Application layer DDoS attacks increasing, Imperva data shows

Distributed denial of service attacks targeting applications almost doubled in the last three months of 2017, according to Imperva Incapsula data

Application layer distributed denial of service (DDoS) attacks almost doubled in the last quarter of 2017, according to the latest threat report from security firm Imperva.

As well as increasing by 43% compared with the previous quarter, application layer attacks also became more persistent, with 63.3% of targets being subjected to repeat attacks, up from 46.7% in the third quarter. At the same time, 25.1% of targets were hit six times or more, up from 15.5% in Q3.

On average, Imperva Incapsula services mitigated 237 application layer attacks each week in the fourth quarter of 2017, compared with 135 application layer attacks each week in the third quarter.

The largest application layer attack came in at 138,990rps (requests per second), slightly higher than in Q3, but there was a decline in the average attack size, with just 15.7% of attacks clocking in at higher than 1,000rps, compared with 20.6% in Q3.

However, more than half of all application layer attacks were between 100 and 1,000rps, up from 43.5% in the previous quarter.

By contrast, network layer DDoS attacks fell by more than 50% and attack frequency fell from 302 to 147 a week, but they also became more persistent, with 67.4% of targets attacked at least twice, up from 57.7% in Q3. The number of targets exposed to six or more attacks remained steady at 35%.

Network layer attack size also scaled down. Only 3.7% reached above 50Gbps in size, compared with 8.6% the previous quarter.

But the largest network layer attack during the quarter peaked at 335Gbps, slightly higher than the largest attack in Q3 2017, which reached 299Gbps.

Similar to previous quarters, the vast majority of attacks came in below 10Gbps (81.6%). These low-volume and low-rate assaults can be attributed to DDoS-for-hire activity, the report said.

Most network layer assaults targeted internet and web service providers (58.4%), gambling sites (23.6%), the IT and software industry (5.3%), and gaming sites (4.8%).

DDoS attackers also continued to target the cryptocurrency industry, which came in at number five (3.7%), a ranking the report attributes to the rapid rise in the value of bitcoin during the quarter.

The report is based on data from more than 1,900 network layer and 3,000 application layer DDoS attacks on websites using Imperva Incapsula services.

Hong Kong was on the receiving end of the most network layer attacks (32%), followed by the US (21.7%) and Taiwan (14.1%).

An unusually high number of network DDoS assaults targeted businesses in Asia Pacific countries, with seven of the top 10 attacked countries located in this region, accounting for 68.9% of all network layer attacks.

The US topped the list of countries suffering the most application layer attacks (76.4%), followed by Israel (15.7%) and Singapore (1.9%).

In terms of duration, the quarter saw 10% of network layer assaults lasting longer than six hours, up from 7.5% in the previous quarter. The average duration was 1.3 hours, up from 1.2 hours in Q3.

Similar to previous quarters, the majority of application layer attacks in Q4 lasted between 30 minutes and six hours. Attacks lasting more than six hours increased to 12.4% from 9.7% in Q3. There was also an increase in application layer attacks under 30 minutes to 20.1%, up from 17.1% in Q3.

Amplification attack vectors remained popular for network layer DDoS attacks in Q4 2017. DNS amplification assaults increased from an already steep 15.9% to 17% quarter on quarter. Network time protocol (NTP) amplification attacks also remained high at 32.9% after reaching 36.9% in the third quarter.

SYN, transmission control protocol (TCP) and user datagram protocol (UDP) floods continued to be the most popular non-amplified attack vectors during the quarter, although at decreased rates from Q3.

The use of domain name system (DNS) flood attacks increased from 11.1% to 19.6%, but there was a decrease in multi-vector attacks, with just 4% of network assaults using five or more vectors, compared with 7% in Q3. In total, multi-vector attacks fell from 70.2% to 55%.

Finally, the report noted that Q4 2017 also saw an increase in the number of sophisticated DDoS attack bots, with 16.9% capable of bypassing commonplace security challenges or parsing JavaScript, up from 6.4% of bots displaying bypass capabilities in Q3. The data shows that 16.1% of bots were able to bypass both cookie and JavaScript challenges – a steep increase from just 1.8% in Q3.
