DDoS 2014: The Emerging Trends


After months of meticulous data analysis, security provider Incapsula has released a report of the most relevant DDoS trends plaguing the internet landscape today. This article will summarize the more notable findings and explain how the cyber security industry is responding to the current threats.


Network Layer (Layers 3 and 4) DDoS attacks don’t require much finesse; they tend to rely on brute force to cause havoc on a target’s server. As with many cyber trends, developments in Network Layer DDoS can be characterized in three words: bigger, faster, stronger.

Multi-Vector Attacks

Hackers now typically attack with two or more DDoS methods to increase their chances of finding holes in their target’s defense. Over 81% of significant attacks in 2014 used more than one attack method. Sometimes hackers will start a large-scale attack with varied small strikes, just to see how the target reacts. By drawing out their target’s defense, they gain valuable information about their target’s vulnerabilities.

Combo SYN Floods

The most widely used multi-vector Network Layer attack today uses SYN packets on two fronts. First a hacker sends regular SYN packets to create a “smokescreen” effect on the target server. While the target website’s IT team is mitigating the small packets, the hackers follow up by sending large (over 250 byte) SYN packets to cause network saturation. About 75% of all large scale attacks recorded during the last 3 months involved Combo SYN.

NTP Amplification

A relatively new DDoS method on the scene, NTP Amplification takes advantage of the protocol in charge of keeping precise time on your device. The cyber defense industry is seeing NTP attacks that topped 300 Gbps, the DDoS equivalent of a tidal wave. NTP Amplification is surging in popularity; as of early February it became the internet’s most commonly used large scale attack technique.


As opposed to Network Layer attacks, Application Layer (Layer 7) DDoS requires less brawn, but more brain. The application layer is mostly reserved for users and web crawlers, so hackers realized that to gain access they needed bots of their own. As such, the trends in Application Layer DDoS are really the story of advances in bot.

Botnet Geographic Locations

From the viewpoint of hackers, the spread of global internet access means more devices have become available for their malware and Trojans. Once infected, a device becomes part of a botnet or ‘zombie army’ used in Application Layer attacks. All of this goes on unbeknownst to the owner of the device. The top 3 highest sources of malicious botnet activity are India, China, and Iran, together making up 25% of the total.

Sharing Botnets

The hacking industry makes some extra bucks by renting out their botnets to other hackers, and business is booming. Over 60% of botnet devices are used in attacks more than 20 times a month. The cyber security industry is responding by gathering data about source IP addresses, and filtering traffic based on web reputation. Bot designers have been hard at work in the last few months. They are unveiling bots capable of accepting cookies, and others that execute JS. These developments represent a leap in bot sophistication, and they are giving security providers serious problems. These are not your grandparents’ bots.


To deal with these shape-shifting threats, the top security protection companies are also stepping up their game. Along with dealing with the challenges mentioned above, the benchmarks for a strong defense company include cloud-based protection, “Always On” capabilities, reputation based methods and – of course – a large enough network infrastructure.

Your opinion regarding DDoS 2014: The Emerging Trends

Like us on Facebook