DDoS attacks in the fourth quarter of 2016

The last three months of 2016 saw significant developments in DDoS attacks. Methods are becoming more sophisticated, the array of devices exploited by botnets is becoming more diverse, and attackers are showcasing their capabilities by selecting larger and more visible targets. All this, and more, is analysed by the experts at Kaspersky Lab in their report on DDoS attacks for the fourth quarter of 2016.

During this period, Kaspersky Lab's DDoS Intelligence system reported botnet-assisted DDoS attacks in 80 countries, compared to 67 countries in the previous quarter. There was also a change in the top 10 countries with the highest number of victims of such attacks, with Germany and Canada replacing Italy and the Netherlands. Three Western European countries (the Netherlands, the UK and France) remained among the top 10 countries with the highest number of hosted C&C servers for the second consecutive quarter, followed by Bulgaria and Japan in the fourth quarter.

The longest DDoS attack in the fourth quarter lasted for 292 hours (or 12.2 days), a record for 2016. The last quarter also saw a record number of DDoS attacks in a single day - specifically 1,915 attacks on 5 November.

Overall, the fourth quarter of 2016 was rich in notable DDoS attacks against a wide range of targets, including Dyn's Domain Name System, German Telekom and some of Russia's largest banks. These companies were among the first victims of a new trend, namely DDoS attacks launched through huge botnets composed of vulnerable IoT devices, of which Mirai is a prime example. The approach used by the creators of Mirai has been the basis for many other botnets created from "infected" IoT devices.

The increasing number of attacks using IoT devices was just one of the main trends that emerged in the fourth quarter. Throughout the quarter, there was a significant decrease in the number of amplification DDoS attacks, which were popular in the first half of 2016. The decrease is attributed to better protection against such attacks and to the reduced number of vulnerable servers available to cybercriminals.

The niche vacated by amplification attacks is being filled by application-level attacks, including WordPress Pingback attacks. Detecting application-level attacks poses a much greater challenge because they mimic the activities of real users. The fact that these attacks make more frequent use of encryption only serves to increase the level of risk. Encryption dramatically increases the effectiveness of DDoS attacks: requests must be decrypted before they can be inspected, which complicates the process of filtering out the "undesirables" among the many legitimate requests.

Experts at Kaspersky Lab predict that the trend towards increasingly sophisticated DDoS attacks and a greater number of IoT botnets will continue in 2017.

"IoT devices have the potential to launch DDoS attacks of any complexity, including application-level and encrypted attacks. Given the effectiveness of IoT botnets, as well as the growing number of inadequately protected IoT devices, we can reasonably predict the increase in the number of these attacks, as well as their power and complexity. This means that companies need to take care of their protection beforehand, and carefully select the protection solution for filtering DDoS attacks," comments Kirill Ilganaev, Head of Kaspersky DDoS Protection at Kaspersky Lab.

SecNews