Organizations Seek Help Fighting App-Focused DDoS Attacks Even as Total DDoS Attack Rates Stay Flat

F5 Labs continually tracks DDoS trends based on data from various sources. Among the most important are the F5 Security Operations Center (SOC), the front line for mitigating DDoS attacks on behalf of F5 Silverline customers, and F5’s Security Incident Response Team (SIRT), which assists F5 customers who are under attack. This article is a continuation of our previous DDoS trend article and is based on attack data from April through June 2018 from both sources.

Here are the 2018 Q2 DDoS trends we are seeing:

  • Asia-Pacific (APAC) was the most attacked region in Q2, surpassing North America for the first time ever; North America had been the top attacked region since the inception of DDoS attacks.
  • Q2 saw no excessively high volumetric attacks, yet the primary business verticals attacked were hosting and co-location service providers (large volumetric attacks are typically needed to impact these providers).
  • UDP fragment attacks were the number one attack type in Q2 (as they were in Q1).
  • Application-targeted DDoS attacks that don’t require high rates to impact service are holding at around 2% of the total attacks received by the SOC. However, application-targeted DDoS attacks were 30% of all F5 SIRT cases requesting assistance with DDoS attacks. So, even though the percentages might seem small, customers are clearly challenged with mitigating application-targeted DDoS attacks, and this problem will only increase as businesses make the move towards virtualized, application-centric services.

Introduction

Analysts estimate there are over 8 billion IoT devices currently deployed around the world, growing to 30 billion by 2020. These additional 22 billion devices will likely be vulnerable to the same kinds of attacks that are infecting IoT devices today. Most devices are attacked because they have weak access control measures: for example, they’re accessible from anywhere on the Internet, are “protected” by vendor default credentials, and allow for brute force attacks.

The global attack surface is rising exponentially with the growth in IoT, and these “things” are now the cyber weapon of choice for attackers because they are easy to compromise, they are plentiful, and they often reside in unmanaged networks where there is little chance of malware detection and remediation. Attackers know this and are building botnets at an alarming rate out of things like IP cameras, SOHO routers, DVRs, and CCTV. Seventy-four percent of thingbots we know about today were discovered just in the last two years. That list includes Mirai, the most infamous DDoS botnet, which was forked into at least 10 other Mirai spin-off botnets that also have DDoS capabilities; Reaper, which has the capability of launching a 12 Tbps attack; and JenX, which offers 300 Gbps attacks for a mere $20. The average weekly allowance of a child in the US is $17.[1] That means a child in the US could afford to take almost any business offline with a DDoS attack (excluding service providers and major banks, which have the capacity to withstand a 300 Gbps attack).

Speaking of children, in June, ProtonMail was under attack by a “youth” group that goes by the name of Apophis Squad. The group of young adults claimed they learned from YouTube videos how to build the botnet they used for the attack.


