Geography of attacks
In Q1 2015, 23,095 DDoS attacks were reported, targeting web resources in 76 countries. The
number of attacks was down 11% against Q4 2014 (25,929), while the number of countries in
which DDoS targets were located rose (76 against 66 in Q4 2014). Most DDoS attacks targeted
web resources in the USA, China and Canada.
As seen in the diagram above, the number of DDoS attacks against web resources in China
and the USA decreased, whereas the number of attacks against Canadian servers increased. The
number of attacks against web resources in Russia, South Korea and France also rose.
If we consider the number of DDoS victims in each country, the top 10 looks the same as in
the previous ranking. In Q1 2015, botnets attacked a total of 12,281 victims, 8% fewer than
the 13,312 targets in Q4 2014.
Figure 2. TOP 10 countries with the highest numbers of unique DDoS victims in Q4 2014 and Q1 2015
China, the USA and Canada were the countries that faced the largest number of DDoS attacks.
As the pie chart shows, most attack targets were in the government, industry and organization sectors.
Network-Layer DDoS
Network-layer DDoS attacks are how we classify the multitude of attacks that try to overwhelm your
network stack by sending either more packets than your server can handle or more
bandwidth than your network ports can handle.
We classify SYN floods, ACK floods and UDP-based amplification attacks (including DNS, SSDP,
NTP, etc.) all as network-layer DDoS attacks. Based on our internal data, close to 50% of all
attacks fit in this category. The other 50% fall into the application-layer attack category.
Application-layer attacks are the category we really want to focus on in this post. They can be
silent and small, especially when compared to network-layer attacks, but what many fail to
realize is that they can be just as disruptive.
A small VPS on Linode, DigitalOcean or AWS (Amazon) can easily handle a 100,000 to
200,000 packets per second SYN flood. However, the same server, running a WordPress or
Joomla CMS, can barely break 500 HTTP requests per second without going down. See the
difference?
Application-layer attacks generally require far fewer packets and much less bandwidth to achieve
the same goal: take down a site.
The reason is that these attacks focus on the web application layer, where loading a single
web page generally means hitting the web server, running PHP scripts and contacting the database.
When you think about the amplification effect we discussed before, one HTTP request
that is very cheap to execute on the client side can cause the server to execute a large number of
internal requests and load numerous files to build the page.
In an application-layer attack, the amplification is CPU-, memory- or resource-based, not network-based.
Layer 7 Categorization
We categorize HTTP floods (Layer 7 DDoS attempts) into 4 major categories:
Basic HTTP floods: Common and simple attacks that try to access the same page over and over.
They generally use the same range of IP addresses, user agents and referrers.
Randomized HTTP floods: Complex attacks that leverage a large pool of IP addresses and
randomize the URLs, user agents and referrers used.
Cache-bypass HTTP floods: A sub-category of the randomized HTTP floods that also try to
bypass web application caching, typically by making every request unique so no cached copy can serve it.
WordPress XML-RPC floods: A sub-category that uses the WordPress pingback feature as a reflector for
the attack: many third-party WordPress sites are told to verify a pingback and each of them fetches the victim's page.
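The four categories above can be told apart from nothing more than the victim's access log, because each leaves a different fingerprint: a basic flood repeats the same IP range, user agent and URL; a randomized flood spreads requests over many IPs, agents and paths; a cache-bypass flood stuffs a random token into every query string; and a pingback reflection arrives from many WordPress installs whose user agent announces that it is "verifying pingback". The classifier below is an added example written for this page, not Sucuri's own tooling. The log lines it runs on are constructed, the combined-log regex assumes the Apache/nginx "combined" format, and the 50% ratio thresholds are illustrative assumptions that a real deployment would tune.

```python
"""Classify an HTTP flood from access-log lines into the four Layer 7
categories (basic, randomized, cache-bypass, WordPress XML-RPC pingback).
Example code for this page, not Sucuri's tooling; sample lines are constructed."""
import random
import re
import string
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" log format (assumption: the victim logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

RANDOM_TOKEN = re.compile(r'^[A-Za-z0-9]{8,}$')

def looks_random(value):
    """A cache buster: a long alphanumeric blob that mixes letters and digits."""
    return (bool(RANDOM_TOKEN.match(value))
            and any(c.isdigit() for c in value)
            and any(c.isalpha() for c in value))

def has_cache_buster(url):
    """True if any query-string key or value looks like a random token."""
    qs = urlsplit(url).query
    return any(looks_random(k) or looks_random(v)
               for k, v in parse_qsl(qs, keep_blank_values=True))

def is_pingback(ua):
    """WordPress pingback verification requests carry this user agent."""
    return ua.startswith('WordPress/') and 'verifying pingback' in ua

def classify_flood(lines):
    """Return (category, stats) for a batch of log lines from one time window."""
    recs = [r for r in map(parse_line, lines) if r]
    n = len(recs)
    if n == 0:
        return 'no-data', {}
    stats = {
        'requests': n,
        'ip_diversity': len({r['ip'] for r in recs}) / n,
        'ua_diversity': len({r['ua'] for r in recs}) / n,
        'url_diversity': len({r['url'] for r in recs}) / n,
        'cache_bypass_ratio': sum(has_cache_buster(r['url']) for r in recs) / n,
        'pingback_ratio': sum(is_pingback(r['ua']) for r in recs) / n,
    }
    # Order matters: reflection and cache-bypass floods are also highly
    # randomized, so test the more specific fingerprints first.
    # Thresholds (0.5) are illustrative assumptions, not measured values.
    if stats['pingback_ratio'] >= 0.5:
        cat = 'wordpress-xmlrpc'
    elif stats['cache_bypass_ratio'] >= 0.5:
        cat = 'cache-bypass'
    elif stats['ip_diversity'] >= 0.5 or (stats['ua_diversity'] >= 0.5
                                          and stats['url_diversity'] >= 0.5):
        cat = 'randomized'
    else:
        cat = 'basic'
    return cat, stats

# --- constructed sample traffic (not real logs) ---------------------------
def log_line(ip, url, ua, referer='-'):
    return (f'{ip} - - [01/Mar/2015:10:00:00 +0000] "GET {url} HTTP/1.1" '
            f'200 5120 "{referer}" "{ua}"')

rng = random.Random(2015)  # seeded so the samples are reproducible

def token():
    return (''.join(rng.choices(string.ascii_lowercase, k=6))
            + ''.join(rng.choices(string.digits, k=4)))

BROWSER_UA = 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/40.0 Safari/537.36'
SAMPLE_BASIC = [log_line('198.51.100.7', '/', BROWSER_UA, 'http://victim.example/')
                for _ in range(20)]
SAMPLE_RANDOMIZED = [log_line(f'203.0.113.{i}', f'/page/{i}/', f'Bot-{token()}/1.0')
                     for i in range(1, 21)]
SAMPLE_CACHE_BYPASS = [log_line(f'203.0.113.{i}', f'/?{token()}={token()}', BROWSER_UA)
                       for i in range(1, 21)]
SAMPLE_PINGBACK = [log_line(f'192.0.2.{i}', '/',
                            f'WordPress/4.1; http://blog{i}.example; '
                            f'verifying pingback from 203.0.113.5')
                   for i in range(1, 21)]

if __name__ == '__main__':
    for name, sample in [('basic', SAMPLE_BASIC), ('randomized', SAMPLE_RANDOMIZED),
                         ('cache-bypass', SAMPLE_CACHE_BYPASS), ('pingback', SAMPLE_PINGBACK)]:
        cat, st = classify_flood(sample)
        print(f'{name:<13} -> {cat:<17} {st}')
```

In practice you would feed `classify_flood` one time window at a time (say, every 10 seconds of log) and alert when the request count crosses the capacity the text quotes for a CMS host, a few hundred requests per second. The pingback check is the cheap one to act on: those requests come from legitimate WordPress sites, so blocking the user agent, or returning a small static response to it, stops the reflection without touching real visitors.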
Now, when you consider that most cloud VPS servers can barely handle 100,000 packets per
second, you can see how even the smaller attacks can take most servers down. Hosting
providers like Linode, SoftLayer and even Amazon will null-route your server IP for hours if they
detect even a small DDoS against your server.
We see each of these very often, with the majority being randomized HTTP floods, followed by
cache-bypass floods. These two are actually the most dangerous for web applications, since they force
them to do the most work per request. This is the category breakdown of L7 attacks:
The rest were divided into hosting businesses, blogs, social sites and generic business sites. Most
attacks seem to be revenge- or competition-based, but we don't have actual data on that. Very few
of them demanded a ransom for the attack to be stopped.