Executive Summary

We’ve got good news and bad news.

The good news is that we accurately predicted a decline in distributed denial-of-service (DDoS) attacks would occur during the second half of 2021 (2H 2021), based on the early decreases we witnessed in Q2 from our last report. These numbers reflect the anticipated decline coinciding with the pre-Omicron easing of COVID-19 pandemic restrictions, with people returning to physical offices and classrooms. The overall number of attacks indeed decreased from 5.4 million in the 1H 2021 Threat Intelligence report to 4.4 million during the second half of the year.

And although any reduction in threat actor behavior is good, the bad news is that the reduction relates only to attacker behavior during the pandemic. Put another way, when you consider attacker behavior independent of the pandemic, the combined total of 9.7 million attacks in 2021 is a 14 percent increase over the number of attacks that occurred in 2019 and represents a DDoS attack every three seconds.

Another good news/bad news scenario also emerged in 2H 2021. The good news was a 32 percent decrease in domain name system (DNS) amplification and a 64 percent decrease in Connectionless Lightweight Directory Access Protocol (CLDAP) amplification attacks, both of which largely account for the overall decrease in attacks for the second half of the year. The bad news is that these types of attacks are now well understood, providing ample incentive for attackers to develop new strategies for disrupting networks and gathering information to extort their targets.

The result is that attackers doubled down on direct-path (non-spoofed) attacks instead of reflection/ amplification attacks, evening the playing field between both methods of attack. Likewise, they focused attention on targets that haven’t traditionally been in the crosshairs, such as Voice over Internet Protocol (VoIP) providers (who reported an estimated $9 to $12 million in revenue loss), software publishers, and computer manufacturing.

Attackers also started launching more potent direct-path attacks to take down user applications and services, thereby disrupting consumers’ ability to access the internet. Meanwhile, they continued to innovate with server-class botnets and increased use of DDoS techniques such as carpet-bombing.

So although it’s tempting to simply look at the decrease in overall attacks as threat actors resting on their laurels, the reality is that attackers are innovating and adapting new techniques and methodologies to strengthen and monetize their nefarious behavior.

Key Findings


The Triple Threat

For the first time ever, three prolific DDoS extortion campaigns operated simultaneously. VoIP providers were pummeled with high-profile DDoS extortion or ransom DDoS (RDDoS) attacks from a REvil copycat, resulting in an estimated revenue loss of $9 to $12 million, while Lazarus Bear Armada (LBA) and Fancy Lazarus targeted organizations around the world. Meanwhile, ransomware gangs continued adding triple extortion—attacks made up of file encryption, data theft/leakage, and DDoS attacks—to their arsenals.


A Flood of Attacks

Adversaries inundated organizations with TCP- and UDP-based floods, an activity we refer to as direct-path (non-spoofed) attacks. Nevertheless, a decrease in some amplification attacks drove down the total attack count for 2H 2021.


DDoS Ripple Effect

A rise in industry-specific targeting and direct-path attacks indicates that adversaries ramped up targeting of organizations, while attacks targeting customers of internet service providers (ISPs) on wired and cloud hosted networks declined slightly. This shift in modus operandi largely began as the world resumed normal daily activities in August and September 2021, coinciding with schools resuming on-site classes, companies removing some COVID restrictions, and employees returning to the office. Despite these focused targets, DDoS attacks cause damage not only to the intended target but to everything around it.


The rise of server-class Botnet Armies

The first botnets in the early 1990s were composed of servers, followed over the years by general-purpose personal computers (PCs) and then Internet of Things (IoT) botnets, which rose to prominence in the 2010s. Recently, adversaries not only increased the size of IoT botnets but also conscripted high-powered servers into larger botnets, as seen with the GitMirai variant exploiting a vulnerability on Git Servers.


DDoS-for-hire Free-for-all

Launching DDoS attacks with illicit DDoS-for-hire services no longer requires even a nominal fee. Most services now allow users to test basic DDoS attacks before increasing attack potency via some form of digital or cryptocurrency. The range of services offered by these nefarious platforms spans layers 3, 4, and 7 and targets everything from specific applications and games to methods for bypassing standard anti-DDoS measures. According to just 19 out of hundreds of such sites on the dark web, they claim to have successfully launched more than 10 million DDoS attacks.


The intersection of encryption, state, and DDoS defense

Adversaries are laser-focused on disrupting layer 4 Transport Layer Security (TLS)-encrypted applications and services, evidenced by the increase in bandwidth and throughput of these attacks. In fact, DDoS-for-hire services increasingly added specific attack types for different web browsers, web-based games, and gaming services software. These attacks negatively impact stateful firewalls, load balancers, and intrusion prevention systems (IPSs), further emphasizing that DDoS attacks are attacks against capacity or state.

Attack History

1h 2021



2h 2021



3% decrease over 2020 / 14% increase over 2019