ThreatList: Latest DDoS Trends by the Numbers

Trends in DDoS attacks show a evolution beyond Mirai code and point to next-gen botnets that are better hidden and have a greater level of persistence on devices – making them “far more dangerous.”

Fresh statistics reveal a mix bag of good news and bad when it comes to distributed denial-of-service attacks in Q4 2018. According to the latest numbers available, the sheer number of attacks are down, but the length of time those attacks last have reached record lengths.

The numbers come from Kaspersky Lab’s DDoS quarterly report. Here is a summary of some of the most interesting data points.

Frequency and Intensity

Quarterly comparison of the number of DDoS attacks defeated by Kaspersky DDoS Protection in 2017–2018

Quarterly comparison of the number of DDoS attacks defeated by Kaspersky DDoS Protection in 2017–2018

Kaspersky reported overall in 2018 the number of DDoS attacks dropped 13 percent compared to the previous year. The biggest drop was Q4 2018 where DDoS activity dropped 30 percent, compared to the previous year’s Q4.

But, that good news was offset by a record uptick in the duration of a DDoS attack. “The average duration of attacks in [the second half of 2018] grew steadily over the year: from 95 minutes in Q1 to 218 in Q4,” according to the report. Those prolonged attacks were HTTP floods and mixed attacks with an HTTP element. An HTTP flood attack is a type of volumetric attack designed to overwhelm a targeted server with HTTP requests.

Types of DDoS Attacks  

Distribution of attack duration by type, 2018

Distribution of attack duration by type, 2018

While HTTP flood attacks broke records, the most common type of DDoS attack in Q4 was a User Datagram Protocol (UDP) flood. A UDP Flood is a type of denial-of-service attack in which a large number of UDP packets are sent to a targeted server with the aim of overwhelming that device’s ability to process and respond, according to a description by Cloudflare.

“All this suggests that the market for unsophisticated, easy-to-organize attacks continues to shrink,” researchers wrote. “Standard DDoS attacks have been rendered almost pointless by improved anti-UDP flood protection, plus the fact that the technical resources involved are nearly always more profitably deployed for other purposes, such as cryptocurrency mining.”

On the flip side, Kaspersky warned that more complex attacks such as HTTP floods, which require time and effort to arrange, “remain popular, and their duration is on an upward curve… These trends look set to develop further in 2019.”

Bot Update

Researchers also honed in on botnets. Botnets are typically a network of privately owned end-point computers and IoT devices infected with malicious software and controlled by a third party. Many of those botnets were not Mirai clones – breaking a longstanding trend.

botnet attack DDoS Although some of the new malware samples employ snippets of Mirai code and mimic the same persistence techniques, they are mostly unique, researchers said.

“[Q2] saw increased activity on the part of the Chalubo bot, whose first attacks were registered in late August,” researchers wrote. Chalubo is a botnet that targets poorly secured Internet of Things devices. “In October, Chalubo began to be seen more often in the wild; researchers detected versions created for different architectures (32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, PowerPC), which strongly suggests that the test period is over.”

Another bot, nicknamed DemonBot, caught researcher’s attention because it targeted Hadoop clusters via a vulnerability in the execution of YARN remote commands. Yarn is a package manager for code, which supports limited code execution. Kaspersky cited research from Radware that is “currently monitoring 70 active servers that carry out up to 1 million infections per day.”

“This bot is not very complex technically, but dangerous in its choice of target: Hadoop clusters pack a major punch in terms of computing power because they are designed to handle Big Data. — cloud-integrated, they can significantly boost DDoS attacks,” Kaspersky said.

In September, researchers identified activity from a new botnet identified as Torii that targets a wide range of IoT devices. Code differs sharply from Mirai, in that it is better hidden and has a greater level of persistence on devices – making it “far more dangerous.” So far, researchers haven’t seen any DDoS attacks based on Torii, suggesting that the botnet is in its early days.

Botnet Geography

Distribution of botnet C&C servers by country, Q4 2018

Distribution of botnet C&C servers by country, Q4 2018

“The US remains out in front in terms of botnet C&C server hosting, even extending its lead from 37.31 percent to 43.48 percent,” wrote researchers. Britain comes in unceremoniously at the second most popular hosting country (7.88 percent) followed by the Netherlands (6.79 percent).

“For the third quarter in a row, the Top 10 ratings of countries by number of attacks, targets, and botnet C&C servers continue to fluctuate. Growth in DDoS activity is strongest where previously it was relatively low, while the once-dominant countries have seen a decline. This could well be the result of successful law enforcement and other initiatives to combat botnets,” researchers wrote.

Suggested articles