Distributed Denial of Service (DDoS) protection services provider Prolexic Technologies reports that despite an uptick in overall DDoS attacks in the second quarter of 2012, the company registered a decline in the number of application layer (Layer 7) attacks against its client base.
The company reported the findings in its Quarterly Global DDoS Attack Report, which was released today. While the data is limited to that collected from Prolexic clients, the overall trends in the report may be of value to non-clients in evaluating DDoS attack vectors.
"Even though the total number of DDoS denial of service attacks increased 10% this quarter, the Prolexic Security Engineering & Response Team (PLXsert) logged an 8% decline in application layer DDoS attacks, which accounted for 19% of all attacks. Infrastructure attacks (Layer 3 and 4) against bandwidth capacity and routing infrastructures totaled 81%," Prolexic reports.
The researchers assume the decline in the application layer attacks is attributable to the higher likelihood of the attackers being identified due to the exposure of the botnet IP address, causing offenders to shift tactics to less risky methodologies.
“Q2 data showed a return to traditional infrastructure attacks and is likely a reflection of changing tools for launching DDoS attacks. With Layer 7 attacks, the risk of detection and eventual take down by law enforcement increases because these attacks disclose the IP address of the attacking botnet and this may be another reason for their decline this quarter,” said Stuart Scholly, president of Prolexic.
Of the various Layer 7 attack types, the popular GET Flood denial of service attacks showed the sharpest decline, having accounted for twenty-two percent of all DDoS attack campaigns in Q2 2011, but only fourteen percent in Q2 2012.
"PLXsert also identified a rise in popularity for certain types of infrastructure-directed DDoS attacks: ICMP, SYN, and UDP floods. In Q2 2011, these attack types accounted for 55% of attacks mitigated by Prolexic. In Q1 2012, they accounted for 59% and this quarter, the total percentage has increased to 67%," the company reports.
Prolexic also found that DDoS attacks were distributed fairly evenly across all industry sectors.
“No industry was spared this quarter, illustrating that denial of service is a global, mainstream problem that all online organizations must face... While Layer 7 attacks show a slight decline overall, organizations cannot afford to be complacent because you never know when one will strike,” said Scholly.
As for the origins of DDoS attack traffic, China leads the pack at thirty-three percent, followed by Thailand at twenty-three percent, and the United States with eight percent.
Other highlights from the Q2 2012 Global DDoS Attack Report include:
Compared to Q1 2012 Data:
- 10% increase in total number of attacks
- 8% rise in Layer 3 and 4 infrastructure attacks
- Average attack duration declines to 17 hours from 28.5
- China retains its position as the main source country for DDoS attacks
Compared to Q2 2011 Data:
- 50% increase in total number of DDoS attacks
- 11% increase in infrastructure (Layer 3 & 4) attacks
- Shorter average attack duration: 17 hours vs. 26 hours
- 63% higher packet-per-second (pps) volume