Kaspersky Lab is announcing the availability of its latest Q4 2017 DDoS Intelligence Report, based on data from Kaspersky DDoS Intelligence, which reveals accidental DDoS attacks by spammers, political sabotage and the owners of DDoS botnets attempting to make money from Bitcoin.
In Q4 of 2017, the reasons behind the most notorious attacks were political – for example, DDoS attacks targeted the Czech statistical office and the site of the Spanish Constitutional Court). Also, there were attempts to profit from changes in the Bitcoin exchange rate (BTG websites and the Bitcoin exchange Bitfinex were subjected to attacks).
Online commerce and cybercriminals were an inevitable feature of the fourth quarter. In the weeks leading to the peak sales period of Black Friday and Cyber Monday, Kaspersky Lab honeypots recorded a sudden surge in the number of infection attempts on specially created bait by Linux-based DDoS bots. This may reflect the desire of cybercriminals to increase the size of their botnets prior to a period of major sales to make more money.
However, as Q4 also proved a DDoS attack isn’t always a way of earning money or causing trouble for the owners of internet resources – it can also be an accidental side effect. For instance, in December, an extensive ‘DDoS attack’ on the DNS servers of the RU national domain zone was caused by a modification to the Lethic spambot. It appears that due to a developer error, the Trojan created a vast number of requests to non-existent domains and ended up producing the effect of a massive DDoS attack.
While analyzing the quarterly data, experts also noticed a decrease in the number of countries where the resources of DDoS botnet victims are located fell from 98 in the third quarter to 82 in the fourth quarter. In addition, Vietnam burst into the rating of most attacked countries, replacing Hong Kong among the leaders. Despite minor fluctuations, all of the other countries in the top 10 most attacked countries list remained the same as in Q3. Meanwhile, Canada, Turkey and Lithuania entered the top 10 countries where C&C (command & control) servers controlling DDoS botnets are located, taking the previous places Italy, Hong Kong and the United Kingdom held on the list.
Following a sharp increase in Q3, the share of Linux botnets remained at the same level in the fourth quarter (71% vs. 29% for Windows botnets). However, the percentage of SYN DDoS attacks dropped from 60 percent to 56 percent due to a decrease in activity by the Xor DDoS Linux bot. As a result, the proportion of User Datagram Protocol (UDP), Transmission Control Protocol (TCP) and Hypertext Transfer Protocol (HTTP) attacks grew, although the percentage of Internet Control Message Protocol (ICMP) attacks continued to fall and reached a record low for 2017 (3%).
Kaspersky DDoS Protection statistics, which include data on botnet activity as well as other sources, showed a decline in the popularity of DDoS attacks using only the HTTP or HTTPS flood method – from 23 percent in 2016 to 11 percent in 2017. At the same time, the frequency of attacks simultaneously using several methods increased from 13 percent to 31 percent. This may be due to the difficulty and expense of organizing HTTP(S) attacks, while blended attacks allow cybercriminals to combine effectiveness with lower costs.
"You don’t have to be a direct target to become a victim of a DDoS attack,” said Kirill Ilganaev, head of Kaspersky DDoS protection at Kaspersky Lab. “Today, DDoS is an instrument for applying pressure or making money illegally, and attacks can harm not just large, well-known organizations but also very small companies. No business that depends on internet access – even partially – should be without anti-DDoS protection.”