Number of Botnet-Powered DDoS Attacks Dropped in Q1: Kaspersky

Kaspersky Lab has published a report detailing the botnet-assisted distributed denial-of-service (DDoS) attacks launched by malicious actors in the first quarter of 2015.

A report published by IBM in March revealed that DDoS attacks were among the most common types of cyberattacks last year. These incidents are closely monitored by companies that provide DDoS protection services, such as Akamai’s Prolexic and Corero. The reports from such companies detail DDoS trends based on the attacks launched against their customers.

Kaspersky Lab has taken a different approach. The security firm has analyzed botnet-powered attacks using data from its DDoS Intelligence system, which focuses on the commands sent to bots from command and control (C&C) servers. The system doesn’t require the presence of a bot on a victim device, or the execution of commands from the C&C server.

Kaspersky has determined that the number of DDoS attacks reported in the first quarter of 2015 (23,095) is 11 percent lower than in the fourth quarter of 2014 (25,929). The number of unique victims was 12,281 in Q1, 8 percent lower than in the previous quarter.

It’s worth noting how Kaspersky counts attacks: a single attack is an incident in which one botnet targets one web resource, with any breaks in botnet activity lasting less than 24 hours. The same botnet attacking the same resource after a 24-hour break is counted as a separate attack, and two botnets targeting the same resource are counted as two separate attacks.
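The counting rule above is essentially a sessionization of C&C commands keyed by (botnet, target) with a 24-hour idle gap. The following script is an added illustration, not Kaspersky's code or methodology beyond what the article states; the botnet names, target hostnames and timestamps are constructed sample data, and the `Command` record is an assumed shape for a C&C command observation.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# A break in activity of 24 hours or more starts a new attack (per the article's rule).
GAP = timedelta(hours=24)


@dataclass(frozen=True)
class Command:
    """Assumed shape of one observed C&C command: which botnet issued it,
    which web resource it targeted, and when it was seen."""
    botnet: str
    target: str
    seen: datetime


def count_attacks(commands, gap=GAP):
    """Group commands into attacks.

    Returns {(botnet, target): [(start, end), ...]}, one (start, end) span per
    attack. Commands for the same botnet/target pair belong to the same attack
    as long as consecutive commands are less than `gap` apart.
    """
    by_key = defaultdict(list)
    for c in commands:
        by_key[(c.botnet, c.target)].append(c.seen)

    attacks = {}
    for key, times in by_key.items():
        times.sort()
        spans = []
        start = prev = times[0]
        for t in times[1:]:
            if t - prev >= gap:          # 24h+ silence: close the span, open a new attack
                spans.append((start, prev))
                start = t
            prev = t
        spans.append((start, prev))
        attacks[key] = spans
    return attacks


def summarize(commands, gap=GAP):
    """Produce the three headline numbers the report uses: attack count,
    unique victims, and the longest attack duration."""
    attacks = count_attacks(commands, gap)
    spans = [s for v in attacks.values() for s in v]
    return {
        "attacks": len(spans),
        "unique_victims": len({target for (_, target) in attacks}),
        "longest": max((end - start for start, end in spans), default=timedelta(0)),
    }


# Constructed sample observations (not real botnets or victims).
T0 = datetime(2015, 1, 1)
SAMPLE = [
    Command("botnet-A", "shop.example.test", T0),
    Command("botnet-A", "shop.example.test", T0 + timedelta(hours=6)),
    Command("botnet-A", "shop.example.test", T0 + timedelta(hours=20)),
    # 28h of silence follows, so these two commands form a second attack
    Command("botnet-A", "shop.example.test", T0 + timedelta(days=2)),
    Command("botnet-A", "shop.example.test", T0 + timedelta(days=2, hours=2)),
    # A different botnet hitting the same resource is its own attack
    Command("botnet-B", "shop.example.test", T0 + timedelta(hours=1)),
    # Same botnet, different resource
    Command("botnet-A", "news.example.test", T0 + timedelta(days=1)),
]

if __name__ == "__main__":
    for key, spans in count_attacks(SAMPLE).items():
        print(key, [(s.isoformat(), e.isoformat()) for s, e in spans])
    print(summarize(SAMPLE))
```

Running it on the sample yields four attacks against two unique victims, the longest lasting 20 hours. The `>=` comparison encodes the article's wording: a break of exactly 24 hours already splits the activity into two attacks.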

When it comes to the geographical distribution of victims, the security firm found that DDoS attacks targeted resources located in 76 countries, the most affected being China, the United States, and Canada.

“Historically, most attacks target web resources located in the USA and China, as these two countries offer the cheapest prices for web hosting, and many web resources are located there. However, the 10 most frequently attacked targets also include victims from Europe and the APAC region,” Kaspersky said in its report. “These statistics demonstrate that botnet-assisted DDoS attacks are relevant for most diverse web resources irrespective of their geographic location. Moreover, this threat is increasingly expanding its boundaries.”

As for duration, the longest attack in the first three months of 2015 lasted for roughly 6 days, but most of the operations lasted for less than 24 hours. In comparison, in the fourth quarter of 2014, some attacks lasted as much as two weeks, Kaspersky said.

The largest number of C&C servers were spotted by Kaspersky in the US, China and the UK, but researchers noted that the location of these servers is not usually related to the physical location of the attackers, or the geographical distribution of the botnets they control.

The security firm also reported that the number of attacks from Linux machines was higher compared to attacks from Windows devices, despite the fact that Linux-based botnets are far fewer. Malicious actors often abuse Linux servers for DDoS because they allow them to launch more powerful attacks.

“Besides, Linux-based botnets have much longer lives than Windows-based botnets do. This is because Linux-based botnets are more difficult to detect and deactivate, since Linux servers are much less likely than Windows-based servers and devices to be equipped with dedicated security solutions,” researchers explained.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.