Our New DDoS Normal Isn’t All That Normal

Summary

Yes, the first half of 2021 saw yet another record broken when it comes to global distributed denial-of-service (DDoS) attacks—but that’s not the full picture. After an astonishingly active first quarter of DDoS attack activity, things calmed down a bit for the second quarter of 2021. Unfortunately, “calmed down” is a relative term. Think of a toddler throwing a full-blown temper tantrum versus one whining constantly and loudly. One is certainly calmer, but neither scenario could be called great. 

Details

According to research from NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT), threat actors launched approximately 5.4 million DDoS attacks in the first half of 2021, an 11 percent increase from the same time period in 2020. Any way you slice it, that’s not a fun number and puts the world on track to hit close to 11 million DDoS attacks in 2021. But Q2’s numbers do show some signs of abatement:

• ASERT observed 2,488,048 attacks in the second quarter, a 13 percent decrease compared with the first quarter’s extraordinary number of 2,863,882.
• The second quarter 2021 numbers also decreased by 6.5 percent compared with the same period in 2020. 
• In June, monthly DDoS attack numbers dropped below 800,000 for the first time since March 2020, to 761,914. 

Second Quarter 2021
Total attacks: 2.48 million
Max size: 530 Gbps
Max throughput: 391 Mpps
Average duration: 59 minutes

But although attack frequency has dropped, we are nowhere near the attack numbers that were considered normal prior to the onset of the COVID-19 pandemic. To put things in perspective, we pulled data from the before the pandemic: 2019. In comparison, the second quarter numbers from 2021 showed a continued high level of activity: 

• 13 percent more attacks in 2021 than 2019
• The lowest monthly number of attacks for Q2 21 came in June, with 761,914 attacks. That low number nonetheless topped the high-water mark of Q2 2019: April’s 755,748 attacks.

Several other things jumped out from our review of both quarterly and first-half statistics for 2021.

• The top five DDoS attack vectors seen in the first half of 2021 were TCP ACK, DNS amplification, TCP SYN, TCP RST, and TCP SYN/ACK amplification.
• Attackers continue to find value in pouring on faster, more difficult-to-mitigate attacks. Adversaries ratcheted up throughput considerably, with the max throughput recorded increasing by 65 percent compared with Q1 2020.
• When it comes to attack duration in Q2 2021, attacks of five to ten minutes continued to top the list, used by 38 percent. We also saw a slight increase in attacks lasting between 10 minutes and an hour compared with Q1 duration numbers.

Conclusion

Adversaries will never turn down an opportunity for innovation—and the COVID-19 pandemic provided an enormous one. As such, the pandemic’s long tail of cyberthreat innovation will likely continue well into 2021 as cybercriminals continue to discover and weaponize new attack vectors that exploit pandemic-related vulnerabilities.