Key metrics from the 2H 2021 Netscout Threat Intelligence Report

Poland

The second half of 2021 ushered in a new focus by adversaries, who launched direct-path (non-spoofed) DDoS attacks using botnets and TCP-based floods. This coincided with a drop in DNS and CLDAP amplification, resulting in a decrease in attacks across most countries and regions. The turning point for this decline came just before Omicron was discovered, as COVID-19 restrictions were easing and people began returning to physical offices and classrooms. With less time to engage in malicious activity, threat actors launched fewer DDoS attacks, lending credence to the proverb that idle hands are the devil’s workshop.

Adversaries launched more than 9.7 million DDoS attacks in 2021, just 3% shy of the record-breaking 10 million seen in 2020 and a whopping 14% more than seen pre-pandemic in 2019. So although it’s tempting to simply look at the decrease in overall attacks as threat actors resting on their laurels, the reality is that attackers are innovating and adapting new techniques and methodologies to strengthen and monetize their nefarious behavior.

Max Multivector Attack

Max number of vectors seen in a single attack: 20

Attack Vectors Used

1. bittorrent amplification
2. chargen amplification
3. cldap amplification
4. dns
5. dns amplification
6. icmp
7. mdns amplification
8. ms sql rs amplification
9. netbios amplification
10. ntp amplification
11. openvpn amplification
12. ripv1 amplification
13. rpcbind amplification
14. snmp amplification
15. ssdp amplification
16. stun amplification
17. tcp ack
18. tcp rst
19. tcp syn
20. tcp syn/ack amplification

Top 5 Attack Vectors (by number of attacks)

1. TCP ACK: 24,038 attacks
2. DNS Amplification: 22,948 attacks
3. TCP SYN/ACK Amplification: 17,200 attacks
4. TCP SYN: 15,200 attacks
5. TCP RST: 13,620 attacks

Top Ten Vertical Industries Under Attack

The following industry chart shows the most targeted sectors in 2H 2021 by number of attacks.

Rank  Vertical                                                      Frequency  Max Attack   Max Impact  Average Duration
1     Data Processing, Hosting + Related Services                   3,167      80.56 Gbps   16.00 Mpps  39.9 Minutes
2     Wired Telecommunications Carriers                             2,565      100.46 Gbps  18.85 Mpps  50.7 Minutes
3     All Other Telecommunications                                  600        80.81 Gbps   15.4 Mpps   29.6 Minutes
4     All Other Professional, Scientific, and Technical Services    326        100.46 Gbps  18.85 Mpps  22.5 Minutes
5     Lessors of Residential Buildings and Dwellings                158        1.19 Gbps    0.32 Mpps   18 Minutes
6     Media Buying Agencies                                         99         0.97 Gbps    0.38 Mpps   26.2 Minutes
7     Internet Publishing, Broadcasting + Web Search Portals        85         4.03 Gbps    2.5 Mpps    35.1 Minutes
8     All Other Support Services                                    79         0.46 Gbps    0.06 Mpps   12.9 Minutes
9     Wireless Telecommunications Carriers (except Satellite)       73         4.39 Gbps    0.68 Mpps   19.6 Minutes
10    Commercial Banking                                            71         5.21 Gbps    1.9 Mpps    24.5 Minutes