China is the world’s largest source of DDOS attacks, but its share is falling

By Eliza Gkritsi

Last month, the CEO of encrypted messaging service Telegram said that a distributed denial of service (DDOS) attack on the platform was coming from devices in China. The country was revealed to be the biggest source of DDOS attacks globally in a recent report by security provider Nexusguard.

But according to our statistical analysis and input from experts, the fact that most compromised devices come from China does not necessarily indicate that attackers work from China, nor that security practices are worse there than in other countries.

China was the top source of DDOS attacks for the first quarter of 2019, while the US was a close second. Their overall share is decreasing, as countries like Vietnam and Brazil, which didn’t even make the top 10 two years ago, now take the fourth and sixth spots respectively.

China surpassed the US as the top source of DDOS attacks in 2017. Data from Nexusguard Q1 2019 DDOS report (Image credit: TechNode/Eliza Gkritsi)

DDOS attacks essentially overwhelm web servers with bogus traffic, hindering them from processing requests from real users.

Nowadays, “devices which perpetrate these attacks are unwilling victims,” Nexusguard Product Director of Enterprise Security Solutions Donny Chong told TechNode. Hackers take over others’ devices and use them to overwhelm websites with traffic.

Theoretically, it is possible to find who is controlling the devices. In practice, however, it might prove difficult. “The IP address of who is controlling the devices can be spoofed,” said Chong, which makes it harder to track the origin of the hack.

Attacks of the Domain Name System (DNS) type often use IP spoofing. According to the Nexusguard report, DNS attacks accounted for around 43% of all DDOS attacks in the first quarter.

These so-called botnets are traded in the dark corners of the internet and, in the case of China, on WeChat and QQ groups, Chong said.

In other words, the devices that perpetrate the attack often do not reveal who is behind it, nor where the hacker is based, and hacked devices from all around the world are traded online.

Vietnam and Brazil are increasingly the source of DDOS attacks, whereas Germany’s share has fallen. Data from Nexusguard Q1 2019 DDOS report (Image credit: TechNode/Eliza Gkritsi)

But why are devices in the US and China making up almost two-fifths of the total used in DDOS attacks, and why are countries like Vietnam becoming more common sources?

Using data from Nexusguard’s report and the World Bank, TechNode found that a larger online population correlates to a higher incidence of compromised devices used in such attacks.

Dmitry Kurbatov, CTO of Russian cybersecurity company Positive Technologies, told TechNode that the proliferation of smartphones and IoT devices has given hackers plenty of unwilling victims to choose from. “This is simply where most devices are,” he said.

Countries like Vietnam have been developing, and so people are buying more internet-connected devices. “Citizens are getting more exposed to security risks,” Chong said.

Apart from the larger pool of devices, Chong added that security practices and awareness differ from country to country, and these have a large impact on device safety. “We believe it is linked to IT security awareness and the issue of privacy,” he said.

A wifi router, for example, can be used as a launching platform for a hacker carrying out a DDOS attack. But many people “do not apply basic security practices when they buy these devices,” said Kurbatov. These include setting up strong passwords or switching off some management interfaces.

In addition, in some countries, when a new device is purchased, the network operator may enhance security controls. Kurbatov said that in some countries “the network operator says we’ll provision the ‘box’ but we will manage it for you. So maybe they will hide the management ports [from the user].”

The share of DDOS sources a country has globally is more closely related to the number of broadband subscriptions. (Image credit: TechNode/Eliza Gkritsi)

But there is no clear evidence that China is doing something wrong in protecting its devices, and the higher share of DDOS sources could just be a result of the sheer number of devices.

Based on data from Nexusguard and the World Bank, TechNode found that a country’s share of global DDOS attacks is most strongly correlated with the number of broadband subscriptions. This could be because wifi routers are often more vulnerable to attacks than smartphones, for reasons ranging from device settings to security habits of users.

Smartphone usage and the total online population are positively correlated with a country’s percentage share of DDOS attack sources, but the relation is weaker.

Because of gaps in security awareness across countries, the issue of compromised devices is harder to solve in some countries compared with others, said Chong.

In preventing cyber attacks, “the role of security awareness is huge. It’s like the safety instructions when you cross the road,” Kurbatov said.