
DDoS expert review up to Q2 2021

Threat actors launched approximately 5.4 million Distributed Denial-of-Service (DDoS) attacks in the first half of 2021. But comparing 2020 and 2019 numbers and attack types, we can see trends developing.

  • There were 13% more attacks in 2021 than in 2019 when comparing Q2.
  • Q2 blocked DDoS attack volumes were up more than 40% compared to the same period in 2020.
  • The most attacked industry in the quarter was technology, with almost 3,000 attacks per company.

According to research from NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT), threat actors launched approximately 5.4 million Distributed Denial-of-Service (DDoS) attacks in the first half of 2021, an 11 percent increase from the same time period in 2020, putting the world on track to hit close to 11 million DDoS attacks in 2021.

But Q2’s numbers do show some signs of abatement:

  • ASERT observed 2,488,048 attacks in the second quarter, a 13% decrease compared with the first quarter’s extraordinary number of 2,863,882.
  • The second quarter 2021 numbers also decreased by 6.5% compared with Q2 2020. 
  • In June, monthly DDoS attack numbers dropped below 800,000 for the first time since March 2020, to 761,914. 

But although attack frequency has dropped, we are nowhere near the attack numbers that were considered normal prior to the onset of the COVID-19 pandemic. There were 13% more attacks in 2021 than in 2019 when comparing Q2.

The top five DDoS attack vectors seen in the first half of 2021 were TCP ACK, DNS amplification, TCP SYN, TCP RST, and TCP SYN/ACK amplification.

Attackers continue to find value in pouring on faster, more difficult-to-mitigate attacks.  

When it comes to attack duration in Q2 2021, attacks of 5 to 10 minutes continued to top the list, used by 38%. We also saw a slight increase in attacks lasting between 10 minutes and an hour compared with Q1 duration numbers.

Blocked DDoS attack volumes

Q2 blocked DDoS attack volumes were up more than 40% compared to the same period in 2020, a Radware report reveals. The report provides an overview of DDoS attack trends by industry, as well as across applications and attack types.

On average, a company had to detect and block nearly 5,000 malicious events and a volume of 2.3 terabytes (TB) per month during the second quarter of 2021.

In Q2, the average number of blocked malicious events per company was up more than 30% and the average blocked volume per company increased by more than 40% compared to the second quarter of 2020.

During the first half of 2021, a company located in the Americas or Europe, the Middle East, and Africa (EMEA) had to repel, on average, twice as much volume compared to a company located in Asia-Pacific (APAC). The Americas and EMEA accounted for about 80% of the blocked attack volume during that same period.

Tech topped most attacked industries

According to the report, the most attacked industry in the quarter was technology, with an average of almost 3,000 attacks per company, followed by healthcare (2,000 attacks per company) and finance (1,350 attacks per company). Attacks in retail, communications and telecommunications averaged between 600 and 1,000 per company.

Gaming averaged more than 400 attacks per company, while an average of approximately 280 attacks targeted government and utility organizations.

Ransom denial-of-service campaigns resurge

The second quarter saw a renewed DDoS extortion campaign by an actor posing as Fancy Lazarus. By the end of May, Radware had numerous emergency onboardings of its cloud security services from organizations that received these ransom letters.

During the second quarter of 2021, companies, on average, blocked almost 2,000 scan events by unsolicited vulnerability scanners. According to the attack report, of those scans, 40% were performed by potentially malicious scanners looking to actively exploit known vulnerabilities and attack an organization.

Vulnerability scanners are automated tools that allow organizations to check if their networks and applications have security weaknesses that could expose them to attacks.

Recently, scammers have been looking for ways to amplify DDoS attacks – the number of attacks through the Session Traversal Utilities for NAT (STUN) protocol has increased. Another visible trend is the exploitation of the TsuNAME vulnerability in DNS resolvers to attack DNS servers. In particular, this led to interruptions in the work of Xbox Live, Microsoft Teams, OneDrive, and other Microsoft cloud services. Internet service providers also fell victim to DDoS attacks.

China continued to lose ground in terms of the total number of DDoS attacks (10.2%). The USA remains the leader (36%) in this category for the second quarter in a row, while Poland and Brazil are new entries in the top five.

Kaspersky experts also analyzed which countries had bots and malicious servers that attack IoT devices in order to expand botnets. Results show that the majority of devices that carried out attacks were in China (31.8%), the US (12.5%) took second place, and Germany (5.9%) came in third.