DDoS attacks now resemble APTs

DDoS attacks are beginning to resemble advanced persistent threats, evidenced by long durations, repetition and changing attack vectors aimed at evading simple, signature-based defense systems, according to Imperva.


At the other end of the spectrum, there is increased evidence that inexpensive botnet-for-hire services are being used to perpetrate attacks. With these tools costing as little as $19.99 per month, and available for online purchase using Bitcoin, the barrier to mounting attacks has dropped significantly.

The longest attack seen during the research period was 64 days, with many other sustained attempts to bring down sites observed. The researchers also noted a shift in DDoS bot populations, with more and more impersonator bots assuming non-generic identities, in an effort to bypass rudimentary signature-based security solutions.

The long durations and advanced, signature-evading methods suggest DDoS is beginning to resemble APTs.


Once targeted by an application layer attack, a website will likely be attacked again once every 10 days on average, with 17 percent of sites attacked more than five times, 10 percent attacked more than 10 times, and several sites attacked every day during the 72-day research period.

During the research period, seventy-one percent of all network layer attacks lasted under three hours, and over 20 percent lasted over five days.

Nimrod Luria, CTO at Sentrix, believes that the approaches to DDoS protection have remained stagnant. “SYN floods are primarily prevented by means of blacklists/signatures or heuristic algorithms and are based on the assumption that we recognize the attack pattern in order to block it. This protection method preserves the unmatched battle between defender and attacker: the attacker is free to attack at will, while the defender must defend all points. This leaves organizations unprotected against new attacks that security systems are not familiar with.”

“A more effective approach to DDoS protection would be contextual, based on understanding the protected website and the actions that legitimate users are entitled to perform on these websites,” Luria concluded.
