Breakdown of DDoS Trends Going in 2022


DDoS attacks have reached new levels of sophistication by making use of multiple attack vectors and by using botnets spanning around the globe. These attacks are targeting all industries and have the potential to negatively affect more people and organizations than ever before. Cheap and easy access to tools necessary to launch DDoS attacks paired with their efficiency make them a troubling threat. In this article, we will discuss these DDoS attack trends and more going into 2022 so that you can gauge your company’s security preparedness with current risks.

To do this we will analyze data from various vendor sources. Individual vendor’s DDoS attack data can be helpful to view, but they are limited in scope due to relying on data gathered only from their clients. By viewing multiple sources, we are able to get a more accurate composite view of DDoS trends.

Increases in attack sizes and numbers

PeerWise calculated that there were approximately 13.2 million DDoS attacks in 2021. This number represents a 31% increase in DDoS attacks in 2021 as compared to 2020. Every quarter of the year besides Q2 saw huge increases in DDoS attacks compared to the corresponding quarter in 2020. 2021’s Q4 experienced the largest increase with 465% more attacks than in Q4 2020.

The size of these attacks grew as well. Attacks are measured differently depending on what they target, but the most frequently used attacks are volumetric, and these are measured in bps (bits per second). A record-breaking attack size in 2015 was 334 Gbps. This record was broken the following year with a 602 Gbps attack. The record doubled again in 2018 with a 1.35 Tbps attack against GitHub. In 2021 a new record DDoS attack hit Microsoft Azure, topping out at 3.47 Tbps.

An application DDoS attack that broke records also was reported in 2021 by Cloudflare. They stopped a 17.2 million HTTP rps (requests per second) attack in July. This represented a total of 68% of their average HTTP rps across all clients.

Sourced from Cloudflare

In a trend that is all too common in the cybersecurity space, blackhat hackers and security teams are constantly in a battle to see whose capabilities will outdo the other. This, coupled with rapidly increasing technological capabilities, means that the sizes of attacks will only continue to grow in the coming years.

Ransom-related DDoS (RDDoS) attacks 

Ransom-related DDoS attacks have also followed this upward trend. There was a 29% year-over-year increase in RDDoS attacks in 2021. A NISC survey found that 44% of all the organizations they surveyed were targeted by a ransom-related DDoS attack. This was even larger than the number of organizations that saw a ransomware attack. Cloudflare found slightly lower, but still concerning, numbers. In December 2021 they found that one of every three organizations they surveyed was targeted by an RDDoS attack. In another survey, only 24% of cybersecurity professionals said they were very confident in their organization’s ability to handle an RDDoS attack. 70% of companies targeted by an RDDoS attack were targeted more than once.

RDDoS attacks are sometimes used as part of a “triple extortion.” This is a three-part extortion effort. The first part involves data encryption: hackers infiltrate a network and encrypt valuable data, then demand a ransom in exchange for the decryption key. A double extortion adds data theft to the mix. In addition to encrypting data, they also steal it and demand a ransom under the threat of making the confidential data available to the public. The third element, which makes an attack a triple extortion, is a DDoS component. After the first two steps the hacker launches a DDoS attack on the target. This adds stress and immediacy for the target in an attempt to pressure them into paying the ransom.

An example of a ransom letter is displayed below.

Sourced from Radware

Voice-over-IP providers were a frequently targeted industry for RDDoS attacks in 2021. These technologies focus on communication over the internet (such as a Zoom call or WhatsApp). The reason these providers are targeted so frequently is that a clear connection is critical to the provider’s success. If your Zoom calls constantly lag, you may search for an alternative way to handle online meetings.

Attacks on VoIP providers utilize multi-vector Layer 7 (application layer) and Layer 3 & 4 attacks. Most attacks take advantage of vulnerabilities in UDP and the SIP protocol. Spoofed DNS reflection and other amplification and reflection vectors are used.

Ransomware and ransom DDoS payments in 2021 exceeded the total amount paid in the last decade. The overall success rate of ransom DDoS attacks and the relatively low cost of performing these attacks suggest that the trend of increased RDDoS attacks will continue to rise.

Frequency, length, and average sizes of attacks

There is a growing trend of short, persistent DDoS attacks. This can be attributed in part to RDDoS attacks, where attackers issue short attacks first as a demonstration of their capabilities. The trend can also be attributed to a growing awareness among attackers that many companies’ mitigation services take time to respond. Hitting a target with frequent but short attacks leaves no window for on-demand mitigation services to help.

Data from all the vendors we analyzed show that the vast majority of attacks last less than an hour. Microsoft’s 2021 Digital Defense Report found that 84% of DDoS attacks lasted less than an hour and 96% lasted less than 4 hours. More than a quarter of attacks lasted 5 minutes or less.

Sourced from Microsoft

Imperva’s report broke the attacks down into network DDoS attacks and application DDoS attacks. Both network and application layer attacks mainly lasted an hour or less. Almost a quarter of network attacks lasted 2 minutes or less. About 23% of network attacks lasted over an hour.

The attack durations for application attacks were once again predominantly less than an hour; however, about 44% of attacks lasted over an hour. This discrepancy could be due to the fact that application DDoS attacks tend to require more sophistication on the part of the hacker. Hackers utilizing an application attack may have the tools to perform longer-lasting attacks.

In many cases shorter attacks are used because they end before on-demand DDoS protection services have “activated,” exploiting the gap in response time. As seen in the example of the ransom note shown earlier in the article, some hackers find it beneficial to run longer attacks in order to extort a company most effectively. A continued attack puts increased pressure on the company to pay.

We discussed large record breaking DDoS attacks earlier, but it is important to note that not all attacks are large in size. Looking at application attacks, measured in requests per second (rps), Imperva found only about 6% of attacks were greater than 10,000 rps. Cloudflare’s data on network layer DDoS attacks show that over 90% of attacks reach a size of less than 50,000 packets per second (pps).

Sourced from Cloudflare

Of the attacks launched on Cloudflare customers by the Meris botnet, one of the largest and most dangerous botnets, the average attack peaked at 106 thousand rps, and the median was smaller still. This is much lower than the largest attack recorded, which peaked at over 17 million rps.

Sourced from BrightTalk, presentation put together by Cloudflare

Smaller-sized attacks should not be ignored. These attacks may not seem threatening, but they can cause problems for companies that do not have adequate DDoS protections. Many companies have a capacity smaller than 1 Gbps. DDoS attacks smaller than 500 Mbps can cause problems for these companies.

The size of an attack does not necessarily correlate with its duration. The 17.2 million rps attack against Cloudflare that was discussed at the beginning of the article lasted only a minute. These short but powerful attacks can be crippling to companies that are not fast enough at mitigating them.

Unless something changes in most companies’ mitigation strategies, this trend of short but persistent attacks will continue. At the moment many companies rely on on-demand cloud DDoS protection. While there may be a time and place for these services, they have the disadvantage of often not being able to respond to short-lived threats quickly enough.
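The gap between attack duration and on-demand activation time described above is easy to quantify for your own environment. The following is an added example, not code from the original article or any of the vendors it cites: it parses a constructed list of attack records (start, end, peak size), sorts them into the duration buckets the vendor reports use, and computes what share of the attacks that actually exceeded a hypothetical link capacity would have ended before an on-demand service with a given time-to-mitigate diverted traffic. The capacity, the activation delays and all records are assumptions chosen for illustration.

```python
"""Added example (not from the original article): check what share of a
set of attacks an on-demand mitigation service would actually cover, given
its activation delay.  All attack records below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed records (not vendor data): start,end,peak_gbps in ISO 8601
SAMPLE_ATTACKS = """
# start,end,peak_gbps
2021-11-01T10:00:00,2021-11-01T10:02:00,0.8
2021-11-01T11:00:00,2021-11-01T11:04:30,2.5
2021-11-01T12:00:00,2021-11-01T12:20:00,0.3
2021-11-01T13:00:00,2021-11-01T13:45:00,1.6
2021-11-02T09:00:00,2021-11-02T11:30:00,4.0
2021-11-02T14:00:00,2021-11-02T19:00:00,0.9
2021-11-03T08:00:00,2021-11-03T08:01:00,3.2
2021-11-03T16:00:00,2021-11-03T16:05:00,1.2
"""


@dataclass
class Attack:
    start: datetime
    end: datetime
    peak_gbps: float

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_attacks(text: str) -> list:
    """Parse 'start,end,peak_gbps' lines; blank lines and '#' comments are skipped."""
    attacks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start_s, end_s, peak_s = line.split(",")
        start, end = datetime.fromisoformat(start_s), datetime.fromisoformat(end_s)
        if end < start:
            raise ValueError(f"attack ends before it starts: {line}")
        attacks.append(Attack(start, end, float(peak_s)))
    return attacks


def duration_buckets(attacks: list) -> dict:
    """Count attacks in the duration buckets the vendor reports above use."""
    buckets = {"<=5min": 0, "5min-1h": 0, "1h-4h": 0, ">4h": 0}
    for a in attacks:
        d = a.duration
        if d <= timedelta(minutes=5):
            buckets["<=5min"] += 1
        elif d <= timedelta(hours=1):
            buckets["5min-1h"] += 1
        elif d <= timedelta(hours=4):
            buckets["1h-4h"] += 1
        else:
            buckets[">4h"] += 1
    return buckets


def unmitigated_fraction(attacks: list, time_to_mitigate: timedelta,
                         capacity_gbps: float) -> float:
    """Share of attacks that exceeded the link capacity (so they mattered) and
    were over before an on-demand service, activated at attack start with the
    given delay, would have begun diverting traffic.  Returns 0.0 when no attack
    exceeded capacity."""
    at_risk = [a for a in attacks if a.peak_gbps > capacity_gbps]
    if not at_risk:
        return 0.0
    unmitigated = sum(1 for a in at_risk if a.duration <= time_to_mitigate)
    return unmitigated / len(at_risk)


if __name__ == "__main__":
    attacks = parse_attacks(SAMPLE_ATTACKS)
    print(duration_buckets(attacks))
    # Assumed 1 Gbps upstream capacity; compare always-on (0 min) with on-demand delays
    for minutes in (0, 5, 15, 60):
        share = unmitigated_fraction(attacks, timedelta(minutes=minutes), capacity_gbps=1.0)
        print(f"time-to-mitigate {minutes:>2} min: {share:.0%} of capacity-exceeding "
              "attacks end before diversion")
```

Swapping in real attack logs and your provider's contractual time-to-mitigate turns this into a quick check of whether an on-demand contract actually covers the attack sizes and durations your organization sees.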

Attack vectors

Going into 2021, we can see that many more volumetric attacks were used than application or protocol attacks. This trend continued through 2021, and volumetric attacks are still the most commonly used. For more details on what these kinds of attacks entail, see our DDoS attack rundown.

Sourced from f5 labs

Getting into specific attack vectors used, UDP floods, TCP floods (particularly TCP ACK floods), and SYN floods were among the most common vectors used. This data comes from Microsoft Azure, Cloudflare, Radware, and NetScout. Slight variations in data can be seen between vendors. Because of the large client pool of Cloudflare, consisting of over 1,000,000 companies, they are perhaps the most accurate representation of attacks. They gave quarterly updates on the breakdown of network layer attack vectors they saw in 2021. Across all quarters besides Q4, they saw over 50% of attacks using SYN floods. In Q4 SYN floods were still the most common, making up about 37% of attacks. The percentage peaked in Q1, where they found that almost 60% of attacks were SYN flood attacks.

Sourced from Cloudflare

To look at attack vectors across all types of DDoS attacks Microsoft Azure, which hosts over 200,000 companies across all industries, can also give a good representation of attacks. Microsoft experienced UDP flood attacks in greatest numbers. This was followed by TCP ACK floods.

TCP ACK floods were the most common attack vector detected by NetScout. TCP based flood attacks have increased in popularity, being used 19% more than typical volumetric attacks in 2021. A possible explanation for this is their capabilities to quickly overwhelm stateful devices such as firewalls and VPN gateways; two tools companies rely on to increase security for remote workers.

The application targeted the most for both Microsoft and Radware was HTTP. This equated to 70% of the attack volume on applications against Radware, followed by 18.4% of attacks targeting HTTPS. For Microsoft more than 35% of attack volume targeted HTTPS and 10% targeted HTTP.

Sourced from Radware

When we talk about vectors used in attacks it is necessary to take into consideration the rising trend of attacks utilizing multiple vectors. In 2020 the largest multivector attack used 26 vectors. In the first half of 2021 alone there were 15 attacks reported by NetScout using between 27 and 31 vectors. 

Sourced from NetScout

While the attack counts for 2021 listed in this graph only came from the first half of 2021, there is an observable trend that multivector attacks are approximately doubling each year. Multivector attacks can make defending against DDoS more complicated, as multiple different applications, networks, or protocols are targeted at once.

Multivector attacks are nothing new. A DDoS report from A10’s Q1 2010 discusses how 60% of the DDoS attacks they experienced were multivector: 42% used two vectors and 17% used three or more. Nowadays most DDoS attacks meant to do real damage will utilize multiple vectors. In the coming years single-vector DDoS attacks will likely be a thing of the past. Trends suggest more and more attack vectors are being utilized. NetScout has taken to calling the attacks that use the greatest number of vectors “omnivector” attacks. The omnivector attacks of today will likely look as antiquated as reading about sophisticated three-vector attacks in 2010.

Sourced from f5 labs

This chart provided by f5 labs does a good job of illustrating the divergence seen in the last two years between single-vector and multivector attacks. Going into 2021 there was a noticeable split where single-vector attacks declined while multivector attacks sharply increased.
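Whether an attack is single- or multivector is something a defender can derive from their own flow telemetry, using the same signals the vendor data above is built on: TCP flag pattern (SYN-only versus ACK-only floods), a well-known reflector source port with oversized answers, and the destination port for HTTP and HTTPS request floods. The following is an added example, not code from the article or from any vendor named in it: it classifies constructed flow summaries into the vector families discussed in this section, aggregates packet counts per target and vector, and flags targets hit by more than one vector. The flow format, the packet-count threshold and the average-packet-length cutoffs are assumptions for illustration.

```python
"""Added example (not from the original article): classify flow summaries
into the DDoS vector families named in the vendor data above and count how
many distinct vectors hit each target, so multivector attacks stand out.
All flow records here are constructed sample data."""
from collections import defaultdict

# Constructed flow summaries (not vendor data). Fields:
# proto,src_port,dst_port,tcp_flags('-' for UDP),packets,bytes,target
SAMPLE_FLOWS = """
tcp,40211,443,S,180000,10800000,web-1
tcp,40212,443,S,175000,10500000,web-1
tcp,51000,443,A,120000,7200000,web-1
udp,53,3291,-,90000,117000000,web-1
udp,1234,9999,-,200000,120000000,web-1
tcp,39000,443,PA,40000,20000000,web-1
tcp,50001,80,S,200,12000,api-2
udp,40000,8080,-,300000,180000000,api-2
tcp,52000,443,PA,900,720000,api-2
"""

# Assumed threshold: a (target, vector) bucket below this many packets in the
# window is treated as background noise rather than a flood vector.
VECTOR_THRESHOLD_PACKETS = 50_000


def classify_flow(proto, src_port, dst_port, flags, packets, nbytes):
    """Map one flow summary to a vector family, or None if it looks benign.
    Signals: SYN-only flags, ACK-only flags with tiny packets, a DNS source
    port with large answers (reflection/amplification), any other UDP volume,
    and PSH/ACK traffic to 80/443 for request floods."""
    avg_len = nbytes / packets
    if proto == "tcp":
        if flags == "S":
            return "SYN flood"
        if flags == "A" and avg_len < 100:
            return "TCP ACK flood"
        if flags == "PA" and dst_port in (80, 443):
            return "HTTPS request flood" if dst_port == 443 else "HTTP request flood"
        return None
    if proto == "udp":
        if src_port == 53 and avg_len > 512:
            return "DNS reflection/amplification"
        return "UDP flood"
    return None


def vectors_per_target(flow_text):
    """Sum packets per (target, vector) and return, for each target, the sorted
    list of vectors whose packet count crossed VECTOR_THRESHOLD_PACKETS."""
    packets_by = defaultdict(int)
    for line in flow_text.strip().splitlines():
        proto, sp, dp, flags, pk, by, target = line.split(",")
        vector = classify_flow(proto, int(sp), int(dp), flags, int(pk), int(by))
        if vector:
            packets_by[(target, vector)] += int(pk)
    result = defaultdict(list)
    for (target, vector), count in packets_by.items():
        if count >= VECTOR_THRESHOLD_PACKETS:
            result[target].append(vector)
    return {target: sorted(vecs) for target, vecs in result.items()}


def is_multivector(vectors):
    """A target hit by two or more distinct vector families in the window."""
    return len(vectors) > 1


if __name__ == "__main__":
    for target, vecs in vectors_per_target(SAMPLE_FLOWS).items():
        kind = "multivector" if is_multivector(vecs) else "single-vector"
        print(f"{target}: {kind} ({len(vecs)} vectors): {', '.join(vecs)}")
```

The per-vector breakdown is what makes the response actionable: a SYN flood, an ACK flood against a stateful firewall and a DNS reflection component each need a different filter, so knowing the count of vectors tells you how many mitigations must be in place at once.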

DDoS Attacks by industry

Industry categories are not consistent across all vendors, but the data they collected can give a good idea of which industries are most at risk. The technology industry remains one of the most targeted industries. The Imperva and Radware data sets have technology/computing ranking number one in terms of number of attacks.

Sourced from Cloudflare

Cloudflare has manufacturing as number one, which is unusual. They found a 641% increase QoQ in the number of attacks on this industry. They speculate this could have been very large specific attacks which shifted the data so heavily onto this industry.

Sourced from NetScout

NetScout’s methodology of collecting data is a bit different as they look at different verticals instead of more standard industry categories. They found Telecommunications carriers to be the most targeted. Other vendors’ data corroborates this, as they also found telecommunications to be among the most targeted industries. By volume, Imperva found telecommunications and gaming to be the second and third most attacked industries preceded only by retail. Cloudflare found similar statistics, particularly with ransom DDoS attacks. 

DDoS Attacks by geographic location

When looking at DDoS attacks by region, it is important to note where the attacks were launched as well as where the targets were located. Cloudflare found that in each quarter of 2021 China was by far where most DDoS activity originated from. 3 out of every thousand HTTP requests that originated in China were part of an HTTP DDoS attack.

Sourced from Cloudflare

NetScout evaluated all of the unique devices they found that were vulnerable to abuse. This allowed them to illustrate key density zones. They then plotted the recently observed attacks over time to show how hackers abuse these devices. The graphic below shows that the majority of these abusable devices reside in Germany, the United States, Russia, and China.

Sourced from NetScout

The countries most targeted by DDoS attacks vary some depending on which vendor’s data you are looking at. The one commonality between all data sets is that the United States was the most targeted country in 2021. European countries are also high on the list.

Sourced from Microsoft

Modern landscape for initiating attacks 

For-hire services to initiate DDoS attacks, also known as booters or stressers, have been around for some time. In 2018 there were sweeping FBI and Europol raids to shut booters down. Fifteen of these sites were shut down in 2018 including the largest booter site – webstresser.org. That site had 136,000 users and had launched 4 million DDoS attacks. 

On the effectiveness of these raids, a 2019 whitepaper titled “DDoS hide and seek: on the effectiveness of a booter service takedown” examined whether DDoS attacks subsided after the leading booter sites were shut down. Their conclusion was that there was minimal effect due to new booters taking the place of the old ones.

The paper says, “we learned that despite the seizure of fifteen domains, many alternative booter sites exist and seizing the front-end of booter services does not improve the situation for DDoS victims, as the underlying infrastructure of reflectors probably remains online and can be used without disruption.”

In 2019 a bulletproof hosting service was taken down: 5 servers operating out of Amsterdam that were used by tens of IoT botnets were seized. In 2020 another 15 booters were shut down. Despite these efforts, DDoS-for-hire services continue to thrive. There have been slight changes in how they look now compared to then, but the principles of their operations remain the same.

In the past booters used to advertise through stunt hacks and public advertising on social media platforms. Darknet forums were much more common then than they are now. Today the advertising landscape has changed slightly, but booter services are no harder to find. Simple searches on any search engine, including Google, will bring up these services. They are able to get away with this because of a legal gray area: in theory they could be used by a company to perform stress tests on its own security systems. This is legal, but it is not the main revenue source for these kinds of services. Booters still have some social media presence, though most commonly now they use Instagram to boast of their DDoS successes. Some even go so far as to put their Instagram handles in their bot malware binaries.

Sourced from Cisco

In addition to booters, botnet builder kits can be found through any search engine as well. These kits come with tips and instructions on how to build a botnet, as well as the bot payload and command-and-control (CnC) files.

If someone does not want to fuss with building their own botnet, the for-hire-DDoS services are quite cheap. This graphic from Cisco shows a subscription model running as low as $12.99 a month.

Sourced from Cisco

Microsoft’s figures go into more detail. Prices for DDoS-for-hire services had stayed relatively constant from 2013 to 2020. 2021 saw lots of price fluctuation. A rise in price started just before 2021 and carried into the year. Microsoft attributes the higher prices to the rising cost of the resources used for DDoS attacks, as well as to increased security defenses, which in turn require more complex attacks.

Sourced from Microsoft

This observation ties in with the trend of multivector attacks being on the rise. In the past it was much easier for someone to launch a DDoS themselves: a small botnet performing a single-vector attack could be effective. Nowadays any serious attack will incorporate multiple vectors and utilize massive numbers of bots and/or hacked devices. For a DDoS attack on a small business with poor security practices, someone with minimal cyber knowledge may still be able to launch an effective attack. But for those who want to attack larger businesses, these for-hire services have become all but required. For this reason we expect for-hire services to continue going up in price to meet an increase in demand that will continue through the year.

Conclusion

DDoS trends can provide a way for businesses to determine their relative risk of getting hit by DDoS attacks. Different industries get hit to different degrees, as do organizations in different geographic locations. Even if your business is not among the most likely targets, that does not mean it won’t be hit. DDoS attacks are increasingly popular. Combine that with their increasing sophistication in attack vectors and sizes, plus the element of ransom thrown in, and DDoS has become a serious threat. Knowing the trends is the first step of defense.

If you take a minute below to answer our survey we’ll send you the final report. The survey takes a look at DDoS attacks in relation to headcount size of a business. There is little discussion online on the relationship between these two variables. In the end it will provide an even better way to gauge your company’s risk levels.

Sources:

https://www.netscout.com/blog/asert/our-new-ddos-normal-isnt-all-normal#:~:text=ASERT%20observed%202%2C488%2C048%20attacks%20in,the%20same%20period%20in%202020

https://www.csoonline.com/article/3020292/ddos-attack-on-bbc-may-have-been-biggest-in-history.html

https://azure.microsoft.com/en-us/blog/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends/?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-z.wgDMBgw0fA5zpR8hj_tA&epi=TnL5HPStwNw-z.wgDMBgw0fA5zpR8hj_tA&irgwc=1&OCID=AID2200057_aff_7593_1243925&tduid=%28ir__od2pbu9xzkkf6ghtma3oetli032xtxtxg1u0q3zh00%29%287593%29%281243925%29%28TnL5HPStwNw-z.wgDMBgw0fA5zpR8hj_tA%29%28%29&irclickid=_od2pbu9xzkkf6ghtma3oetli032xtxtxg1u0q3zh00

https://blog.cloudflare.com/cloudflare-thwarts-17-2m-rps-ddos-attack-the-largest-ever-reported/

https://www.techradar.com/news/ddos-attacks-soared-to-new-highs-in-2021

https://www.infosecurity-magazine.com/news/attackers-turning-ddos-ransom/

https://radar.cloudflare.com/notebooks/ddos-2021-q4#ransom-attacks

https://www.radware.com/2021q2-ddos-report/

https://www.brighttalk.com/webcast/16125/526084?utm_source=brighttalk-portal&utm_medium=web&utm_campaign=channel-page&utm_content=featured

https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report

https://www.imperva.com/resources/resource-library/reports/ddos-threat-landscape-report/

https://www.cloudflare.com/hp/

https://www.f5.com/labs/articles/threat-intelligence/ddos-attack-trends-for-2020

https://enlyft.com/tech/products/cloudflare

https://enlyft.com/tech/products/microsoft-azure#:~:text=We%20have%20data%20on%20204%2C982,1M%2D10M%20dollars%20in%20revenue.

https://www.netscout.com/sites/default/files/2021-10/SECWP_020_EN-2101%20-%20Enemy%20of%20the%20State.pdf

http://book.itep.ru/depository/ddos/AST-0175063_A10_rev_3_v3.pdf

https://www.bbc.com/news/technology-46647390

https://www.europol.europa.eu/media-press/newsroom/news/world%e2%80%99s-biggest-marketplace-selling-internet-paralysing-ddos-attacks-taken-down

https://blog.apnic.net/2020/10/12/ddos-hide-and-seek-on-the-effectiveness-of-a-booter-service-takedown/

https://www.cisco.com/c/en/us/products/collateral/security/evolution-ddos-attack-vectors-wp.html
