DDoS attacks increase 28% as PBot authors use decades-old PHP code

New data from Akamai Technologies reveals that distributed denial of service (DDoS) and web application attacks are on this rise following months of decline, increasing 28% in Q2 2017 from the same period last year.

According to Akamai’s Q2 2017 State of the Internet / Security Report released this week, the PBot DDoS malware has re-emerged as the foundation for the strongest DDoS attacks. The report aggregates data from the company’s global infrastructure and analyzes the cloud security and threat landscape, as well as offers insight into attack trends.

A Distributed Denial of Service (DDoS) can be described as intentionally paralyzing a server, or a computer network, by flooding it with more data than it can process. The attack comes not from a single computer, but from many individual computers used as bots. Botnets are networks of compromised personal computers (bots) that can be controlled remotely to act as one powerful system.

PBot used PHP code written decades ago, Akamai researchers discovered. PBot, essentially a mini-DDoS botnet, was capable of launching an attack at a whopping 75 gigabits per second using just 400 nodes – a returning trend, according to Martin McKeay, Akamai senior security advocate.

“Events like the Mirai botnet, the exploitation used by WannaCry and Petya, the continued rise of SQLi attacks and the re-emergence of PBot all illustrate how attackers will not only migrate to new tools but also return to old tools that have previously proven highly effective,” said McKeay.

“We aren’t certain, but our research into the Pbot malware suggests that we’re going back to a cycle where the attacks are coming from servers, rather than IoT devices,” McKeay added. “The largest attack this quarter only used 400 IP addresses, compared to the thousands used in an IoT based attack.”

Akamai saw a 28% spike in the number of DDoS attacks in the second quarter of 2017, (quarter-over-quarter) following three quarters of decline. Targets were hit an average 32 times over the quarter, with one gaming company attacked 558 times, or almost six times a day. In other words, DDoS attackers are more persistent than ever.

Other findings include:

• Egypt, once not even a blip on researchers’ radar, has become a DDoS focal point, with the most unique IP addresses used in frequent DDoS attacks and a 32% share globally
• The number of IP addresses involved in volumetric DDoS attacks dropped a staggering 98% in Q2 (from 595,000 to 11,000)
• The number of Web application attacks increased 28% year-over-year and 5% quarter-over-quarter
• 51% of web application targets this quarter used SQLi attacks, up 7% from 44% last quarter