30 August 2011

[Document] DDoS attacks in Q2 2011

The quarter in figures

  • The most powerful attack repelled by Kaspersky DDoS Prevention in Q2: 500 Mbps
  • The average power of the attacks repelled by Kaspersky DDoS Prevention: 70 Mbps
  • The longest DDoS attack in Q2: 60 days, 1 hour, 21 minutes and 9 seconds
  • The highest number of DDoS attacks against a single site in Q2: 218

Distribution of DDoS attacks by country

According to our statistics for Q2 2011, 89% of DDoS traffic was generated in 23 countries. The distribution of DDoS sources was fairly evenly spread among those countries, with each accounting for 3-5% of all DDoS traffic.
Distribution of DDoS attacks by country in Q2 2011
Most attacks came from the US and Indonesia with each country accounting for 5% of all DDoS traffic.
The US’s leading position is down to the large number of computers in the country. Last year, US law enforcement authorities waged a successful anti-botnet campaign which led to the closure of a number of botnets. It is quite possible that cybercriminals will try to restore the lost botnet capacities and the number of DDoS attacks will increase.
Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. In Q2 of 2011, almost every second machine (48%) on the Indonesian segment of Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, was subjected to a local malware infection attempt. Such a high percentage of blocked local infection attempts is the result of a large number of unprotected computers being used to spread malware.
Those countries responsible for less than 3% of all DDoS traffic included countries with high levels of computerization and IT security (Japan, Hong Kong, Singapore) as well as countries where the number of computers per person is significantly lower and antivirus protection is far from perfect (India, Vietnam, Oman, Egypt, the Philippines, etc.).

Distribution of attacked websites by online activity

In Q2, online trading sites, including e-stores, auctions, buy and sell message boards etc., were increasingly targeted by cybercriminals – websites of this category accounted for a quarter of all attacks. This is hardly surprising: online trading largely depends on a website’s availability, and each hour of downtime results in lost clients and lost profits. This explains why these types of sites were targeted most often – competitors or straightforward extortion were usually behind the attacks.
Breakdown of attacked sites by areas of activity. Q2 2011
Gaming-related sites were the second most popular targets. As Kaspersky Lab’s monitoring system indicates, most attacks targeted EVE Online and its related websites. The MMORPG space-themed game had 357,000 active gamers as of late 2010. One site in particular that publishes EVE Online news experienced one of the most prolonged attacks – DDoS bots targeted it for 35 days. WoW and Lineage were also subject to some unwanted cybercriminal attention, although it was the games’ various pirate servers that suffered most.
The websites of electronic stock exchanges and banks occupy third and fourth places respectively. Cybercriminals attack trading platforms in order to cover their tracks after fraudulent transactions rather than to extort money. Typically, both the financial organizations and their clients lose money when such operations are performed. Therefore, how robust a service is against DDoS attacks is a factor that directly affects its reputation.
Interestingly, quite a substantial proportion of DDoS attacks targeted mass media sites (7%), and blogs and forums (8%), which are essentially a form of social mass media. We have already discussed the attacks on LiveJournal above. There is always someone who disagrees with a freely expressed opinion and it appears DDoS attacks are now being used as a means to silence media channels.
Governmental sites make up 1% of all attacked websites, although this statistic does not include attacks carried out by the group Anonymous using the “voluntary” botnet based on LOIC, a program used to arrange attacks. DDoS attacks are increasingly being used as a form of protest against government agencies in many countries, and we can expect to see more similar attacks in the future, especially at crucial stages in the political processes of societies.

Types of DDoS attacks

In Q2, Kaspersky Lab’s botnet monitoring system intercepted over 20,000 web-borne commands to initiate attacks on different sites.
Types of DDoS attacks. Q2 2011
HTTP flood is the most popular (88.9%) method of attacking a website: a huge number of HTTP requests are sent to the targeted site over a short period. In most cases they look just like regular user requests, making it difficult to filter them out, which is why this type of DDoS attack is more popular among cybercriminals than any other.
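Because flood requests look like ordinary ones, a defender is left with behavioural signals such as request rate rather than request content. The following is an added example, not code from the original report or from Kaspersky DDoS Prevention: it parses web server access log lines in the Apache/nginx "combined" format and flags client IPs whose request count inside a sliding window exceeds a threshold. The log lines, the 10-second window and the 20-request threshold are constructed assumptions.

```python
"""Flag HTTP-flood sources in a web server access log by request rate.

Added example for the HTTP flood discussion; not code from the original
report or from Kaspersky DDoS Prevention. The log lines, the 10-second
window and the 20-request threshold are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format: client IP, timestamp, request line, status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flag_flooders(lines, window_s=10, max_requests=20):
    """Sliding-window request counter per client IP over a chronological log.

    Flood requests are indistinguishable from ordinary ones on content, so the
    signal here is rate alone: an IP whose request count inside any window of
    `window_s` seconds exceeds `max_requests` is returned with its peak count.
    """
    windows = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)        # ip -> highest count seen in any window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # skip malformed lines rather than crash
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def build_sample_log():
    """Constructed sample: a visitor browsing five pages over a minute and a bot
    sending 30 requests for two pages within about five seconds."""
    base = datetime(2011, 6, 15, 10, 0, 0, tzinfo=timezone.utc)
    entries = []
    for i, path in enumerate(["/", "/news", "/about", "/contact", "/news/42"]):
        entries.append((base + timedelta(seconds=12 * i), "192.0.2.10", path))
    for i in range(30):
        entries.append((base + timedelta(seconds=0.15 * i), "198.51.100.7",
                        "/" if i % 2 == 0 else "/news"))
    entries.sort(key=lambda e: e[0])
    return [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        for ts, ip, path in entries
    ]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, n in flag_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests within a 10-second window")
```

Thresholds like these have to be tuned per site: a shared NAT gateway or a search-engine crawler will legitimately exceed what a single browsing user produces, so in practice the flagged list feeds a rate limiter or a review queue rather than an automatic block.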
SYN Flood attacks are the second most popular type of attack (5.4%). During such attacks, botnets send large numbers of TCP connection-initiation packets to the web server. Cybercriminals craft the packets so that the connections are left half open rather than completed. Since a server can only maintain a limited number of connections at any time and botnets can generate lots of requests in short periods of time, the targeted server soon becomes unable to accept connections from regular users.
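The half-open connections described above are visible in the server's own TCP connection table, which makes a SYN flood easy to confirm from the host. The following is an added example, not code from the original report: it parses a connection table in the column layout of `ss -tan` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port) and flags listening ports where SYN-RECV entries both exceed an absolute count and dwarf the established connections. The table rows and both thresholds are constructed assumptions.

```python
"""Detect a SYN flood from the host's TCP connection table.

Added example for the SYN flood discussion; not code from the original
report. The rows mimic the column layout of `ss -tan` and are constructed
for illustration; the 50-connection floor and 5:1 ratio are assumptions.
"""
from collections import Counter, defaultdict


def parse_ss_table(text):
    """Yield (state, local_port, peer_ip) for each connection row, skipping the header."""
    for row in text.strip().splitlines()[1:]:
        fields = row.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def half_open_report(text, min_half_open=50, ratio=5.0):
    """Per listening port, compare half-open (SYN-RECV) with established (ESTAB)
    connections. A port is flagged when the half-open count reaches
    `min_half_open` and is at least `ratio` times the established count;
    the number of distinct peers shows how widely the half-open entries spread."""
    syn, estab, peers = Counter(), Counter(), defaultdict(set)
    for state, port, peer in parse_ss_table(text):
        if state == "SYN-RECV":
            syn[port] += 1
            peers[port].add(peer)
        elif state == "ESTAB":
            estab[port] += 1
    report = {}
    for port in set(syn) | set(estab):
        s, e = syn[port], estab[port]
        report[port] = {
            "syn_recv": s,
            "estab": e,
            "distinct_peers": len(peers[port]),
            "flagged": s >= min_half_open and s >= ratio * max(e, 1),
        }
    return report


def build_sample_table():
    """Constructed sample: 120 half-open connections on :80 from many peers next
    to 8 established ones, and a quiet :443 with a single half-open entry."""
    rows = [
        "State      Recv-Q Send-Q Local Address:Port  Peer Address:Port",
        "LISTEN     0      128    0.0.0.0:80          0.0.0.0:*",
        "LISTEN     0      128    0.0.0.0:443         0.0.0.0:*",
    ]
    for i in range(120):
        rows.append(f"SYN-RECV   0      0      203.0.113.5:80      198.51.100.{i % 250}:{40000 + i}")
    for i in range(8):
        rows.append(f"ESTAB      0      0      203.0.113.5:80      192.0.2.{10 + i}:{50000 + i}")
    for i in range(3):
        rows.append(f"ESTAB      0      0      203.0.113.5:443     192.0.2.{20 + i}:{51000 + i}")
    rows.append("SYN-RECV   0      0      203.0.113.5:443     192.0.2.30:51500")
    return "\n".join(rows)


SAMPLE_TABLE = build_sample_table()

if __name__ == "__main__":
    for port, info in sorted(half_open_report(SAMPLE_TABLE).items()):
        status = "FLAGGED" if info["flagged"] else "ok"
        print(f":{port} syn_recv={info['syn_recv']} estab={info['estab']} "
              f"peers={info['distinct_peers']} {status}")
```

On a live Linux host the same function can be fed the output of `ss -tan`. The standard host-side mitigation for this state exhaustion is SYN cookies (`net.ipv4.tcp_syncookies` on Linux), which let the kernel stop reserving a connection slot until the client's final handshake packet arrives.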
DDoS attacks on DNS servers (0.2%) were the least popular type of attack. As a result of this kind of attack DNS servers are unable to convert site names into IP addresses, so the sites serviced by the targeted server become unavailable to users. This type of attack is particularly damaging in that a single attack can render hundreds or even thousands of websites unavailable.
During a DDoS attack on one web resource, the bots received commands to send requests to an average of two web pages on the targeted site. If we compare the number of attacks delivered on site names and those on IP addresses, it can be seen that it is mostly IP addresses that are attacked: 72% of all attacks targeted IP addresses.

Breakdown of DDoS attacks by targets: site names vs. IP addresses. Q2 2011

Activity of DDoS botnets over time

Having analyzed all the available data, we can say on which days of the week cybercriminals prefer to carry out their attacks to bring down a site.

Breakdown of DDoS attacks by days of the week. Q2 2011
Weekdays see the most active use of the Internet. It is on these days that various web resources are most in demand and that DDoS attacks are likely to inflict the maximum amount of damage on websites. Another important factor is that more computers are switched on during the working week, so there are more active bots. As a result, cybercriminal activity peaks from Monday to Thursday – on these days an average of 80% of all DDoS attacks take place.

