Cyber security company Imperva has released its latest quarterly DDoS Threat Landscape Report, which details the changes in DDoS attack patterns during Q4 2015.
The report was compiled using data from 3,997 network layer and 5,443 application layer DDoS attacks mitigated by the Imperva Incapsula services from October 1 through November 29, 2015, which we refer to as Q4 or the fourth quarter.
Among the key findings: in the last quarter of 2015, UK websites suffered a 21 percent increase in DDoS attacks in comparison to previous quarters throughout the year.
Other findings from the study include:
- Most notably, the second half of 2015 saw a surge in the use of DDoS-for-hire services. In a nutshell, these services allow anyone with a PayPal account to launch DDoS attacks of medium to high volume lasting between 30 and 60 minutes.
- DDoS-for-hire has been around for a while. Recently, however, increased availability of these tools, coupled with media attention and lackluster regulation, put the “industry” on an accelerated growth path, leading to a surge in the number of DDoS attacks.
- Consequently, in Q4 2015, we saw a 25.3 percent increase in the frequency of network layer attacks against our clients. This was in addition to the 108.5 percent increase we reported in Q3 2015.
- Predominantly, these were short high-volume bursts, which are best exemplified by the largest network layer assault we dealt with in Q4—a 40-minute-long SYN flood that peaked at 325 Gbps and 115 Mpps. This makes it one of the largest DDoS attacks mitigated by any DDoS protection provider to date.
- Overall, 82.9 percent of network layer attacks in Q4 2015 lasted under 30 minutes. Often we saw these bursts repeatedly launched against the same target in the span of several hours.
Largest network layer attack peaked at 325 Gbps/115 Mpps
Botnet activity: Surge in attacks against Japan and UK
Similar to previous quarters, US-based websites drew the bulk of DDoS attacks in Q4 2015, becoming the target of 47.6 percent of all botnet traffic. This time, they were followed by the UK and Japan—both of which were targeted by significantly more DDoS attacks than they were in Q3 2015.
Specifically, the number of DDoS attacks against UK-based websites rose from 2.5 percent to 23.2 percent. In Japan, the number of attacks increased from 1.2 percent to 8.6 percent.
| Targeted Countries | | Attacking Countries | |
|---|---|---|---|
| United States | 47.6% | China | 39.8% |
| United Kingdom | 23.2% | South Korea | 12.6% |
| Japan | 8.6% | United States | 11.7% |
| Netherlands | 6.8% | Vietnam | 5.8% |
| France | 4.6% | Turkey | 4.2% |
| Canada | 3.2% | Netherlands | 2.9% |
| Germany | 2.5% | Spain | 1.5% |
| Ireland | 1.5% | India | 1.5% |
| Brazil | 0.6% | Brazil | 1.4% |
| Russia | 0.3% | Russia | 1.3% |
Top attacked and attacking countries
On the attackers’ side, China, South Korea, the US and Vietnam continued to lead the list, with variants of Nitol, PCRat and DirtJumper being the most commonly used attack malware.

| Malware type | Percentage |
|---|---|
| Nitol | 33.3% |
| PCRat | 32.8% |
| DirtJumper | 5.3% |
Most common DDoS malware types