April 02, 2014

Last week, Incapsula released a report analyzing the latest trends on the DDoS front. The report exposes advancements in both network and application layers.

While the Incapsula report analyses in detail the different trends and types of DDoS attacks and their volumes, I would like to look into one of the really interesting aspects of their findings – the application DDoS attacks that are originating in botnets.

Last year we wrote extensively about the trend of CMS hacking for industrialized cybercrime, in which attackers onboard infected machines into botnets and then use them as platforms for network and application attacks. For DDoS attacks, it just makes sense. When a hacker has the power of the masses with a large botnet, there are great opportunities to disrupt service. When servers are infected rather than users’ computers, it’s even worse, simply because of the bandwidth and computing power that become available to the hacker.

Incapsula’s research bears out our findings from last year, with a large portion of the attacks coming from botnets. During 2013, Incapsula witnessed an increase of 240% in attack volume, and it is important to mention that many of the attacks used the WordPress CMS platform as the bot attack platform.

 

Figure: DDoS botnets geographic distribution

 

DDoS bots become more complex

A few months ago we demonstrated, in a Threat Advisory on a JBoss vulnerability, how easy it is to hijack a server for malicious intent, but the hacker code was always quite simple in terms of abilities.

Incapsula, using its unique bot analysis mechanism, was able to isolate an interesting trend. The bots, while still primarily primitive, are evolving. More and more bots have advanced to the point where they can interact with the application itself, mimicking a user.

 

Figure: DDoS botnets geographic distribution

 

At the very least, this shows the direction that industrialized hackers are going. Realizing the potential in bots, hackers are moving to develop more advanced bots that can bypass classic solutions by disguising themselves as a user or as a browser.

Here are some of Incapsula’s bot-related findings:

  • More than 25% of all botnets are located in India, China and Iran
  • 29% of botnets attack more than 50 targets a month
  • 29.9% of DDoS bots can hold cookies
  • 46% of all spoofed user-agents are fake Baidu Bots (while 11.7% are fake Googlebots)
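
The fake Baidu and Googlebot user-agents in the last finding can be told apart from real crawlers with a forward-confirmed reverse DNS check. The sketch below is an added example, not code from Incapsula or from this post; the domain suffixes are assumptions based on the crawler operators' published verification guidance, and the IP addresses, hostnames and requests are constructed.

```python
import socket

# Assumed hostname suffixes for each crawler (from the operators' published guidance).
CRAWLER_DOMAINS = {
    "googlebot": (".googlebot.com", ".google.com"),
    "baiduspider": (".baidu.com", ".baidu.jp"),
}

def system_ptr(ip):
    """Reverse (PTR) lookup via the system resolver; None on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_a(host):
    """Forward lookup via the system resolver; empty set on failure."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def classify(ip, user_agent, ptr=system_ptr, fwd=system_a):
    """Return 'not-crawler', 'verified' or 'spoofed' for one request."""
    ua = user_agent.lower()
    claimed = next((name for name in CRAWLER_DOMAINS if name in ua), None)
    if claimed is None:
        return "not-crawler"
    host = ptr(ip)
    # Step 1: the PTR name must sit inside the operator's own domain.
    if not host or not host.lower().rstrip(".").endswith(CRAWLER_DOMAINS[claimed]):
        return "spoofed"
    # Step 2: whoever owns the IP controls its PTR record, so the name must
    # also resolve forward to the same IP before it is trusted.
    return "verified" if ip in fwd(host) else "spoofed"

# Constructed DNS data and requests so the example runs offline.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "198.51.100.7": "crawl.googlebot.com",   # forged PTR record
       "203.0.113.5": "host5.example.net"}
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
     "crawl.googlebot.com": {"192.0.2.99"}}
GOOGLE_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BAIDU_UA = "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
REQUESTS = [("192.0.2.10", GOOGLE_UA), ("198.51.100.7", GOOGLE_UA),
            ("203.0.113.5", BAIDU_UA), ("203.0.113.9", "Mozilla/5.0 Firefox/28.0")]

def run_sample():
    return [classify(ip, ua, PTR.get, lambda h: A.get(h, set())) for ip, ua in REQUESTS]
```

Calling `classify(ip, user_agent)` without the last two arguments uses the system resolver, so results should be cached per IP in production.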

Where can I learn more?

  1. The Incapsula DDoS report, Here
  2. Incapsula’s infographic, Here

 

 


Posted by Barry Shteiman at 01:43:42 AM

