The document analyzes DDoS attack patterns and trends in Russia from 2011 to 2012, reporting over 2,500 attacks with peaks in intensity and duration. Key statistics include a maximum attack bandwidth of 56 Gbps and a botnet size reaching 200,000 bots. It highlights that attacks are often motivated by financial gain, political purposes, or botnet promotion, with a notable increase in attack frequency during weekends.

1. DDoS Attacks, Russia, 2011-
2012: Patterns and Trends
Artyom Gavrichenkov
ximaera@highloadlab.com

2. Statistics

2011-2012: > 2500 attacks

17% – ICMP/UDP/SYN/ACK flood

40 attacks > 1 Gbps
2

3. Statistics

Max. attack duration before December,
2011: 486 hours
3

4. 4

5. 5

6. Statistics

Max. attack duration, 2011-2012: 1228 hours
6

7. 7/x

8. One botnet from Southern Asia

2011, December, http://slon.ru: ~200000 bots

2012, May, http://tvrain.ru: ~182000 bots

~500 IP addresses in common
8

9. Abuse from Indonesia
"what is your ip address 178.248.233.23. you've
done ip flooding / ddos to my server. please
stop to all conveniently. thx
178.248.233.23.80 > x.x.x.x.56834: S ack
178.248.233.23.80 > x.x.x.x.3821: S ack
178.248.233.23.80 > x.x.x.x.4947: S ack
178.248.233.23.80 > x.x.x.x.4948: S ack
178.248.233.23.80 > x.x.x.x.32935: S ack
9

10. Statistics

Max. registered bandwidth:
56 Gbps (July, 2011)

Max. botnet size:
200000 bots (December, 2011)

4 attacks from multiple botnets
simultaneously

Attacks often utilize the newest
vulnerabilities
10

11. http://www.nic.ly/ 11

12. Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Sunday
0 100 200 300 400 500 600
12

13. ISPs

Weekends often see larger attacks

ISP tech. support in Russia works better
on workdays

ISPs and IXPs often totally ignore abuses
13

14. January
February
March
April
May
June
July
August
September
October
November
0 20 40 60 80 100 120 140 160
December excluded as untypical (legislative election)
14

15. Attack Goals

Money

Politics

Botnet promotion

Protest
+ B1TC01N$: BKDR_BTMINE.DDOS
15