DDoS attacks in Q1 2020 – 10 minute mail

News overview

Since the beginning of 2020, due to the COVID-2019 pandemic, life has shifted almost entirely to the Web — people worldwide are now working, studying, shopping, and having fun online like never before. This is reflected in the goals of recent DDoS attacks, with the most targeted resources in Q1 being websites of medical organizations, delivery services, and gaming and educational platforms.

For instance, attackers in mid-March tried to disable the website of the US Department of Health and Human Services (HHS). The purpose of the attack was seemingly to deprive citizens of access to official data about the pandemic and measures taken against it. At the same time, unknown cyber actors spread misinformation in social networks and via text and e-mail about the introduction of a nationwide quarantine in the US. The attempt failed: the HHS website continued to function, despite the increased load.

The victim of another DDoS attack was the large Paris-based group of hospitals Assistance Publique-Hôpitaux de Paris. Cybercriminals attempted to disable the infrastructure of medical institutions. As a result, remote hospital workers were unable to use programs and corporate e-mail for some time. However, the attackers failed to paralyze the entire organization.

The food delivery services Lieferando (Germany) and Thuisbezorgd (Netherlands) found themselves in a more awkward situation. DDoS attacks on both companies meant that although they could accept orders, they could not process them and had to return customers’ money. What’s more, the cybercriminals targeting Lieferando demanded 2 BTC (a shade over US$13,000 at the time of writing) to halt the DDoS.

The German distance-learning platform Mebis was attacked on the very first remote school day. The service, which enables teachers in the federal state of Bavaria to exchange materials, homework, and tests with schoolchildren, was down for several hours.

Online games, whose popularity has soared under quarantine, were hit repeatedly. In particular, attackers flooded the servers of Battle.net and Eve Online with junk traffic, the latter facing nine straight days of bombardment. Belarusian company Wargaming also came under fire: players of World of Tanks, World of Warships, and other titles had problems with server speeds for several days. However skeptical users claimed that the problems had nothing at all to do with cybercriminals.

Australian authorities in late March reported a DDoS attack on the MyGov social services portal, but a couple of hours after the major announcement they were forced to admit they had made a mistake. It turned out that the site could not cope with the influx of perfectly genuine requests from citizens out of work as a result of the pandemic.

Besides DDoS attacks directly or indirectly related to the all-conquering coronavirus, this quarter saw a continuation of politically motivated attacks. In the second half of January, for instance, unknown cyber actors made two attempts to bring down the websites of government agencies and emergency services in Greece. Among the resources taken temporarily offline were the websites of the prime minister, several ministries, the fire service, and the police. The Turkish group Anka Neferler Tim claimed responsibility for the first attack, but the Greek authorities are not rushing to any final conclusions, especially since the perpetrators of the second attack have yet to announce themselves.

This year will see the next US presidential election, and the runup to it, as always, is accompanied by DDoS attacks. For example, a voter registration and information website was hit in early February. The attackers employed the PRSD (pseudorandom subdomain attack) technique to send numerous requests to non-existent subdomains of the site. However, the DDoS attempt failed: the resource was protected against attacks of this kind.

Financial institutions were not spared either. In February, the cryptocurrency exchanges OKEx and Bitfinex were subjected to sophisticated DDoS attacks. The first has assured that it handled the incident without detriment to users, while the second was forced offline for an hour. According to Bitfinex management, this was necessary to set up specialized protection. Whether the incidents were just similar or related is not known.

The BitMEX crypto exchange likewise announced a DDoS attack this quarter — not once but twice. Its access problems coincided with a sharp drop in the value of bitcoin, which prompted a wave of suspicion among customers. Some believe that the exchange intentionally went offline to prevent a mass sell-off. BitMEX later promised to pay compensation, but only to 156 users who had lost deals in the ETH/USD pair.

As in the previous quarter, ransomware attacks by well-known APT groups made the news. In late February, Australian financial institutions received e-mails demanding large sums in the cryptocurrency Monero. The attackers introduced themselves as the Silence group, and threatened DDoS attacks for non-payment. Earlier, e-mails with similar threats had been received by companies from Singapore, Turkey, South Africa, and other countries. The ransomers went by the various names of Cozy Bear, Fancy Bear, Anonymous, Carbanak, and Emotet in the hope that victims would google them and be scared into compliance.

Unlike these international ransomware groups, a teenager from Odessa who last year tried to DDoS a company that had refused to coooperate was caught by police in January 2020. The youngster wanted to force a Ukrainian internet service provider to hand over information about a customer. On being refused, he attempted to disable the company’s network. The attack was reported to be quite powerful.

Overall, the past quarter was fairly rich in arrests. In February, Arthur Dam was detained in the US charged with carrying out four DDoS attacks on the website of congressional candidate Bryan Caforio in 2018, taking it offline for a total of 21 hours. The prosecution noted that Dam’s wife worked for Caforio’s rival Katie Hill, who ultimately won the vote.

Another cybercriminal was detained in Krasnodar in mid-March for attacking the online store of a company in Cherepovets, Russia. Although he had carefully masked the source of the DDoS attack, cyber police managed to trace him. The individual claimed that he had simply wanted to demonstrate his skills and offer his services to the company to defend against DDoS attacks. However, the idea failed even before his arrest, since he was unable to bring down the site.

This guy is by no means the only “double agent” in the DDoS world. In New Jersey, Tucker Preston, founder of BackConnect, a DDoS mitigation firm, admitted to a similar crime. From December 2015 to February 2016, Preston hired third parties to bombard the New Jersey-based servers of an unnamed organization with junk traffic. The offense carries up to ten years in jail and a maximum fine of US$250,000.

The owners of a website allegedly used to launch custom DDoS attacks could also be forced to fork out. Video game publisher Ubisoft filed a lawsuit against the resource after a string of attacks on the servers ofTom Clancy’s Rainbow Six Siege. According to the developer, the site — which purportedly helps clients test their own security — actually specializes in DDoSing games. Ubisoft is seeking the closure of the resource and damages from the owners.

This quarter has been dominated by the coronavirus pandemic, which has shaken up many things in the world, including the DDoS market. Contrary to our forecast in the last report, in Q1 2020 we observed a significant increase in both the quantity and quality of DDoS attacks. The number of attacks doubled against the previous reporting period, and by 80% against Q1 2019. The attacks also became longer: we observed a clear rise in both the average and maximum duration. The first quarter of every year sees a certain spike in DDoS activity, but we did not expect this kind of surge.

Comparison of the total number of DDoS attacks in Q1 2020 and Q1 and Q4 2019; Q1 2019 is taken as the 100% reference value (download)

Duration of DDoS attacks in Q1 2020 and Q1 and Q4 2019; Q1 2019 is taken as the 100% reference value (download)

Against a backdrop of overall growth, the share of smart attacks remained virtually unchanged over the past year: the first quarters of 2019 and 2020 were at the same level, around 42%. This points to a rise in interest in DDoS attacks on the part of both professionals and amateurs: the number of overall attacks is growing at the same pace as the number of smart attacks, so the proportion has not changed.

Share of smart attacks in the total number of DDoS attacks in Q1 2020 and Q1 and Q4 2019 (download)

Interestingly, the number of DDoS attacks on educational and administrative web resources tripled compared to the same period in 2019. Moreover, such attacks in Q1 2020 amounted to 19% of the total number of incidents, against just 11% a year ago.

The upswing in cybercriminal interest in such resources could be linked to the spread of COVID-19, which has created more demand for distance-learning services and official sources of information. Since the start of 2020, the pandemic has affected all industries. So it is logical for it to impact the DDoS market too. Going forward, this effect may become even more pronounced.

Although it is difficult to predict anything at a time of such global instability, it can be assumed that the attacks will not decrease: many organizations are now switching to remote working, and with that the set of viable targets is increasing. If earlier the target in most cases was companies’ public resources, now key infrastructure elements, such as corporate VPN gateways or non-public web resources (mail, corporate knowledge base, etc.), may be at risk. This is opening up new niches for attack organizers, and could lead to DDoS market growth.

Statistics

Methodology

Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q1 2020.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

  • In Q1 2020, most C&C servers were still registered in the US (39.93%), while most bots were in Brazil.
  • In terms of the dynamics of the number of attacks overall, this quarter was very similar to the last — with peaks of more than 230 attacks on February 14 and 15 and a drop to 16 attacks on January 25.
  • DDoS attackers were most active on Mondays, and more likely to rest on Wednesdays.
  • SYN flooding is still the most popular type of attack (and even strengthened its position with 92.6% of all attacks), while ICMP attacks unexpectedly jumped ahead of all other varieties into second place.
  • Windows botnets continue to gain popularity: the share of attacks using them grew by 3 p.p. to 5.64%.

Geography of unique IP addresses used in attacks

This quarter, we decided to look at the distribution by country of botnets and their component bots. To do so, we analyzed the location of the unique IP addresses from which attacks on our honeypots were registered.

First place in the TOP 10 countries by number of bots goes to Brazil, with 12.25% of unique IP addresses. In second place, less than one percentage point behind, is China (11.51%), while third position — by a much wider margin — is taken by Egypt (7.87%). The remaining TOP 10 countries scored from 6.5% to 2.5% of the total number of bot IP addresses. The rating also featured several Asian countries (Vietnam (6.41%) in fourth; Taiwan (3.96%) in seventh; India (3.65%) in eighth), plus Iran (5.56%) in fifth place, Russia (4.65%) in sixth, and the US (3.56%) in ninth. The TOP 10 is rounded out by Turkey, the source of 2.86% of unique addresses used for attacks.

Distribution of botnets by country, Q1 2020 (download)

Curiously, this distribution only partially correlates with the attack statistics. Whereas China has long occupied top spot in the ranking by number of attacks, and Vietnam is a regular visitor to the TOP 10, the leader of the rating by number of unique IPs, Brazil, has only been in the TOP 20 once this past year, taking 20th position in Q1 2019. More often than not, it appears only in the bottom third of the TOP 30, not unlike Iran, which closes off the TOP 5 by number of bots. As for Egypt (3rd place by number of bots), it is the source of very few registered attacks, so it generally lies outside even the TOP 30.

Botnet distribution geography

If individual attack devices are mainly located in South America, Asia, and the Middle East, C&C servers, as in the previous quarter, are more often registered in the US and Europe. First place by number of C&Cs is retained by the US, where in Q1 2020 almost 40% of the total were registered (down 18.5 p.p. against the end of last year). Second place is occupied by the Netherlands (10.07%), which climbed up from eighth, and third goes to Germany (9.55%), which last quarter was nowhere to be seen in the TOP 10. As we saw above, of the TOP 3 countries by number of C&C servers, only the US hosted a significant number of bots.

Fourth position by number of C&Cs went to another European country, this time France (8.51%), climbing two rungs up the ladder. China showed the exact opposite trend, falling from third to fifth (3.99% vs 9.52% in Q4 2019). Canada (2.95%) took sixth place, up from ninth, while seventh position was shared by Russia, Romania (back in the TOP 10 after a quarterly break), and newcomer Croatia. Each of these countries scored 2.43% of the total number of C&C servers. The TOP 10 is rounded out by another newcomer, Singapore, on 2.08%.

Distribution of botnet C&C servers by country, Q1 2020 (download)

Dynamics of the number of DDoS attacks

The dynamics of the number of attacks in Q1 2020 are in many ways similar to what we saw at the end of 2019. The peak indicators did not exceed 250 attacks per day (the hottest were February 14 and 15, that is, on and just after St Valentine’s Day (242 and 232 attacks, respectively), as well as the 3rd and 10th of that same month). The calmest days of the quarter were January 25 and March 18, when the number of attacks fell short of 20 a day (recall that the quietest day of Q4 2019 saw only 8 registered attacks).

Dynamics of the number of DDoS attacks in Q1 2020 (download)

In the past quarter, the number of attacks on Mondays increased significantly — by almost 4 p.p. If in the previous reporting period this day accounted for only about 14% of attacks, it now commands close to 18%. The calmest day of the quarter was Wednesday (a fraction over 11% of attacks, down 3.7 p.p. on the previous quarter), lagging only slightly behind (by 1.5 p.p.) the previous rating’s anti-leader in terms of attack intensity, Thursday.

Distribution of DDoS attacks by day of the week, Q4 2019 and Q1 2020 (download)

Types of DDoS attacks

The past quarter has seen some noticeable changes in the distribution of DDoS attacks by type: ICMP flooding added 2 p.p. and confidently moved from last to second place (3.6% against 1.6% in the previous reporting period). Accordingly, HTTP flooding finished bottom with its lowest score since January 2019 (a mere 0.3%). UDP and TCP flooding once again swapped places. The only non-mover was the top-placed SYN flooding, whose share continued to grow and reached a record high of 92.6% for the observation period (beating the previous record of 84.6% set last quarter).

Distribution of DDoS attacks by type, Q1 2020 (download)

Windows botnets are becoming more popular. If in the last reporting period they snatched just 0.35 p.p. from their Linux cousins, this time they took a 3 p.p. slice (up from 2.6% to 5.64% of attacks). That said, they are still far being a serious competitor: 9 out of 10 attacks continue to deploy Linux botnets (94.36%).

Ratio of Windows/Linux botnet attacks, Q4 2019 and Q1 2020 (download)

Conclusion

Q1 2020 did not bring any major shocks. The TOP 10 countries by number of C&C servers welcomed two new entries (Croatia and Singapore) and saw the return of two familiar faces (Romania and Germany). Although we observed some growth in Windows botnets and ICMP floods, this did not significantly affect the overall picture. Only the distribution of attacks by day of the week changed substantially, but even that points only to a redistribution of efforts, not a quantitative shift. The rise in the number of DDoS attacks on St Valentine’s Day followed by a lull was also a predictable seasonal phenomenon.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

DDoS attacks in Q4 2019 – 10 minute mail

News overview

In the past quarter, DDoS organizers continued to harness non-standard protocols for amplification attacks. In the wake of WS-Discovery, which we covered in the previous report, cybercriminals turned to Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD) application for remote administration. The first attacks using ARMS were registered back in June 2019, and by early October the protocol was being used by DDoS-as-a-service providers; such attacks have since become widespread. According to the BinaryEdge portal, at the beginning of the quarter, nearly 40,000 systems running macOS with ARMS were available online.

Q4 was also marked by the growing number of peer-to-peer (P2P) botnets. Unlike the classic sort, these are independent of C&C servers, and thus more difficult to neutralize. In Q4 2019, researchers at 360 Netlab told about two new such botnets. The first, nicknamed Roboto, attacks Linux servers through a known vulnerability in the Webmin remote administration application. Experts note that the botnet has yet to carry out a DDoS attack, although it does have the functionality. The second P2P network, Mozi, is aimed at IoT devices and distributed using the DHT protocol, which is applied in distributed networks, such as BitTorrent, to quickly set up a P2P network. Mozi’s authors seemingly borrowed part of the code from the Gafgyt malware, which was designed to create a “classic” botnet.

Gafgyt’s developers also updated their creation. Researchers from Palo Alto Networks detected a new version of the malware that attacks Huawei HG532, Realtek RTL81XX, and Zyxel P660HN-T1A routers. The new version of the bot has even learned to wipe competitors from infected devices.

While some cybercriminals are updating their arsenal, others are using already proven tools and methods. For instance, in October and November 2019, researchers observed a wave of TCP reflection attacks. This method involves sending requests to legitimate services under the guise of the victim, who is then flooded with responses, so the IP addresses of the attackers do not light up. Over the past two years, such attacks have been on the rise. In October, the betting website Eurobet fell victim to cybercriminals, followed by several other sports betting organizations. Later that same month, a flurry of TCP reflection attacks hit financial and telecommunications companies in Turkey. Also named among the targets were Amazon and SoftLayer (a subsidiary of IBM).

Q4 saw attacks on Internet service providers in South Africa continue. In late October, cybercriminals overwhelmed Echo Service Provider — which serves the local providers Afrihost, Axxess, and Webafrica — with junk traffic. Clients of these organizations experienced downtime when connecting to foreign segments of the Internet. The attack reoccurred approximately one month later, and this time the list of victims included the providers RSAWEB and Cool Ideas.

Among the DDoS attacks launched against commercial organizations, worth highlighting is the campaign in October against financial institutions in South Africa, Singapore, and Scandinavia. The attackers sent emails to the victims, threatening to disable their systems and demanding a ransom; and to prove their intent, they carried out a short demonstration DDoS attack. For added effect, they posed as the infamous APT group Fancy Bear, inviting victims to look online for information about their past exploits. When the media reported the attacks, the ransomers renamed themselves Cozy Bear.

Curiously, the media failed to mention a single large-scale DDoS attack timed to coincide with the runup to the festive period. But political incidents did get coverage. For instance, on November 11 and 12, a month before the UK general election, attackers tried to disable the campaign site of the Labour Party.

In December, media outlets in Kyrgyzstan that had reported an investigation into the expenses of the wife of a former official suffered from DDoS attacks. A total of seven organizations were temporarily taken down by the hired hands of the disgruntled party. Another news portal later joined the list of victims, but perhaps for a different reason.

The Minecraft server of the Vatican (that’s right) was bombarded with junk traffic immediately after launch, in what could be described as an ideological attack. The purpose of the server was to create a “less toxic environment” for players, but the project attracted not only peace-loving players. The Vatican is now beefing up its protection. Ubisoft too was engaged in DDoS fire-fighting. The developer adopted a complex of measures to protect the servers of its video game Rainbow Six Siege, which had been on the receiving end of regular attacks. As a result, according to the company, the number of incidents decreased by 93%.

Law enforcement agencies were conspicuous in the struggle against DDoSers. For instance, in early November, Chinese authorities announced the arrest of a group which controlled a botnet of more than 200,000 infected sites. The operation took place in 20 cities; 41 people were detained. In the second half of the same month, the US sentenced Sergey Usatyuk to 13 months’ imprisonment for running DDoS-for-hire services together with an unknown accomplice in Canada. The cybercriminals had been active from 2015 to 2017. In the first 13 months of the operation, the service was used by 386,000 clients and 3.8 million DDoS attacks were carried out.

As we predicted, Q4 saw an increase in the number of attacks relative to the previous reporting period. Although the rise in the total number of incidents was modest, smart attacks grew by a quarter, which is a fair amount. What’s more, not only the number of attacks increased, but their average duration. This was expected, since Q4 is a period of retail warfare, and we observe an increase in attacks from October to December every year.

If we compare the Q4 indicators with those for the same period last year, we see a near doubling in 2019. The end of 2018 was really very calm; we only noticed renewed growth in the attack market after a significant drop, which we wrote about in last year’s report. Back then, we correctly predicted a further rise in the number of attacks. This is clearly seen when comparing full data for 2018 and 2019.

Comparison of the number and duration of DDoS attacks in Q3 and Q4 2019, as well as Q4 2018; the Q4 figures were taken as the 100% reference value (download)

Overall, in 2019 we observed clear growth in all indicators compared to 2018. The total number of smart attacks saw particularly significant growth, as did their average duration. Last year, we forecast a rise in DDoS attacks, but did not expect such a leap.

The maximum duration of attacks also climbed, but not as significantly. In calculating the indicators, we excluded from the statistics an abnormally long attack carried out in Q3 2019, because it was an outlier case that would have unfairly distorted the annual figures.

Comparison of the number and duration of DDoS attacks in 2018 and 2019; the 2019 figures are taken as the 100% reference value (download)

Although Q4 saw an increase in the number and duration of DDoS attacks relative to the previous reporting period, we link this to the specifics of the quarter, not to a market trend. Seems like the DDoS market have re-stabilized — we see no prerequisites for either a fall or further growth. There have been no high-profile arrests or closures of specialized websites for quite some time, and the cryptocurrency market is not showing explosive growth. Nor have any serious vulnerabilities that would facilitate attacks been found recently. Looking at the trends of past years, we expect a slight decline in Q1 2020, yet will hazard a prediction that in absolute terms it will still be higher than the same period for 2019. Last year was an interesting one in the world of DDoS attacks. Let’s hope that 2020 decides to be boring.

Statistics

Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2019.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

  • China again took first place in terms of number of attacks, although its share slightly decreased (58.46% against 62.97% in Q3).
  • Two newcomers entered the Top 10: Japan (straight in at number three with 4.86%) and Vietnam (0.68%), while South Africa and the Netherlands dropped out.
  • The Top 3 countries by number of targets traditionally coincides with leaders by number of attacks: China (53.07%), the US (22.01%), and Japan (6.14%).
  • The past quarter was characterized by a low number of attacks: the most active days saw just over 250 attacks, and the quietest only eight.
  • DDoS botnet activity was distributed fairly evenly throughout the quarter itself and on individual days of the week, with the safest and most dangerous days differing by just 2.5 p.p.
  • The three longest attacks lasted more than 20 days (494, 492, and 486 hours), which is almost twice as long as last quarter’s leader.
  • Among the attack types, SYN flooding (6%) still leads. The share of TCP-based attacks continued to grow and overtook UDP flooding, while ICMP flooding showed a significant increase.
  • The ratio of Windows and Linux botnets remained virtually unchanged, with the latter still responsible for the overwhelming majority (97.4%) of attacks.
  • The number of C&C servers in absolute terms more than halved. In the US, the absolute number changed slightly less, leading to a sharp increase in the country’s share in the overall picture (58.33% up from 47.55%), while the Netherlands this quarter fell from second position to the foot of the table.

Attack geography

In the past quarter, China held on to the lead in terms of number of attacks, although its share continued to decline (this time by 4.5 p.p. down to 58.46%). The US position did not change either, remaining in second place, with 17.49% of all attacks (almost the same as last quarter’s 17.37%). Third position enjoyed no such stability: Hong Kong, the previous occupier, fell two places to fifth (3.73% against 5.44%), making way for Romania (fourth place with 4.56%, up almost 3.5 p.p.) and Japan, which not only entered the Top 10 for the first time in a year, but shot straight into third place (4.86% against last quarter’s 0.2% and 18th place).

Another newcomer to the ranking is Vietnam. Having narrowly failed to reach the Top 10 in Q3 (11th place), at the end of the year the country experienced a rise of 0.13 p.p. in its share of attacks, enough to cross the threshold. South Africa flew out of the Top 10 almost as swiftly as it had flown in, swapping fourth place for 15th. Slightly less sharp, but also significant, was the drop in the share of attacks on targets in the Netherlands, relegating the country to 14th position.

There were no major changes in the rest of the Top 10, only some shuffling of places. Romania rose from sixth place to fourth with 4.56%; South Korea from eighth to seventh (0.94%), and Canada tenth to eighth (0.83%). The UK (1.01%) and Singapore (0.72%), meanwhile, fell slightly — from fifth to sixth and seventh to ninth, respectively.

Distribution of DDoS attacks by country, Q3 and Q4 2019 (download)

The geography of unique targets is traditionally similar to the distribution of the attacks themselves. The Top 3 in both cases is identical. The share of targets in China also fell against Q3, down to 53.07%; the US still accounts for around a fifth of targets (22.01%), while Japan’s share increased 20-fold to 6.14%.

The Top 5 was again rounded out by Romania and Hong Kong, but in reverse order: this time fourth place went to the latter (4.14%), and fifth to the former (1.95%). The UK (1.53%) retains sixth place in both categories. It is followed by Canada (0.93%) and Vietnam (0.84%). Propping up the Top 10 are Australia (0.82%), up from 14th place over the quarter, and Singapore (0.78%). As such, this quarter’s newcomers — Japan, Australia, and Vietnam — squeezed out the leaders by number of unique targets — South Africa, the Netherlands, and France, which occupied 14th, 12th, and 11th places this quarter, respectively.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2019 (download)

Dynamics of the number of DDoS attacks

Q4 was even calmer than the preceding quarter. Even on the stormiest days (November 24 and December 11), the number of attacks barely exceeded 250 (recall that last year’s likewise relatively calm Q4 experienced a maximum of 457 attacks per day — almost twice as many). The total number of days that saw more than 200 attacks was also small — besides those already mentioned, October 6 and 7 and November 25 were also quite turbulent. Meanwhile, the quietest day, October 13, set a new record with only eight attacks recorded (the previous record-holder being May 25, 2018, with 13 attacks).

Curiously, this year there were no typical Q4 peaks on Black Friday and over Christmas: both periods were reasonably calm, and the attacks throughout the quarter were distributed fairly evenly.

Dynamics of the number of DDoS attacks in Q4 2019 (download)

The attack distribution by day of the week also flattened out considerably: the difference between the calmest and most dangerous day was only about 2.5 p.p. (having approached 7.7 p.p. in the previous reporting period). Attack organizers this quarter were particularly busy on Tuesdays (15.46%), and preferred to put their feet up on Thursdays (12.98%). The former first- and second-placed Monday (down 3.5 p.p.) and Sunday (up nearly 2.5 p.p.) showed the biggest change against the preceding quarter.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2019 (download)

Duration and types of DDoS attacks

While the number of attacks fell, their duration rose significantly compared to the previous quarter. As such, the three longest attacks in the three-month period were ongoing for more than 20 days (494, 492, and 486 hours), while in the quarter before not a single one lasted 12 days. Nevertheless, the record for duration remains an attack carried out in Q2 2019 (506 hours, more than 21 days).

The average attack duration stayed approximately unchanged, while the share of the longest attacks (more than 140 hours) fell by a third to just 0.08%. Meanwhile, the share of the shortest attacks (up to 4 hours) also dropped in relative terms, decreasing by 2.5 p.p. to 81.86%.

But the proportion of attacks lasting 100–139 hours grew slightly (0.14%), as did attacks lasting 10–19 and 5–9 hours (5.33% and 10.19%, respectively). The two middle groups — attacks lasting 20–49 and 50–99 hours — fell insignificantly to 2.05% and 0.36%, respectively.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2019 (download)

The share of SYN flooding this quarter amounted to 84.6%, while UDP attacks surrendered second place to TCP, but only by a whisker (5.8% of all attacks against the latter’s 5.9%). The popularity of TCP attacks thus continues to grow (recall that last quarter they moved past HTTP flooding). The bottom two places did not change, although the shares of both types in the total number of attacks increased slightly: HTTP gained 0.5 p.p. (2.2%), while ICMP added 1.1 p.p. (1.6%).

Distribution of DDoS attacks by type, Q4 2019 (download)

Linux botnets did not partake in the growth trend: this quarter their share marginally decreased to 97.4% (against 97.75% in the previous quarter). Accordingly, the share of Windows botnets grew by the same amount (0.35 p.p.) to 2.6%.

Ratio of Windows/Linux botnet attacks, Q3 and Q4 2019 (download)

Botnet distribution geography

In Q4 last year, the vast majority of botnets (58.33%) were registered in the US (up from 47.55% in the previous quarter). At the same time, the absolute number of C&C servers in the country almost halved.

The UK (14.29%) moved to runner-up spot, and China retained third (9.52%, roughly 3 p.p. higher than the quarter before). Fourth and fifth places this quarter went to Russia (3.57%) and Iran (2.38%), which climbed from 11th place. The combined share of other countries in the distribution of botnets is below 2%.

The most significant drop in the number of C&C servers was observed in the Netherlands, down from 45 to just one. In Germany and Vietnam, both in last quarter’s Top 10, no active botnets were registered this quarter.

Distribution of botnet C&C servers by country, Q4 2019 (download)

Conclusion

Q4 2019 saw stability in some areas and sharp changes in others. For instance, in the geographical distribution, Japan broke straight into the Top 3, while two of the previous quarter’s newcomers, contrary to the norm, secured a footing in the Top 10. At the same time, the geographical distribution of unique targets traditionally mirrors the distribution of the total number of attacks.

Another notable difference between Q3 and Q4 last year was the number and chronology of attacks. Thus, at the end of the year, the distribution by month, as well as by day of the week, was far more uniform. To the surprise of experts, the traditional peaks on Black Friday and over the Christmas and New Year season did not materialize. The duration of the longest attack almost doubled, coming dangerously close to the record set in Q2 2019.

Tellingly, in the last quarter of the year, the number of both attacks and C&C servers fell sharply, while the number of extra-long attacks (over 400 hours) was the highest ever recorded in the history of our observations. This is perhaps evidence of an upward trend in the number of complex and meticulously planned attacks, albeit at the expense of the total number of attacks.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

DDoS attacks in Q4 2019 – 10 minute mail

News overview

In the past quarter, DDoS organizers continued to harness non-standard protocols for amplification attacks. In the wake of WS-Discovery, which we covered in the previous report, cybercriminals turned to Apple Remote Management Service (ARMS), part of the Apple Remote Desktop (ARD) application for remote administration. The first attacks using ARMS were registered back in June 2019, and by early October the protocol was being used by DDoS-as-a-service providers; such attacks have since become widespread. According to the BinaryEdge portal, at the beginning of the quarter, nearly 40,000 systems running macOS with ARMS were available online.

Q4 was also marked by the growing number of peer-to-peer (P2P) botnets. Unlike the classic sort, these are independent of C&C servers, and thus more difficult to neutralize. In Q4 2019, researchers at 360 Netlab told about two new such botnets. The first, nicknamed Roboto, attacks Linux servers through a known vulnerability in the Webmin remote administration application. Experts note that the botnet has yet to carry out a DDoS attack, although it does have the functionality. The second P2P network, Mozi, is aimed at IoT devices and distributed using the DHT protocol, which is applied in distributed networks, such as BitTorrent, to quickly set up a P2P network. Mozi’s authors seemingly borrowed part of the code from the Gafgyt malware, which was designed to create a “classic” botnet.

Gafgyt’s developers also updated their creation. Researchers from Palo Alto Networks detected a new version of the malware that attacks Huawei HG532, Realtek RTL81XX, and Zyxel P660HN-T1A routers. The new version of the bot has even learned to wipe competitors from infected devices.

While some cybercriminals are updating their arsenal, others are using already proven tools and methods. For instance, in October and November 2019, researchers observed a wave of TCP reflection attacks. This method involves sending requests to legitimate services under the guise of the victim, who is then flooded with responses, so the IP addresses of the attackers do not light up. Over the past two years, such attacks have been on the rise. In October, the betting website Eurobet fell victim to cybercriminals, followed by several other sports betting organizations. Later that same month, a flurry of TCP reflection attacks hit financial and telecommunications companies in Turkey. Also named among the targets were Amazon and SoftLayer (a subsidiary of IBM).

Q4 saw attacks on Internet service providers in South Africa continue. In late October, cybercriminals overwhelmed Echo Service Provider — which serves the local providers Afrihost, Axxess, and Webafrica — with junk traffic. Clients of these organizations experienced downtime when connecting to foreign segments of the Internet. The attack reoccurred approximately one month later, and this time the list of victims included the providers RSAWEB and Cool Ideas.

Among the DDoS attacks launched against commercial organizations, worth highlighting is the campaign in October against financial institutions in South Africa, Singapore, and Scandinavia. The attackers sent emails to the victims, threatening to disable their systems and demanding a ransom; and to prove their intent, they carried out a short demonstration DDoS attack. For added effect, they posed as the infamous APT group Fancy Bear, inviting victims to look online for information about their past exploits. When the media reported the attacks, the ransomers renamed themselves Cozy Bear.

Curiously, the media failed to mention a single large-scale DDoS attack timed to coincide with the runup to the festive period. But political incidents did get coverage. For instance, on November 11 and 12, a month before the UK general election, attackers tried to disable the campaign site of the Labour Party.

In December, media outlets in Kyrgyzstan that had reported an investigation into the expenses of the wife of a former official suffered from DDoS attacks. A total of seven organizations were temporarily taken down by the hired hands of the disgruntled party. Another news portal later joined the list of victims, but perhaps for a different reason.

The Minecraft server of the Vatican (that’s right) was bombarded with junk traffic immediately after launch, in what could be described as an ideological attack. The purpose of the server was to create a “less toxic environment” for players, but the project attracted not only peace-loving players. The Vatican is now beefing up its protection. Ubisoft too was engaged in DDoS fire-fighting. The developer adopted a complex of measures to protect the servers of its video game Rainbow Six Siege, which had been on the receiving end of regular attacks. As a result, according to the company, the number of incidents decreased by 93%.

Law enforcement agencies were conspicuous in the struggle against DDoSers. For instance, in early November, Chinese authorities announced the arrest of a group which controlled a botnet of more than 200,000 infected sites. The operation took place in 20 cities; 41 people were detained. In the second half of the same month, the US sentenced Sergey Usatyuk to 13 months’ imprisonment for running DDoS-for-hire services together with an unknown accomplice in Canada. The cybercriminals had been active from 2015 to 2017. In the first 13 months of the operation, the service was used by 386,000 clients and 3.8 million DDoS attacks were carried out.

As we predicted, Q4 saw an increase in the number of attacks relative to the previous reporting period. Although the rise in the total number of incidents was modest (only 8%), smart attacks grew by a quarter (27%), which is a fair amount. What’s more, not only the number of attacks increased, but their average duration. This was expected, since Q4 is a period of retail warfare, and we observe an increase in attacks from October to December every year.

If we compare the Q4 indicators with those for the same period last year, we see a near doubling in 2019. The end of 2018 was really very calm; we only noticed renewed growth in the attack market after a significant drop, which we wrote about in last year’s report. Back then, we correctly predicted a further rise in the number of attacks. This is clearly seen when comparing full data for 2018 and 2019.

Comparison of the number and duration of DDoS attacks in Q3 and Q4 2019, as well as Q4 2018; the Q4 figures were taken as the 100% reference value (download)

Overall, in 2019 we observed clear growth in all indicators compared to 2018. The total number of smart attacks saw particularly significant growth (+43%), as did their average duration (+44%). Last year, we forecast a rise in DDoS attacks, but did not expect such a leap.

The maximum duration of attacks also climbed, but not as significantly. In calculating the indicators, we excluded from the statistics an abnormally long attack carried out in Q3 2019, because it was an outlier case that would have unfairly distorted the annual figures.

Comparison of the number and duration of DDoS attacks in 2018 and 2019; the 2019 figures are taken as the 100% reference value (download)

Although Q4 saw an increase in the number and duration of DDoS attacks relative to the previous reporting period, we link this to the specifics of the quarter, not to a market trend. Seems like the DDoS market have re-stabilized — we see no prerequisites for either a fall or further growth. There have been no high-profile arrests or closures of specialized websites for quite some time, and the cryptocurrency market is not showing explosive growth. Nor have any serious vulnerabilities that would facilitate attacks been found recently. Looking at the trends of past years, we expect a slight decline in Q1 2020, yet will hazard a prediction that in absolute terms it will still be higher than the same period for 2019. Last year was an interesting one in the world of DDoS attacks. Let’s hope that 2020 decides to be boring.

Statistics

Methodology

Kaspersky Lab has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q4 2019.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

  • China again took first place in terms of number of attacks, although its share slightly decreased (58.46% against 62.97% in Q3).
  • Two newcomers entered the Top 10: Japan (straight in at number three with 4.86%) and Vietnam (0.68%), while South Africa and the Netherlands dropped out.
  • The Top 3 countries by number of targets traditionally coincides with leaders by number of attacks: China (53.07%), the US (22.01%), and Japan (6.14%).
  • The past quarter was characterized by a low number of attacks: the most active days saw just over 250 attacks, and the quietest only eight.
  • DDoS botnet activity was distributed fairly evenly throughout the quarter itself and on individual days of the week, with the safest and most dangerous days differing by just 2.5 p.p.
  • The three longest attacks lasted more than 20 days (494, 492, and 486 hours), which is almost twice as long as last quarter’s leader.
  • Among the attack types, SYN flooding (6%) still leads. The share of TCP-based attacks continued to grow and overtook UDP flooding, while ICMP flooding showed a significant increase.
  • The ratio of Windows and Linux botnets remained virtually unchanged, with the latter still responsible for the overwhelming majority (97.4%) of attacks.
  • The number of C&C servers in absolute terms more than halved. In the US, the absolute number changed slightly less, leading to a sharp increase in the country’s share in the overall picture (58.33% up from 47.55%), while the Netherlands this quarter fell from second position to the foot of the table.

Attack geography

In the past quarter, China held on to the lead in terms of number of attacks, although its share continued to decline (this time by 4.5 p.p. down to 58.46%). The US position did not change either, remaining in second place, with 17.49% of all attacks (almost the same as last quarter’s 17.37%). Third position enjoyed no such stability: Hong Kong, the previous occupier, fell two places to fifth (3.73% against 5.44%), making way for Romania (fourth place with 4.56%, up almost 3.5 p.p.) and Japan, which not only entered the Top 10 for the first time in a year, but shot straight into third place (4.86% against last quarter’s 0.2% and 18th place).

Another newcomer to the ranking is Vietnam. Having narrowly failed to reach the Top 10 in Q3 (11th place), at the end of the year the country experienced a rise of 0.13 p.p. in its share of attacks, enough to cross the threshold. South Africa flew out of the Top 10 almost as swiftly as it had flown in, swapping fourth place for 15th. Slightly less sharp, but also significant, was the drop in the share of attacks on targets in the Netherlands, relegating the country to 14th position.

There were no major changes in the rest of the Top 10, only some shuffling of places. Romania rose from sixth place to fourth with 4.56%; South Korea from eighth to seventh (0.94%), and Canada tenth to eighth (0.83%). The UK (1.01%) and Singapore (0.72%), meanwhile, fell slightly — from fifth to sixth and seventh to ninth, respectively.

Distribution of DDoS attacks by country, Q3 and Q4 2019 (download)

The geography of unique targets is traditionally similar to the distribution of the attacks themselves. The Top 3 in both cases is identical. The share of targets in China also fell against Q3, down to 53.07%; the US still accounts for around a fifth of targets (22.01%), while Japan’s share increased 20-fold to 6.14%.

The Top 5 was again rounded out by Romania and Hong Kong, but in reverse order: this time fourth place went to the latter (4.14%), and fifth to the former (1.95%). The UK (1.53%) retains sixth place in both categories. It is followed by Canada (0.93%) and Vietnam (0.84%). Propping up the Top 10 are Australia (0.82%), up from 14th place over the quarter, and Singapore (0.78%). As such, this quarter’s newcomers — Japan, Australia, and Vietnam — squeezed out the leaders by number of unique targets — South Africa, the Netherlands, and France, which occupied 14th, 12th, and 11th places this quarter, respectively.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2019 (download)

Dynamics of the number of DDoS attacks

Q4 was even calmer than the preceding quarter. Even on the stormiest days (November 24 and December 11), the number of attacks barely exceeded 250 (recall that last year’s likewise relatively calm Q4 experienced a maximum of 457 attacks per day — almost twice as many). The total number of days that saw more than 200 attacks was also small — besides those already mentioned, October 6 and 7 and November 25 were also quite turbulent. Meanwhile, the quietest day, October 13, set a new record with only eight attacks recorded (the previous record-holder being May 25, 2018, with 13 attacks).

Curiously, this year there were no typical Q4 peaks on Black Friday and over Christmas: both periods were reasonably calm, and the attacks throughout the quarter were distributed fairly evenly.

Dynamics of the number of DDoS attacks in Q4 2019 (download)

The attack distribution by day of the week also flattened out considerably: the difference between the calmest and most dangerous day was only about 2.5 p.p. (having approached 7.7 p.p. in the previous reporting period). Attack organizers this quarter were particularly busy on Tuesdays (15.46%), and preferred to put their feet up on Thursdays (12.98%). The former first- and second-placed Monday (down 3.5 p.p.) and Sunday (up nearly 2.5 p.p.) showed the biggest change against the preceding quarter.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2019 (download)

Duration and types of DDoS attacks

While the number of attacks fell, their duration rose significantly compared to the previous quarter. As such, the three longest attacks in the three-month period were ongoing for more than 20 days (494, 492, and 486 hours), while in the quarter before not a single one lasted 12 days. Nevertheless, the record for duration remains an attack carried out in Q2 2019 (506 hours, more than 21 days).

The average attack duration stayed approximately unchanged, while the share of the longest attacks (more than 140 hours) fell by a third to just 0.08%. Meanwhile, the share of the shortest attacks (up to 4 hours) also dropped in relative terms, decreasing by 2.5 p.p. to 81.86%.

But the proportion of attacks lasting 100–139 hours grew slightly (0.14%), as did attacks lasting 10–19 and 5–9 hours (5.33% and 10.19%, respectively). The two middle groups — attacks lasting 20–49 and 50–99 hours — fell insignificantly to 2.05% and 0.36%, respectively.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2019 (download)

The share of SYN flooding this quarter amounted to 84.6%, while UDP attacks surrendered second place to TCP, but only by a whisker (5.8% of all attacks against the latter’s 5.9%). The popularity of TCP attacks thus continues to grow (recall that last quarter they moved past HTTP flooding). The bottom two places did not change, although the shares of both types in the total number of attacks increased slightly: HTTP gained 0.5 p.p. (2.2%), while ICMP added 1.1 p.p. (1.6%).

Distribution of DDoS attacks by type, Q4 2019 (download)

Linux botnets did not partake in the growth trend: this quarter their share marginally decreased to 97.4% (against 97.75% in the previous quarter). Accordingly, the share of Windows botnets grew by the same amount (0.35 p.p.) to 2.6%.

Ratio of Windows/Linux botnet attacks, Q3 and Q4 2019 (download)

Botnet distribution geography

In Q4 last year, the vast majority of botnets (58.33%) were registered in the US (up from 47.55% in the previous quarter). At the same time, the absolute number of C&C servers in the country almost halved.

The UK (14.29%) moved to runner-up spot, and China retained third (9.52%, roughly 3 p.p. higher than the quarter before). Fourth and fifth places this quarter went to Russia (3.57%) and Iran (2.38%), which climbed from 11th place. The combined share of other countries in the distribution of botnets is below 2%.

The most significant drop in the number of C&C servers was observed in the Netherlands, down from 45 to just one. In Germany and Vietnam, both in last quarter’s Top 10, no active botnets were registered this quarter.

Distribution of botnet C&C servers by country, Q4 2019 (download)

Conclusion

Q4 2019 saw stability in some areas and sharp changes in others. For instance, in the geographical distribution, Japan broke straight into the Top 3, while two of the previous quarter’s newcomers, contrary to the norm, secured a footing in the Top 10. At the same time, the geographical distribution of unique targets traditionally mirrors the distribution of the total number of attacks.

Another notable difference between Q3 and Q4 last year was the number and chronology of attacks. Thus, at the end of the year, the distribution by month, as well as by day of the week, was far more uniform. To the surprise of experts, the traditional peaks on Black Friday and over the Christmas and New Year season did not materialize. The duration of the longest attack almost doubled, coming dangerously close to the record set in Q2 2019.

Tellingly, in the last quarter of the year, the number of both attacks and C&C servers fell sharply, while the number of extra-long attacks (over 400 hours) was the highest ever recorded in the history of our observations. This is perhaps evidence of an upward trend in the number of complex and meticulously planned attacks, albeit at the expense of the total number of attacks.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.