DDoS Global Attack Trends

As the global pandemic forced a significant portion of the world into lockdown, our ability to shift work and life online proved to be a vital lifeline.

Unfortunately, such sudden and major changes often expose new vulnerabilities, and the COVID-19 pandemic was no exception. Armed with an ever-improving set of tools that lowered the bar to entry for launching more-complex, higher-throughput attacks, cybercriminals eagerly leveraged new weaknesses, setting the stage for a banner year for DDoS activity.

For the first time in history, the annual number of DDoS attacks crossed the 10 million threshold, with ASERT observing a staggering 10,089,687 attacks over the course of the year. This represents a 20 percent increase in attacks year over year, but that figure includes the pre-pandemic months of January, February, and most of March. For the second half of 2020, which was entirely pandemic-ridden, attacks rose 22 percent year over year. According to Carlos Morales, chief technology officer of security solutions at Netscout partner Neustar, Inc., “When the COVID pandemic hit, the numbers skyrocketed as attackers took aim at distracted and heavily internet-dependent companies. Then they rose again when the DDoS extortion campaign started, leading to a rash of ransom-related DDoS attacks.”

2020 Statistics

[Headline 2020 figures: maximum attack size, Tbps (EMEA); maximum throughput, Mpps (APAC); largest regional attack frequency, number of attacks (EMEA); average global attack duration, minutes]

As cybercriminals quickly exploited pandemic-driven opportunities, another kind of “new normal” emerged. Not only did DDoS attack frequency increase by nearly 1.6 million attacks year over year, but monthly DDoS attack numbers also spiked. Starting in March, as widespread pandemic lockdowns took effect, monthly attack frequency increased by between 100,000 and 200,000 compared with the previous six months, consistently exceeding 800,000 attacks per month.

Attack Frequency

[Attack frequency figures: average monthly attacks in 2019; average monthly attacks in 2020; additional attacks per month on average]

LBA DDoS Extortion Campaign

Against the backdrop of a significant uptick in DDoS attacks during the pandemic, a threat actor given the moniker Lazarus Bear Armada (LBA) kicked off a long-running DDoS extortion campaign in mid-August of 2020. LBA launched DDoS attacks against organizations across a wide array of geographies and industries, demanding “protection” payments via Bitcoin in exchange for (supposedly) refraining from further attacks against the targets.

The attackers made extensive use of multivector DDoS attacks against not only applications and services but also network and remote-access infrastructure elements. Unlike many DDoS extortionists, LBA often followed through on its threats to attack targeted organizations repeatedly if they failed to pay. Attacks associated with this extortion campaign ranged in size from 50 Gbps to 450 Gbps. LBA also showed persistence, revisiting targets weeks and months after initial contact with a second extortion email that threatened further consequences should the targeted organization fail to acquiesce to its payment demands.

Vertical Industry Attacks

We analyzed attack data by North American Industry Classification System (NAICS) codes, which group companies into 22 broad categories that each contain multiple large subvertical sectors. The top 10 vertical industries under attack in the second half of 2020 further illustrate the enormous impact COVID-19 had on DDoS attack activity. Threat actors have always embraced an opportunistic pivot, and this period was no exception as they enthusiastically flocked to the ensuing smorgasbord of new opportunities.

The top three listed sectors fall under the category of Old Faithfuls, because attacks on both subscribers and their operational infrastructures are inherent to their role as connectivity providers. However, the fourth sector—Internet Publishing and Broadcasting—is by no means a usual suspect in our top 10. Its presence can be summed up in two words: Netflix and Zoom. Similarly, online shopping, which grew an impressive 44 percent in 2020, represents another pandemic stalwart that came under increased attack, as did online learning. Interestingly, this activity was seen not only at the usual hot spots of colleges and universities but also at the high school and middle school level. With DDoS-for-hire services both readily available and incredibly cheap, it seems likely that budding online delinquents set about playing hooky on an internet scale.

DDoS Attack Vectors

Periodic Table of Attack Vectors

Research into attack vectors, and into how attackers leverage them, illuminates the ever-evolving nature of the DDoS threat landscape. The table sorts vectors by attack count and also details each vector's risk level and amplification factor.

[Figure: DDoS periodic table of attack vectors]

Abusable open-source and commercial applications and services based on UDP remained a valuable asset for attackers, who mined them to discover new reflection/amplification DDoS attack vectors to power a new wave of attacks. Here’s a rundown of the latest attack vectors:

Microsoft Remote Desktop Protocol (RDP) over UDP (amplification factor 85.9:1)

Included in Microsoft Windows operating systems, Microsoft Remote Desktop Protocol (RDP) is intended to provide authenticated remote virtual desktop infrastructure (VDI) access to Windows-based workstations and servers. Windows systems administrators can configure the RDP service to run on Transmission Control Protocol (TCP)/3389 and/or UDP/3389; it is the UDP/3389 listener that, when exposed to the internet, can be abused as a reflection/amplification vector.

Plex Media SSDP (PMSSDP) Reflection/Amplification (amplification factor 4.68:1)

Plex Media Server is a personal media library and streaming system that runs on modern Windows, macOS, and Linux operating systems, along with variants customized for special-purpose platforms such as network-attached storage (NAS) devices, external RAID storage units, and digital media players. Plex Media Server instances can be abused as reflectors in DDoS attacks when they are reachable from the internet: deployed in a public-facing network demilitarized zone (DMZ), hosted in an internet data center (IDC), or placed behind manually configured port-forwarding rules that forward specific UDP ports from the public internet to the device running Plex Media Server.

DTLS Reflection/Amplification (amplification factor 37.34:1)

Datagram Transport Layer Security (DTLS) is a version of the TLS protocol implemented over the UDP transport (commonly used for streaming media) to secure datagram-based applications against eavesdropping, tampering, and message forgery. An anti-spoofing mechanism, a stateless cookie exchange in which the server answers an initial ClientHello with a HelloVerifyRequest carrying a cookie that the client must echo back before the handshake proceeds, was designed into DTLS from the outset, but the relevant standards documents describe it as ‘recommended’ rather than ‘mandatory’. As a result, some implementations don’t enable the anti-spoofing mechanism by default and can therefore be abused to launch reflection/amplification DDoS attacks.

Jenkins Reflection/Amplification (amplification factor 5.6:1)

A popular open-source automation server widely used in modern software-delivery pipelines, Jenkins supports a UDP multicast/broadcast network discovery protocol for locating other Jenkins instances. On receiving a packet containing any payload (one byte is enough) on UDP port 33848, the Jenkins server responds with full information about the deployment. A spoofed UDP packet sent to such a server therefore yields a reflection/amplification attack with an amplification factor of up to 5.6:1.
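The two vectors above whose reflector ports the report names (RDP over UDP/3389 and Jenkins discovery on UDP/33848) can be spotted on the defender's side from flow records: reflected responses arrive unsolicited at a victim from many distinct hosts, all using the same well-known UDP source port. The following detection logic is an added example, not code from the Netscout report; the flow records are constructed, and the port-to-vector map and amplification factors are taken from the rundown above.

```python
"""Flag probable UDP reflection/amplification traffic in flow records.

Added example, not code from the Netscout report. Flow records are
constructed; the reflector ports and maximum amplification factors come
from the report's vector rundown (RDP-over-UDP 3389 at 85.9:1, Jenkins
discovery UDP/33848 at 5.6:1).
"""
from collections import defaultdict

# Known reflector services, keyed by the UDP source port the reflected
# responses arrive from, with the maximum amplification factor cited above.
REFLECTORS = {
    3389: ("RDP-over-UDP", 85.9),
    33848: ("Jenkins discovery", 5.6),
}

# Constructed records: (proto, src_ip, src_port, dst_ip, dst_port, bytes, packets)
FLOWS = [
    ("udp", "203.0.113.10", 3389, "198.51.100.5", 40001, 120000, 90),
    ("udp", "203.0.113.11", 3389, "198.51.100.5", 40001, 118000, 88),
    ("udp", "203.0.113.12", 33848, "198.51.100.5", 40002, 6000, 12),
    ("udp", "192.0.2.7", 53, "198.51.100.5", 51234, 300, 2),      # port not in the map
    ("tcp", "192.0.2.8", 3389, "198.51.100.9", 51000, 5000, 40),  # TCP RDP, not reflection
]


def find_reflection(flows, min_sources=2):
    """Group UDP flows whose source port is a known reflector by (victim, port)
    and report buckets fed by at least min_sources distinct reflectors: a
    spoofed-source attack bounces off many reflectors toward one victim."""
    buckets = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for proto, src_ip, src_port, dst_ip, _dst_port, nbytes, pkts in flows:
        if proto != "udp" or src_port not in REFLECTORS:
            continue
        b = buckets[(dst_ip, src_port)]
        b["sources"].add(src_ip)
        b["bytes"] += nbytes
        b["packets"] += pkts
    findings = []
    for (victim, port), b in sorted(buckets.items()):
        if len(b["sources"]) < min_sources:
            continue
        name, amp = REFLECTORS[port]
        findings.append({
            "victim": victim, "vector": name, "reflector_port": port,
            "reflectors": len(b["sources"]), "bytes": b["bytes"],
            "packets": b["packets"], "max_amplification": amp,
        })
    return findings
```

A hit on a bucket is the cue to rate-limit or drop inbound UDP from that source port toward hosts that never initiated a session, and, on the reflector side, to keep UDP/3389 and UDP/33848 off the public internet.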

Top DDoS Vectors by Attack Count

UDP-based reflection/amplification attacks continue to dominate the list of most popular attack vectors, with TCP ACK flood attacks coming in a close second. This represents a changing of the guard, given that TCP SYN floods were dominant in previous years. However, Domain Name System (DNS) reflection/amplification attack frequency rose steadily over approximately the past 18 months and became the top vector of choice in 2020.

Multivector Attacks: More of a Bad Thing

When we look at all these high-level statistics, it seems as if they move in only one direction: up and to the right. During the second half of 2020, the epic number of overall attacks drove increases at all levels, from single-vector attacks to those using 25 vectors. In particular, we noted the growing prevalence of 15-plus vector attacks. Adversaries often leveraged between 15 and 25 vectors to launch complex, high-volume attacks that combined multiple different attack vectors aimed at differing layers of enterprise and service provider infrastructures.

Attacks that used 15 to 25 vectors increased between 9 percent and 312 percent, with particular growth noted in attacks that used 15 to 21 vectors.

Impact of DDoS Traffic

This was a record-breaking year for DDoS attacks—and that has to have an impact on global infrastructure, particularly since DDoS attackers don’t pay for transit costs. Instead, that cost is generally passed down to everyone who uses the internet. So we continued to dig into the details of how much traffic on the global internet is due solely to DDoS attacks.

Once again, we looked at the totality of activity in both bandwidth (bits per second) and throughput (packets per second) to gauge just how much aggregate traffic crosses internet pipelines in any given minute of time. Known as the DDoS Attack Coefficient (DAC), this measurement illustrates the continual presence of DDoS traffic across all regions. In essence, it shows the “DDoS tax” that we all end up paying.

Comparing the minute-by-minute aggregate DDoS attack traffic to the aggregate DDoS traffic of an entire month further highlights the sheer volume and throughput this type of malicious traffic inflicts worldwide. In our previous report, we showed a simple calculation of bandwidth and throughput without factoring in the duration of DDoS attacks; in one 31-day window we observed 1 Pbps of bandwidth and 208 Gpps. However, by factoring in attack duration with bandwidth and throughput, the DAC shows an even starker picture of the massive amount of attack traffic traversing the internet.
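The difference between the earlier calculation and the DAC is whether attack duration enters the sum. The script below, an added example rather than anything from the Netscout report, works that through on constructed attack records: the naive window total adds each attack's peak bandwidth and throughput once, while the DAC-style view weights each attack by how long it ran and shows what is in flight in any given minute.

```python
"""Minute-by-minute DDoS Attack Coefficient (DAC) versus a naive window sum.

Added example, not code from the Netscout report. Attack records are
constructed: (start_minute, duration_minutes, peak_gbps, peak_mpps).
"""
from collections import defaultdict

ATTACKS = [
    (0, 10, 50.0, 5.0),    # long, moderate attack
    (5, 3, 450.0, 40.0),   # short, large attack overlapping the first
    (8, 4, 20.0, 2.0),     # small attack starting as the second ends
]


def per_minute_dac(attacks):
    """Return {minute: (aggregate_gbps, aggregate_mpps)} for every minute in
    which at least one attack is in flight. An attack starting at minute s
    with duration d occupies minutes s .. s+d-1."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for start, duration, gbps, mpps in attacks:
        for minute in range(start, start + duration):
            totals[minute][0] += gbps
            totals[minute][1] += mpps
    return {m: (round(g, 3), round(p, 3)) for m, (g, p) in sorted(totals.items())}


def window_totals(attacks):
    """The earlier report's approach: sum peak bandwidth and throughput
    over the window without regard to how long each attack lasted."""
    return (sum(a[2] for a in attacks), sum(a[3] for a in attacks))


def duration_weighted(attacks):
    """DAC-style totals: Gbps-minutes and Mpps-minutes across the window."""
    return (sum(a[1] * a[2] for a in attacks), sum(a[1] * a[3] for a in attacks))


def peak_minute(attacks):
    """Minute with the highest aggregate attack bandwidth and its (Gbps, Mpps)."""
    dac = per_minute_dac(attacks)
    minute = max(dac, key=lambda k: dac[k][0])
    return minute, dac[minute]
```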