Insight into Global DDoS Threat Landscape

DDoS attacks remain one of the biggest internet security threats globally; the DDoSMon system detected roughly 20,000 attacks per day over the past period. This page contains the observations and insights derived from the various DDoS attacks detected by DDoSMon and our botnet tracking system. It represents a unique view into the attack trends unfolding online, including attack statistics and behavioral trends for the latest DDoS attacks.

Overview
The number of DDoS attacks has remained stable over the last couple of days, with nearly 20,000 attacks detected per day. Ports 80 and 443 are the most frequently attacked targets. In addition, China and the United States are the most heavily attacked countries.

DDoS Attack Trends
Top 10 Ports Targeted by DDoS Attacks
Top 10 TLDs Targeted by DDoS Attacks
Top 10 Targeted Countries/Regions
DDoS Attack Durations

DDoS Attack Vectors
While UDP-based attacks continued to dominate the types of attacks deployed, the number of TCP-based attacks increased. TCP floods, largely consisting of TCP SYN and TCP ACK floods, were the second most common attack vector, making up 30 percent of attack types. Relative to network-layer attacks, we see comparatively few application-layer attacks, because our data is mainly based on the network layer.

Attack protocol frequency
Attack vectors frequency
Attack Vectors Trends

UDP Reflection & Amplification Attacks
UDP reflection and amplification flood attacks have continued to lead in recent days, making up nearly 70% of total attacks in our observation. The most common UDP floods mitigated were Domain Name System (DNS) reflection attacks, followed by Network Time Protocol (NTP) and Simple Service Discovery Protocol (SSDP) reflection attacks. The largest share of the abused reflectors leveraged in UDP attacks comes from ISPs in China.

Frequency of Protocols Used for Reflection
Trends of Protocols Used for Reflection
Abused Reflector Source IP Count
Top 10 Reflection Source IP Count by ASN
Top 10 Abused NTP Reflectors
Top 10 Abused SSDP Reflectors
Top 10 Abused CHARGEN Reflectors
Top 10 Abused DNS Reflectors

DDoS Botnet
Our botnet tracking system has captured nearly 95k C2 servers (IP + port) and logged nearly 1.1B DDoS-related instructions.
The most active botnet families in our system are elknot.xor (a.k.a. Linux/BillGates), ldx (a.k.a. Xor.DDoS) and bld. Besides traditional PC-side botnets, dozens of attacks from Mirai IoT botnets have been detected, and the Mirai botnet is becoming a more and more powerful menace.

DDoS Botnet Attack Unique Target
Most Active Botnet Family
Top 10 Botnet Attack Ports
Top 10 Botnet Attack Vectors
Distribution of botnet C2 by country/region
Distribution of botnet attack target by country/region