Global DDoS Threat Landscape: What’s new?

April 7, 2017 by Pierluigi Paganini

The Current Global DDoS Threat Landscape

In this post, we analyze the current global DDoS threat landscape, focusing on the economic aspect of this kind of criminal activity.

Extortion crimes continue to represent a serious threat to businesses and organizations worldwide; ransomware infections and DDoS attacks are becoming daily problems.

Security experts at Imperva confirmed that DDoS attacks are growing in size and level of sophistication. According to the new report ‘Global DDoS Threat Landscape, Q4 2016’ published by Imperva, the creation of huge Internet of Things botnets and the availability of cheap DDoS-for-hire services are creating the conditions for the growth of DDoS attacks.

Network layer attack sizes reached a record high; the researchers mentioned a massive DDoS attack, powered by a new botnet dubbed Leet Botnet, that targeted Imperva's network before Christmas.

Figure 1 – Leet Botnet malicious traffic

In Q4 2016, security experts observed other powerful DDoS attacks launched by the Mirai botnet; in the same period, researchers observed the longest network layer attack of the year, which lasted for 29 days.

“The IoT botnet footprint was evident in attacks mitigated by Imperva Incapsula in Q4 2016. A massive 650Gbps assault was most noteworthy, the largest to ever be mitigated by our service.

Persisting for over 29 days, last quarter we also thwarted the longest network layer attack of the year. And we saw the number of application layer attacks reach a new record, with an average of 889 assaults per week.” reads the report published by Imperva.

This amazing volume of malicious traffic is reached thanks to the use of amplification vectors.

The number of application layer attacks also increased in Q4, reaching 889 attacks a week.

Imperva mitigated an average of 280 network layer attacks per week in Q4, totaling 3,603, a 39.4% drop from Q3. Most of the DDoS attacks (89%) lasted for less than one hour.

Experts at Imperva mitigated 11,727 application layer attacks, for an average of 889 per week (+2.9% from Q3 2016).

“In Q4 2016, single-vector network attacks increased by almost seven percent from Q3, reaching a yearly high of 71%. Moreover, the percentage of assaults in which perpetrators used five or more different payloads dropped from 3.9 percent in Q3 to 1.9 percent in the following quarter,” reads the report.

“With respect to multi-vector attacks, the downward trend we’re seeing can likely be attributed to the increase in less-sophisticated assaults being instigated by non-professional perpetrators using botnet-for-hire (a.k.a., stresser or booter) services.”

The largest application layer attack reached 91,209 RPS (requests per second), while the longest DDoS attack lasted 47 days. 74.7% of application layer DDoS attacks lasted less than an hour.

“The Incapsula network saw an increase in attack frequency, with the number of targets hit by multiple assaults reaching 58.3 percent, compared with 54.7 percent in Q3,” continued the Incapsula report. “In fact, the percentage of sites targeted more than ten times in Q4 reached 13.1 percent, the highest figure ever recorded for this attack frequency category.”

In Q4, the experts observed that most network layer attacks had a short duration, with more than 80 percent of them lasting under an hour, just like every previous quarter last year. A similar trend was observed for application layer attacks; their duration and frequency increased with respect to Q3. For the third successive quarter, the longest event exceeded 40 days, while the majority of the attacks (74.7 percent) lasted under one hour.

“At the same time the Incapsula network saw an increase in attack frequency, with the number of targets hit by multiple assaults reaching 58.3 percent, compared with 54.7 percent in Q3. In fact, the percentage of sites targeted more than ten times in Q4 reached 13.1 percent, the highest figure ever recorded for this attack frequency category,” reads the report.

To avoid detection, DDoS bots continue to use fake user agents to assume legitimate tool and browser identities. According to the experts, the quantity of sophisticated, browser-based bots that retain cookies and execute JavaScript jumped from 8.0% up to 13.6% in Q4.

The report also includes data related to the Top Attacking Countries; China is in first place (78.5%), followed by Vietnam (4.5%), South Korea (2.9%), and the United States (1.7%).

Most attacks hit the US (56.7%), followed by the United Kingdom (9.6%), and the Netherlands (8.6%).

Figure 2 – Top targeted countries (Imperva Report)

How Much Does a DDoS Attack Service Cost?

The number of DDoS attacks continues to increase because cyber criminals consider this practice highly profitable. It is quite easy to find tools and services to power DDoS attacks in the cyber-criminal underground.

Criminals can pay for a DDoS attack service available in one of the numerous black markets.

Launching a DDoS attack against an organization is getting even cheaper; an attack can cost as little as $7 an hour, while a targeted DDoS attack against a company can cost up to thousands or millions of dollars.

Researchers at Kaspersky Lab have published an interesting analysis on the cost of DDoS attacks in the criminal ecosystem. The experts estimated that the cost to power a DDoS attack using a cloud-based botnet of 1,000 desktops is about $7 per hour. A DDoS attack service typically costs $25 an hour; this means that the expected profit for crooks is around $25-$7=$18 per hour.

Thinking of these profits on a large scale could give us an idea of the profitability of this kind of illegal activity.

Figure 3 – DDoS attack price list

Prices for DDoS attacks are highly variable and depend on multiple factors. A DDoS attack can cost from $5 for a 300-second attack to $400 for 24 hours.

“This means the actual cost of an attack using a botnet of 1000 workstations can amount to $7 per hour. The asking prices for the services we managed to find were, on average, $25 per hour, meaning the cybercriminals organizing DDoS attack are making a profit of about $18 for every hour of an attack,” reads the analysis published by Kaspersky.

DDoS services offered in the cyber-criminal underground are easy to use and implement an efficient reporting system.

Almost every booter implements useful dashboards that allow its operators to manage loyalty programs and allow customers to plan their DDoS attacks according to the availability of the attacking infrastructure.

Figure 4 – DDoS service

Prices for DDoS attack services depend on their generation as well as the source of attack traffic. For example, DDoS attacks powered by botnets composed of “Internet of Things” devices are cheaper than the ones powered by a botnet of servers.

“For example, a botnet of 1000 surveillance cameras may be cheaper in terms of organization than a botnet of 100 servers. This is because cameras and other IoT devices are currently less secure – a fact that is often ignored by their owners,” reads the report.

Another factor that influences the final price for a DDoS attack service is the target and its characteristics. Not all DDoS services can be used against any target; for example, some booters cannot be used against well-resourced websites, such as a government site.

DDoS attack services that allow hitting any target regardless of the countermeasures it has in place are more expensive.

“The cost of the service may also depend on the type of anti-DDoS protection the potential victim has: if the target uses traffic filtering systems to protect its resources, the cybercriminals have to come up with ways of bypassing them to ensure an effective attack, and this also means an increase in the price,” reads the report.

To give an idea of the cost, a DDoS attack against an unprotected website ranges from $50 to $100, while an attack on a protected site can go for $400 or more.

The cost of a cyber-attack also depends on the location of the targeted websites; DDoS attacks on English-language websites are usually more expensive than similar attacks on Russian-language sites.

Cyber criminals can launch DDoS attacks for extortion. DDoS attacks are a high-margin business; according to experts at Kaspersky, the profitability of a single attack can exceed 95%. Victims of an ongoing DDoS attack are often willing to pay a ransom to stop the offensive.

All the data collected by security firms suggest that the average cost of DDoS attacks will continue to drop in the near future, while their frequency will increase.

It is also easy to predict the spread of DDoS-as-a-Service, which will cause a significant increase in hit-and-run attacks for extortion purposes.


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other security magazines.