• Arbor Networks - DDoS Experts

What Happened in the Second Half of 2021?

Initial Insights and Global Trends

cyber skull
by Richard Hummel on

Executive Summary

The second half of 2021 finally saw much of the world returning to normal, at least until the recent Omicron variant sent us packing back home. The premature return to normal coincided with a welcome respite in overall DDoS Attack numbers, but unfortunately adversaries used innovation and perseverance with TCP-based flood attacks and server-class botnets to effectively render the decline moot. If you only looked at the overall attack numbers found in the upcoming 2H 2021 Threat Intelligence Report, you might be tempted to celebrate the reduction in overall attacks from 5.4 million in 1H 2021 to 4.4 million in the next report, which will publish in March, but we ended 2021 with a total of 9.7 million attacks, just a three percent decrease from 2020 and a 14 percent increase over the number of attacks that occurred in 2019.

Key Findings

  • While overall attack counts were down for the last half of the year, innovation and adaptive DDoS attacks continued to pummel the world with disruptions and network outages.
  • NETSCOUT observed a balancing of the scales between reflection/amplification attacks and direct-path (non-spoofed) DDoS attacks with TCP-based floods and botnets. 
  • While overall attack counts decreased around the global, organization specific targeting boomed as adversaries turned their gaze to DDoS extortion and specific verticals.


In our last Threat Intelligence Report we showed a trending reduction in attacks to coincide with the tail end of COVID, which is definitely in sight, Omicron variant notwithstanding. While it's great that the number of attacks we've experienced during the pandemic is slowing, a small breath of fresh air, we still experienced a 14 percent increase in cyberattacks if you discount the unprecedented numbers tied directly to the pandemic.

Understanding the numbers

Without question, threat actors continue to leverage large botnets or non-spoofed sources to launch TCP-based attacks (TCP SYN, TCP ACK, TCP RST, and UDP Floods) that can overwhelm a target’s state-based network infrastructure. As such, there was a decrease in reflection/amplification attacks resulting in an overall 14 percent decrease in attacks from 1H2021.

More specifically, there was a 32 percent decrease in DNS Amplification attacks, which accounts for a large portion of the overall decrease. It's quite likely that a reduction in these attacks is due to the fact that they're well understood – giving adversaries enough incentive to develop new tactics for circumventing security measures.

Because while there was a decrease in DNS Amplification attacks, there was an increase in Direct-Path attacks – such as attacks that don't use spoofed source IP addresses – with several troubling trends emerging, including:

  • Attacks against VOIP providers increased by 93 percent
  • The computer manufacturing vertical was hit between 162 percent and 263 percent more frequency depending on the specific area within the vertical
  • Attacks against software publishers increased by 606 percent
  • Insurance agencies & brokerages experienced a 257 percent increase
  • Attacks against colleges, universities and professional schools increased by 102 percent

What it all means

Increased attacks against this wide swathe of industries combined with an increase in direct-path attacks suggests that adversaries are singling out organizations to attack rather than indiscriminately attacking in the hope of success. Moreover, there's a significant increase in DDoS Botnet activity, which are almost entirely direct-path attacks. This indicates that adversaries are no longer spoofing the source of attacks. Instead, they're sending attack traffic directly from bot nodes to the target.

Be sure to look for additional insights into how attackers and their methods are changing in the upcoming report, which comes out in March. Until then, check out the findings of the past 1H 2021 report to learn more DDoS attack activity, trends and unique insights.  Also be on the lookout for additional blogs to better understand interpreting the report data and how to protect your company from attacks.

NETSCOUT's Threat Intelligence Report covers the latest trends and activities in the DDoS threat landscape. It covers data secured from NETSCOUT's Active Level Threat Analysis System (ATLAS™) coupled with NETSCOUT's ATLAS Security Engineering & Response Team insights.

Posted In
  • Attacks and DDoS Attacks