Imperva Incapsula, a cloud-based service provider, has released a comprehensive report titled “Q3 2017 Global DDoS Threat Landscape.” The report shows that cryptocurrency operators and Bitcoin exchanges are favorite targets of distributed denial of service (DDoS) attacks.
A DDoS attack is defined as a persistent DDoS event against the same target (e.g., IP address or domain). A single attack is preceded by a quiet (attack free) period of at least 60 minutes and followed by another quiet period of the same duration or longer. Previous Imperva reports had considered DDoS attack bursts separated by 10 minute quiet periods, but then increased the quiet period time threshold to 60 minutes in order to aggregate successive attacks.
DDoS attacks can be either network layer attacks that cause network saturation by consuming much of the available bandwidth or application layer attacks that bring down a server by consuming much of its processing resources (e.g., CPU or RAM) with a high number of requests; they are often facilitated by DDoS botnets. DDoS bots often masquerade as browsers (human visitors) or legitimate bots (e.g., search engine crawlers) to bypass security measures.
The Imperva report is based on data from 3,920 network layer and 1,755 application layer DDoS attacks on websites using Imperva Incapsula services from July 1, 2017, through September 30, 2017. Information about DDoS botnets was gathered by analyzing data from 37.4 billion DDoS attack requests collected over the same period.
Network layer DDoS attacks are measured in Mpps (million packets per second) and Gbps (gigabits per second), which indicate, respectively, the rate at which packets are delivered and the total load placed on a network. Five percent of network layer attacks reached 50 Mpps, while the largest peaked at 238 Mpps.
Application layer DDoS attacks are measured in RPS (requests per second), and the overall impact also depends on the amount of workload that a single request can force on a target server. The main difference between the two DDoS-attack types is that one will target network connections and the other will target computing resources; each requires a different set of security methods for risk mitigation.
The report noted that the cryptocurrency industry continues to be a frequent target of DDoS attacks, more so than many larger industries. In fact, three out of every four bitcoin sites were attacked in Q3 2017.
“[We] saw attacks targeting a relatively high number of cryptocurrency exchanges and services,” states the report. “This was likely related to a recent spike in the price of bitcoin, which more than doubled in the span of the quarter. Overall, more than 73 of all bitcoin sites using our services were attacked this quarter, making it one of the most targeted industries, despite its relatively small size and web presence.”
Other sectors frequently targeted by DDoS attacks are internet service providers and online gambling and gaming operators.
For network layer DDoS attacks, the U.S., China, Hong Kong and the Philippines are among the top five countries, in terms of both number of attacks received and number of targets. Germany is also frequently attacked, with 12.8 percent of the total number of DDoS attacks.
Hong Kong had only 5.1 percent of targets but was targeted by almost a third of all network layer attacks in Q3 2017. This was largely due to a large-scale campaign against a local hosting service provider which was hit more than 700 times throughout the quarter.
For application layer DDoS attacks, the U.S. had both the highest number of attacks and the highest number of targets, with the Netherlands coming in a distant second. The largest application layer attack targeted a financial services company headquartered in Europe, which was hit multiple times. The remainder of the list include developed countries with mature digital marketplaces, such as Singapore, Japan and Australia.
Identifying the origination of DDoS bots is difficult because the practice of faking a source IP — called IP spoofing — can make IP geo-data collected during DDoS attacks unreliable. IP spoofing is only possible for network layer attacks, however, since full TCP connections must be established before sending requests in application layer attacks. Thus, only data from application layer attacks was used to identify bot location.
In Q3 2017, 17 percent of botnet traffic originated in China, which represents a significant drop from the previous quarter, when China was the source of 63 percent of botnet traffic. Turkey and India are on the rise and account for 7.2 and 4 percent of botnet traffic respectively. China remains the top location of attack devices with over 40 percent of the total.