Home Others Q2 2015 DDoS Trends – The Fall Of Search Engine Impersonators

Q2 2015 DDoS Trends – The Fall Of Search Engine Impersonators


bits bytes

Search engine impersonators are bots that pretend to be crawling a website in an attempt to index it and find useful links. Most website owners are more than happy to have the search engine bots (googlebot and bingbot, to name a couple) browsing their website all day long. More indexing = better chance to be at the top of the search results.

Attackers use this invitation to damage online operations by spoofing the names of the legitimate bots and taxing application, network or infrastructure resources via illegitimate requests.
Data from a year ago states: “For every 24 googlebot visits, one of them will be fake” . However, the use of this practice has almost entirely disappeared, all at once.

It is evidence to the agility of DDoS attackers. Once IP checking was rolled out with the industry leaders (bots will be tested for their signature string and if that is supposedly a reputable bot such as Google, it will test the bot for IP, to verify that it is indeed Google), this attack vector proved to be quite useless and the criminal minds orchestrating DDoS attacks have shifted their investments to more profitable schemes.

More recent data shows this clearly. According to Incapsula “threat landscape report”, search bot impersonation was detected in 60% of the DDoS attacks in 2014 but only in 1% of those in 2015!

Google Baidu bots

Google and Baidu impersonators bots – 2015 compared to 2014
(Source: Q2 2015: Incapsula global DDoS threat landscape – Full report )

Another mutation in the DDoS attack methodology is the polarization of the attack volume into both extremes: Less and less attacks are somewhere in the middle of DDoS effort. Now, they are either small, hit-and-run probes or comprehensive, intense and prolonged offensives. The reason for this obvious split in DDoS types is that the supply and demand for DDoS attacks has reached a market equilibrium that supports two type of DDoS “providers”.

On one end of the scale, we have the ad hoc criminal or group. They are both the execution and the beneficiary of their offense. They will research and probe to find a suitable victim and utilize a surprise attack, all guns blazing. They benefit from the attack being successful and try their best to ensure it is.

On the other end reside the botnet-for-hire “services”; a sort of outsourcing where the beneficiary to the crime wants to keep costs low and attack lots of small victims. In this case, it does not make sense to maintain a posse of specialized hackers because the DDoS instances are low-quality, low quantity attacks on each target. The actual attacker (the one running the scripts) is benefitting from a reputation and boasted capacity. Although, claiming a refund if the beneficiary of the attack (the purchaser) was scammed out of his money is a process of unclear procedure.

Either way, this marks an efficiency improvement in the works of DDoS criminals, very much like HP focusing on x86-64 servers and IBM focusing on mainframes, each company making good profits by addressing the right customer with the right solution, rather than competing with each other.

In the same way that the end user benefits from HP/IBM specialization, so does he suffer more by the specialization of DDoS sources, requiring increasingly capable and flexible solutions to mitigate DDoS risk.

Reports from security experts indicate a growing involvement of compromised IoT (Internet of Things) devices. More than half of all DDoS attacks are via the UDP protocol and one in twelve of those are using SSDP, making unsecured IoT devices responsible for 5% of all DDoS instances.

2015 Q2 DDoS Threat Landscape Report- The Downside of the Decline of Search Engine Impersonator Bots, and What it means for DDoS Attacks

Source + Hi-Res: Incapsula

Economically, online presence is as vital to a business as ever but increasing financial pressure sometimes unduly pushes against allocating an adequate budget for security. The main reason behind this is the failure to understand that security investments from yesteryear are not necessarily going to work in today’s threat horizon.

It is adamant that the elected security solution is flexible and scalable just as much as the flexibility and scalability employed by internet offenders discussed here.