DDoS Trends 2013-14

DDOS Attack Trends 2013-2014 In 2013: Rapid increase in peak attack volumes and bot sopistication. Defending against headless-browser DDOS, and advanced bots that execute JS and hold cookies. 200 180 – 160 140 120 +60Gbps DDOS attacks, NTP Amp. attacks increase. Biggest one 100 at least once a week. First "Hit and Run" 80 DDOS noted. Many reaching 180Gbps. 4Gbps DDOS Cannon spotted. 60 more to come... Pushado botnet attack. Overall, 400K sources 40 target a single client. 20 In 2014: The upward trend continues with several ~100Gbps threats, including a 180Gbps NTP DDOS attack. Network (Layer 3&4) Attacks Last 90 Days Total Network DDOS Attacks Large DD0S Attacks (+20Gbps) (by Type) (by Type) Large SYN 26.2% Large SYN 51.5% Normal SYN 24.5% DNS Amp. 34.9% DNS Amp. 18.6% NTP Amp. NTPAmp. 13.6% 14.8% Small DNS 14.3% Almost 1 in every 3 network attacks exceeds 20Gbps. Large DNS 1.7% Most DDOS Incidents Involve Multiple Attack Vectors Single Vector 19% 2 vectors 41.3% Multi Vector 81% 3 vectors 32.1% 4 vectors 4.2% 5 vectors 3.4% The Most Common Attack Method is Normal SYN Flood + Large SYN Flood (+75% of all Multi Vector Attacks) However... 1 Large SYN I NTP Amp. In Feb 2014 we see a shift towards NTP amplification. This may point to a new trend in Network DDOS attacks. Dec 2013 Jan 2014 Feb 2014 Application (Layer 7) Attacks Last 90 Days Number of DDOS bot visitors has increased by more than 240% during the last 12 months. China USA 4.26% Iran 7.99% 9.2% India 9.59% 12 Million unique DDOS Indonesia 4.29% bots hit Incapsula's network every week. Top Attack Originating Countries are: India, China, Iran, Indeonesia and USA. The Bots are Getting Number of Targets Per Compromised IP Address Smarter Under 20 10.8% 60.4% Accept Cookies Over 20 Over 50 21.7% 29.9% Primitive Bots 69.3% Over 100 5.9% Execute JavaScript 0.8% Over 200| 1.2% 28.8% of compromised machines 29.9% of DDOS bots will bypass Cookie Challenges attack more than 50 different targets a month. Brought to you by Incapsula www. Incapsula.com Gigabits / second lan 2013 Feb 2013 - Mar 2013 Apr 2013 May 2013 Jun 2013 Percentage of attacks Jul 2013 Aug 2013 Sep 2013 Oct 2013 Nov 2013 Dec 2013 Jan 2014 Feb 2014