Feb 7, 2018 8:56 AM PT

Kaspersky: Accidental DDoS attacks among top threats

Kaspersky Lab's Q4 2017 DDoS Intelligence Report found most DDoS attacks were sabotage and attempts to cash in on Bitcoin, but some were accidental attacks.

While most DDoS attacks in the last quarter of 2017 were politically motivated sabotage, attempts to profit from the soaring price of bitcoin, or efforts to grow botnets ahead of Black Friday and Cyber Monday, not all of them were about making money or causing trouble.

At least one massive DDoS attack was the result of an accident caused by developer error. After the Lethic spambot was modified, it generated a flood of junk requests to non-existent domains, and the ensuing massive DDoS attack was an accidental side effect.

No sooner had the price of bitcoin started to soar in November than DDoS attacks started hammering on the bitcoin exchange Bitfinex and the new Bitcoin Gold (BTG) cryptocurrency site in attempts to profit from bitcoin price fluctuations caused by the denial of service.

Also, Kaspersky Lab’s DDoS intelligence quarterly report found that although law enforcement was originally thought to be behind massive, well-coordinated attacks on deep web marketplaces, attacks launched in early December made it clear that “it was a full-scale cyberwar between drug cartels.”

Top DDoS-attacked countries

The good news is that both the number and duration of DDoS attacks went down in the fourth quarter, despite the fact that the percentage of attacks aimed at the top 10 countries grew slightly from Q3.

Q4 DDoS attacks spotted by Kaspersky were aimed at targets in 84 countries, which is down from 98 countries in Q3. China was the most-hammered country at 51.84 percent, with the U.S. as the second most favored target, followed by South Korea.


Top DDoS-attacking countries

As for what countries were doing the hammering, China was credited with launching 59.18 percent, followed by the U.S., launching 16 percent of DDoS attacks, and South Korea, launching 10.21 percent. At 2.7 percent, the U.K. took the fourth-place slot from Russia. Vietnam was the fifth highest country registered as launching DDoS attacks, and Russia was the sixth.

C&C server locations

The three countries hosting the highest number of C&C servers were South Korea at 46.63 percent, the U.S. at 17.26 percent, and China at 5.95 percent. However, Kaspersky Lab pointed out that “in terms of number of botnet C&C servers, Russia pulled alongside this trio: its relative share matched China’s.”


For Q4, Canada, Turkey and Lithuania joined the list of top 10 countries with C&C servers, while Hong Kong, Great Britain and Italy were dropped from the list.

The share of Linux-based botnets increased slightly to 71.19 percent in Q4, while the share of Windows-based botnets fell to 28.81 percent.

Types of DDoS attacks

While SYN DDoS was still the most common attack method in Q4, those types of attacks decreased to 55.63 percent “due to less activity by the Linux-based Xor DDoS botnet.” The least-popular ICMP DDoS attacks also decreased to 3.37 percent. But the frequency of other types of DDoS attacks increased in Q4.

After SYN, UDP floods became the second most common attack method, displacing TCP, which had held second place in Q3. By comparison, in Q3 UDP had been the second-least common attack type.

The popularity of HTTP and HTTPS flooding attacks declined, but the frequency of multi-method attacks rose.


The longest DDoS attack observed by Kaspersky in Q4 lasted three days, or 146 hours. That’s down from 215 hours in Q3 and 277 hours in Q2. Long attacks are declining somewhat, but micro-attacks, which last no more than four hours, rose slightly.

Q4 DDoS big picture

In conclusion, Kaspersky Lab summed up:

Q4 2017 represented something of a lull: both the number and duration of DDoS attacks were down against the previous quarter. The final three months of 2017 were even calmer than the first three. Alongside the rising number of multicomponent attacks involving various combinations of SYN, TCP Connect, HTTP flooding, and UDP flooding techniques, the emerging pattern suggests a backsliding for DDoS botnets in general. Perhaps the economic climate or tougher law enforcement has made it harder to maintain large botnets, causing their operators to switch tactics and start combining components from a range of botnets.

What’s more, the last quarter showed that not only are DDoS attacks a means to make financial or political gain, but [they] can produce accidental side effects, as we saw last December with the junk traffic generated by the Lethic spam bot. Clearly, the Internet is now so saturated with digital noise that an arbitrary resource can be hit by botnet activity without being the target of the attack or representing any value whatsoever to the attackers.