing conflicts in automated security rules and spreading confusion among human operators.
- Attack Type Facilitates Growth: Today large scale DDoS attacks (20Gbps and above) already account for almost 33% of all network DDoS events. There is no doubt that the increasing adoption of these techniques will facilitate the growth of future volumetric network DDoS attacks, which could in turn drive an increase in investment in networking resources. During January and February of 2014 a significant increase in the number of NTP Amplification attacks was noted. In fact, this reached the point where, in February, NTP Amplification attacks became the most commonly used attack vector for large scale network DDoS attacks.
- Weapon of Choice: attackers’ most common “weapons of choice” are large SYN floods, NTP Amplification and DNS Amplification
- NTP DDoS is on the Rise
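The three vectors named above can be told apart in flow data by a few coarse features, and the multi-vector pattern is simply two or more of them hitting the same destination at once. The following Python script is an added example (not from Incapsula’s report or its product) that classifies constructed flow records by those features: UDP traffic from source port 123 (NTP) or 53 (DNS) with large average packet sizes as reflection, lone SYN-only TCP flows from many sources as a SYN flood, and then lists destinations seeing two or more vectors. The record format, thresholds and sample addresses are assumptions chosen for the demonstration.

```python
"""Classify flow records into DDoS vectors and flag multi-vector targets.
Added example, not Incapsula's code; record format, thresholds and the
constructed sample traffic are assumptions."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the two reflection vectors the report names.
REFLECTION_PORTS = {123: "ntp_amplification", 53: "dns_amplification"}

# Assumed thresholds; tune them against the network's own baseline.
MIN_REFLECTION_PKT_BYTES = 400  # amplified replies are large, queries are tiny
MIN_SYN_SOURCES = 20            # bare SYNs from this many sources = flood
MIN_VECTOR_FLOWS = 5            # ignore a vector seen in fewer flows


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str           # "tcp" or "udp"
    packets: int
    bytes: int
    tcp_flags: str = ""  # "S" = SYN only, "SA", "PA", ...


def classify(flow: Flow) -> str | None:
    """Name the vector a single flow resembles, or None if it looks benign."""
    if flow.proto == "udp" and flow.src_port in REFLECTION_PORTS:
        if flow.bytes / max(flow.packets, 1) >= MIN_REFLECTION_PKT_BYTES:
            return REFLECTION_PORTS[flow.src_port]
    if flow.proto == "tcp" and flow.tcp_flags == "S" and flow.packets == 1:
        return "syn_flood"  # a lone SYN that never completed the handshake
    return None


def analyze(flows: list[Flow]) -> dict[str, dict[str, int]]:
    """Per destination, count suspicious flows by vector above the noise floor."""
    per_dst: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    syn_sources: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        vector = classify(f)
        if vector is None:
            continue
        per_dst[f.dst_ip][vector] += 1
        if vector == "syn_flood":
            syn_sources[f.dst_ip].add(f.src_ip)
    report = {}
    for dst, counts in per_dst.items():
        kept = {v: n for v, n in counts.items() if n >= MIN_VECTOR_FLOWS}
        if "syn_flood" in kept and len(syn_sources[dst]) < MIN_SYN_SOURCES:
            del kept["syn_flood"]  # few sources: more likely a flaky client
        if kept:
            report[dst] = kept
    return report


def multi_vector_targets(report: dict[str, dict[str, int]]) -> list[str]:
    """Destinations hit by two or more vectors at once (the report's 81% case)."""
    return sorted(dst for dst, vectors in report.items() if len(vectors) >= 2)


def sample_flows() -> list[Flow]:
    """Constructed traffic: SYN flood + NTP reflection on one target, DNS
    reflection on a second, plus ordinary flows that must not be flagged."""
    victim, victim2 = "203.0.113.10", "203.0.113.11"
    flows = [Flow(f"198.51.100.{i + 1}", 40000 + i, victim, 443, "tcp", 1, 60, "S")
             for i in range(30)]                        # 30 bare SYNs, 30 sources
    flows += [Flow(f"192.0.2.{i + 1}", 123, victim, 80, "udp", 10, 4500)
              for i in range(8)]                        # NTP replies, 450 B/pkt
    flows += [Flow(f"192.0.2.{50 + i}", 53, victim2, 5353, "udp", 20, 60000)
              for i in range(6)]                        # DNS replies, 3000 B/pkt
    flows.append(Flow("192.0.2.99", 53, "203.0.113.20", 51000, "udp", 1, 90))           # normal DNS answer
    flows.append(Flow("198.51.100.200", 51234, victim, 443, "tcp", 40, 20000, "PA"))  # normal session
    return flows


if __name__ == "__main__":
    result = analyze(sample_flows())
    for dst, vectors in result.items():
        print(dst, vectors)
    print("multi-vector targets:", multi_vector_targets(result))
```

A real deployment would feed this NetFlow/IPFIX records bucketed by time window and derive the thresholds from the network’s own baseline; the point is that reflection traffic is recognisable from its source port and reply size alone, which is why the report can single out NTP amplification as a distinct vector.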
Application (Layer 7) DDoS Attacks
In the second half of 2013 Incapsula began to encounter a much more complex breed of DDoS offenders, including browser-based bots which were immune to generic filtering methods and could only be stopped by a combination of customized security rules and reputation-based heuristics. High volume is not essential: even a rate of 50-100 requests/second would be enough to cripple most mid-sized websites, exceeding typical capacity margins.
- DDoS bot traffic is up by 240%: On average, Incapsula recorded over 12 million unique DDoS bot sessions on a weekly basis, which represents a 240% increase over the same period in 2013.
- More than 25% of all Botnets are located in India, China and Iran
- The USA is ranked number 5 in the list of “Top 10” attacking countries
- 29% of Botnets attack more than 50 targets a month — 7% attack more than 100 per month.
- 46% of all spoofed user-agents are fake Baidu Bots (while 11.7% are fake Googlebots)
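Two of the points above, the 50-100 requests/second figure and the prevalence of fake Baidu and Google bots, lend themselves to a direct check against web server logs. The Python script below is an added example, not Incapsula’s code: it parses constructed combined-format access-log lines, reports any client whose request rate in a sliding one-second window reaches 50, and verifies clients claiming a crawler User-Agent by the reverse-then-forward DNS method the search engines publish for this purpose (the PTR name must end in the crawler’s domain and must resolve back to the same IP). The log lines, thresholds and the offline resolver tables that stand in for real DNS lookups are constructed assumptions.

```python
"""Two application-layer checks over web access-log lines: peak per-client
request rate in a sliding one-second window, and reverse/forward DNS
verification of clients whose User-Agent claims to be Googlebot or Baiduspider.
Added example, not Incapsula's code; the log lines, thresholds and the offline
resolver tables are constructed assumptions."""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
RATE_THRESHOLD = 50   # req/s per client: the report's lower bound for harm
WINDOW_SECONDS = 1.0
# Claimed crawler -> suffixes its PTR name must carry (Google publishes
# googlebot.com/google.com, Baidu publishes baidu.com/baidu.jp for this check).
CRAWLER_DOMAINS = {"Googlebot": (".googlebot.com", ".google.com"),
                   "Baiduspider": (".baidu.com", ".baidu.jp")}


def parse(line: str) -> dict | None:
    """Combined-log-format line -> {ip, ts (epoch seconds), ua}, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "ts": ts, "ua": m["ua"]}

def peak_rates(events: list[dict]) -> dict[str, int]:
    """Most requests any single client made inside any WINDOW_SECONDS span."""
    times_by_ip: dict[str, list[float]] = defaultdict(list)
    for e in events:
        times_by_ip[e["ip"]].append(e["ts"])
    peaks = {}
    for ip, times in times_by_ip.items():
        window, peak = deque(), 0
        for t in sorted(times):
            window.append(t)
            while window[0] <= t - WINDOW_SECONDS:  # expire requests that left the window
                window.popleft()
            peak = max(peak, len(window))
        peaks[ip] = peak
    return peaks

def rate_offenders(events: list[dict]) -> list[str]:
    return sorted(ip for ip, p in peak_rates(events).items() if p >= RATE_THRESHOLD)

def claimed_crawler(ua: str) -> str | None:
    return next((name for name in CRAWLER_DOMAINS if name in ua), None)

def is_genuine_crawler(ip: str, name: str, reverse, forward) -> bool:
    """PTR must end in the crawler's domain AND resolve forward back to the same
    IP; the forward step defeats a PTR record that merely claims the name."""
    ptr = reverse(ip)
    if not ptr or not ptr.endswith(CRAWLER_DOMAINS[name]):
        return False
    return ip in forward(ptr)

def spoofed_crawlers(events: list[dict], reverse, forward) -> dict[str, str]:
    """ip -> claimed crawler, for every client that fails verification."""
    spoofed = {}
    for e in events:
        name = claimed_crawler(e["ua"])
        if name and e["ip"] not in spoofed and not is_genuine_crawler(e["ip"], name, reverse, forward):
            spoofed[e["ip"]] = name
    return spoofed

# Constructed stand-ins for socket.gethostbyaddr / gethostbyname_ex so the
# script runs offline; the fake Googlebot's PTR names googlebot.com but the
# forward lookup does not return its IP.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com", "198.51.100.7": "host7.example.net",
       "192.0.2.20": "baiduspider-192-0-2-20.crawl.baidu.com", "203.0.113.66": "crawl-fake.googlebot.com"}
FORWARD = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}, "host7.example.net": {"198.51.100.7"},
           "baiduspider-192-0-2-20.crawl.baidu.com": {"192.0.2.20"}, "crawl-fake.googlebot.com": {"192.0.2.10"}}
offline_reverse = PTR.get
offline_forward = lambda name: FORWARD.get(name, set())

UA_CHROME = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/33.0 Safari/537.36"
UA_GOOGLE = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
UA_BAIDU = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"

def _line(ip: str, second: int, ua: str, path: str = "/") -> str:
    return f'{ip} - - [10/Mar/2014:12:00:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

def sample_log() -> list[str]:
    """Constructed log: a fake Baiduspider at 60 req/s, a human browser,
    two genuine crawlers and a fake Googlebot with a deceptive PTR."""
    lines = [_line("198.51.100.7", 0, UA_BAIDU, f"/?q={i}") for i in range(60)]
    lines += [_line("198.51.100.7", 1, UA_BAIDU, f"/?q={i}") for i in range(60, 115)]
    lines += [_line("203.0.113.5", s, UA_CHROME, p) for s, p in ((0, "/"), (2, "/about"), (3, "/contact"))]
    lines += [_line("192.0.2.10", 1, UA_GOOGLE, "/robots.txt"), _line("192.0.2.20", 1, UA_BAIDU, "/robots.txt"),
              _line("203.0.113.66", 2, UA_GOOGLE, "/")]
    return lines

if __name__ == "__main__":
    evs = [e for e in map(parse, sample_log()) if e]
    print("rate offenders:", rate_offenders(evs))
    print("spoofed crawlers:", spoofed_crawlers(evs, offline_reverse, offline_forward))
```

Swapping `offline_reverse` and `offline_forward` for `socket.gethostbyaddr` and `socket.gethostbyname_ex` makes the check live; cache the answers, since the lookup is only worth doing for the small fraction of clients that claim to be a crawler, and treat a failed verification as one reputation signal among several rather than an automatic block.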
2014: Emerging Trends
- Botnet Geo-Locations
- “Shared Botnets”
- Bots are Evolving
- Common Spoofed User-Agents
2013-2014 DDoS Threat Landscape Report
The findings above are summarized in the graphic below from Incapsula.