A shift from quantity to quality: 2018 saw cyber criminals dropping basic DDoS operations
10 February 2019
The Kaspersky Lab DDoS Q4 Report, covering statistics for the last quarter and the whole of 2018, highlights a 13% decline in the overall number of DDoS attacks compared with the previous year. However, the duration of mixed and HTTP flood attacks is growing, which suggests that attackers are turning to more sophisticated DDoS techniques.
The low cost of DDoS-for-hire services makes such attacks one of the most affordable cyber weapons for unscrupulous competitors or internet trolls. Businesses of any size or industry can face this threat and suffer revenue and reputation losses if legitimate users and customers cannot reach the company’s web resources. Despite the fall in the number of DDoS attacks in 2018, it is too early to rejoice: fewer attacks does not mean less severe ones. According to Kaspersky Lab researchers, as more and more organizations adopt solutions that stop simple DDoS attacks, 2019 will likely see attackers improve their expertise to overcome standard DDoS protection measures and take the overall complexity of this threat to the next level.
Although the number of attacks is decreasing, analysis by Kaspersky Lab experts found that the average attack duration is growing. Compared with the beginning of the year, the average attack length more than doubled, from 95 minutes in Q1 to 218 minutes in Q4. Notably, UDP flood attacks (in which the attacker sends a large number of UDP packets to ports on the target’s server in order to overwhelm it and make it unresponsive to clients), which accounted for almost half (49%) of DDoS attacks in 2018, were very short and rarely lasted more than 5 minutes.
Kaspersky Lab experts assume that the decline in the duration of UDP flood attacks shows that the market for easy-to-organize attacks is shrinking. Protection against this type of attack is now widely deployed, making it ineffective in most cases. The researchers suggest that attackers launch numerous short UDP floods to probe whether a targeted resource is unprotected; if it quickly becomes clear that the attempt is failing, they stop the attack.
At the same time, more complex attacks (such as HTTP misuse), which require time and money, will remain long. As the report reveals, HTTP flood attacks and mixed attacks with an HTTP component, whose shares of the attack count were relatively small (17% and 14% respectively), accounted for about 80% of total DDoS attack time over the whole year.
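The count-versus-duration analysis described above is something a defender can reproduce on their own mitigation logs. The following Python script is an added example, not code from the Kaspersky Lab report or this release: it pairs start/end lines into attack windows, tags short UDP bursts as likely probes (per the researchers' observation that UDP floods rarely exceed 5 minutes), reports attacks that have started but not ended, and computes each vector's share of attack count versus attack time. The log line format, target addresses, vector names and the 5-minute probe threshold are assumptions, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical mitigation-appliance format
# (not real telemetry): one "start" and one "end" line per attack window.
# The final line is a deliberately unterminated attack (no matching "end").
SAMPLE_LOG = """\
2018-12-01T10:00:00 target=203.0.113.10 vector=udp_flood state=start
2018-12-01T10:03:00 target=203.0.113.10 vector=udp_flood state=end
2018-12-01T10:05:00 target=203.0.113.10 vector=udp_flood state=start
2018-12-01T10:07:00 target=203.0.113.10 vector=udp_flood state=end
2018-12-01T11:00:00 target=203.0.113.20 vector=http_flood state=start
2018-12-01T14:38:00 target=203.0.113.20 vector=http_flood state=end
2018-12-02T09:00:00 target=203.0.113.30 vector=mixed_http state=start
2018-12-02T13:00:00 target=203.0.113.30 vector=mixed_http state=end
2018-12-02T15:00:00 target=203.0.113.40 vector=syn_flood state=start
2018-12-02T15:30:00 target=203.0.113.40 vector=syn_flood state=end
this line is malformed and must be skipped
2018-12-03T08:00:00 target=203.0.113.50 vector=udp_flood state=start
"""

LINE_RE = re.compile(r"^(\S+) target=(\S+) vector=(\S+) state=(start|end)$")

# Assumed threshold: the report says UDP floods rarely lasted more than 5 minutes.
PROBE_MAX_MINUTES = 5


def parse_attacks(log_text):
    """Pair start/end lines per (target, vector) into attack records.

    Returns (completed_attacks, still_open) where still_open maps
    (target, vector) -> start time for attacks with no matching end line.
    """
    open_attacks = {}
    attacks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the pipeline
        ts, target, vector, state = m.groups()
        when = datetime.fromisoformat(ts)
        key = (target, vector)
        if state == "start":
            open_attacks[key] = when
        elif key in open_attacks:
            start = open_attacks.pop(key)
            attacks.append({
                "target": target,
                "vector": vector,
                "start": start,
                "minutes": (when - start).total_seconds() / 60,
            })
        # an "end" without a known "start" is ignored (nothing to measure)
    return attacks, open_attacks


def classify(attack):
    """Label one attack: short UDP bursts look like defence probes,
    HTTP vectors are the expensive, long-running ones."""
    if attack["vector"] == "udp_flood" and attack["minutes"] <= PROBE_MAX_MINUTES:
        return "udp_probe"
    if attack["vector"] in ("http_flood", "mixed_http"):
        return "http_sustained"
    return "other"


def share_by_vector(attacks):
    """Return {vector: (share_of_attack_count, share_of_total_attack_minutes)}."""
    counts = defaultdict(int)
    minutes = defaultdict(float)
    for a in attacks:
        counts[a["vector"]] += 1
        minutes[a["vector"]] += a["minutes"]
    total_count = len(attacks)
    total_minutes = sum(minutes.values())
    return {v: (counts[v] / total_count, minutes[v] / total_minutes) for v in counts}


def average_duration(attacks):
    """Average attack length in minutes across completed attacks."""
    return sum(a["minutes"] for a in attacks) / len(attacks)


if __name__ == "__main__":
    done, still_open = parse_attacks(SAMPLE_LOG)
    for a in done:
        print(f"{a['start']:%Y-%m-%d %H:%M} {a['target']:<14} {a['vector']:<11} "
              f"{a['minutes']:6.0f} min  {classify(a)}")
    for (target, vector), start in still_open.items():
        print(f"still in progress: {target} {vector} since {start:%Y-%m-%d %H:%M}")
    for vector, (count_share, time_share) in share_by_vector(done).items():
        print(f"{vector:<11} {count_share:5.0%} of attacks, {time_share:5.0%} of attack time")
    print(f"average duration: {average_duration(done):.1f} min")
```

The point to take from the output is the one the report makes: measured by count, UDP floods dominate, but measured by attack time they are negligible, while the two HTTP vectors together own almost all of it. Tracking both shares, not just the count, is what makes the shift toward longer, costlier attacks visible in your own data.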
“When most simple DDoS attacks do not achieve their aim, those people earning money by launching such attacks have two options. They can reconfigure the capacities required for DDoS attacks towards other sources of revenue, such as cryptomining. Alternatively, malefactors who orchestrate DDoS attacks have to improve their technical skills, as their customers will look for more experienced attackers. Given this, we can anticipate that DDoS attacks will evolve in 2019 and it will become harder for companies to detect them and stay protected,” comments Alexey Kiselev, Business Development Manager on the Kaspersky DDoS Protection team.
Regarding results from the last quarter, the longest DDoS attack in Q4 lasted 329 hours (almost 14 days); an attack of that length was last registered at the end of 2015.
The top three countries from which the most DDoS attacks were launched remain the same. China is again in first place, but its share dropped significantly from 77.67% to 50.43%. The US remains second and Australia third.
By target distribution, China still tops the list, but its share declined to 43.26% (70.58% in Q3).
In Q4 there were also changes in the countries hosting the most C&C servers. As in the previous quarter, the US remained the leader, but the UK and the Netherlands came second and third, replacing Russia and Greece respectively. This is likely because the number of active Mirai C&C servers increased significantly in those two countries.
Kaspersky Lab recommends the following steps to protect an organization from DDoS attacks:
- Train personnel to respond properly to such incidents;
- Ensure that a company’s websites and web applications can handle high traffic;
- Use professional security solutions to protect against attacks.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at