We heard your feedback.
First of all, the numbers that everyone is most interested in:
There were 2,057 DDoS attacks in the Q1 of 2018, 1839 attacks in Q2 and 2,367 attacks in Q3, for a total of 6,263 DDoS attacks as of September 30th, 2018.
Now that's out of the way, the next most important thing to acknowledge is about our reporting period. In the last State of the Internet Security report we moved from reporting the attack count from quarterly to semiannual. This was not well received and confused readers. We've heard the concerns and are moving back to a quarterly cadence for reporting these numbers. The SOTI Security report will be released twice a year, however we'll be publishing the majority of the statistical data and plots every quarter.
There was a noticeable downturn in the number of attacks (1,839) in the second quarter of 2018. While there's no definitive evidence of why attacks dropped off, there's a high likelihood that arrests made in April of the alleged organizers of the Webstressor site are at least partially to be credited. Unluckily, with count of attacks rising to 2,367 in the third quarter, it appears that the relief was short lived. The plots below look at the second and third quarter of 2018.
Volumetric attacks, driven by protocol reflection, remains the overwhelming majority of the attack traffic. Attacks at network layers 3 and 4 are responsible for over 99% of DDoS attacks, with application layer denial attacks being an uncommon occurrence. UDP fragments remain the single biggest type of attack traffic seen by Akamai, primarily because they are a side-effect of other types of UDP traffic.
CLDAP reflection attacks made a major jump (10%) in popularity during the second and third quarter, increasing to 19% of attacks seen by Akamai. This increase caused DNS, NTP and CharGen attacks to drop considerably in usage. The increase in usage of CLDAP may be driven by decreased effectiveness of DNS reflection as more organizations put automated tools in place for these attacks.
Looking at the attack vectors by week, we see that DDoS attacks remained low most of the spring and summer and then started climbing again early in the third quarter. A large football (or soccer, if you're from the U.S.) event in July was the likely cause of a spike in the middle of the month. On the other hand, the increase into August did not have a single driving event, but instead signaled an overall, general increase in DDoS attacks. We anticipate attacks will further increase in the holiday season and the end of the year.
Akamai is examining changing the way we report DNS floods in our reporting. It is more accurate to consider the majority of these attacks DNS reflection attacks and we are working to better report them for both your education and our own.