
Global DDoS Attack Trends

The second half of the year brought about the establishment of high-powered botnet armies and a rebalancing of the scales between volumetric and direct-path attacks, creating new standard operating procedures (SOPs) for attackers and adding new tactics, techniques, and procedures (TTPs) to their arsenals.

This was observed as TCP-based flood attacks like TCP SYN, ACK, and RST floods remained stable, while DNS and CLDAP amplification attacks decreased by 32 percent and 64 percent respectively. The decrease in DNS and CLDAP amplification resulted in a return to prepandemic attack counts for 2H 2021 at 4,406,713 attacks. This represents a 14 percent decrease from 1H 2021 but a two percent increase from 2H 2019.

Global Stats

Number of Attacks: 4,406,713 (14% decrease from 2H 2020)

Average Attack Duration: 51 minutes (31% increase)

Largest Attack (Gbps): [figure not captured] (14% increase from 2H 2020)
  Date: November 6, 2021
  Target: Czechia
  Vectors Used: DNS, DNS amplification, ICMP, TCP ACK, TCP RST, TCP SYN
  Attack Duration: 16.83 minutes

Fastest Attack (Mpps): [figure not captured] (107% increase from 2H 2020)
  Date: December 7, 2021
  Target: Russia
  Vectors Used: CLDAP amplification, ICMP, TCP ACK, TCP RST, TCP SYN, TCP SYN/ACK amplification
  Attack Duration: 1 hour 44 minutes

Despite the observed decrease in amplification attacks in 2H 2021, the year ended with 9.7 million DDoS attacks in total (an attack every three seconds!), a mere 3 percent decrease from the record number of attacks that took place during the height of the pandemic. This clearly signals that it would be premature to roll the victory drums, given the clear and present dangers lurking in the DDoS threat landscape.

This ebb and flow in DNS amplification attacks is a trend that tracks back to 2018. Similar dips occurred in May 2018, February 2019, September 2019, July 2020, and June 2021. Despite the occasional drop in overall attack numbers, the trend maintained an up-and-to-the-right trajectory at the close of December 2021.

A month-to-month comparison from 2H 2019 to 2021 illustrates how the pandemic impacted DDoS activity, including peaks occurring in January and March 2021. A decrease in attacks against consumers on wireline ISP networks sharply contrasts with a marked increase in attacks against education, computer and software manufacturing entities, and wireless telecommunications providers. This likely is due to multiple factors, including a return to in-person education and the rapid adoption of 5G wireless technology.

DDoS Extortion and The Triple Threat

7-Figure Losses from DDoS Attacks Reported by Publicly Traded Company

Although DDoS extortion (aka RDDoS) isn’t new, high-profile DDoS extortion attack campaigns sometimes emerge. It’s not unusual to have one high-profile DDoS extortion campaign in a year, but it’s fairly rare to see two such campaigns in a year. During 2021, however, a new record was established as three high-profile DDoS attack campaigns took place. This also signals that ransomware gangs are laser-focused on increasing the use of triple-extortion attacks (ransomware + data theft + DDoS).

The prolific Lazarus Bear Armada (LBA) DDoS extortionist threat actor extended its high-impact attack campaign into 2021, targeting multiple verticals worldwide and exhibiting a high degree of pre-attack reconnaissance to maximize attack efficacy.

The Fancy Lazarus DDoS extortionist kicked off a campaign that initially targeted the authoritative DNS servers of wireline broadband access ISPs in the U.K. and Scandinavia by using DNS reflection/amplification attacks, a suboptimal vector when attacking authoritative DNS servers. The campaign was somewhat successful due largely to the unpreparedness of a few network operators; nevertheless, the attacks were mitigated relatively quickly.

The third high-profile DDoS extortion campaign of the year was an aggressive series of attacks masquerading as the REvil ransomware group and targeting SIP/RTP VoIP operators. Retail and wholesale VoIP providers in the U.K. were the initial targets, followed by attacks against VoIP operators in Western Europe and North America. Notably, one VoIP wholesaler filed a form with the U.S. Securities and Exchange Commission (SEC) estimating the total cost of the DDoS attack at between $9 and $12 million. Attackers now appear to view DDoS attacks as criminal endeavors in and of themselves—as opposed to one pillar of triple extortion attacks—meaning more-skilled DDoS extortion campaigns should be expected as sophisticated ransomware groups master this tactic.

Ransomware Gangs

In the 1H 2021 Threat Intelligence report, we noted that several different groups conducting ransomware operations have also moved into DDoS attack territory to place greater pressure on victims to pay demanded ransoms. For this report, Palo Alto’s Unit 42, a Threat Intelligence partner, created a summary of active and recently inactive ransomware gangs that also use DDoS to extort victims into paying the ransom. The following groups are known to use and have been observed using DDoS as part of their operations.


Avaddon

Avaddon ransomware was first seen in February 2020 and by June 2020 had quickly evolved into ransomware as a service (RaaS). In January 2021, the group evolved again to include DDoS attacks in its extortion repertoire.


REvil

Although currently not operational due to a global takedown, REvil was a prominent user of RaaS. With its highly adaptable encryptors and decryptors, REvil provided infrastructure and services for communicating with victims, as well as a leak site for releasing stolen data if the victim refused to pay the ransom.


BlackCat

One of the newest ransomware groups, BlackCat (aka ALPHV), was discovered in November 2021. Operating as a RaaS, the group quickly gained notoriety for its sophistication and innovation.


AvosLocker

First seen in summer 2021, AvosLocker is simple but effective ransomware that has utilized triple extortion from the start. AvosLocker operators advertise in underground networks for affiliates with active directory experience, as well as for “access brokers” who potentially could provide access to compromised systems.


Suncrypt

Initially appearing in October 2019, Suncrypt was one of the first ransomware groups to launch DDoS attacks. Along with data encryption and theft, Suncrypt extorts its victims by threatening to attack infrastructure or networks.

Botnet Army Adds New Weapons

The commonly held idea of botnets used for launching DDoS attacks is that compromised IoT devices come under the control of attackers via a common command-and-control (C2) infrastructure.

The first DDoS-capable botnets debuted in 2007, and they became commonplace by 2013. Their popularity soared in 2016 after the source code of the Mirai IoT botnet was leaked.

In 2H 2021, they continued evolving with the convergence of Mirai onto Intel (x86) architectures, which inadvertently resulted in the rapid exploitation of serious vulnerabilities in servers running Confluence, GitLab, and Log4j. Exploits were crafted and delivered to compromise significant numbers of powerful, highly connected servers, which were then brought together via standard botnet C2 architectures.

Given that online criminals are familiar with the DDoS capabilities of existing Mirai botnets, they were able to quickly employ the new server-class Mirai botnets to launch vicious DDoS attacks. In 2H 2021, two direct-path flooding attacks of more than 2.5 Tbps were launched using server-class botnets. These are the first known terabit-class, direct-path DDoS attacks; previously, reflection/amplification attacks were considered the most practical way to launch DDoS attacks of this magnitude.

The newfound popularity of server-class DDoS botnets is linked with the growth in direct-path DDoS attacks, when compared with reflection/amplification attacks. We expect this trend to continue, driven by the introduction of multigigabit consumer wireline and wireless 5G broadband internet connectivity, increasingly powerful home computers, and IoT devices. We also foresee the very definition of server-class nodes expanding beyond the internet data center (IDC) and into the residential space.

The Dark Side of DDoS-for-Hire

The dark web is a dangerous place where adversaries own and operate DDoS-for-hire platforms and botnets to launch everything from free tests to high-powered multivector attacks. ASERT explored this underground space to evaluate the kinds of attacks being launched. Likewise, we wanted to better understand the kinds of platforms used and their capabilities, to illustrate the low barrier to entry and why DDoS attacks are so prevalent.

As such, we researched the top 19 validated DDoS-for-hire services and captured the types of attacks, purported number of users, and the costs to launch attacks.

  1. AnonBot
  2. Booter
  3. Booter SX
  4. CryptoStressor
  5. CyberVM
  6. DDoS Service
  7. Downed
  8. FlyStress
  9. Instant Stresser
  10. IPStresser
  11. NetworkStress
  12. Project Delta
  13. Str3ssed
  14. Stresser GG
  15. Stresser US
  16. SunStresser
  17. Toxicity
  18. WebStresser
  19. ZDStresser

Although some of these services have static pricing models, many of them allow for custom configurations based on duration, concurrent tests, and power, which is how adversaries measure bandwidth and throughput.

Prices for these services vary wildly. We found free tests, tests for $5 over a five-day trial, and full attacks for as much as $6,500, which included 100 concurrent attacks, no daily limits, and a committed 1 million packets per second (Mpps). NetworkStress service boasts a 1 Tbps attack size using 150,000 bots for $2,499. Although these services boast massive capacity, we have yet to observe any DDoS attacks sourced from them in the terabit range.

[Screenshot: purchase page of a DDoS-for-hire service. Options shown: maximum attack duration 828 seconds, 5 concurrent stress tests, 2-month subscription, API access included, price $245.94.]

In the 1H 2021 Threat Intelligence report, we described how some of these underground services offer “blacklists” or delisting services to prevent attacks. One example of this can be found on Booter SX, where adversaries offer a temporary or permanent option for delisting IPs. At least three of the services noted above include this feature, which is anything but a guarantee the purchaser will not be attacked.

[Screenshot: Booter SX add-on panel. Options shown: monthly blacklist for one host, $17; lifetime blacklist, $230; add seconds, $1; add concurrents, $0.]

Nearly every service offers some form of free DDoS attack capability via Network Time Protocol (NTP), DNS, CLDAP, or a random UDP reflection/amplification attack vector. In addition to the free options, these 19 platforms combined boast a total of more than 200 different attack types, many of which are shared across platforms. UDP and TCP reflection/amplification are the most prevalent, followed by UDP and TCP floods. The services also offer varying degrees of UDP and TCP bypasses for CAPTCHAs or other anti-DDoS defenses.

Despite the incredible diversity of these platforms, the majority of attack types are recognized and predominantly mitigated via standard defensive practices. Our primary motivation in exploring these services was to determine the capabilities available to adversaries. Based on our research, none of the listed services was a surprise or provided something we haven’t witnessed in the wild. Given a solid understanding of these attack methods and a properly tuned mitigation platform, network security professionals can create defensive measures and templates to counter attacks from booter/stresser services.

The Intersection of Encryption, State, and DDoS Defense

Application-Layer DDoS Attacks Versus DDoS Attacks Against Applications

One of the most important and wide-reaching trends in the security landscape over the past decade has been the industrywide push to implement strong encryption for websites, online applications, communications services, and just about everything else we use online.

This wholesale move toward encryption for anything and everything also has been noted by attackers. The additional overhead required to process encrypted communications at large scale often means that launching successful DDoS attacks against encrypted applications and services requires comparatively fewer resources on the part of the attackers. Conversely, DDoS defense for encrypted applications and services also requires more resources on the part of defenders.

High-volume application-layer attacks launched over HTTP/S were prominent during this period. Attacks launched via the Meris and Dvinis router-based botnets were reported, either originating directly from the bots themselves or being relayed through them by way of the SOCKS5 proxy functionality of the bots. Attacks of up to 17.2 million requests per second (Mrps) were reported, representing a significant new metric for HTTP/S-encrypted application-layer DDoS attacks. Looking at a two-year snapshot for bandwidth and throughput in attacks targeting applications and services on TCP port 443, we see significant trends toward more potent attacks.

It is ironic that measures intended to bolster two aspects of security—confidentiality and integrity—can have unintended consequences for security’s third (and arguably most important) aspect: availability. Although it is important that deployment of TLS 1.3 proceeds apace, organizations must take into account the associated increases in complexity and overhead, while ensuring that their public-facing properties are designed and implemented to minimize state and maximize DDoS defense capabilities, thereby ensuring maximal resiliency in the face of attack.

Carpet-Bombing Attacks

Our Threat Intelligence partner Neustar also witnessed a significant shift in attack methodology, with carpet-bombing picking up steam in July 2021. This attack is akin to flinging sand instead of a rock, in the hope that many smaller attacks will succeed where a single, large attack fails. Data from Neustar’s security operations center (SOC) revealed that carpet-bombing attacks outnumbered individual attacks by more than 10 percent in 2H 2021. The very nature of these attacks makes them difficult to defend against, because there are multiple points to protect as opposed to a single point of entry.

Such attacks, which often can be too small on their own to trip mitigations, can cause a host of distractions and confusion as they land across a target’s network. They certainly make it necessary for defenders to update detection mechanisms and policies to spread defenses across all externally facing ingress points.
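The defensive change the carpet-bombing section calls for is a detection that looks at the aggregate across a prefix, not only at each host. The following is an added example (not NETSCOUT or Neustar code) that applies a per-host and a per-/24 rate check to one-second flow summaries; the thresholds, the flow format and the sample traffic are constructed for illustration and use documentation address ranges only.

```python
import ipaddress
from collections import defaultdict

# Assumed policy values: 200 Mbps per destination host, 1 Gbps per destination /24.
HOST_THRESHOLD_BPS = 200_000_000
PREFIX_THRESHOLD_BPS = 1_000_000_000
PREFIX_LEN = 24


def build_sample_flows():
    """Constructed one-second flow summaries as (dst_ip, bytes)."""
    flows = []
    # Carpet-bombing: 60 hosts in 203.0.113.0/24 each receive 25 Mbps (3,125,000 B/s),
    # far below the per-host limit but 1.5 Gbps in aggregate.
    for host in range(1, 61):
        flows.append((f"203.0.113.{host}", 3_125_000))
    # Ordinary traffic: 50 Mbps to a web server.
    flows.append(("198.51.100.7", 6_250_000))
    # Classic single-target flood: 300 Mbps to one host, split across two records.
    flows.append(("198.51.100.200", 20_000_000))
    flows.append(("198.51.100.200", 17_500_000))
    return flows


def evaluate_window(flows, window_seconds=1.0):
    """Return per-host and per-prefix alerts for one measurement window."""
    per_host_bits = defaultdict(int)
    for dst, nbytes in flows:
        per_host_bits[dst] += nbytes * 8

    per_prefix_bits = defaultdict(int)
    prefix_hosts = defaultdict(set)
    for dst, bits in per_host_bits.items():
        net = ipaddress.ip_network(f"{dst}/{PREFIX_LEN}", strict=False)
        per_prefix_bits[net] += bits
        prefix_hosts[net].add(dst)

    host_alerts = sorted(
        dst for dst, bits in per_host_bits.items()
        if bits / window_seconds > HOST_THRESHOLD_BPS
    )

    prefix_alerts = []
    for net, bits in per_prefix_bits.items():
        rate = bits / window_seconds
        if rate <= PREFIX_THRESHOLD_BPS:
            continue
        loud_hosts = [
            h for h in prefix_hosts[net]
            if per_host_bits[h] / window_seconds > HOST_THRESHOLD_BPS
        ]
        prefix_alerts.append({
            "prefix": str(net),
            "bps": rate,
            "hosts": len(prefix_hosts[net]),
            # Over the prefix limit while no single host is over its own limit
            # is the carpet-bombing signature; a loud host means an ordinary flood.
            "carpet_bombing": not loud_hosts,
        })
    prefix_alerts.sort(key=lambda a: a["prefix"])
    return {"host": host_alerts, "prefix": prefix_alerts}


if __name__ == "__main__":
    result = evaluate_window(build_sample_flows())
    print("host alerts:", result["host"])
    for alert in result["prefix"]:
        print("prefix alert:", alert)
```

With the constructed sample, the per-host check catches only the 300 Mbps flood against 198.51.100.200, while the 60 small streams into 203.0.113.0/24 trip the prefix check alone, which is exactly the case a host-only policy misses.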

Vertical Industries

Always a popular target for attacks, many of the telecommunications verticals nevertheless saw fewer attacks in 2H 2021. One of the more notable exceptions occurred in the wireless telecommunications space, where a likely increase in wireless hotspot gaming and the rapid adoption of 5G fueled increased attacks (see Industry Spotlight: Wireless Telecommunications). Meanwhile, the closely related software and computer manufacturing verticals witnessed massive increases in attacks (see Industry Spotlight: Digital Supply Chain).

As adversaries sought to cash in on DDoS extortion, they increasingly launched attacks against insurance agencies and brokerages (see Industry Spotlight: Insurance Agencies and Brokerages), as well as against VoIP providers (see Industry Spotlight: VoIP Providers). Unfortunately, some of these attacks were highly successful, causing significant damage both to the targeted organization and collaterally with their customers.

We’d be remiss in not mentioning one more motivation that stands the test of time: “Because I Can.” Some people like to watch the world burn. And because they can, they do. By fall 2021, people were returning to normal life, including a return to physical versus virtual classrooms. The increase in attacks on colleges, universities, and professional schools is likely attributable to students looking to start fires wherever possible (see Industry Spotlight: Colleges, Universities, and Professional Schools).

Industry Spotlights

  • Wireless Telecommunications
  • Digital Supply Chain
  • Insurance Agencies and Brokerages
  • VoIP Providers
  • Colleges, Universities, and Professional Schools

DDoS Attack Vectors


[Interactive graphic: each vector is shown with a two-letter symbol and, where applicable, its amplification factor. The graphic also colour-codes each vector by number of attacks (0–50,000; 50,001–500,000; 500,001+) and by available-device risk (Risk 1: 1–500,000 devices; Risk 2: 500,001–2,000,000; Risk 3: 2,000,001–4,000,000; Risk 4: 4,000,001–6,000,000; Risk 5: 6,000,000+) and flags new attack vectors; those per-vector bands are not reproduced here.]

  • Ar  ARMS Amp: 35.5:1
  • Bc  BACnet Amp: 120:1
  • Bt  BitTorrent Amp: 3.8:1
  • Ch  Chargen Amp: 1,000:1
  • Ci  Citrix-ICA Amp: 5.7:1
  • Cd  CLDAP Amp: 56.89:1
  • Cp  COAP Amp: 34:1
  • Dt  D/TLS: 37.34:1
  • Di  DHCPDiscover Amp: 24:1
  • Ds  DNS: no amplification factor (direct flood)
  • Dn  DNS Amp: 160:1
  • Ht  HTML5: no amplification factor listed
  • Im  ICMP: no amplification factor (direct flood)
  • In  IP NULL: no amplification factor (direct flood)
  • Ip  IPMI Amp: 1.1:1
  • Iv  IPv4 Protocol 0: no amplification factor (direct flood)
  • Ik  ISAKMP/IKE Amp: 1:1
  • Jk  Jenkins Amp: 5.6:1
  • Lt  L2TP Amp: 13.5:1
  • Mh  MBHTTP Amp: no amplification factor listed
  • Md  mDNS Amp: 4.35:1
  • Mc  Memcached Amp: 51,200:1
  • Mq  MSSQLRS Amp: 25:1
  • Nb  NetBIOS Amp: 3:1
  • Np  NTP Amp: 556.9:1
  • Ov  OpenVPN Amp: 33.9:1
  • Pm  PMSSDP Amp: 4.68:1
  • Qd  QOTD Amp: 140.3:1
  • Qk  Quake Amp: 63.9:1
  • Rd  RDP Amp: 85.9:1
  • Ri  RIPv1 Amp: 134.24:1
  • Rc  rpcbind/portmap Amp: 29:1
  • Se  Sentinel Amp: 30.7:1
  • Sp  SIP Amp: 10:1
  • Sn  SNMP Amp: 880:1
  • Ss  SSDP Amp: 30.8:1
  • St  STUN Amp: 3.32:1
  • Ta  TCP ACK: no amplification factor (direct flood)
  • Tn  TCP NULL: no amplification factor (direct flood)
  • Tr  TCP RST: no amplification factor (direct flood)
  • Ts  TCP SYN: no amplification factor (direct flood)
  • Tk  TCP SYN/ACK Amp: no amplification factor listed
  • Tf  TFTP Amp: 46.5:1
  • Ub  Ubiquiti Amp: 4:1
  • Un  Unreal-Tournament Amp: 2,464:1
  • Ve  VSE Amp: 14:1
  • Wd  WS-DD Amp: 500:1
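From the defender's side, the practical use of the amplification table is recognising reflected traffic at the edge: amplified responses arrive from many distinct reflectors, all with the same well-known service source port, and with response-sized packets. The following is an added example (not NETSCOUT code) that groups inbound UDP flow records by destination and source port and tags the likely vector using the factors listed above. The port-to-vector mapping uses the services' standard ports, which the report does not state; the flow format, thresholds and sample traffic are constructed for illustration.

```python
from collections import defaultdict

# Standard service ports mapped to (vector name, amplification factor) from the table.
# Assumption: reflectors answer from their well-known port, which is the normal case.
REFLECTOR_PORTS = {
    17: ("QOTD Amp", 140.3),
    19: ("Chargen Amp", 1000.0),
    53: ("DNS Amp", 160.0),
    69: ("TFTP Amp", 46.5),
    111: ("rpcbind/portmap Amp", 29.0),
    123: ("NTP Amp", 556.9),
    137: ("NetBIOS Amp", 3.0),
    161: ("SNMP Amp", 880.0),
    389: ("CLDAP Amp", 56.89),
    520: ("RIPv1 Amp", 134.24),
    1434: ("MSSQLRS Amp", 25.0),
    1900: ("SSDP Amp", 30.8),
    3283: ("ARMS Amp", 35.5),
    3702: ("WS-DD Amp", 500.0),
    5353: ("mDNS Amp", 4.35),
    5683: ("COAP Amp", 34.0),
    11211: ("Memcached Amp", 51200.0),
}


def build_sample_udp_flows():
    """Constructed inbound UDP flow records for one second:
    (src_ip, src_port, dst_ip, dst_port, packets, bytes)."""
    flows = []
    # NTP reflection toward 198.51.100.20: 40 reflectors, 468-byte response packets.
    for i in range(1, 41):
        flows.append((f"192.0.2.{i}", 123, "198.51.100.20", 80, 50, 50 * 468))
    # CLDAP reflection toward 198.51.100.21: 30 reflectors, ~3 kB responses.
    for i in range(101, 131):
        flows.append((f"192.0.2.{i}", 389, "198.51.100.21", 443, 10, 10 * 3000))
    # Ordinary DNS answers from a single resolver: one source, small packets.
    flows.append(("192.0.2.53", 53, "198.51.100.20", 40111, 2, 2 * 120))
    # Bulk traffic from a source port that is not a reflector service.
    flows.append(("192.0.2.200", 4000, "198.51.100.22", 9000, 500, 500 * 1400))
    return flows


def classify_reflection(flows, window_seconds=1.0, min_sources=20, min_avg_bytes=400):
    """Flag (destination, source port) groups that look like reflected amplification."""
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        if src_port not in REFLECTOR_PORTS:
            continue  # not a known reflector service port
        g = groups[(dst_ip, src_port)]
        g["sources"].add(src_ip)
        g["packets"] += packets
        g["bytes"] += nbytes

    alerts = []
    for (dst_ip, src_port), g in groups.items():
        avg_bytes = g["bytes"] / g["packets"]
        # Few sources or small packets is normal client/server traffic, not reflection.
        if len(g["sources"]) < min_sources or avg_bytes < min_avg_bytes:
            continue
        vector, factor = REFLECTOR_PORTS[src_port]
        observed_bps = g["bytes"] * 8 / window_seconds
        alerts.append({
            "target": dst_ip,
            "vector": vector,
            "reflectors": len(g["sources"]),
            "observed_bps": observed_bps,
            "avg_packet_bytes": avg_bytes,
            # Rough size of the spoofed request stream behind this volume: a useful
            # triage number, since it shows how little origin bandwidth was needed.
            "approx_request_bps": observed_bps / factor,
        })
    alerts.sort(key=lambda a: a["target"])
    return alerts


if __name__ == "__main__":
    for alert in classify_reflection(build_sample_udp_flows()):
        print(alert)
```

The single-resolver DNS flow is skipped because it fails the distinct-source test, which is what separates legitimate answers to a host's own queries from reflected traffic aimed at it; in production the source-count and packet-size thresholds would be tuned per vector and per window.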

HTTP Reflection/Amplification via Abusable Internet Censorship Systems

This DDoS attack vector has been largely academic thus far, but researchers have shown a way to amplify a significant amount of attack traffic via abusable internet censorship systems. Until 2021, reflection/amplification attacks were widely believed to be a problem specific to connectionless protocols such as UDP. The USENIX 2021 paper “Weaponizing Middleboxes for TCP Reflected Amplification” proved otherwise. The paper examined a class of middleboxes used by some networks to censor HTTP-based traffic, ultimately showing how middleboxes can reflect and amplify TCP-based application traffic without requiring the sender to first establish a TCP connection. This discovery exposed the susceptibility of these censorship systems to source IP address spoofing, which leads to HTTP reflection/amplification attacks.

Diving into Direct-Path DDoS Attacks: Fighting Against the Flood

A new era of high-impact DDoS attacks flourished following the introduction of reflection/amplification methodology in 1997. Attackers used to be limited to the bits-per-second (bps) and pps rates directly generated by botnets and customized attack harnesses. Today, however, they punch far above their weight in terms of the amount of amplified attack traffic used against targeted organizations. Worse, easy-to-use DDoS-for-hire services eliminate the technical requirements of launching a massive DDoS attack. Meanwhile, the more mundane direct-path DDoS attacks—such as TCP SYN, ACK, RST, and GRE floods—continue in popularity.

SYN-flood was the most popular DDoS attack vector from 1996 to 2018, when it was overtaken by DNS reflection/amplification. Direct-path DDoS vectors were still employed by attackers either out of habit, randomly, or because of their suitability to task, but reflection/amplification attacks became significantly more prevalent.

But in 2021, reflection/amplification attacks were displaced by direct-path DDoS attacks. This change in trajectory became apparent with the sharp increase in ACK-flood attacks against online credit card processors and other financial services organizations in 1H 2021 and was further supported when SYN floods joined ACK floods as the top two vectors for 2H 2021.
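SYN floods work by exhausting the half-open connection state a server keeps between the SYN and the final ACK, so the defence that embodies the "minimize state" advice from the encryption section above is the SYN cookie: the server encodes what it needs into the SYN/ACK sequence number and stores nothing until the client proves it can complete the handshake. The following is an added example (not NETSCOUT code and not any operating system's implementation) of a simplified SYN-cookie encoder and verifier in the classic 32-bit layout of a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed MAC; the secret, the MSS table, the 64-second tick and the flood scenario are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

SECRET = b"per-host-secret-rotated-out-of-band"   # assumption: a local secret key
MSS_TABLE = (536, 1220, 1440, 1460)                # assumption: encodable MSS values
TICK_SECONDS = 64                                  # granularity of the time counter
COUNTER_BITS, MSS_BITS = 5, 3
MAC_BITS = 32 - COUNTER_BITS - MSS_BITS            # 24
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MAC_MASK = (1 << MAC_BITS) - 1


def _counter(now):
    """Coarse time counter; wraps every 32 ticks (about 34 minutes here)."""
    return (int(now) // TICK_SECONDS) & COUNTER_MASK


def _mac(saddr, daddr, sport, dport, counter):
    """Keyed MAC over the 4-tuple and the counter, truncated to 24 bits."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MAC_MASK


def make_cookie(saddr, daddr, sport, dport, client_isn, peer_mss, now):
    """Server ISN for the SYN/ACK; no per-connection state is stored."""
    counter = _counter(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= peer_mss:
            mss_idx = i   # largest table entry not exceeding the peer's MSS
    encoded = (counter << (MSS_BITS + MAC_BITS)) | (mss_idx << MAC_BITS) \
        | _mac(saddr, daddr, sport, dport, counter)
    return (client_isn + encoded) & 0xFFFFFFFF


def verify_cookie(saddr, daddr, sport, dport, client_isn, ack_no, now):
    """On the final ACK: return the encoded MSS if the cookie is valid, else None."""
    encoded = (ack_no - 1 - client_isn) & 0xFFFFFFFF
    counter = encoded >> (MSS_BITS + MAC_BITS)
    mss_idx = (encoded >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = encoded & MAC_MASK
    current = _counter(now)
    # Accept the current tick and the previous one, so a cookie lives 64 to 128 s.
    if counter not in (current, (current - 1) & COUNTER_MASK):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(saddr, daddr, sport, dport, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def handshake_demo(spoofed_syns=10_000, now=1000.0):
    """Constructed scenario: a spoofed SYN flood plus one honest client."""
    server = bytes([192, 0, 2, 10])
    half_open = {}   # never written: cookies replace the backlog table entirely
    for i in range(spoofed_syns):
        src = struct.pack("!I", 0x0A000000 + i)       # spoofed 10.0.0.0/8 sources
        make_cookie(src, server, 40000, 443, i, 1460, now)   # SYN/ACK sent, nothing kept
    client = bytes([198, 51, 100, 7])
    isn = 777
    cookie = make_cookie(client, server, 51000, 443, isn, 1460, now)
    accepted = verify_cookie(client, server, 51000, 443, isn, (cookie + 1) & 0xFFFFFFFF, now)
    forged = verify_cookie(client, server, 51000, 443, isn, 0x12345678, now)  # guessed ACK
    return {
        "half_open_entries": len(half_open),
        "accepted_mss": accepted,
        "forged_accepted": forged is not None,
    }


if __name__ == "__main__":
    print(handshake_demo())
```

The point of the demo is that ten thousand spoofed SYNs leave the server with zero stored entries, while the honest client's ACK still yields the negotiated MSS and a guessed ACK number fails the MAC check. Real kernels add a larger MSS table, per-boot secrets and SYN-cookie activation only once the backlog fills, but the stateless shape is the same.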

Although there are always myriad factors at work across the DDoS threat landscape, we attribute this increase in direct-path DDoS attacks to the following factors:

  • Operation Anti-Spoofing
  • Server-Class Botnet Army Recruitment

All of these factors drove a marked increase in direct-path DDoS attacks during 2021, and we anticipate that their popularity will continue to grow.

Multivector Attacks and Vector Lifecycles

During the first half of the year, we revealed an omnivector attack in Germany that leveraged 31 different attack vectors, illustrating the upward trend in multivector attacks which we’ve tracked for more than five years. However, 2H 2021 not only saw a decrease in these attacks for the first time, but that decrease accompanied a significant dip in overall attack numbers and a subsequent decline in some reflection/amplification attacks. This reveals a trend in which adversaries now prefer to use TCP-based floods and botnets for direct-path attacks.

The variability and availability of DDoS attack vectors raises some questions, ultimately spawning an exercise focused on diving into the lifecycle of reflectors/amplifiers over time to reveal patterns of behavior from adversaries that launch such attacks.

It’s important to note that availability doesn’t often equate to DDoS attacks. A good example is the Apple Remote Management (ARM) service. A recent software update from Apple effectively renders this vector moot; however, it doesn’t reduce the service’s exposure to the internet. So despite an increasing number of available ARM devices, ARM has seen a significant decrease in usage as an attack vector. From a risk-based approach, vendors and security professionals should seek to both remove from visibility and remediate the exploitable nature of these vectors.

In other cases, however, a decrease in available reflectors/amplifiers has a direct impact on the number, size, and speed of attacks. DNS amplification is one such attack vector: it experienced a significant decrease in the number of abusable devices over the last two months of 2021, and over the same period we observed a 32 percent decrease in DNS amplification attacks. Unfortunately, due to the pervasiveness and constant rotation/addition of new DNS servers, which by their very nature lend themselves to this type of abuse, we anticipate that this trend won’t continue. It does, however, serve to illustrate what happens when a significant portion of resources becomes unavailable to adversaries: their activity decreases correspondingly.