Distributed denial of service attackers are using more sophisticated techniques to break through defences set up by organizations, according to a security vendor report.
Application layer attackers are growing more advanced, Imperva said in a blog published Thursday, with 36.7 percent of browser-like DDoS bots discovered in the first wo months of the year capable of bypassing standard security challenges — up from 6.1 per cent in the previous quarter.
At the same time the company found network layer attacks were growing more sophisticated, with multi-vector attacks of small network packets, usually no larger than 100 bytes, pumped out at an extremely high speed to max out the forwarding capacity of a network switches.
Some attacks seen reached above 100 Mpps, the report says, with the largest peaking at 120+ Mpps. Attacks with 50+ Mpps occured on average every four days, while and an 80+ Mpps assault was recorded every eight days on average.
The analysis was based on data from 3,791 network layer and 5,267 application layer DDoS attacks in January and February on websites using Imperva Incapsula services.
“One of the more surprising trends observed in Q1 2016 was a steep increase in botnet activity from South Korea—the country of origin for 29.5 percent of all such activity,” the report says.
South Korea has been a major hub of DDoS botnet activity. In fact, for the past six months it has repeatedly ranked second in the top attacking country list, with 9.4 per cent in Q3 2015 and 12.6 percent in Q4 2015. This is, however, the first time it led Imperva’s chart.
The United States was overwhelmingly the largest target of DDoS attacks (50 per cent). The next closest was Britain with 9 per cent. Canada was fifth with 3.5 per cent.
In Q1 2016, the majority (65 per cent) of application layer attacks lasted between 30 minutes and 3 hours. The overwhelming majority of network layer attacks (81 per cent) lasted a half hour or less. Attackers often used a “war of attrition” strategy, launching repeated attacks against the same target. “This method—using multiple short bursts to apply continuous pressure on a target—is meant to exploit the inherent weaknesses of many on-demand DDoS mitigation solutions, which may require several minutes to deploy after each activation,” says the report.
A closer look at the data shows that the majority of attack traffic out of South Korea used the Nitol (52.9 per cent) and PCRat (38.2 per cent) botnets. Over 38.6 per cent of these attacks were launched against Japanese websites, while another 30.3 per cent targeted U.S.-hosted sites.
Finally, the report notes there was a steep increase in the use of the Generic!BT bot—a known Trojan used to compromise computers running Windows OS. The Trojan was first identified in 2010, and now variants are now being used to hijack devices all over the world.