Analysis of DDoS Attack Trends in the First Half of 2018
In the first half of 2018 DDoS attacks surged. IoT‑based SSDP reflection stayed active and the newly dominant Memcached reflection amplification reached 1.7 Tbps; gaming became the most targeted sector; SYN and HTTP floods rose; attack infrastructure shifted abroad; and automated, low‑cost services let teenage operators launch attacks. The report recommends high‑bandwidth cloud and BGP‑based defenses.
Introduction
The first half of 2018 saw continued rapid development of DDoS attacks. IoT‑based SSDP reflection amplification remained active, while Memcached‑based DDoS emerged with up to 50,000× amplification and peak traffic of 1.7 Tbps, drawing significant attention from the security community.
Global Statistics
Tencent Security Cloud‑Ding Lab analyzed the overall DDoS landscape and the evolution of the black‑market supply chain. Memcached attacks alone set a new peak of 1.7 Tbps even though many exposed UDP ports had since been closed: a small number of unprotected Memcached servers is enough to generate massive traffic.
Industry Distribution
Fourteen major industry sectors were examined. The gaming sector, due to its high daily revenue and fast monetisation, was the most targeted, followed by healthcare, IoT, and education, which showed rising attack volumes as they became more internet‑enabled.
Attack Type Share
Reflection amplification accounted for ~55.8% of attacks, with Memcached quickly becoming a major vector. SYN Flood ranked second, shifting from botnet‑based sources to spoofed‑IP packet generators. HTTP Flood remained the primary Layer‑7 method, increasingly using proxy servers and packet generators that vary User‑Agent strings to evade detection.
Reflection Source Regional Distribution
Top‑10 reflection sources (LDAP, NTP, Memcached) were concentrated in the United States, China, and European countries. SSDP sources differed due to IoT device distribution.
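The reflection vectors named above (Memcached, LDAP, NTP, SSDP) all share one detectable trait on the victim side: the flood arrives over UDP from the well-known *source* port of the abused service. The following is an added example, not code from the report or from Tencent, showing how a defender can aggregate flow records per victim and service and flag rates that exceed a threshold; the flow tuple layout, port table and sample records are constructed for the example.

```python
"""Flag likely UDP reflection-amplification floods in flow records.

Added example (not from the report). Each record is a constructed
NetFlow-style tuple: (proto, src_ip, src_port, dst_ip, bytes, packets).
Inbound UDP bytes are summed per (victim, service) and converted to
Mbps over the collection window.
"""
from collections import defaultdict

# Service source ports abused as reflectors (assumed well-known defaults).
REFLECTION_PORTS = {11211: "memcached", 1900: "ssdp", 123: "ntp", 389: "ldap"}

# Constructed sample: three Memcached reflectors hammer 203.0.113.10 over a
# 10-second window; the other records are normal NTP, a TCP session and a
# small SSDP burst that should not trigger an alert.
SAMPLE_FLOWS = [
    ("udp", "198.51.100.1", 11211, "203.0.113.10", 400_000_000, 290_000),
    ("udp", "198.51.100.2", 11211, "203.0.113.10", 400_000_000, 290_000),
    ("udp", "198.51.100.3", 11211, "203.0.113.10", 400_000_000, 290_000),
    ("udp", "192.0.2.7", 123, "203.0.113.10", 480, 10),        # routine NTP
    ("tcp", "198.51.100.9", 11211, "203.0.113.10", 5_000_000, 4_000),  # TCP, skipped
    ("udp", "198.51.100.4", 1900, "203.0.113.20", 2_000_000, 5_000),   # tiny SSDP
]


def detect_reflection(flows, window_seconds, mbps_threshold=100.0):
    """Return {(victim_ip, service): mbps} for every pair over the threshold."""
    inbound_bytes = defaultdict(int)
    for proto, _src_ip, src_port, dst_ip, nbytes, _pkts in flows:
        service = REFLECTION_PORTS.get(src_port)
        if proto != "udp" or service is None:
            continue
        inbound_bytes[(dst_ip, service)] += nbytes
    alerts = {}
    for key, total in inbound_bytes.items():
        mbps = total * 8 / window_seconds / 1e6
        if mbps >= mbps_threshold:
            alerts[key] = round(mbps, 1)
    return alerts


def distinct_reflectors(flows, victim_ip, service):
    """Count distinct reflector IPs sending `service` traffic to the victim."""
    return len({src for proto, src, sport, dst, _b, _p in flows
                if proto == "udp" and dst == victim_ip
                and REFLECTION_PORTS.get(sport) == service})


if __name__ == "__main__":
    print(detect_reflection(SAMPLE_FLOWS, window_seconds=10))
    print(distinct_reflectors(SAMPLE_FLOWS, "203.0.113.10", "memcached"))
```

A high reflector count alongside a high rate distinguishes a distributed reflection flood from a single misbehaving peer, and the same aggregation can be fed from real NetFlow or sFlow exports.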
C2 Server Regional Distribution
Domestic C2 servers showed a trend of migration abroad, while some high‑performance botnet operators shifted resources to cryptocurrency mining, making C2 monitoring more challenging.
Attack Family Analysis
Major families such as Xorddos, Billgates, Mayday, Dofloo, Nitol, and Darkshell dominated. Xorddos generated tens of thousands of attacks daily, primarily SYN Floods; Nitol focused on HTTP Floods but also launched SYN, ICMP, and TCP floods.
Traditional DDoS Personnel Roles
Roles included orderers (the paying sponsors, 金主), guarantors, order takers (attackers), traffic sellers, botnet providers (suppliers of compromised "zombie" hosts, 肉鸡), and tool developers. This division of labour lowered technical barriers and complicated attribution.
Automation Evolution
Automation reduced the need for guarantors and manual attackers. Modern web‑based DDoS platforms provide instant ordering, payment, and attack launch within seconds, with platform operators (site owners, 站长) handling management and maintenance. Packet generators now replace traditional botnets, and the platforms often integrate reflection‑amplification tools and sophisticated HTTP Flood scripts.
Conclusion & Outlook
Overall attack volume and intensity rose in H1 2018. The black market's personnel and technology evolution lowered entry barriers, with many operators being teenagers. Recommendations include using cloud providers with large bandwidth and BGP resources (e.g., Tencent Cloud's Dayu, 大禹). Future trends anticipate new reflection‑amplification vectors, IoT‑driven botnets, a resurgence of P2P botnets, and migration to darknet‑hosted DDoS services.
Tencent Cloud Developer
Official Tencent Cloud community account that brings together developers, shares practical tech insights, and fosters an influential tech exchange community.