The graph above shows that the slight increase from last year is owed to September, which accounts for the lion’s share of all attacks (about 5 times more than in 2017). July and August, quite the opposite, turned out quieter than last year. In 2017, no such disproportion was observed.
DDoS attacks defeated by Kaspersky DDoS Protection in September in proportion to Q3 total in 2017 and 2018
A DDoS upsurge in September specifically is a fairly common thing: the primary target, year after year, is the education system, with attacks directed at the web resources of schools, universities and testing centers. The attack on one of England’s leading schools – Edinburgh University – which began on September 12 and lasted for nearly 24 hours, made the biggest headlines this year.
Outbreaks of this sort are often blamed on enemies of the state, but according to the statistics these allegations are unfounded. In the course of our own investigations we found that attacks mostly occur during term time and subside during vacations. The British non-profit organization Jisc reached almost the same conclusion: by collecting statistics on attacks against universities it found that there were fewer attacks when students were on vacation. The same holds for the hours of the day: schools experience the main DDoS disturbances between 9:00 AM and 4:00 PM.
This, of course, may suggest that the perpetrators simply synchronize their actions with the daily pulse of the universities… But the simpler the explanation, the more likely it is: in all probability these attacks, too, are devised by the students themselves, who may have quite a few “good” reasons to annoy their teachers, other students, or schools in general. Consistent with this assumption, our experts were able to find traces of DDoS attack preparations on social networks, while our colleagues from Great Britain came across a rather amusing case of their own: an attack targeting dorm servers was launched by a student trying to defeat his online game adversary.
To all appearances, these cyclical outbursts will recur in the future – either until all educational institutions have secured themselves with impenetrable defenses, or until all students and their teachers have developed a whole new awareness of DDoS attacks and their consequences. It should be mentioned, however, that while most attacks are organized by students, this does not mean that there aren’t any “serious” ones.
For example, the DDoS campaign launched in September against the American vendor Infinite Campus, which provides the parent portal service for many schools in its district, was so powerful and protracted that it came to the notice of US Homeland Security. It can hardly be explained by schoolchildren’s efforts alone.
Anyway, while the reasons behind the September upturn are most likely connected with the start of the new school year, the downturn is a bit tougher to explain. Our experts believe that most botnet owners have redirected their capacities towards a more profitable and relatively safer source of revenue: cryptocurrency mining.
DDoS attacks have become a lot cheaper of late, but only for the customers. As for the organizers, their costs still run high. At the very least, one has to purchase the processing power (sometimes even to equip a data center), write a Trojan of one’s own or modify an existing one (such as the ever popular Mirai), use the Trojan to assemble a botnet, find a customer, launch the attack, and so on. Not to mention that these activities are illegal, and law enforcement is alert to every move: the takedown of Webstresser.org followed by a chain of arrests is a case in point.
On the other hand, cryptocurrency mining is almost legal these days: the only illegal aspect is the use of someone else’s hardware. With certain arrangements in place, mining is light enough on the donor system not to become apparent to its owner, so there is little chance of having to deal with the cyberpolice. A cybercriminal can also repurpose hardware they already own for mining, thus escaping the attention of law enforcement altogether. For example, there were recent reports of a new botnet of MikroTik routers, originally created as a cryptocurrency mining tool. There is also indirect evidence that the owners of many botnets with deservedly unsavory reputations have now reconfigured them for mining. Thus, the DDoS activity of the successful botnet yoyo has dropped very low, although there is no information about it having been dismantled.
There is a maxim in logic which reads: correlation does not imply causation. In other words, if two variables change in a similar way, the changes do not necessarily have anything in common. Therefore, while it appears logical to link the growth in cryptocurrency mining with the slack in DDoS attacks this year, this cannot claim to be the ultimate truth. It is rather a working assumption.
Statistics
Methodology
Kaspersky Lab has a long history of combatting cyberthreats, including DDoS attacks of various types and complexities. The company’s experts monitor botnets using the Kaspersky DDoS Intelligence system.
A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes the commands the bots receive from their command and control (C&C) servers. To initiate protection it is not necessary to wait until a user device gets infected or until the attackers’ commands get executed.
This report contains DDoS Intelligence statistics for Q3 2018.
For the purpose of this report, a single DDoS attack is one during which the intervals between the botnet’s active periods do not exceed 24 hours. For example, if the same resource was attacked by the same botnet a second time after a pause of 24 hours or more, two attacks are recorded. Attacks are also considered separate if the same resource is targeted by bots belonging to different botnets.
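The counting rule above, applied to a constructed sample of intercepted C&C activity, as an added example (not Kaspersky’s code): events are grouped per (target, botnet) pair, a pause longer than 24 hours splits one attack into two, and a different botnet against the same target is always a separate attack. The event format, the IP addresses (from documentation ranges) and the treatment of a gap of exactly 24 hours as still belonging to the same attack are assumptions.

```python
from datetime import datetime, timedelta

# Maximum idle gap inside a single attack, per the report's methodology.
MAX_GAP = timedelta(hours=24)


def count_attacks(events, max_gap=MAX_GAP):
    """Group (timestamp, target_ip, botnet_id) activity events into attacks.

    Events for the same (target, botnet) pair belong to one attack while the
    gap between consecutive activity is at most max_gap; a longer pause starts
    a new attack. A different botnet hitting the same target is always counted
    as a separate attack. Returns one dict per attack with start/end times.
    """
    by_pair = {}
    for ts, target, botnet in sorted(events):
        by_pair.setdefault((target, botnet), []).append(ts)

    attacks = []
    for (target, botnet), times in by_pair.items():
        start = prev = times[0]
        for ts in times[1:]:
            if ts - prev > max_gap:  # assumption: a gap of exactly 24h still merges
                attacks.append({"target": target, "botnet": botnet,
                                "start": start, "end": prev})
                start = ts
            prev = ts
        attacks.append({"target": target, "botnet": botnet,
                        "start": start, "end": prev})
    return attacks


def unique_targets(attacks):
    """Unique targets are counted by unique IP address, as in the report."""
    return len({a["target"] for a in attacks})


def duration_hours(attack):
    return (attack["end"] - attack["start"]).total_seconds() / 3600


# Constructed sample of observed C&C commands (timestamp, target IP, botnet).
SAMPLE = [
    (datetime(2018, 9, 12, 9, 0), "198.51.100.7", "botnet-A"),
    (datetime(2018, 9, 12, 15, 0), "198.51.100.7", "botnet-A"),  # 6h gap: same attack
    (datetime(2018, 9, 14, 10, 0), "198.51.100.7", "botnet-A"),  # 43h gap: new attack
    (datetime(2018, 9, 12, 10, 0), "198.51.100.7", "botnet-B"),  # other botnet: separate
    (datetime(2018, 9, 13, 9, 0), "203.0.113.5", "botnet-A"),
]

if __name__ == "__main__":
    found = count_attacks(SAMPLE)
    print(len(found), "attacks against", unique_targets(found), "unique targets")
```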
The geographic locations of victims of DDoS attacks and command servers are registered based on their IPs. The report counts the number of unique DDoS targets by the number of unique IP addresses in the quarterly statistics.
DDoS Intelligence statistics are limited to the botnets detected and analyzed by Kaspersky Lab to date. It should also be remembered that botnets are but one of the tools used for DDoS attacks, and this section does not cover every single DDoS attack over the given period.
Quarter summary
- As before, China tops the list for the highest number of attacks (78%), the US has reclaimed its second position (12.57%), and Australia comes in third (2.27%) – higher than ever before. For the first time, South Korea has left the top 10, even though the entry threshold got much lower.
- Similar trends are observed in distribution of unique targets: South Korea has dropped to the very bottom of the rating list; Australia has climbed to the third position.
- In terms of number, DDoS attacks effected using botnets had their main peaks in August; the quietest day was observed in early July.
- The number of sustained attacks has declined; however, short ones with duration of under 4 hours grew 17.5 p.p. (to 86.94%). The number of unique targets has increased by 63%.
- The share of Linux botnets has grown only slightly from the last quarter. In this context, the by-type distribution of DDoS attacks has not changed much: SYN flood still comes first (83.2%).
- The list of countries hosting the greatest number of command servers has changed a great deal over the last quarter. Countries like Greece and Canada, previously way out of the top 10, are now high up in the list.
Attack geography
The top line is still occupied by China, its share having soared from 59.03% to 77.67%. The US reclaimed its second position, even though it grew by a negligible 0.11 p.p. to 12.57%. This is where the surprises begin.
First off, South Korea has tumbled out of the top 10 for the first time since monitoring began: its share shrank from 3.21% last quarter to 0.30% for a downhill ride from fourth to eleventh position. Meanwhile Australia has climbed from sixth to third place: now it accounts for 2.27% of the total number of outgoing DDoS attacks. This suggests that the growth trend for the continent, which has emerged over the past few quarters, is still there. Hong Kong descended from second to fourth position: its share plummeted from 17.13% to 1.72%.
Other than South Korea, Malaysia, too, has left the top ten; the two were replaced by Singapore (0.44%) and Russia (0.37%) in seventh and tenth places respectively. Their shares have grown only a little from Q2, yet because of China’s leap the admittance threshold became somewhat less demanding. The example of France demonstrates this very well: in Q2 France was tenth with 0.43% of the total number of DDoS attacks; this quarter its share fell to 0.39%, yet the country still made it to eighth place.
Likewise, the combined percentage of all the countries from outside the top 10 has dropped from 3.56% to 2.83%.
DDoS attacks by country, Q2 and Q3 2018
Similar processes are taking place in the unique targets rating of countries: China’s share grew 18 p.p. to 70.58%. The first five positions for the number of targets look basically the same as those for the number of attacks, but the top 10 list is a bit different: South Korea is still there, although its share shrank a great deal (down to 0.39% from 4.76%). In addition, the rating list lost Malaysia and Vietnam, replaced by Russia (0.46%, eighth place) and Germany (0.38%, tenth place).
Unique DDoS targets by country, Q2 and Q3 2018
Dynamics of the number of DDoS attacks
The beginning and end of Q3 were not abundant in attacks, yet August and early September feature a jagged graph with plenty of peaks and valleys. The biggest spikes occurred on August 7 and 20, which indirectly correlates with the dates when universities collect applicants’ papers and announce admission scores. July 2 turned out the quietest. The end of the quarter, although not very busy, was still marked by more attacks than its beginning.
Dynamics of the number of DDoS attacks in Q3 2018
The day-of-week distribution was fairly even this quarter. Saturday is now the most “dangerous” day of the week (15.58%), having snatched the palm from Tuesday (13.70%). Tuesday ended up second to last in terms of the number of attacks, just ahead of Wednesday, currently the quietest day of the week (12.23%).
DDoS attacks by day of week, Q2 and Q3 2018
Duration and types of DDoS attacks
The longest attack in Q3 lasted 239 hours – just short of 10 days. As a reminder, the previous quarter’s longest one ran for almost 11 days (258 hours).
The share of mass, protracted attacks considerably declined. This is true not only for the “champions”, which lasted upward of 140 hours, but also for all the other categories down to 5 hours. The most dramatic decline occurred in the 5 to 9 hours duration category: these attacks were down to 5.49% from 14.01%.
Yet short attacks of under 4 hours grew almost 17.5 p.p. to 86.94%. At the same time, the number of targets grew 63% from the last quarter.
DDoS attacks by duration, hours, Q2 and Q3 2018
The distribution by type of attack was almost the same as the previous quarter. SYN flood has kept its first position; its share grew even more to 83.2% (from 80.2% in the second quarter and 57.3% in Q1). UDP traffic came in second; it also edged upward to settle at 11.9% (last quarter the figure was 10.6%). Other types of attacks lost a few percentage points but suffered no change in terms of relative incidence: HTTP is still third, while TCP and ICMP – fourth and fifth respectively.
DDoS attacks by type, Q2 and Q3 2018
Windows and Linux botnets have split in about the same proportion as last quarter: Windows botnets have gone up (and Linux ones down) by 1.4 p.p. This correlates well with the dynamics of the attack type distribution.
Windows vs. Linux botnets, Q3 2018
Botnet distribution geography
There was some shakeup in the top ten list of regions with the largest number of botnet command servers. The US remained first, although its share declined from 44.75% last quarter to 37.31%. Russia climbed to second place, having tripled its share from 2.76% to 8.96%. Greece came in third: it accounts for 8.21% of command servers – up from 0.55% and a position well outside the top ten the previous quarter.
China, with 5.22%, is only fifth, outplayed by Canada, which scored 6.72% (several times its own figure in Q2).
At the same time, there was a major increase in the combined share of the countries outside the top ten: up almost 5 p.p., it now stands at 16.42%.
Botnet command servers by country, Q3 2018
Conclusion
No major high-profile attacks were reported over the last three months. In contrast with the summer slowdown, September’s upsurge of attacks on schools was particularly noticeable. It has become part of the cyclic trend Kaspersky Lab has observed for many years.
Another conspicuous development is the shrinking number of protracted attacks paired with a growing number of unique targets: botnet owners may be replacing large-scale offensives with small attacks (sometimes referred to in the English-speaking media as “crawling” ones), often indistinguishable from “network noise”. We have seen preludes to such a change of paradigm over the previous quarters.
The top ten lineup in terms of the number of botnet C&C servers has been abruptly reshuffled for the second quarter in a row. It may be that the attackers are trying to expand into new territories or to arrange geographic redundancy for their resources. The reasons may be both economic (electricity prices, business robustness when exposed to unforeseen circumstances) and legal – anti-cybercrime action.
The statistics for the last two quarters have led us to believe that certain transformation processes are currently unfolding in the DDoS community, which may seriously reconfigure this field of cybercriminal activity in the near future.