In the second quarter of 2018, DDoS botnets attacked online resources in 74 countries

Woburn, MA – July 24, 2018 – Today, Kaspersky Lab is announcing the availability of its latest Q2 2018 DDoS Intelligence Report, based on data from Kaspersky DDoS Intelligence*, which includes observations from the company’s experts on botnet-assisted DDoS attacks, cybercriminals recalling old vulnerabilities – such as using cameras and printers for DDoS attacks – as well as the expansion of targets with gaming and cryptocurrency as a major focus.

For the first time in the history of DDoS Intelligence reports, Hong Kong found itself among the top three most attacked countries, coming in second – its share increased fivefold and accounted for 17 percent of all botnet-assisted DDoS attacks. The most attacked resources in Hong Kong were hosting services and cloud computing platforms. In addition, China and the U.S. remained first and third respectively, while South Korea dropped down to fourth.

In the list of top 10 countries hosting the most active command & control (C&C) servers, the U.S. took the lead, accounting for almost half (45%) of all active botnet C&C servers in Q2. Meanwhile, Vietnam joined the list while Hong Kong dropped off.

In addition, activity by Windows-based DDoS botnets decreased almost sevenfold, while the activity of Linux-based botnets grew by 25 percent. This resulted in Linux bots accounting for 95 percent of all DDoS attacks in Q2, which also caused a sharp increase in the share of SYN flood attacks – up from 57 percent to 80 percent.

During the reporting period, cybercriminal strategies evolved and delved deep into the past. Attackers used some very old vulnerabilities in their efforts; for example, experts reported DDoS attacks involving a vulnerability in the Universal Plug-and-Play protocol known since 2001. Also, the Kaspersky DDoS Protection team observed an attack organized using a vulnerability in the CHARGEN protocol that was described as far back as 1983. Despite the considerable length of service and the protocol’s limited scope, many open CHARGEN servers can still be found on the internet, mostly on printers and copiers.

However, the mastering of old techniques has not prevented cybercriminals from continuing to create new botnets. For example, in Japan, 50,000 video surveillance cameras were used to carry out DDoS attacks in Q2.

One of the most popular methods of monetizing DDoS attacks remains the targeting of cryptocurrencies and currency exchanges. In Q2, Verge cryptocurrency suffered an attack on some mining pools over the course of several hours, resulting in $35 million XVGs being stolen in the ensuing confusion. This was the same tactic used in a hack the month before, which led to the loss of 250,000 XVGs.

Along with cryptocurrency, gaming platforms continue to be a target as well, particularly during eSports tournaments. Moreover, according to Kaspersky Lab, DDoS attacks affect not only game servers (which is often done to extort a ransom in return for not disrupting the competition) but also the gamers themselves who connect from their own platforms. An organized DDoS attack on a team’s key players can easily result in that team losing and being eliminated from a tournament. Cybercriminals use similar tactics to monetize attacks on the streamer market – channels streaming broadcasts of video games. Competition in this segment is intense, and by using DDoS attacks, cybercriminals can interfere with online broadcasts and, consequently, a streamer’s earnings.

“There can be different motives for DDoS attacks – political or social protest, personal revenge, competition,” said Alexey Kiselev, project manager on the Kaspersky DDoS Protection team. “However, in most cases, they are used to make money, which is why cybercriminals usually attack those companies and services where big money is made. DDoS attacks can be used as a smokescreen to steal money or to demand a ransom for calling off an attack. The sums of money gained as a result of extortion or theft can amount to tens or hundreds of thousands and even millions of dollars. In that context, protection against DDoS attacks looks like a very good investment.”

*The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab.

About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

Kaspersky Lab Media Contact:
Denise Berard

Source: Kaspersky Lab


