New report sees spike in application layer DDoS attacks
Imperva Incapsula recently published their quarterly DDoS Threat Landscape Report, a thorough analysis of over 17,000 network and application layer DDoS assaults. We caught up with Igal Zeifman, Incapsula security evangelist at Imperva to find out about the results and growing trends in DDoS attacks.
What were the most interesting findings in your report this quarter?
The most interesting, and one of the more consistent trends we saw was an increase in the number of application layer attacks, which was accompanied by a decrease in network layer assaults.
To put it in numbers, in Q1 the number of application layer attacks we mitigated reached an all-time high of 1,099 per week, almost doubling over the course of the year. In contrast, the number of network layer attacks fell to 269 per week, compared to 568 in Q2 2015.
The trend is fueled by the prevalence of scripts and botnet-for-hire services that enable non-professionals to launch DDoS assaults. The existence of these tools lowers the bar and introduces new attackers into the mix, many of whom see DDoS attack as a way to settle personal disputes or to simply troll random victims.

What trends are you seeing with regards to the sophistication of DDoS attacks in general?
While we see a lot of non-sophisticated attacks originating from botnet-for-hire services, we also have evidence of a persistent evolution in the attack tools used by career offenders. These include an increase in the number of multi-vector attacks, which spiked to over 40 percent in Q1 2017, up from “just” 29 percent in the prior quarter.
We are seeing a higher number of attacks using small payloads to inflate the number of packets being spewed by botnets every second, with forwarding rates reaching as high as 200 and even 300 million packets per second.
Such tactics exploit a nuanced flaw in some DDoS mitigation equipment, which was built to handle huge traffic throughputs but is incapable of processing mass amounts of small packets. They also attest to the offenders’ high level of understanding regarding DDoS mitigation solutions.

Geo data suggests China carried the most attacks. Is that unquestionable data or could there be instances of VPN/re-routing used to carry out attacks?
That’s a good question. Most likely some of the attacking requests were being rerouted via proxies, but in our experience that’s usually done to mask their Chinese origins.
From the offenders’ perspective, rerouting through China would be counterproductive because, for non-Chinese businesses, that would make it easy to distinguish between attack traffic and regular traffic flow.

If anything, the amount of traffic from China is likely even higher than we have seen. Having said that, we sampled over 22 billion requests so the odd use of a VPN would not significantly change the numbers.
80% of attacks lasted less than an hour. Is that a sign of increased resilience or is there another trend at play?
Interestingly, the decrease in attack duration is yet another side-effect of the growing use of botnet-for-hire services. When subscribing to such a service, you get an option to launch several short-lived bursts, usually for a total duration of half an hour or an hour per month. In some cases you can launch a several-minute-long “trial” attack, just to see how it works.
This is why there are so many more attacks occurring nowadays and why so many of them don’t last for very long.
Over 70% of those targeted suffered multiple attacks. How should a company that suffers regularly strategize their security?
Many DDoS mitigation solutions are hands-off managed security services. Once they’re in place, your organization doesn’t really need to make any adjustments. The worst that can happen is some of your IT staff get a few extra email notifications a day detailing the attacks that were mitigated.
On the other hand, if you are still handling mitigation internally or using a security service that requires manual activation, repeat attacks would force you to strategize and likely reconsider your current mitigation tools.
The last thing you want is for your IT team to waste their time mitigating repeat attacks that can occur on a daily or even hourly basis, including nights, weekends and holidays.

It’s often said more recent DDoS attacks could be to hide a breach. What can companies do to protect their assets at the first sign of trouble?
It’s true that DDoS is often used as a smokescreen for attackers trying to breach your security perimeter, or to extract data on their way out.
Your options for protecting your assets depend on the specific scenario you’re forced to deal with. From a mitigation point of view, however, it’s universally important to isolate DDoS traffic from legitimate movement within a network, allowing you to focus on other abnormal activities.
Effective mitigation of DDoS attacks is not just preventing a website or a service from going down. It’s about doing so in a transparent manner with a minimal amount of disturbances to service operators and users.
Imperva Incapsula are a market leader in DDoS protection. How are you helping your customers guard against these types of attacks?
We offer a comprehensive DDoS protection solution that mitigates DDoS assaults on the edge of your network. The service can be deployed in multiple ways, both via BGP announcements and DNS rerouting to secure different types of web and network assets from all kinds of attacks.
Besides offering complete protection, we also invest a lot of time into developing our technology to make the mitigation process as transparent, fast and hands-off as possible.
Our ability to successfully bank on that promise is what made our services initially stand out. Today it is the main driving force behind our rapid growth.
Can you leave us with three pieces of DDoS resilience advice?
Yes, here are three things you should ask about when scoping a DDoS mitigation solution.
First, ask about response times. The rule of thumb with DDoS attacks is: seconds to go down and hours to recover. This means you’re going to need a solution that can auto-activate and be immediately effective.
Second, ask about processing power and not just network capacity. There are many services out there that can handle high Gbps attacks but have no ability to process 200+ Mpps. As mentioned, we have seen a growing number of high-Mpps assaults and we expect to see even more in the future.
Lastly, ask about SLA. Everyone promises the moon, but if the contract doesn’t offer you five nines uptime (99.999%) then you probably should keep looking.
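A worked capacity check added here, not taken from the interview or from Imperva's own material, for the second point above and for the earlier discussion of small-packet floods that exhaust packet processing before they exhaust bandwidth. The appliance ratings and attack volumes are constructed assumptions; the Ethernet wire overhead figures are standard.

```python
from dataclasses import dataclass

# Layer-1 overhead that rides on the wire around every Ethernet frame:
# 7-byte preamble + 1-byte SFD + 12-byte interframe gap = 20 bytes.
WIRE_OVERHEAD_BYTES = 20
MIN_FRAME_BYTES = 64  # smallest legal Ethernet frame, FCS included


def frames_per_second(link_gbps: float, frame_bytes: int) -> float:
    """Packets per second a link carries at line rate for one frame size."""
    wire_bits = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_gbps * 1e9 / wire_bits


@dataclass
class Appliance:
    """Vendor ratings for a hypothetical mitigation box: Gbps and Mpps."""
    throughput_gbps: float
    processing_mpps: float

    def pps_bound_below_bytes(self) -> float:
        """Frame size under which the Mpps rating, not the Gbps rating, is the limit."""
        bits_per_frame_at_both_limits = (
            self.throughput_gbps * 1e9 / (self.processing_mpps * 1e6)
        )
        return bits_per_frame_at_both_limits / 8 - WIRE_OVERHEAD_BYTES

    def bottleneck(self, attack_gbps: float, frame_bytes: int) -> str:
        """Which rating an attack of a given volume and packet size exhausts first."""
        pps = frames_per_second(attack_gbps, frame_bytes)
        if pps > self.processing_mpps * 1e6:
            return "pps"
        if attack_gbps > self.throughput_gbps:
            return "bandwidth"
        return "ok"


if __name__ == "__main__":
    box = Appliance(throughput_gbps=100, processing_mpps=50)  # constructed ratings
    print(f"10 Gbps of 64-byte frames = {frames_per_second(10, MIN_FRAME_BYTES) / 1e6:.2f} Mpps")
    print(f"Box is pps-bound for frames under {box.pps_bound_below_bytes():.0f} bytes")
    for gbps, size in [(40, 64), (80, 1500), (120, 1500)]:  # constructed attacks
        print(f"{gbps} Gbps of {size}-byte frames -> {box.bottleneck(gbps, size)}")
    wire_gbps = 300e6 * (MIN_FRAME_BYTES + WIRE_OVERHEAD_BYTES) * 8 / 1e9
    print(f"300 Mpps of 64-byte frames needs {wire_gbps:.1f} Gbps on the wire")
```

The 40 Gbps case shows the point of the interview: a flood at well under half the rated throughput still saturates a 50 Mpps engine when every frame is minimum-sized.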