Kaspersky Labs has compiled data collected by its botnet monitoring and DDoS protection services and written a detailed analysis on their findings. The verdict? The second half of 2011 was a bumpy six months with distributed denial of service attacks increasing in magnitude, length and frequency.
The security firm pointed out that the bandwidth of DDoS attacks rose on average by 57 percent to 110Mbps in the second half of 2011. Kaspersky suspects this number will drop in 2012 however, as anti-DDoS measures are becoming more focused on stopping such brute force attacks.
H2 2011 in figures
In the second half of 2011, the maximum attack power repelled by Kaspersky DDoS Prevention went up 20% compared to the first half of the year, and amounted to 600 Mbit/sec, or 1,100,000 packets/sec (UDP flood with short packets of 64 bytes).
The average attack prevented by Kaspersky DDoS Prevention in the second half of 2011 was 110 Mbit/sec – an increase of 57%.
The longest DDoS attack in the second half of the year lasted for 80 days, 19 hours, 13 minutes and 5 seconds, and targeted a travel website.
The average duration of a DDoS attack was 9 hours, 29 minutes.
The largest number of DDoS attacks in the second half of 2011 – 384 in number – targeted a cybercriminal portal.
DDoS attacks were launched from computers located in 201 countries around the world.
Additionally, 16 percent of DDoS attacks originated from Russia and 12 percent from its relatively tiny neighbor Ukraine. That means 28% of all DDoS attacks originate from these two countries alone, making Eastern Europe a huge component in such attacks.
More interestingly though, attacks originating from Russia and Ukraine overwhelmingly targeted networks within their own respective borders. This is thought to be the result of anti-DDoS measures taken by Ukraine and Russia which prevent outbound DDoS attacks to other countries. What researchers see now are new botnets within these countries targeting their country's own network resources and accounts for the sharp rise of DDoS attacks from the first half of 2011.
The most frequent victims of DDoS attacks may surprise you. Government networks were only targeted 2 percent of the time while e-commerce and trading sites topped the list at 45 percent, collectively. Government targets are on the rise though and are expected to increase in correlation to political dissidence.
Gaming servers, gaming websites and financial websites were next on the list at 15 percent each. Minecraft and Lineage 2 servers were pointed out specifically as being largely targeted by DDoS attacks.
Not surprisingly, about 80 percent of all attacks in H2 2011 were based on HTTP flooding. As anti-DDoS measures become more sophisticated though, so to have the methods used to perform such attacks. Kaserpsky points out that hackers and researchers have found ways to use Google+, THC-SSL-DOS, Apache web server and other methods which can circumvent traditional DDoS-blocking technologies.
Low-Orbit Ion Cannon, an open source network stress testing tool, was made famous by Anonymous after they routinely subverted the utility for performing DDoS attacks. After law enforcement traced LOIC-based attacks back to several members, Anonymous claims to have developed a new tool named RefRef which will supposedly better conceal the origins of their DDoS attacks.