Rostelecom conducted a study of DDoS attacks carried out on the Russian segment of the Internet in 2018. According to the report, in 2018 there was a sharp increase not only in the number of DDoS attacks, but also in their power. Game servers were most often in the focus of attackers' attention.
The total number of DDoS attacks in 2018 increased by 95% compared to the previous year. The largest number of attacks was recorded in November and December. Many e-commerce companies receive a significant part of the profits at the end of the year, i.e. New Year's holidays and the weeks preceding them. Competition during this period is especially aggravated. In addition, the holidays account for the peak of user activity in online games.
The longest attack recorded by Rostelecom in 2017 occurred in August and lasted 263 hours (almost 11 days). In 2018, the attack recorded in March and lasted 280 hours (11 days and 16 hours) reached record levels.
In the past year, there was a sharp jump in the power of DDoS attacks. If in 2017 this figure did not exceed 54 Gb / s, then in 2018 the most serious attack was already carried out at a speed of 450 Gb / s. This was not a single fluctuation: only twice in a year did this figure fall significantly below 50 Gb / s - in June and August.
Who gets attacked the most
The 2018 statistics confirm that the DDoS threat is most relevant for industries whose critical business processes depend on the availability of online services and applications, primarily gaming and e-commerce.
The share of attacks on game servers was 64%. According to analysts, the picture will not change in the coming years, and with the development of eSports, we can expect a further increase in the number of attacks on the industry. E-commerce enterprises consistently "hold" the second place (16%). Compared to 2017, the share of DDoS attacks on telecom increased from 5% to 10%, while the share of educational institutions, on the contrary, decreased from 10% to 1%.
Predictably enough, according to the criterion of the average number of attacks per client, the gaming segment and e-commerce occupy significant shares - 45% and 19%, respectively. More unexpected seems to be a significant increase in attacks on banks and payment systems. However, this is due rather to a very calm 2017 after the campaign against the Russian banking sector at the end of 2016. In 2018, everything returned to its place.
Attack methods
The most popular DDoS method is UDP flooding - almost 38% of all attacks are carried out using this method. It is followed by SYN flood (20,2%) and almost equally divided packet attack and DNS amplification - 10,5% and 10,1% respectively.
At the same time, a comparison of statistics for 2017 and 2018. shows that the share of SYN flood attacks has almost doubled. We assume that this is due to their relative simplicity and cheapness - such attacks do not require the mandatory presence of a botnet (that is, the cost of creating / renting / buying it).
The number of attacks using amplifiers has increased. When organizing DDoS with amplification, attackers send requests with a fake source address to servers that respond to the victim of the attack with multiply increased packets. This method of DDoS attacks may reach a new level and become very common in the near future, since it also does not require the cost of organizing or purchasing a botnet. On the other hand, with the development of the Internet of Things and the growing number of known vulnerabilities of IoT devices, we can expect the emergence of new powerful botnets, and, consequently, cheaper services for organizing DDoS attacks.
Source: habr.com