The report highlights a decline (13%) in the overall number of DDoS attacks when compared to the previous year, however, the company’s experts noticed a trend in cybercriminals turning to longer, more sophisticated, mixed and HTTP flood attack techniques.

DDoS Attacks in Q4 2018

In the last quarter of the year, the longest DDoS attack lasted 329 hours (almost 14 days) – such a long attack was last registered at the end of 2015. In addition, the top three counties with the most DDoS attacks remain the same – with China in first place, although its share dropped significantly (from 77.67% to 50.43%), the U.S. remaining in second and third place with Australia for the second quarter in a row since reporting began.

By geographical target distribution, China continues to top the list but its share declined significantly from 70.58 percent in Q3 to 43.26 percent while all other top 10 countries increased in their shares. In second place was the U.S. (29.14%) followed with Australia (5.91%) in third.

In Q4 2018, Kaspersky Lab also witnessed changes in the countries hosting the most command & control (C&C) servers. As in the previous quarter, the U.S. remained the leader, but the UK and the Netherlands came second and third, replacing Russia and Greece respectively. Experts believe this is because of the number of active C&C Mirai servers increasing significantly in the aforementioned countries.

DDoS attacks in 2018: Duration on the rise

Although the number of attacks in 2018 decreased, Kaspersky Lab experts found that the average attack duration grew. Compared with the beginning of the year, the average length of attacks has more than doubled – from 95 minutes in Q1 to 218 minutes in Q4 2018.

Complex attacks, such as HTTP misuse, which require time and money, continue to remain lengthy. As the report revealed, the HTTP flood method and mixed attacks with HTTP component, which shares were relatively small (17% and 14%), constituted about 80 percent of DDoS attack time for the whole year.

Accounting for almost half (49%) of the DDoS attacks in 2018, the most common type of attack is actually User Datagram Protocol (UDP) flooding, but these attacks observed over the year rarely last more than five minutes.

Kaspersky Lab experts assume that the decline in the duration of UDP flood attacks illustrates that the market for easy-to-organize attacks is continuing to shrink. Protection from DDoS attacks of this type is becoming widely implemented, making them ineffective in most cases. The researchers propose that attackers launched numerous UDP flood attacks to test whether a targeted resource is not protected.

Alexey Kiselev said that when cybercriminals do not achieve their goals of earning money by launching simple DDoS attacks, they have two options, they can reconfigure the capacities required for DDoS attacks towards other sources of revenue, such as cryptomining, or malefactors who orchestrate DDoS attacks have to improve their technical skills, as their customers will look for more experienced attackers. Given this, they can anticipate that DDoS attacks will evolve in 2019 and it will become harder for companies to detect them and stay protected.

According to Kaspersky Lab researchers, as more and more organizations adopt solutions to protect themselves from simple types of DDoS attacks, 2019 will likely see attackers improve their expertise to overcome standard DDoS protection measures and bring overall complexity of this type of threat to the next level.

Kaspersky Lab recommends the following steps to protect an organization from DDOS attacks:
· Train and make IT personnel aware of how to respond to DDoS incidents.
· Ensure that the organization’s websites and web applications can handle high traffic.
· Use professional solutions to protect against all types of DDoS attacks regardless of their complexity, strength or duration.

Read the full report on Securelist: https://securelist.com/ddos-attacks-in-q4-2018/89565