Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
4/26/2018
09:00 AM
Sara Boddy
Sara Boddy
Partner Perspectives
Connect Directly
Twitter
LinkedIn
RSS
50%
50%

Europe and Asia Take on More DDoS Attacks

While North American targets have historically been on the receiving end of the majority of DDoS attacks since their inception, that trend changed in 2017.

lan Meller, Justin Shattuck, and Damien Rocha also contributed to this article

In case you haven't noticed, 2017 was somewhat of a milestone in the DDoS industry: it was absent a major world record-setting DDoS event. The bad news is that in 2018, DDoS attacks are slamming back in full force. The number of attacks mitigated globally by F5 from 2016 to 2017 increased by 26%. Q1 historically receives the lowest number of attacks. Based on F5's Q1 2018 attack count, the number of DDoS attacks will exceed 33% growth in 2018.

Taking Q1 2018 into account, the amount of DDoS attacks against targets in the Asia Pacific (APAC) region are increasing faster than any other region of the world. North America (N-AMER), Europe, the Middle East and North Africa (EMEA) have been steadily increasing year over year but did not see the same Q1 2018 growth as APAC.

North American targets have received the majority of DDoS attacks since their inception. This trend changed in 2017 when DDoS attacks targeting North America dropped below 50%, while EMEA-targeted DDoS attacks rose above a third, and APAC grew from 8% in 2016 to 17% in 2017. In Q1 2018, businesses in APAC received almost as many attacks as businesses in North America.

The Q1 2018 attacks are only one quarter in comparison to the annual averages of 2016 and 2017. If attacks against North America decline in Q2, as they have done the past 2 years, the trend of North America declining in overall percentage of attacks received will continue to drop. Attacks against EMEA entities increased in Q2 in 2016 and 2017, indicating there is a good chance EMEA’s percentage of the total will continue to rise, potentially surpassing North American targets for the first time.

Online gaming businesses were the top DDoS target in Q1 2018, followed by financial services and hosting providers. Collectively those industries received 76% of the DDoS attacks in Q1 2018. Web hosting providers and financial organizations have always been top DDoS attack targets, and that trend continued in 2017. Why? Because those two industries directly translate downtime into dollars lost. Therefore, blackmail DDoS attacks is a very lucrative for attacks as paying the ransom is an effective way to stop the pain.

The gap between the traditional top targets and other various industries including technology providers, ISP’s, online gaming, and business service providers is steadily closing. Every year we continue to see a broader scope of DDoS targets with the growth in DDoS-for-hire services at extremely affordable rates, and availability of DDoS tools to the common script kiddie.

DDoS Attacks by Type
UDP fragmented attacks are becoming increasingly popular with DDoS attackers that use multiple vectors in their attacks to “fill up the pipe” by maximizing the packets and fragments being sent through it.

When breaking down the DDoS attacks into volumetric, reflection, or application attack categories, volumetric attacks have always been the majority. Applications, as opposed to the traditional network, are a rising DDoS attack vector. Application attacks are more precise and require traffic scrubbing, versus the typical blocking of unwanted port traffic at the network layer. As the internet moves towards a virtualized application environment, we expect DDoS attacks targeting applications to take a larger slice of the pie in the future.

F5 has already mitigated multiple attacks greater than 250 Gbps in 2018. The interesting thing about these attacks is that it was clear the attackers had done their homework. They knew the prefixes they were targeting as they targeted multiple hosts in the same /24 subnet simultaneously, while constantly changing the target hosts. As mitigations were applied, the attackers continued to target other prefixes. In total, 3 different /24 subnets were targeted.

The top 10 source traffic countries remained the same throughout all attacks, which could indicate that the attacks were launched from the same systems over the four-day period. This type of attack behavior is consistent with IoT devices in which compromises and subsequent attacks go undetected or, in less likely scenarios, compromised systems owned by businesses (that don’t know they have been compromised) and are being used to launch attacks.

The largest source of the attacks came from the US, which is not typical. This is an indicator of a significant number of vulnerable systems (potentially compromised memcached systems or IoT devices) in the US being targeted to launch DDoS attacks from.

With the rise in IoT devices, cloud computing and online databases, more vulnerable systems are becoming available to attackers to launch devastating DDoS attacks than ever before. When defending against modern cyber threats, no business is immune to damaging DDoS attacks. If you cannot afford downtime, get a DDoS strategy in place now so you don’t have to scramble to put one in place while you’re under attack.

Get the latest application threat intelligence from F5 Labs.

Sara Boddy currently leads F5 Labs, F5 Networks' threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ishanm
100%
0%
ishanm,
User Rank: Apprentice
4/27/2018 | 2:24:03 AM
F5 is strong
In a our recent research for Top DDoS Companies we were studying F5 too. It's true that the attacks have grown immensely but it was necessary for businesses to learn why cyber security is necesarry even if you fix vulnerabilties on the go. Everyone is vulnerable to DDoS.
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.
CVE-2019-18197
PUBLISHED: 2019-10-18
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclo...
CVE-2019-4409
PUBLISHED: 2019-10-18
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entere...