Skip to main content

Woburn, MA – February 6, 2018 – Today, Kaspersky Lab is announcing the availability of its latest Q4 2017 DDoS Intelligence Report, based on data from Kaspersky DDoS Intelligence*,

which reveals accidental DDoS attacks by spammers, political sabotage and the owners of DDoS botnets attempting to make money from Bitcoin.

In Q4 of 2017, the reasons behind the most notorious attacks were political – for example, DDoS attacks targeted the Czech statistical office and the site of the Spanish Constitutional Court). Also, there were attempts to profit from changes in the Bitcoin exchange rate (BTG websites and the Bitcoin exchange Bitfinex were subjected to attacks).

Online commerce and cybercriminals were an inevitable feature of the fourth quarter. In the weeks leading to the peak sales period of Black Friday and Cyber Monday, Kaspersky Lab honeypots recorded a sudden surge in the number of infection attempts on specially created bait by Linux-based DDoS bots. This may reflect the desire of cybercriminals to increase the size of their botnets prior to a period of major sales to make more money.

However, as Q4 also proved a DDoS attack isn’t always a way of earning money or causing trouble for the owners of internet resources – it can also be an accidental side effect. For instance, in December, an extensive ‘DDoS attack’ on the DNS servers of the RU national domain zone was caused by a modification to the Lethic spambot. It appears that due to a developer error, the Trojan created a vast number of requests to non-existent domains and ended up producing the effect of a massive DDoS attack.

While analyzing the quarterly data, experts also noticed a decrease in the number of countries where the resources of DDoS botnet victims are located fell from 98 in the third quarter to 82 in the fourth quarter. In addition, Vietnam burst into the rating of most attacked countries, replacing Hong Kong among the leaders. Despite minor fluctuations, all of the other countries in the top 10 most attacked countries list remained the same as in Q3. Meanwhile, Canada, Turkey and Lithuania entered the top 10 countries where C&C (command & control) servers controlling DDoS botnets are located, taking the previous places Italy, Hong Kong and the United Kingdom held on the list.

Following a sharp increase in Q3, the share of Linux botnets remained at the same level in the fourth quarter (71% vs. 29% for Windows botnets). However, the percentage of SYN DDoS attacks dropped from 60 percent to 56 percent due to a decrease in activity by the Xor DDoS Linux bot. As a result, the proportion of User Datagram Protocol (UDP), Transmission Control Protocol (TCP) and Hypertext Transfer Protocol (HTTP) attacks grew, although the percentage of Internet Control Message Protocol (ICMP) attacks continued to fall and reached a record low for 2017 (3%).

Kaspersky DDoS Protection statistics, which include data on botnet activity as well as other sources, showed a decline in the popularity of DDoS attacks using only the HTTP or HTTPS flood method – from 23 percent in 2016 to 11 percent in 2017. At the same time, the frequency of attacks simultaneously using several methods increased from 13 percent to 31 percent. This may be due to the difficulty and expense of organizing HTTP(S) attacks, while blended attacks allow cybercriminals to combine effectiveness with lower costs.

"You don’t have to be a direct target to become a victim of a DDoS attack,” said Kirill Ilganaev, head of Kaspersky DDoS protection at Kaspersky Lab. “Today, DDoS is an instrument for applying pressure or making money illegally, and attacks can harm not just large, well-known organizations but also very small companies. No business that depends on internet access – even partially – should be without anti-DDoS protection.”

*The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company operating in the market for over 20 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter

Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter

Media Contact:

Denise Berard


Kaspersky Lab DDoS Intelligence Quarterly Report Reveals Accidental Attacks and Cybercriminals’ Quest for Cash

Accidental DDoS attacks by spammers, political sabotage and the owners of DDoS botnets attempting to make money from Bitcoin – these are just some of the trends analyzed in Kaspersky Lab's fourth quarter report for 2017 based on data from Kaspersky DDoS Intelligence*.
Kaspersky Logo