3.3 DDoS Attack Duration
3.3.1 Attack Duration Distribution
In 2018, the average duration of a DDoS attack was 42 minutes, down 17% from 2017. This indicates that DDoS attacks were upgraded in industrialization, weaponization, and efficiency and DDoS-as-aService gained momentum for fast growth. We noticed that the longest DDoS attack in 2018 lasted around 12 days, far shorter than attacks detected in previous years.In 2018, short-burst attacks were on a rise. DDoS attacks shorter than 30 minutes accounted for 77% of the total number of DDoS attacks, up 33% from 2017, with the average traffic rising 1.5 times. This tells us that attackers are attaching more and more importance to cost and efficiency as they knock target services offline and cause delays & jitters with high waves of enormous volumes within short periods. In the long run, repeated burst attacks, which are more cost effective, will greatly aggravate the quality of target services.
The decreasing duration of individual attacks makes it possible for attackers to accept more tasks, which characterizes Botnet-as-a-Service and DDoS-as-a-Service.7 In the past, to create botnets, attackers actively created and spread malware to infect devices and then manipulated these devices to launch large-scale DDoS attacks as required. In this case, when to attack totally depended on the attackers’ working time. A successful attack also required accumulation of botnet resources. Therefore, it is not hard to understand why improvements in antivirus software as well as new endpoint technologies led to the decline of massive laptop/workstation/server botnet-based DDoS attacks. To reverse the trend, Botnet-as-a-Service and DDoS-as-a-Service have emerged as premier rental services. In other words, they grant users without botnet resources and technical skills the ability to use a certain number of bots in a given time for a price and can deliver custom services adapted to the scale required and parameters configured by users. Thanks to the widespread use of automatic payment platforms and cryptocurrency, users can conveniently get mercenary-like attack resources by means of online payment. Such botnets not only provide the agility of launching attacks anytime and anywhere, but also make it interesting and satisfying for users to commit DDoS attacks on a whim. Imagine disgruntled employees or people in the midst of a divorce launching retaliatory attacks against the companies related to the people of their ire. All these factors contribute to a lower level of skills required for launching massive DDoS attacks and make it easier to make profits from botnets.
3.3.2 Attack Time Profiling
3.3.2.1 Attack Activities Within One Day
During the day from 0:00 to 24:00, the hours of 10:00–22:00 are busy for online services and the peak period of DDoS attacks, when 70% of attacks are spotted. The coincidence of busy hours of online service access with the peak period of DDoS attacks indicates that attackers time their attacks for maximum effect and impact.
7ᅠhttp://blog.nsfocus.net/gafgy-botnet-baas/
3.3.2.2 Attack Activities Within One Week
In a week from Monday to Sunday, DDoS activities are evenly distributed in the seven days. Most likely reason for this is that current network service providers usually serve customers 24/7. Thus, the odds of being attacked are the same for all the seven days.
to be continued
