Quarterly Global DDoS Attack Report: Q4 2012

Published January 17, 2013

What You Need to Know

There are two ways of dealing with DDoS attacks: filtering the attack and/or disabling the attacking botnet. Botnet takedowns have unique complications:

  • Some botnets have resilient Command and Control architectures where individual bots can become Command and Control servers.
  • In consequence, the individual bots themselves must ultimately be identified and removed.

For some botnets, such as the BroDoS botnet, the rate of bot takedowns has reached a steady state with the rate at which bots are added back into the network.

  • Initially the rate of bot takedowns was quite high as the easy bots (those in the USA and many European countries) were removed.
  • The rate of takedowns is highest when established cooperation, relationships and common languages exist. The rate of takedowns is lower when more ISPs need to be contacted across many more regions and languages.
  • Taking down 1,000 bots installed on 500 ISP networks across many countries requires a significant amount of time and effort. Contacts and relationships need to be built, and there is still no guarantee of participation or help in the takedown effort.
  • Despite continued efforts in bot takedowns, many new botnets are likely to emerge.

Due to limited manpower and the scale of the problem, there will remain a significant number of active bots for the foreseeable future.

Spotlight: 50+ Gbps DDoS attacks become common, plus a look at how Brobot infections keep changing, and attack trends

DDoS attacks increase in scale and diversity while botnets like Itsoknoproblembro prove to be difficult to take down

Notable distributed denial of service (DDoS) trends from October – December 2012 include the following:

  • The itsoknoproblembro (BroDoS) toolkit was primarily used against financial services firms in Q4, though it was also used against businesses in other sectors.
  • Digital forensics by DDoS cybersecurity analysts found that malware other than BroDoS was used to generate equally large bandwidth DDoS attacks.
  • Third quarter attacks of 20 Gbps were surpassed by even larger attacks of 50+ Gbps against clients in the financial services, e-Commerce and Software as a Service (SaaS) industries.

Highlights: Q4 2012 global DDoS attack statistics

Compared to Q4 2011

  • 19 percent increase in total number of DDoS attacks
  • 15 percent rise in total number of infrastructure attacks
  • 30 percent rise in total number of application attacks
  • 6 percent decline in average attack duration to 32 hours from 34
  • 13 percent increase in average attack bandwidth from 5 Gbps to nearly 6 Gbps

Compared to Q3 2012

  • 26 percent increase in total number of DDoS attacks
  • 17 percent increase in total number of infrastructure attacks
  • 72 percent rise in total number of application attacks
  • 67 percent increase in average attack duration to 32 hours from 19 hours
  • 20 percent increase in average attack bandwidth from 5 to 6 Gbps
  • China retains its position as the top source country for DDoS attacks