DDoS attacks grew shorter, more complex and persistent in Q1 2017, new report suggests

Distributed denial of service (DDoS) attacks in the first quarter of 2017 were growing shorter, more complex and persistent, according to a new report released on Monday.

Redwood Shores, Calif.-based Imperva released on Monday its 2017 Q1 Global DDoS Threat Landscape Report, analyzing more than 17,000 network and application layer DDoS attacks (3,457 network layer and 14,122 application layer) mitigated by its Imperva Incapsula services during the first quarter. Imperva offers data and application security solutions that protect business-critical information in the cloud and on-premises.

On a macro level, DDoS assaults grew shorter, but also more complex and persistent, Imperva said in a statement. Eighty per cent of all attacks lasted less than an hour; 90% of all network layer attacks lasted less than 30 minutes, compared to 78.2% in the prior quarter. Forty per cent of all attacks were multi-vector assaults, compared to 29% in Q4 2016, while 19% of targets were attacked 10 times or more, up from 13.1% in Q4 2016.

In terms of worldwide botnet activity, almost 69% of all DDoS attack requests came from China (50.8%), South Korea (10.8%) and the United States (7.2%). Consistent with previous quarters, the United States, United Kingdom and Japan continued to top the list of most targeted countries, the statement added. Joining that list – for the first time in the past year – were also Singapore and Israel.

Igal Zeifman, Incapsula security evangelist at Imperva, reiterated in the statement that DDoS attacks grew more persistent in the first quarter. “Specifically, 74% of targets suffered repeat assaults during the quarter, with 19 per cent being hit 10 times or more. In both cases these numbers were the highest ever on our record,” Zeifman said. “In the most extreme case, an established U.S.-based science news website was hit 1,046 times by low-volume bursts lasting 10 minutes or less.”

Zeifman suggested that these attacks are a “sign of the times,” as launching a DDoS assault has “become as simple as downloading an attack script or paying a few dollars for a DDoS-for-hire service. Using these, non-professionals can take a website offline over a personal grievance or just as an act of cyber vandalism in what is essentially a form of Internet trolling,” he said.

Also, for the fourth quarter in a row, there was a decrease in the number of network layer assaults, which fell to 269 per week – half of what they were just a year ago. In contrast, there was another spike in the number of application layer assaults, which reached an all-time high of 1,099 per week.

For network layer assaults, perpetrators continued to use a wide variety of payloads (network packets) to carry out these assaults in the first quarter of 2017, similar to previous quarters, the statement said. ICMP floods continued to be the most prevalent attack type, appearing in 46% of all network layer assaults.

For application layer assaults, the largest attack in Q1 2017 peaked at 176,393 requests per second (RPS), exceeding last year’s high in Q3 of 173,633 RPS. The longest assault lasted “only” 19 days, compared to the 47-day DDoS barrage in Q4 2016 and the record-setting 67-day assault in Q2 2016.