DDoS Attacks See Post-Holiday Slump in Q1

In the first quarter of 2015, the number of botnet-assisted distributed denial of service (DDoS) attacks declined from the previous quarter; so did the number of victims of these attacks. At the same time though, the threat has grown to target more countries.

“Historically, most attacks target web resources located in the USA and China, as these two countries offer the cheapest prices for web hosting, and many web resources are located there,” explained Kaspersky Lab, in its quarterly DDoS threat report. “However, the 10 most frequently attacked targets also include victims from Europe and the APAC region.”

In all, DDoSers targeted web resources in 76 different countries. Interestingly, there was an increase in the number of attacks against Canadian servers, and against web resources in Russia, South Korea and France.

“In Russia, South Korea and France, the number of attacked web resources has increased compared with Q4 2014, and so did the number of attacks on all targets located in these countries,” Kaspersky explained. “In Canada, the number of attacks has increased, but the number of targets has decreased, which suggests that cyber-criminals are more actively attacking a limited number of web resources in the country.”

These figures show that botnet-assisted DDoS attacks are a threat to the most diverse web resources, irrespective of their geographic location, and that the threat is continuing to expand its boundaries.

Volume-wise, in Q1 2015, there were 23,095 botnet-assisted DDoS attacks reported, which is 11% lower than the 25,929 attacks in Q4 2014. Also, there were 12,281 unique victims of DDoS attacks in Q1 2015, which is 8% lower than the 13,312 victims in the prior period.

The declines are likely tied to seasonality, Kaspersky pointed out.

“Last December saw a dramatic increase in the number of botnet-assisted DDoS attacks,” the firm said. “The number of attacks declined steadily through January and February, but then began to rise again in March. The December peak could be linked to the Christmas/New Year holidays, when the cyber-criminals redoubled their efforts to disrupt the operation of websites and services popular with users.”

But regardless of why the DDoS threat may have waned slightly, the cyber-criminals who use botnets to carry out DDoS attacks are persistent.

To wit: The most prolonged DDoS attack in Q1 2015 lasted for 140 hours (almost six days), and the most frequently attacked web resource (a Russian-language website for a group of investment companies) survived 21 attacks within the three-month period. There were other frequently attacked targets: a Vietnamese wedding services provider faced 16 attacks, and a hosting provider in the US saw 15.

However, the study shows that even a short, one-off attack may render an unprotected web resource inoperable. A single attack may cost the victim up to $444,000, Kaspersky said, not including the reputational damage associated with unsatisfied users who failed to receive the service they expected.

It should also be pointed out that 93.2% of DDoS targets in Q1 were attacked by just one family of bots. In 6.2% of cases, two families of bots participated in an attack simultaneously, and in 0.6% of cases three or more did. In such cases, either the cyber-criminals used several different bot families at the same time to perform the attack, or the clients used the services of several attackers at once.

In Q1 2015, as in Q4 2014, bots designed to infect Linux servers were more active than those targeting Windows devices. Although there are far fewer Linux-based botnets, the number of attacks launched from them is larger than the number launched from Windows-based botnets, and the attacks from Linux-based botnets are more powerful.

“This is because a successful infection of a Linux-based server provides the cyber-criminals with vast opportunities to manipulate network protocols,” the report noted. “In addition, infected servers typically have faster internet connections than individual computers, so more powerful attacks can be carried out.”
