
Where Do Most DDoS Attacks Come From?

Geography of attacks
In Q1 2015, 23,095 DDoS attacks were reported, targeting web resources in 76 countries. The
number of attacks was down 11% against Q4 2014 (25,929). There was an increase (76 against
66 in Q4 2014) in the number of countries where DDoS targets were located. Most DDoS
attacks targeted web resources in the USA, China and Canada.

Figure 1. The 10 most frequently attacked countries in Q4 2014 and Q1 2015

As seen in the above diagram, the number of DDoS attacks against web resources in China
and the USA decreased. However, there was an increase in the number of attacks against
Canadian servers. The number of attacks against web resources in Russia, South Korea and
France also increased.
If we consider the number of DDoS attack victims in each country, the top 10 looks the same as
the previous one. In Q1 2015, botnets attacked a total of 12,281 victims, which is 8% lower than
the 13,312 targets in Q4 2014.

Figure 2. TOP 10 countries with the highest numbers of unique DDoS victims in Q4 2014 and Q1 2015

China, the USA and Canada were the countries that faced the largest number of DDoS attacks.

As the pie chart shows, most attack targets are in the government, industry and organization sectors.

Analyzing Popular Layer 7 Application DDoS Attacks

Network-Layer DDoS
Network-layer DDoS attacks are how we classify the multitude of attacks that try to exploit your
network stack by sending either more packets than your server can handle or more
bandwidth than your network ports can handle.
We classify SYN floods, ACK floods and UDP-based amplification attacks (including DNS, SSDP,
NTP, etc.) all as network-layer DDoS attacks. Based on our internal data, close to 50% of all
attacks fit in this category. The other 50% fall into the application-layer attack category.
Application-layer attacks are the category that we really want to focus on in this post. They can be
silent and small, especially when compared to network-layer attacks, but what many fail to
realize is that they can be just as disruptive.
A small VPS on Linode, Digital Ocean or AWS (Amazon) can easily handle a 100,000 to
200,000 packets per second SYN flood. However, the same server, running a WordPress or
Joomla CMS can barely break 500 HTTP requests per second without going down. See the
difference?
Application-layer attacks generally require far fewer packets and much less bandwidth to achieve the same
goal: take down a site.
The reason is that these attacks focus on the web application layer, which generally
involves hitting the web server, running PHP scripts and contacting the database just to load one
web page. When you think about the amplification effect we discussed before, one HTTP request
that is very cheap to execute on the client side can cause a server to execute a large number of
internal requests and load numerous files to create the page.
In an application-layer attack, the amplification is CPU-, memory- or resource-based, not network-based.

Layer 7 Categorization
We categorize the HTTP Floods (Layer 7 DDoS attempts) into 4 major categories:

Basic HTTP Floods: Common and simple attacks that try to access the same page over and over.
They generally use the same range of IP addresses, user agents and referrers.

Randomized HTTP Floods: Complex attacks that leverage a large pool of IP addresses and
randomize the URLs, user agents and referrers used.

Cache-bypass HTTP Floods: A sub-category of the randomized HTTP Floods that also try to
bypass web application caching.

WordPress XMLRPC Floods: A sub-category that uses WordPress pingback as a reflection for
the attacks.

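The four categories above can be told apart from an ordinary web server access log by looking at how diverse the sources, user agents and URLs are within a time window, and whether the requests are WordPress pingback verifications. The following is an added example, not code from the original page or from the vendor whose data it reports: it parses combined-format log lines, gates on an assumed request-rate threshold (`min_rps`), and classifies the window using assumed diversity ratios. All log lines, IP addresses and hostnames are constructed test data, and the threshold values are assumptions to be tuned against real traffic.

```python
"""Added example: classify an HTTP flood into the four Layer 7 categories described above.

All log lines are constructed here; the ratio thresholds and min_rps are assumed values.
"""
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" log format (assumed input format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_flood(lines, window_seconds=1.0, min_rps=50):
    """Classify the requests seen in one time window.

    Returns 'none' when the request rate is below min_rps (not a flood by our
    assumed threshold), otherwise one of 'basic', 'randomized', 'cache-bypass',
    'xmlrpc-pingback' or 'unclassified'.
    """
    recs = [r for r in map(parse_line, lines) if r]
    n = len(recs)
    if n == 0 or n / window_seconds < min_rps:
        return "none"

    # Diversity ratios: number of distinct values divided by request count.
    ip_ratio = len({r["ip"] for r in recs}) / n
    ua_ratio = len({r["ua"] for r in recs}) / n
    url_ratio = len({r["url"] for r in recs}) / n
    query_share = sum(1 for r in recs if urlsplit(r["url"]).query) / n
    # WordPress pingback verification requests carry this phrase in the User-Agent,
    # so a flood of them means other WordPress sites are being used as reflectors.
    pingback_share = sum(1 for r in recs if "verifying pingback from" in r["ua"]) / n

    if pingback_share > 0.5:
        return "xmlrpc-pingback"
    if ip_ratio < 0.2 and ua_ratio < 0.2 and url_ratio < 0.2:
        return "basic"          # the same few sources hammering the same few pages
    if ip_ratio > 0.5 and query_share > 0.8 and url_ratio > 0.8:
        return "cache-bypass"   # every request carries a unique query string: cache misses
    if ip_ratio > 0.5 or ua_ratio > 0.5:
        return "randomized"
    return "unclassified"


def make_sample(kind, n=60):
    """Build n constructed log lines imitating one attack category (test data only)."""
    lines = []
    for i in range(n):
        ip, url, ua = "198.51.100.7", "/index.php", "Mozilla/5.0 (compatible; fixed-agent)"
        if kind == "randomized":
            ip, url, ua = f"10.0.{i // 256}.{i % 256}", f"/page-{i % 7}/", f"Mozilla/5.0 (agent-{i})"
        elif kind == "cache-bypass":
            ip, url, ua = f"10.0.{i // 256}.{i % 256}", f"/index.php?nocache={i}", f"Mozilla/5.0 (agent-{i})"
        elif kind == "xmlrpc-pingback":
            ip = f"192.0.2.{i % 200}"
            ua = f"WordPress/4.1; http://site{i}.example; verifying pingback from 203.0.113.9"
        lines.append(
            f'{ip} - - [10/Mar/2015:12:00:00 +0000] "GET {url} HTTP/1.1" 200 512 "-" "{ua}"'
        )
    return lines


if __name__ == "__main__":
    for kind in ("basic", "randomized", "cache-bypass", "xmlrpc-pingback"):
        print(kind, "->", classify_flood(make_sample(kind)))
```

The rate gate matters: legitimate traffic from a large audience also has high IP and user-agent diversity, so the diversity checks only mean something once the request rate is already far above the site's normal baseline. The cache-bypass branch keys on query strings because that is the cheapest way for an attacker to make every request miss a page cache; a deployment should also watch for random path segments and cache-busting headers.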
Now, when you consider that most cloud VPS servers can barely handle 100,000 packets per
second, you can see how even the smaller attacks can take most servers down. Hosting
providers like Linode, Softlayer and even Amazon will null-route your server IP for hours if they
detect even a small DDoS against your server.
We see each of these very often, with the majority being randomized HTTP floods, followed by
cache-bypass floods. Both are actually the most dangerous for web applications, since they force
them to do the most work per request. This is the category breakdown of L7 attacks:

Application-Layer Attack Sizes


Over the last 6 months, we have been categorizing all HTTP floods that we see in the wild. Any
attack that lasts more than 30 minutes and generates at least 1,000 HTTP requests per second is
getting cataloged. We will share what we are seeing so far this year:
I. Attack duration
On average, the attack duration for the HTTP floods is 34 hours, with the longest one lasting for
a continuous 71 hours. This means more than a day offline for most targets (i.e., website[s]). We
see a lot of very short attacks, lasting 5-15 min, but these aren't added to the stats.
II. Attack size
On average, the attacks generate 7,282 HTTP requests per second. That number is a bit skewed
because of some very large attacks, so the median probably gives a better number here. The
median is 2,822 HTTP requests per second.
The peak attack generated over 49,795 HTTP requests per second.

III. Botnet Size


Most attackers leverage botnets for their attacks. The benefit of layer 7 attacks that come from
botnets is that we can see the real IPs being used since they can't be stopped.
On average, the attackers' botnet leveraged 11,634 different IP addresses, with a median of
2,274 IP addresses.
The largest botnet used 89,158 different IP addresses.
IV. Victim Profiles
We won't dive much into the profile of the victims, but overall they were divided into these four
major business categories:

The rest were divided into hosting businesses, blogs, social sites and generic business sites. Most
attacks seem to be revenge- or competition-based, but we don't have actual data on that. Very few
of them demanded a ransom for the attack to be stopped.
