Quarterly Global DDoS Attack Report: Q3 2012

Published October 16, 2012


What You Need to Know

The itsoknoproblembro DDoS suite has received a lot of publicity, and deservedly so. The kit continues to evolve and appears to be under the control of multiple groups.

However, the focus on the itsoknoproblembro botnet has overshadowed other threats that increased during the third quarter of 2012, especially the rising use of reflection-based DDoS attacks:

  • This quarter’s main reflection vectors were RIP, DNS and SNMP services, along with compromised gaming servers.
  • The prevalence of reflection attacks led DDoS security analysts to add a new classification for RIP reflection floods. SNMP, DNS, and gaming-server reflections still reside under the UDP flood classification.
  • The DNS reflections observed favored TXT and ANY queries, whose large responses give the attacker the greatest amplification per spoofed request.
  • Compared to Q3 2011, the number of tracked DDoS attack types doubled from nine to 18.

The evolution of known attacks and new DDoS attack types illustrates the continued desire of attackers to search for new ways to deliver payloads against targets and bypass standard mitigation techniques.

Spotlight: Intense 20 Gbps DDoS attacks became the new norm in Q3 2012

Third quarter 2012 attacks were shorter – but more intense.

Notable distributed denial of service (DDoS) trends from July through September 2012 include the following:

  • Many of this quarter’s DDoS attacks leveraged the PHP-based bot toolkit itsoknoproblembro, which has been used in several high-profile DDoS attacks.
  • Cleanup efforts for itsoknoproblembro have been extremely difficult and taxing for security experts. Outdated web applications and inexperienced administrators only compounded the difficulty of effectively remediating this infection.
  • DDoS attacks in excess of 20 Gbps have become commonplace. Very few enterprises in the world have a network infrastructure with the capacity to withstand bandwidth floods of this size.
  • Uncommon attack types emerged during this three-month period, including SYN PUSH and FIN PUSH floods (TCP segments carrying the SYN or FIN flag together with PSH) and RIP floods. RIP is a legacy routing protocol (UDP port 520) not typically used as a DDoS attack vector.
  • The inclusion of unexpected protocols in attack campaigns highlights the continued evolution and threat of DDoS toolkits.
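The reflection vectors listed under "What You Need to Know" and the SYN PUSH, FIN PUSH and RIP floods listed above are all distinguishable in flow data by source port or TCP flag combination. The following is an added example, not Prolexic's code or data from the report: it maps constructed NetFlow-like records onto the report's own attack classes (RIP reflection as its own class, DNS and SNMP reflection under UDP flood), keeps only buckets fed by many distinct sources, and reports average packet size, since oversized UDP responses are what TXT/ANY amplification looks like at the victim. The Flow schema, the source-count threshold and the sample addresses are assumptions made for the example.

```python
"""Map flow records to the DDoS attack classes named in the report.

Added example for this page, not Prolexic's code or data. The Flow field
names, the distinct-source threshold and the sample flows are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the reflection vectors the report lists. Reflected
# traffic reaches the victim *from* the reflector's service port. The report
# gives RIP its own class; DNS and SNMP stay under "UDP flood". Gaming-server
# reflection has no single port and falls into the generic UDP flood class.
REFLECTOR_CLASS = {
    53: "UDP flood (DNS reflection)",
    161: "UDP flood (SNMP reflection)",
    520: "RIP reflection flood",
}


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (constructed, NetFlow-like schema)."""
    src: str
    dst: str
    proto: str           # "udp" or "tcp"
    sport: int
    dport: int
    nbytes: int
    packets: int
    tcp_flags: str = ""  # letters of the TCP flags seen, e.g. "SP" = SYN+PSH


def vector(flow):
    """Return the attack class a single flow is consistent with, or None."""
    if flow.proto == "udp":
        return REFLECTOR_CLASS.get(flow.sport, "UDP flood")
    if flow.proto == "tcp":
        flags = set(flow.tcp_flags)
        if flags == {"S", "P"}:
            return "SYN PUSH flood"
        if flags == {"F", "P"}:
            return "FIN PUSH flood"
        if flags == {"S"}:
            return "SYN flood"
    return None


def classify(flows, min_sources=3):
    """Aggregate per (destination, class) and keep buckets with many sources.

    A lone DNS answer to a client matches the DNS reflection class on its own;
    the distinct-source threshold is what separates a flood from normal traffic.
    """
    buckets = defaultdict(lambda: {"sources": set(), "nbytes": 0, "packets": 0})
    for f in flows:
        cls = vector(f)
        if cls is None:
            continue
        b = buckets[(f.dst, cls)]
        b["sources"].add(f.src)
        b["nbytes"] += f.nbytes
        b["packets"] += f.packets

    findings = {}
    for key, b in buckets.items():
        if len(b["sources"]) < min_sources:
            continue
        findings[key] = {
            "sources": len(b["sources"]),
            "nbytes": b["nbytes"],
            "packets": b["packets"],
            # Large average UDP responses are the signature of TXT/ANY amplification.
            "avg_pkt_bytes": b["nbytes"] // b["packets"],
        }
    return findings


# Constructed sample using documentation-range addresses, not real traffic.
SAMPLE_FLOWS = [
    # Open resolvers answering spoofed ANY queries: ~3 kB responses to the victim.
    Flow("203.0.113.1", "198.51.100.10", "udp", 53, 33333, 3_000_000, 1000),
    Flow("203.0.113.2", "198.51.100.10", "udp", 53, 33333, 2_800_000, 950),
    Flow("203.0.113.3", "198.51.100.10", "udp", 53, 33333, 3_100_000, 1050),
    # RIP responders (UDP 520) reflecting to the same victim.
    Flow("192.0.2.10", "198.51.100.10", "udp", 520, 520, 500_000, 1000),
    Flow("192.0.2.11", "198.51.100.10", "udp", 520, 520, 520_000, 1040),
    Flow("192.0.2.12", "198.51.100.10", "udp", 520, 520, 480_000, 960),
    # SYN+PSH segments from spoofed sources against a web server.
    Flow("192.0.2.50", "198.51.100.20", "tcp", 40000, 80, 60_000, 1000, "SP"),
    Flow("192.0.2.51", "198.51.100.20", "tcp", 40001, 80, 60_000, 1000, "SP"),
    Flow("192.0.2.52", "198.51.100.20", "tcp", 40002, 80, 60_000, 1000, "SP"),
    # Ordinary traffic: one DNS answer to a client, one established HTTP flow.
    Flow("203.0.113.53", "198.51.100.77", "udp", 53, 51000, 120, 1),
    Flow("198.51.100.77", "198.51.100.20", "tcp", 50000, 80, 1500, 10, "AP"),
]


if __name__ == "__main__":
    for (dst, cls), stats in sorted(classify(SAMPLE_FLOWS).items()):
        print(f"{dst:15} {cls:30} {stats}")
```

Running the block flags three buckets on the constructed sample: DNS reflection and RIP reflection against 198.51.100.10, and a SYN PUSH flood against 198.51.100.20. The single legitimate DNS answer to 198.51.100.77 is classified as DNS reflection by `vector` but dropped by `classify`, which is the point of thresholding on distinct sources rather than on port alone; lowering `min_sources` to 1 surfaces it as a false positive.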

Highlights: Q3 2012 global DDoS attack statistics

Compared to Q2 2012

  • 14 percent decline in total number of attacks
  • 11 percent increase in average attack bandwidth
  • Slight increase in average attack duration to 19 hours from 17 hours
  • Packet per second volume increase of 33 percent
  • China was joined by the United States in the top source countries for DDoS attacks

Compared to Q3 2011

  • 88 percent increase in total number of DDoS attacks
  • Significant decrease in average attack duration: 19 hours vs. 33 hours
  • 230 percent increase in average attack bandwidth
