This is one of the predictions that comes from Kaspersky’s analysis of DDoS attacks last year. It comes despite the fact that the size of attacks seems to be growing. The most powerful attack in the second half of the year was, at 600 Mbit/sec, 20% higher than the largest in the first half of the year. During the same period, the average attack strength grew by 57% to 110 Mbit/sec.
The report notes that HTTP Floods remain the most popular attack method. These attacks simply involve sending large numbers of requests simultaneously to the same web page, usually from vast numbers of compromised PCs controlled by a single botnet. But despite this simplicity, Kaspersky has detected a shift away from attacking a web page to attacks exploiting the underlying server resources. It means that the attacker can achieve the same results from a smaller number of bots.
“This is a perfectly logical progression,” comments Yury Namestnikov, a senior malware analyst at Kaspersky Lab. “Large botnets attract the attention of anti-DDoS projects and law enforcement agencies, which can make such botnets much less attractive to cybercriminals.” Simply switching to smaller botnets to protect themselves would mean that the criminals would “have to increase the power of attacks by using several botnets targeting one resource at once.”
However, the new approach means that large botnets are not required. “That is why,” concludes Namestnikov, “we are not going to see really large DDoS botnets in 2012. Our radars will show mostly medium-size botnets, which are powerful enough to take down an average website, and such botnets are going to become more numerous.”