DDoS botnets already smarter, fiercer in 2014: Imperva Incapsula

A flurry of distinctive new distributed denial of service (DDoS) attacks in the first few months of this year led security firm Imperva Incapsula to rethink the methodology behind its latest DDoS Threat Landscape Report as it sought to characterise a “much more complex breed of DDoS offenders” expected to grow the DDoS threat significantly this year.

“Perpetrators are looking to raise the stakes by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions,” the report notes. “As a result, in 2014, many IT organisations will need to re-think their security strategies to respond to the latest Layer 3- and Layer 7 DDoS threats.”

The volume of DDoS bot attacks shot up over the past 90 days, surging by 240 per cent compared with the same period in 2013. That equated to over 12 million DDoS bot sessions a week. India (9.59 per cent), China (9.20 per cent) and Iran (7.99 per cent) were the largest single sources of that traffic, with Indonesia (4.29 per cent), the US (4.26 per cent) and Thailand (4.20 per cent) filling out the top six.

More than 81 per cent of threats used multiple attack vectors, including 39 per cent that used three or more attack methods simultaneously. NTP reflection was the most common large-scale attack method in February, but combo SYN floods, which mix ordinary SYN packets with oversized SYN packets (over 250 bytes), were used in 75 per cent of attacks, making them the most common network-layer attack overall.

The report also noted a “significant increase” in NTP amplification attacks in January and February of this year, with NTP becoming the most commonly used vector for large-scale network DDoS attacks.
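The two network-layer signatures described above, an oversized-SYN "combo" flood and a burst of large UDP replies from source port 123, are simple to pick out of a packet capture once the headers are decoded. The following is an added example, not code from the article or from Imperva Incapsula: it builds a handful of constructed IPv4/TCP/UDP packets (checksums left at zero), decodes the fields a detector needs, and flags per-destination SYN rate, the share of SYNs over 250 bytes, and NTP reply volume. The 250-byte figure comes from the article; the rate thresholds and the sample traffic are assumptions for illustration.

```python
import struct
from collections import defaultdict

TCP, UDP = 6, 17           # IP protocol numbers
SYN, ACK = 0x02, 0x10      # TCP flag bits
NTP_PORT = 123


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_packet(src, dst, sport, dport, proto, flags=0, payload=b""):
    """Assemble a minimal IPv4 + TCP/UDP packet for the constructed sample traffic.
    Checksums stay at zero; a real capture parser would validate them."""
    l4_len = (20 if proto == TCP else 8) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0, _ip(src), _ip(dst))
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, l4_len, 0)
    return ip_hdr + l4 + payload


def parse_packet(pkt):
    """Decode (src, dst, sport, dport, proto, tcp_flags, total_len); None if not IPv4 TCP/UDP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    l4 = pkt[ihl:]
    if proto == TCP and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, sport, dport, proto, l4[13], total_len
    if proto == UDP and len(l4) >= 8:
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, sport, dport, proto, 0, total_len
    return None


def summarise(packets, large_syn=250, ntp_min_len=400):
    """Per destination: pure SYNs (regular vs. over large_syn bytes) and oversized replies
    from UDP/123. packets is an iterable of (timestamp_seconds, raw_bytes)."""
    stats = defaultdict(lambda: {"syn": 0, "large_syn": 0, "syn_src": set(),
                                 "ntp": 0, "ntp_bytes": 0, "ntp_src": set(),
                                 "first": None, "last": None})
    for ts, raw in packets:
        p = parse_packet(raw)
        if p is None:
            continue
        src, dst, sport, dport, proto, flags, total_len = p
        if proto == TCP and (flags & (SYN | ACK)) == SYN:       # pure SYN; SYN/ACK is a reply
            s = stats[dst]
            s["syn"] += 1
            s["large_syn"] += total_len > large_syn
            s["syn_src"].add(src)
        elif proto == UDP and sport == NTP_PORT and total_len >= ntp_min_len:
            s = stats[dst]                                       # amplified reply from a reflector
            s["ntp"] += 1
            s["ntp_bytes"] += total_len
            s["ntp_src"].add(src)
        else:
            continue
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def alerts(stats, syn_rate=20.0, large_share=0.2, ntp_rate=20.0):
    """Thresholds (packets/s, share of oversized SYNs) are illustrative assumptions."""
    out = []
    for dst, s in stats.items():
        window = max((s["last"] or 0.0) - (s["first"] or 0.0), 1.0)   # never divide by zero
        if s["syn"] / window >= syn_rate:
            share = s["large_syn"] / s["syn"]
            out.append({"dst": dst, "kind": "combo-syn-flood" if share >= large_share else "syn-flood",
                        "rate": s["syn"] / window, "large_share": share, "sources": len(s["syn_src"])})
        if s["ntp"] / window >= ntp_rate:
            out.append({"dst": dst, "kind": "ntp-amplification", "rate": s["ntp"] / window,
                        "bytes": s["ntp_bytes"], "sources": len(s["ntp_src"])})
    return out


def sample_traffic():
    """Constructed capture: combo SYN flood on 198.51.100.10:80, NTP reflection on
    198.51.100.30, and one legitimate handshake with 198.51.100.20."""
    pkts = []
    for i in range(30):   # ordinary 40-byte SYNs from spoofed sources
        pkts.append((i * 0.02, build_packet(f"203.0.113.{i + 1}", "198.51.100.10", 40000 + i, 80, TCP, SYN)))
    for i in range(20):   # oversized SYNs carrying 280 bytes of junk (320 bytes on the wire)
        pkts.append((0.6 + i * 0.02, build_packet(f"192.0.2.{i + 1}", "198.51.100.10", 50000 + i, 80, TCP, SYN, b"A" * 280)))
    for i in range(40):   # 468-byte replies from open NTP servers, source port 123
        pkts.append((i * 0.02, build_packet(f"198.18.0.{i + 1}", "198.51.100.30", NTP_PORT, 45000, UDP, 0, b"\x00" * 440)))
    pkts.append((0.3, build_packet("203.0.113.200", "198.51.100.20", 51000, 443, TCP, SYN)))
    pkts.append((0.31, build_packet("198.51.100.20", "203.0.113.200", 443, 51000, TCP, SYN | ACK)))
    return pkts


if __name__ == "__main__":
    for a in alerts(summarise(sample_traffic())):
        print(a)
```

On the sample, the web server shows 50 SYNs in one second from 50 distinct sources with 40 per cent of them oversized, which is the combo pattern; the single legitimate SYN to the second server stays below threshold. Against a live capture the same code needs the Ethernet header stripped first and should be fed from a ring buffer rather than a list.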

Botnets were being more frequently used to attack multiple targets, with 29 per cent of compromised devices attacking more than 50 targets each month and 1.2 per cent of devices attacking more than 200 different targets during the same period. The majority of devices – 60.4 per cent – attacked more than 20 targets per month.

As well as becoming more prolific, bots are being deliberately engineered to bypass the conventional JavaScript and cookie-based challenges used to filter them, the company's analysis suggests. Nearly 30 per cent of the bot sessions Imperva Incapsula encountered could accept and store cookies, letting them pass DDoS sensors that had previously relied on a bot's failure to return a cookie to filter it out.
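The point above is that cookie acceptance has stopped being a useful discriminator on its own. The following added example (not code from the article or from Imperva Incapsula) shows why, and what a second stage looks like: a challenge cookie is minted as an HMAC over the client's address, User-Agent and expiry so it cannot be forged or carried to another address, and a sliding-window budget keyed on the validated cookie caps how much traffic one solved challenge can unlock. The secret, the budget of 60 requests per minute, and the three actors in the simulation are assumptions for illustration.

```python
import hmac
import hashlib
from collections import Counter, defaultdict, deque

# Assumption: a per-deployment secret; rotate it and keep it out of source control.
SECRET = b"demo-only-challenge-key"


def issue_cookie(client_ip, user_agent, now, ttl=600):
    """Mint the challenge cookie: expiry plus an HMAC over (ip, ua, expiry)."""
    expiry = int(now) + ttl
    tag = hmac.new(SECRET, f"{client_ip}|{user_agent}|{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"{expiry}.{tag}"


def verify_cookie(cookie, client_ip, user_agent, now):
    """True only for an unexpired cookie whose MAC matches this client's IP and User-Agent."""
    if not cookie or "." not in cookie:
        return False
    expiry_s, tag = cookie.split(".", 1)
    if not expiry_s.isdigit() or now > int(expiry_s):
        return False
    expected = hmac.new(SECRET, f"{client_ip}|{user_agent}|{expiry_s}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


class TokenBudget:
    """Second stage: sliding-window request budget keyed by the validated cookie, so a bot that
    stores cookies cannot turn one solved challenge into an unlimited flood."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, cookie, now):
        q = self.hits[cookie]
        while q and q[0] <= now - self.window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def decide(req, budget, now):
    """Return (verdict, cookie): 'challenge' issues a fresh cookie for this client, 'allow' serves
    the request, 'block' drops a client that validated but exhausted its budget."""
    if not verify_cookie(req.get("cookie"), req["ip"], req["ua"], now):
        return "challenge", issue_cookie(req["ip"], req["ua"], now)
    if budget.allow(req["cookie"], now):
        return "allow", req["cookie"]
    return "block", req["cookie"]


def simulate(limit=60, window=60.0):
    """Constructed scenario: a browser, a cookie-accepting bot at 10 req/s, and a replay of the
    bot's cookie from a second address. Returns per-actor verdict counts."""
    budget = TokenBudget(limit, window)
    t0 = 1_700_000_000.0
    ua = "Mozilla/5.0 (X11; Linux x86_64)"
    out = {"browser": Counter(), "bot": Counter(), "replay": Counter()}
    cookie = None
    for i in range(5):                     # five page loads over forty seconds
        verdict, cookie = decide({"ip": "203.0.113.5", "ua": ua, "cookie": cookie}, budget, t0 + 10 * i)
        out["browser"][verdict] += 1
    bot_cookie = None
    for i in range(500):                   # the bot stores the cookie and passes the challenge
        verdict, bot_cookie = decide({"ip": "198.51.100.7", "ua": ua, "cookie": bot_cookie}, budget, t0 + 0.1 * i)
        out["bot"][verdict] += 1
    verdict, _ = decide({"ip": "192.0.2.9", "ua": ua, "cookie": bot_cookie}, budget, t0 + 1)
    out["replay"][verdict] += 1            # same cookie, different address: the binding fails
    return {k: dict(v) for k, v in out.items()}


if __name__ == "__main__":
    print(simulate())
```

The bot passes the challenge exactly as the article describes, then gets 60 requests before the budget blocks the remaining 439; the browser is challenged once and never blocked; the replayed cookie is rejected because it was bound to the bot's address. Binding to the client IP does mean users behind a changing NAT pool get re-challenged, which is the usual trade-off with this design.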

Other DDoS bots spoof their identities by impersonating search-engine crawlers. One-third of the bots the company analysed claimed to be Baiduspider/2.0, while 16.0 per cent presented themselves as Microsoft Internet Explorer 6 and 11.7 per cent as Googlebot/2.1.

“These represent the easiest of all application layer challenges,” the report notes, “due to the highly predictable behaviour patterns of real search engine bots as well as their predetermined points of origin.”
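The "predetermined points of origin" the report refers to are what make crawler impersonation cheap to catch: both Google and Baidu publish the reverse-DNS domains their crawlers come from, and the recommended check is a reverse lookup followed by a forward lookup that must return the same address. The following is an added example, not the report's or Imperva's own code, that runs that check over constructed web-server log lines with a fake DNS view so it executes offline; the suffix table reflects the engines' published guidance at the time of writing and should be confirmed against their current documentation before use.

```python
import re
import socket

# Assumption: reverse-DNS suffixes the engines publish for their own crawlers.
CRAWLER_DOMAINS = {
    "Googlebot": (".googlebot.com", ".google.com"),
    "Baiduspider": (".baidu.com", ".baidu.jp"),
}

# Apache/nginx "combined" log format: client IP first, User-Agent last.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')


def claimed_crawler(user_agent):
    """Which search engine, if any, the User-Agent claims to be."""
    for name in CRAWLER_DOMAINS:
        if name in user_agent:
            return name
    return None


def verify_crawler(ip, name, reverse_lookup, forward_lookup):
    """Reverse-then-forward confirmation: the PTR must sit under the engine's domain and the
    forward lookup of that host must return the same IP. An attacker controls the PTR for
    their own address but not the forward zone, so a spoofed PTR fails the second step."""
    try:
        host = reverse_lookup(ip).rstrip(".").lower()
        if not host.endswith(CRAWLER_DOMAINS[name]):
            return False
        return ip in forward_lookup(host)
    except OSError:            # no PTR, NXDOMAIN, timeout
        return False


def triage(log_lines, reverse_lookup, forward_lookup):
    """Return {ip: verdict}, verdict in {'verified-crawler', 'impersonator', 'not-a-crawler'}."""
    verdicts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in verdicts:
            continue
        name = claimed_crawler(m["ua"])
        if name is None:
            verdicts[m["ip"]] = "not-a-crawler"
        elif verify_crawler(m["ip"], name, reverse_lookup, forward_lookup):
            verdicts[m["ip"]] = "verified-crawler"
        else:
            verdicts[m["ip"]] = "impersonator"
    return verdicts


# Live resolvers for real use; cache results, every lookup is a network round trip.
def live_reverse(ip):
    return socket.gethostbyaddr(ip)[0]


def live_forward(host):
    return socket.gethostbyname_ex(host)[2]


# Constructed sample: log lines plus a fake DNS view so the example runs offline.
SAMPLE_LOG = [
    '66.249.66.1 - - [12/Mar/2014:10:00:01 +1100] "GET /robots.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '180.76.15.5 - - [12/Mar/2014:10:00:02 +1100] "GET / HTTP/1.1" 200 9114 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"',
    '198.51.100.23 - - [12/Mar/2014:10:00:03 +1100] "GET / HTTP/1.1" 200 9114 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.9 - - [12/Mar/2014:10:00:03 +1100] "GET /search?q=a HTTP/1.1" 200 4421 "-" "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"',
    '198.51.100.50 - - [12/Mar/2014:10:00:04 +1100] "GET / HTTP/1.1" 200 9114 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.77 - - [12/Mar/2014:10:00:05 +1100] "GET / HTTP/1.1" 200 9114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "180.76.15.5": "baiduspider-180-76-15-5.crawl.baidu.com",
    "198.51.100.23": "vps23.hosting.example.net",   # rented server, not Google
    "198.51.100.50": "fake.googlebot.com",          # attacker-controlled PTR; forward zone disagrees
}
FAKE_A = {
    "crawl-66-249-66-1.googlebot.com": ["66.249.66.1"],
    "baiduspider-180-76-15-5.crawl.baidu.com": ["180.76.15.5"],
}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(host):
    if host not in FAKE_A:
        raise OSError("NXDOMAIN")
    return FAKE_A[host]


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG, fake_reverse, fake_forward).items():
        print(f"{ip:15} {verdict}")
```

Of the four clients claiming to be a search engine, two verify; one has a PTR under someone else's domain, one has no PTR at all, and one has a PTR that names googlebot.com but whose forward lookup does not resolve back, which is exactly the case the forward step exists for. The Internet Explorer 6 impersonators the report mentions cannot be checked this way, since a browser has no predetermined origin; those fall back on the behavioural and reputation heuristics the report describes.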

More targeted bot attacks are nonetheless becoming more common as their authors experiment with new tactics. In the second half of 2013 the company began to encounter more complex DDoS agents, including browser-based bots that “were immune to generic filtering methods and could only be stopped by a combination of customised security rules and reputation-based heuristics.”

Protection against DDoS attacks is part of the impetus that is driving Australia's fast-growing security market, which was recognised last week as Australian security specialists took out three of four categories in Imperva's Asia Pacific and Japan Partner Awards.

The company's internal awards recognise the success of channel partners in building out the regional footprint of Imperva solutions, which are focused on protecting physical and cloud-based Web applications and data assets.

Dimension Data Australia was chosen as System Integrator of the Year for 2013, reflecting its success in installing the solutions in the largest number of client sites. Also pipping regional competitors was Digital Networks Australia, an Imperva distributor that was given the Imperva Excellence Award. Matthew Hales, channel sales manager at Digital Networks Australia, was acknowledged as Product Manager of the Year.


Stories by David Braue
