Accidental DDoS attacks by spammers, political sabotage and the owners of DDoS botnets attempting to make money from bitcoin: these are some of the trends analysed in Kaspersky Lab’s fourth quarter report for 2017 based on data from Kaspersky DDoS Intelligence.
The number of countries where the resources of DDoS botnet victims are located fell from 98 to 82 in the fourth quarter. Vietnam burst into the rating of most attacked countries, replacing Hong Kong among the leaders.

Despite minor fluctuations, all the other countries in this top 10 retained their places. Canada, Turkey and Lithuania, meanwhile, entered the top 10 countries where C&C servers controlling DDoS botnets are located, taking over from Italy, Hong Kong and the UK.

Following a sharp increase in Q3, the share of Linux botnets remained at the same level in the fourth quarter (71% vs 29% for Windows botnets). However, the percentage of SYN DDoS attacks dropped from 60% to 56% due to a decrease in activity by the Xor DDoS Linux bot. As a result, the proportion of UDP, TCP and HTTP attacks grew, although the percentage of ICMP attacks continued to fall and reached a record low for 2017 (3%).

Kaspersky DDoS Protection statistics, which include data on botnet activity as well as other sources, show a decline in the popularity of DDoS attacks using only the HTTP or HTTPS flood method — from 23% in 2016 to 11% in 2017. At the same time, the frequency of attacks simultaneously using several methods increased from 13% to 31%. This may be due to the difficulty and expense of organising HTTP(S) attacks, while blended attacks allow cybercriminals to combine effectiveness with lower costs.

When it came to the duration of DDoS attacks via botnets, the longest attack in the final months of 2017 lasted only 146 hours. The victim was a site belonging to a Chinese company that teaches how to cook traditional Asian food. However, the reasons behind the most notorious attacks in the reporting period were political (for example, DDoS attacks targeted the Czech statistical office and the site of the Spanish Constitutional Court), as well as attempts to profit from changes in the Bitcoin exchange rate (BTG websites and the Bitcoin exchange Bitfinex were subjected to attacks).

Online commerce and cybercriminals were an inevitable feature of the fourth quarter. In the run-up to the peak sales period of Black Friday and Cyber Monday, Kaspersky Lab honeypots recorded a sudden surge in the number of infection attempts on specially created bait by Linux-based DDoS bots. This may reflect the desire of cybercriminals to increase the size of their botnets prior to a period of major sales and make money out of it.

However, as Q4 showed, a DDoS attack isn’t always a way of earning money or causing trouble for the owners of Internet resources — it can also be an accidental side effect. For instance, in December, an extensive ‘DDoS attack’ on the DNS servers of the RU national domain zone was caused by a modification to the Lethic spambot. It appears that due to a developer error, the Trojan created a vast number of requests to non-existent domains and ended up producing the effect of a massive DDoS attack.

“You don’t have to be a direct target to become a victim of a DDoS attack. Today, DDoS is an instrument for applying pressure or making money illegally, and attacks can harm not just large, well-known organisations but also very small companies,” comments Kirill Ilganaev, head of Kaspersky DDoS protection at Kaspersky Lab.