Distributed denial of service (DDoS) attacks observed in the first quarter of 2016 grew more advanced, Imperva's Global DDoS Threat Landscape Q1 2016 report reveals. This should not come as a surprise, as DDoS attacks have been growing in both size and sophistication for years, but Imperva's latest report provides a glimpse into some of the new tools and attack methods being used by threat actors.
According to the security firm, cybercriminals are experimenting with elaborate tools and attack methods to carry out network assaults. Imperva researchers observed changes in both application and network layer attacks and also say that there has been a shift in the activity of DDoS botnets.
When it comes to application-layer attacks, cybercriminals have increased their use of browser-like DDoS bots capable of bypassing standard security challenges by 36.6 percent, compared with an increase of only 6.1 percent in the previous quarter. Additionally, attackers are trying new ways of executing application-layer assaults, such as an HTTP/S POST flood in an 8.7 gigabits per second Layer 7 attack.
Researchers also note that the frequency of attacks continued to increase in the first quarter of 2016, as 50 percent of the attacked sites were targeted more than once. Moreover, they found that 31.8 percent of websites were targeted between two and five times, up from only 26.7 percent before.
Out of the 5,267 application-layer attacks recorded during the timeframe, 87.8 percent lasted for more than 30 minutes, with the longest lasting 36 days (and still ongoing when the report was compiled). The largest attack that Imperva saw peaked at 100,100 requests per second. Additionally, the researchers found that 18.9 percent of DDoS bots could bypass cookie challenges, and 17.7 percent of them could bypass both cookie and JS challenges.
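The cookie and JS challenges mentioned above are the "standard security challenges" a browser-like bot is built to pass. The following is an added illustration, not code from the Imperva report, of why a cookie challenge alone is a weak filter: it runs a cookie challenge plus a per-client request-rate check over a constructed access log. The log format, the cookie name `ddos_chal`, the IP addresses and the rate threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Assumed challenge cookie and per-client rate threshold (constructed for this example).
CHALLENGE_COOKIE = "ddos_chal=ok"
RATE_LIMIT_RPS = 20

# Constructed sample access log, one request per line:
# "<unix_seconds> <client_ip> <method> <path> <cookie-or-dash>"
# 203.0.113.10 : a browser that answers the challenge and browses normally
# 198.51.100.5 : a simple bot that never returns the challenge cookie
# 192.0.2.77   : a browser-like bot that answers the challenge, then floods POST /login
SAMPLE_LOG = (
    "1000 203.0.113.10 GET / -\n"
    "1000 203.0.113.10 GET / ddos_chal=ok\n"
    "1001 203.0.113.10 GET /about ddos_chal=ok\n"
    "1000 198.51.100.5 GET / -\n"
    "1000 198.51.100.5 GET / -\n"
    "1000 198.51.100.5 GET / -\n"
    "1000 192.0.2.77 POST /login -\n"
    "1000 192.0.2.77 POST /login ddos_chal=ok\n"
    + "".join("1001 192.0.2.77 POST /login ddos_chal=ok\n" for _ in range(40))
)


def parse_log(text):
    """Parse the constructed log format into (ts, ip, method, path, cookie) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, cookie = line.split()
        records.append((int(ts), ip, method, path, None if cookie == "-" else cookie))
    return records


def triage(text, rate_limit=RATE_LIMIT_RPS):
    """Classify each client IP seen in the log.

    'failed_challenge' : never returned the challenge cookie after being challenged
    'flooding'         : returned the cookie (browser-like) but exceeded rate_limit
                         requests in a single second, so only the rate check caught it
    'passed'           : returned the cookie and stayed under the limit
    """
    challenged = set()
    answered = set()
    per_second = defaultdict(lambda: defaultdict(int))  # ip -> second -> request count
    for ts, ip, _method, _path, cookie in parse_log(text):
        if cookie != CHALLENGE_COOKIE:
            # No valid cookie: the edge would serve the challenge page, not content.
            challenged.add(ip)
            continue
        # Request carries the cookie, so it reaches the origin; count it toward the rate.
        answered.add(ip)
        per_second[ip][ts] += 1

    verdicts = {}
    for ip in challenged | answered:
        if ip not in answered:
            verdicts[ip] = "failed_challenge"
        elif max(per_second[ip].values()) > rate_limit:
            verdicts[ip] = "flooding"
        else:
            verdicts[ip] = "passed"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {verdict}")
```

The simple bot is stopped by the cookie check alone, but the browser-like bot answers the challenge exactly as a browser would and is only caught because the origin also tracks the per-client request rate. That is the gap the report's 18.9 percent figure points at: once a bot keeps a cookie jar, the challenge no longer distinguishes it from a browser, and volumetric or behavioural checks behind the challenge have to do the work.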
In the network-layer DDoS segment, the security company observed a 33.9 percent increase in multi-vector attacks, as perpetrators combined high-Gbps and high-Mpps attack vectors. The largest attack witnessed peaked at 200+ gigabits per second, with the highest attack rate reaching 120+ million packets per second.
Imperva says that it mitigated a total of 3,791 network-layer attacks in the first three months of the year, and that the longest lasted 48.5 hours. The security company also notes that it encountered multiple 100+ Gbps assaults, and that, on average, a 50+ Mpps attack occurred every four days and an 80+ Mpps assault every eight days.
During the three-month period, researchers also observed an increase in botnet activity in South Korea, which was the origin of 29.5 percent of DDoS botnet attacks, most of them launched from the Nitol (52.9 percent) and PCRat (38.2 percent) botnets. Of these attacks, 38.6 percent were launched against Japanese websites, while another 30.3 percent targeted US-hosted sites, researchers say.
In addition to the increased use of Nitol in the first quarter of the year, Imperva observed steep growth in the use of the Generic!BT bot, a Trojan that usually compromises computers running Windows. First identified in 2010, the malware's variants are now used in DDoS attacks from 7,756 unique IPs located in 52 countries, most of them in Russia (52.6 percent) and Ukraine (26.6 percent).