[Report] DDoS attacks in H2 2011
Distribution of DDoS attack sources by country
During the six-month period, our systems detected attacks on computers in 201 countries across the globe. However, 90% of all DDoS traffic came from 23 countries.
Distribution of DDoS traffic sources by country – H2 2011
The geographical distribution of DDoS attack sources has changed. At the end of the first half of 2011, the top positions in the ranking were occupied by the United States (11%), Indonesia (5%) and Poland (5%). The second half of the year has produced several new leaders: Russia (16%), Ukraine (12%), Thailand (7%) and Malaysia (6%). The contribution of zombie computers from 19 other countries ranges between 2% and 4%.
In Russia and Ukraine, we detected new botnets created using programs sold on underground forums. Curiously, these botnets were attacking targets located in the same countries as the botnets. Before this, we mostly detected attacks in which the bots and the servers they attacked were located in different countries.
The evident change in traffic distribution, as well as Russia and Ukraine joining the leaders, was in part due to the active use of certain anti-DDoS measures. Specifically, one method of blocking DDoS attacks is filtering traffic based on the source countries. The idea is very simple: when a DDoS attack is detected, this triggers a system that rejects all data packets except those coming from a specific country. As a rule, only users from the country where the majority of the site's audience is located are allowed access to the resource. This is why cybercriminals have to create botnets in specific countries and use them to attack resources in these same countries to prevent their traffic from being filtered.
At the same time, those botnets which operate based on the "classical" approach, when attacks are conducted using resources outside the country where the under-fire server is located, remain operational. Thailand and Malaysia are good examples of countries where there are large numbers of unprotected computers, while it appears that bot masters receive relatively few orders to attack websites in these countries. This means that the region is a good place for cybercriminals to set up botnets.
The countries accounting for 2-4% of all DDoS attacks also changed from the first half of the year. This group includes only three countries with high levels of computer penetration and IT security: Ireland (2%), the United States (3%) and Poland (4%). The remaining generators of junk traffic were infected computers in developing countries, where the number of computers per capita is much smaller, while IT security is not particularly strong: Mexico (4%), India (4%), Pakistan (4%), Belarus (3%), Brazil (3%) etc.
Read more >>