Distributed denial of service (DDoS) attacks observed in the first quarter of 2016 grew more advanced and sophisticated, Imperva’s Global DDoS Threat Landscape Q1 2016 report reveals. This should not come as a surprise, as DDoS attacks have been growing in both size and sophistication for years, but Imperva’s latest report provides a glimpse into some of the new tools and attack methods being used by threat actors.
According to the security firm, cybercriminals are experimenting with elaborate tools and attack methods to carry out network assaults. Imperva researchers observed changes in both application and network layer attacks and also say that there has been a shift in the activity of DDoS botnets.
When it comes to application-layer attacks, cybercriminals increased their use of browser-like DDoS bots capable of bypassing standard security challenges by 36.6 percent, compared with an increase of only 6.1 percent in the previous quarter. Additionally, attackers are trying new ways of executing application-layer assaults, such as an HTTP/S POST flood used in an 8.7 gigabits per second Layer 7 attack.
Researchers also note that the frequency of attacks continued to increase in the first quarter of 2016, as 50 percent of the attacked sites were targeted more than once. Moreover, they found that 31.8 percent of websites were targeted between two and five times, up from only 26.7 percent before.
Out of the 5,267 application-layer attacks recorded during the timeframe, 87.8 percent lasted for more than 30 minutes, with the longest lasting 36 days (and still ongoing). The largest attack that Imperva saw peaked at 100,100 requests per second. Additionally, researchers found that 18.9 percent of DDoS bots could bypass cookie challenges, and 17.7 percent of them could bypass both cookie and JavaScript (JS) challenges.
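To make the cookie and JS challenge figures above concrete, here is a small model of the two challenge tiers a Layer 7 DDoS filter places in front of a site, run over a constructed sample of clients. This is an added example and not Imperva's code; the report does not describe its challenge internals, so the HMAC-bound cookie, the script-derived token, the secret key, the nonce and the client sample below are all assumptions made for illustration.

```python
"""Two-tier bot challenge model (cookie challenge, then JS challenge).

Added example; not from the report or from Imperva. All values are constructed.
"""
import hashlib
import hmac

# Constructed demo key. A real filter keeps this secret and rotates it.
SECRET_KEY = b"constructed-demo-key"


def make_cookie(client_ip: str, nonce: str) -> str:
    """Cookie challenge: the first response sets a cookie bound to the client
    and a per-session nonce; content is served only once the client echoes it
    back unchanged. Clients that ignore Set-Cookie never get past this tier."""
    msg = f"{client_ip}:{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def js_answer(nonce: str) -> str:
    """JS challenge: the page ships a small script whose only job is to derive
    this token from the nonce. A client without a script engine cannot
    produce it, so this tier sits behind the cookie tier."""
    return hashlib.sha256(f"js:{nonce}".encode()).hexdigest()[:16]


def classify(request: dict, nonce: str) -> str:
    """Return the tier the request clears:
    'blocked_cookie' -> cookie missing or wrong
    'blocked_js'     -> cookie correct, JS token missing or wrong
    'allowed'        -> both challenges cleared
    Comparisons are constant-time to avoid leaking partial matches."""
    expected_cookie = make_cookie(request["ip"], nonce)
    if not hmac.compare_digest(request.get("cookie", ""), expected_cookie):
        return "blocked_cookie"
    if not hmac.compare_digest(request.get("js_token", ""), js_answer(nonce)):
        return "blocked_js"
    return "allowed"


# Constructed client sample: (ip, keeps_cookies, runs_js). The addresses are
# from documentation ranges and do not refer to any real host.
SAMPLE_CLIENTS = [
    ("198.51.100.10", False, False),  # plain flood tool: ignores Set-Cookie
    ("198.51.100.11", False, False),
    ("198.51.100.12", True, False),   # cookie-aware client, no script engine
    ("198.51.100.13", True, True),    # browser-like client
    ("203.0.113.5", True, True),      # ordinary browser
]


def simulate(clients, nonce: str = "constructed-nonce-01") -> dict:
    """Replay each client's second request (after it received the challenge)
    and tally which tier stopped it. Returns counts per outcome."""
    tally = {"blocked_cookie": 0, "blocked_js": 0, "allowed": 0}
    for ip, keeps_cookies, runs_js in clients:
        req = {"ip": ip}
        if keeps_cookies:
            req["cookie"] = make_cookie(ip, nonce)
        if runs_js:
            req["js_token"] = js_answer(nonce)
        tally[classify(req, nonce)] += 1
    return tally


if __name__ == "__main__":
    for outcome, count in simulate(SAMPLE_CLIENTS).items():
        print(f"{outcome:15s} {count}")
```

The point of tallying per tier is the one the report's percentages make: the cookie tier alone stops the simplest flood tools, while the share of clients that clear both tiers is what a defender must handle with rate limiting or behavioural analysis rather than with challenges.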
In the network-layer DDoS attack segment, the security company observed a 33.9 percent increase in multi-vector attacks, as perpetrators tend to combine high-Gbps and high-Mpps attack vectors. The largest attack witnessed peaked at 200+ gigabits per second, with the highest attack rate reaching 120+ million packets per second.
Imperva says that it mitigated a total of 3,791 network-layer attacks in the first three months of the year, and that the longest lasted 48.5 hours. The security company also notes that it encountered multiple 100+ Gbps assaults, and that, on average, a 50+ Mpps attack occurred every four days and an 80+ Mpps assault was recorded every eight days.
During the three-month period, researchers also observed an increase in botnet activity in South Korea, which was the origin of 29.5 percent of DDoS botnet attacks, with most of the attacks originating from Nitol (52.9 percent) and PCRat (38.2 percent) botnets. Over 38.6 percent of these attacks were launched against Japanese websites, while another 30.3 percent targeted US-hosted sites, researchers say.
In addition to an increase in the use of Nitol in the first quarter of the year, Imperva observed steep growth in the use of the Generic!BT bot, a Trojan that usually compromises computers running Windows. First identified in 2010, the malware’s variants are now used in DDoS attacks from 7,756 unique IPs across 52 countries, most of them in Russia (52.6 percent) and Ukraine (26.6 percent).