Executive Summary

The COVID-19 pandemic essentially handed threat actors the keys to an all-you-can-eat buffet of malicious opportunities that triggered an enormous and extended upswing in attacker innovation—and it isn’t going away anytime soon. NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT) expects this long tail of attacker innovation to last well into 2021, further fueling a growing cybersecurity crisis that broadly impacts organizations across the public and private sectors, from governments to corporate behemoths.

According to ATLAS data, adversaries launched approximately 5.4 million distributed denial-of-service (DDoS) attacks in the first half of 2021, an 11 percent increase from the same period in 2020. Although attack counts abated slightly from May to June, this level of activity still puts the world on track to hit close to a record-breaking 11 million DDoS attacks in 2021. And all the while, cybercriminals are stoking the innovation machine.

Key Findings


7 attack vectors in 7 months

Threat actors exploited or weaponized at least seven of the newer reflection/amplification DDoS attack vectors within the past seven months, igniting an explosion of new attack vectors that exploit abusable commercial and open-source User Datagram Protocol (UDP) services and applications. Meanwhile, the number of vectors used in multivector DDoS attacks has soared, with a record-setting 31 attack vectors deployed in a single attack against one German organization. The result: Greater risk for organizations.



Adversaries developed new DDoS attack techniques designed to evade traditional defenses. Using adaptive DDoS principles, threat actors now can customize each attack to bypass both cloud-based and on-premises static DDoS defenses. Adaptive DDoS attackers perform significant pre-attack research and reconnaissance to identify areas within service delivery chains that are vulnerable to specific types of attacks. Armed with this intelligence, they then launch a single, orchestrated onslaught of attack vectors perfectly calibrated to take down a target.


Connectivity supply chain under attack

The global connectivity supply chain is increasingly under attack as cybercriminals concentrate their activities on vital components of internet operations, such as DNS servers, virtual private network (VPN) concentrators and services, and internet exchanges. These services and infrastructure elements are vital gateways to online life; successful attacks against them can cause a cascade of collateral damage that affects a huge array of entities, from banks and retailers to wired and wireless service providers—not to mention myriad individual users.


Triple extortion: a ransomware trifecta

Ransomware gangs added triple extortion attacks to their service offerings. By combining file encryption, data theft, and DDoS attacks, threat actors have hit a ransomware trifecta designed to increase the possibility of payment.



Threat actors launched the self-dubbed Fancy Lazarus DDoS extortion campaign that primarily targets authoritative DNS servers for internet service providers (ISPs). Meanwhile, the more broadly based Lazarus Bear Armada (LBA) DDoS extortion campaign continues to target victims across a range of industries.



Against the backdrop of surging DDoS attack numbers from previous years bolstered by newly weaponized attack vectors, botnets continued their steadfast propagation and contribution to the larger DDoS threat landscape. We’ve tracked botnet clusters and high-density attack-source zones around the world to showcase how malicious adversaries abused these botnets to participate in more than 2.8 million DDoS attacks in the first half of 2021 alone.

Adversaries thrive on constant innovation.

Attacks will only grow more complex, and threat actors will continue to discover and weaponize new attack vectors designed to exploit the vulnerabilities found in our digital world. It is imperative that defenders and security professionals remain vigilant in their efforts to protect the critical infrastructure that drives the modern digital economy.

Number of Attacks in 1H 2021