[Tài liệu] DDoS attacks in Q2 2011
The quarter in figures
- The most powerful attack repelled by Kaspersky DDoS Prevention in Q2: 500 Mbps
- The average power of the attacks repelled by Kaspersky DDoS Prevention: 70 Mbps
- The longest DDoS attack in Q2: 60 days, 1 hour, 21 minutes and 9 seconds
- The highest number of DDoS attacks against a single site in Q2: 218.
Distribution of DDoS attacks by countryAccording to our statistics for Q2 2011, 89% of DDoS traffic was generated in 23 countries. The distribution of DDoS sources was fairly evenly spread among those countries, with each accounting for 3-5% of all DDoS traffic.
The US’s leading position is down to the large number of computers in the country. Last year, US law enforcement authorities waged a successful anti-botnet campaign which led to the closure of a number of botnets. It is quite possible that cybercriminals will try to restore the lost botnet capacities and the number of DDoS attacks will increase.
Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. In Q2 of 2011, almost every second machine (48%) on the Indonesian segment of Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, was subjected to a local malware infection attempt. Such a high percentage of blocked local infection attempts is the result of a large number of unprotected computers being used to spread malware.
Those countries responsible for less than 3% of all DDoS traffic included countries with high levels of computerization and IT security ( Japan, Hong Kong, Singapore) as well as countries where the number of computers per person is significantly lower and antivirus protection is far from perfect (India, Vietnam, Oman, Egypt, the Philippines, etc.).
Distribution of attacked websites by online activityIn Q2, online trading sites, including e-stores, auctions, buy and sell message boards etc., were increasingly targeted by cybercriminals – websites of this category accounted for a quarter of all attacks. This is hardly surprising: online trading largely depends on a website’s availability, and each hour of downtime results in lost clients and lost profits. This explains why these types of sites were targeted most often – competitors or straightforward extortion were usually behind the attacks.
The websites of electronic stock exchanges and banks occupy third and fourth places respectively. Cybercriminals attack trading platforms in order to cover their tracks after fraudulent transactions rather than to extort money. Typically, both the financial organizations and their clients lose money when such operations are performed. Therefore, how robust a service is against DDoS attacks is a factor that directly affects its reputation.
Interestingly, quite a substantial proportion of DDoS attacks targeted mass media sites (7%), and blogs and forums (8%), which are essentially a form of social mass media. We have already discussed the attacks on LiveJournal above. There is always someone who disagrees with a freely expressed opinion and it appears DDoS attacks are now being used as a means to silence media channels.
Governmental sites make up 1% of all attacked websites, although this statistic does not include attacks carried out by the group Anonymous using the “voluntary” botnet based on LOIC, a program used to arrange attacks. DDoS attacks are increasingly being used to lead protests against government agencies in many countries, and we can expect to see more similar attacks in the future, especially at crucial stages in the political processes of societies.
Types of DDoS attacksIn Q2, Kaspersky Lab’s botnet monitoring system intercepted over 20,000 web-borne commands to initiate attacks on different sites.
SYN Flood attacks are the second most popular type of attack (5.4%). During such attacks, botnets send multiple data packages to the web server in order to establish a TCP connection. Cybercriminals manipulate packages so the server connections are left half open rather than established. Since a server can only maintain a limited number of connections at any time and botnets can generate lots of requests in short periods of time, the targeted server soon becomes unable to accept connections from regular users.
DDoS attacks on DNS servers (0.2%) were the least popular type of attack. As a result of this kind of attack DNS servers are unable to convert site names into IP addresses, so the sites serviced by the targeted server become unavailable to users. This type of attack is particularly damaging in that a single attack can render hundreds or even thousands of websites unavailable.
During a DDoS attack on one web resource, the bots received commands to send requests to an average of two web pages on the targeted site. If we compare the number of attacks delivered on site names and those on IP addresses, it can be seen that it is mostly IP addresses that are attacked: 72% of all attacks targeted IP addresses.
Breakdown of DDoS attacks by targets: site names vs. IP addresses. Q2 2011
Activity of DDoS botnets over timeHaving analyzed all the available data, we can say on which days of the week cybercriminals prefer to carry out their attacks to bring down a site.
Breakdown of DDoS attacks by days of the week. Q2 2011