Key findings from the report include: - Overall, the number of DDoS attacks decreased
- A “Pulse wave” assault, a new form of attack that was identified by Imperva researchers earlier this year, was the largest attack of the quarter
- The number of repeat attacks escalated and US websites were targeted more than any other sites around the world
- Increased botnet activity was observed coming from Turkey, Ukraine and India
Igal Zeifman, Incapsula security evangelist at Imperva, explained:
“For the fifth consecutive quarter, we saw a decrease in the number of network layer assaults, which dropped to a 196 per week from 296 in prior quarter. We also saw a small dip in application layer attacks, which fell to 973 per week from an all-time high of 1,099.
There is no reason to assume that the minor decline in the number of application layer assaults is the beginning of a new trend. Conversely, the persistent year-long downtrend in the amount of network layer attacks is a strong sign of a shift in the DDoS threat landscape. There are several possible reasons for this shift, one of which is the ever increasing number of network layer mitigation solutions on the market. The commoditization of such services makes them more commonplace, likely driving attackers to explore alternative attack methods.
The largest network layer assault we mitigated in Q2 2017 peaked at 350 Gbps and was carried out using a new "pulse wave" tactic that we encountered on multiple occasions throughout the quarter, which enables an offender to pin down multiple targets with alternating high-volume bursts.
In the second quarter of the year, 75.9 percent of targets were subjected to multiple attacks—the highest percentage our research has ever recorded. Notably, US-hosted websites bore the brunt of these repeat assaults—38 percent were hit six or more times, out of which 23 percent were targeted more than 10 times. This increase in the number of repeat assaults is another clear trend and a testament to the ease with which application layer assaults are carried out. What these numbers show is that, even after multiple failed attempts, the minimal resource requirement motivates the offenders to keep going after their target.
Even with mitigation solutions in place, such repeat assaults have a potential of becoming a war of attrition - an equivalent of laying siege on an impenetrable target. The prevalence of such attacks highlights the need for an automation of DDoS mitigation solutions, enabling them to deal with a slew of attacks without wearing down the IT team or causing any noticeable disruption to legitimate service users.
“In Q2 we saw increased botnet activity out of Turkey, Ukraine and India. In Turkey, we recorded over 3,000 attacking devices that generated over 800M attack requests, more than double what we saw last quarter. In Ukraine and India, we recorded 4,300 attacking devices, representing a roughly 75 percent increase from Q1 2017. The combined attack output of Ukraine and India was 1.45 billion attack requests for the quarter.”
