Distributed denial of service (DDoS) attacks continue to rise in EMEA, with mitigated incidents growing 64% in 2017.
According to customer data from F5’s Poland-based Security Operations Center (SOC), EMEA accounts for over 51% of reported global DDoS attacks.
Reflecting the spike in activity, F5 reported a 100% growth for EMEA customers deploying Web Application Firewall (WAF) technology in the past year. Meanwhile, anti-fraud solutions adoption increased by 76% and DDoS by 58%.
A key discovery was the relative drop in power for single attacks. Last year, the SOC logged multiple attacks of over 100Gbps, with some surpassing 400Gbps. In 2017, the top attack stood at 62Gbps. This suggests a move towards more sophisticated Layer 7 DDoS attacks that are potentially more effective and have lower bandwidth requirements.
At the same time, 66% of reported DDoS attacks were multi-vector and required sophisticated mitigation tools and knowledge.
“DDoS threats are on the rise in EMEA compared to the rest of the world, and we’re seeing notable changes in their scope and sophistication compared to 2016,” says Martin Walshaw, senior network engineer at F5.
“Businesses need to be aware of the shift and ensure, as a matter of priority, that the right solutions are in place to halt DDoS attacks before they reach applications and adversely impact on business operations. EMEA is clearly a hotspot for attacks on a global scale, so there is minimal scope for the region’s decision-makers to take their eyes off the ball.”
Q1 2017 started with a bang, with F5 customers facing the widest range of disruptive attacks recorded to date. User Diagram Protocol (UDP) floods stood out, representing 25% of all attacks. Attackers typically send large UDP packets to a single destination or random ports, disguising themselves as trustworthy entities before stealing sensitive data. The next most common attacks were DNS Reflection (18%) and SYN Flood attacks (16%).
Q1 was also the peak for Internet Control Message Protocol (ICMP) attacks, whereby cybercriminals overwhelm businesses with rapid “echo request” (ping) packets without waiting for replies. In stark contrast, Q1 2016 attacks were a 50/50 split between UDP and Simple Service Discover Protocol (SSDP) floods.
Q2 proved equally challenging, with SYN floods moving to the front of the attack pack (25%), followed by Network Time Protocol and UDP floods (both 20%).
The attackers’ momentum continued into Q3, with UDP floods leading the way (26%). NTP floods were also prevalent (rising from 8% during the same period in 2016, to 22%), followed by DNS reflection (17%).
2017 wound down with more UDP flood dominance (25% of all attacks). It was also the busiest period for DNS reflection, which accounted for 20% of all attacks (compared to 8% in 2017 during the same period).
Another key discovery during Q4 — and one that vividly underlines cybercriminals capacity for agile reinvention — was how the Ramnit Trojan dramatically extended its reach. Initially built to hit banks, F5 Labs found that 64% of its targets during the holiday season were US based e-commerce sites. Other new targets included sites related to travel, entertainment, food, dating and pornography. Other observed banking Trojans extending their reach include Trickbot, which infects its victims with social engineering attacks, such as phishing or malvertising, to trick unassuming users into clicking malware links or downloading malware files.
“Attack vectors and tactics will only continue to evolve in EMEA,” says Walshaw. “It is vital that businesses have the right solutions and services in place to safeguard apps wherever they reside. 2017 showed that more internet traffic is SSL/TLS encrypted, so it is imperative that DDoS mitigation solutions can examine the nature of these increasingly sophisticated attacks. Full visibility and greater control at every layer are essential for businesses to stay relevant and credible to customers.
“This will be particularly important in 2018 as the EU General Data Protection Regulations come into play.”