News
Q2 2016 Global DDoS Threat Landscape Report by Imperva
November 2016 by Imperva
Imperva Incapsula’s latest Global DDoS Threat Landscape Report is based on our analysis of more than 15,000 network and application layer DDoS attacks mitigated during Q2 2016.
The data collected in the course of these events points to a number of recurring trends that intensify from quarter to quarter. The most noteworthy is the evolution of network layer attacks, which continue to increase in number, size and sophistication.
In addition, Q2 data shows that the US and UK continue to serve as top-priority DDoS targets.
Network Layer Attack Evolution
In Q2 2016, Incapsula mitigated 8,225 network layer assaults at an average of 575 per week. This represents an 11.3 percent quarterly increase, even after factoring in our user base growth.
Beyond the increase in sheer numbers, network attacks in Q2 also swelled in capacity. This escalation, driven by the rapid expansion of IoT botnets, served as a prelude to the most recent wave of mega barrages. As part of this trend, on June 14 we mitigated the largest attack to date on our record—peaking at 475 Gbps.
Fig 1 – Largest network layer attack in Q2 2016 peaked at over 470 Gbps
In addition, in Q2 we saw yet another upsurge in multi-vector attacks. In these several different payloads are used to create a more complex and difficult-to-mitigate threat. Overall, multi-vector assaults accounted for 36.1 percent of all network layer events.
Fig 2 – Distribution of network layer DDoS attacks, by number of vectors used
One of the most common combinations was the use of high rate UDP floods in conjunction with DNS amplification. Here, perpetrators attacked on two fronts at once, attempting to overwhelm switches and other edge appliances—in addition to trying to clog network pipes.
High-rate attacks, a relatively new and concerning tactic, deserve a separate
mention as they continued to become more common during the quarter.
In such scenarios, abnormally powerful botnets are used to launch small TCP and UDP payloads at an extremely high rate—one which many edge appliances can’t process. The combination can bring down a network, even in the presence of an on-edge mitigation solution and without exceeding its uplink capacity.
Fig 3 – Example of high-rate network layer attack that peaked at 180 Mpps
Generally, we consider 50 Mpps (millions of packets per second) to be a minimal criterion for a high-rate attack. In Q2 2016 we mitigated a 50+ Mpps assault every three days, compared to one every four days during the previous quarter. The largest exceeded 170 Mpps—way above what many edge appliances can handle.
22.3% of Attacks Target European Websites
In Q2 2016 Incapsula continued to see an increase in assaults against businesses in the US and UK, further solidifying their “most-attacked country” positions. The UK now has the unwanted distinction of holding the second position for the ninth month in a row.
Overall, European countries held six out of the ten positions on the top-attacked countries list. Together they accounted for 22.3 percent of all assaults.
Fig 4 – Top targeted countries
