Findings from Link11’s H1 2020 DDoS Report reveal a resurgence in DDoS attacks during the global COVID-19 related lockdowns.
In April, May and June 2020, the number of attacks registered by Link11’s Security Operations Center (LSOC) averaged 97% higher than the during the same period in 2019, peaking at a 108% increase in May 2020.
Key findings from the annual report include:
- Multivector attacks on the rise: 52% of attacks combined several methods of attack, making them harder to defend against. One attack included 14 methods; the highest number of vectors registered to date.
- Growing number of reflection amplification vectors: Most commonly used vectors included DNS, CLDAP and NTP, while WS Discovery and Apple Remote Control are still frequently used after being discovered in 2019. Since the beginning of the year, the vector set for DDoS attackers has also been expanded by DVR DHCPDiscovery. The LSOC discovered the vector that exploits a vulnerability in digital video recorders. The new method of attack was used hundreds of times for DDoS attacks during the COVID-19 pandemic in the second quarter of 2020.
- DDoS sources for reflection amplification attacks distributed around the globe: The top three most important source countries in H1 2020 were USA, China, and Russia. However, more and more attacks have been traced back to France.
- Average attack bandwidth remains high: The attack volume of DDoS attacks has stabilized at a high level, at an average of 4.1 Gbps. In the majority of attacks 80% were up to 5 Gbps. The largest DDoS attack was stopped at 406 Gbps. In almost 500 attacks, the attack volume was over 50 Gbps. This is well over the available connection bandwidth of most companies.
- DDoS attacks from the cloud: At 47%, the percentage of DDoS attacks from the cloud was higher than the full year 2019 (45%). Instances from all established providers were misused, but most commonly were Microsoft Azure, AWS, and Google Cloud. Attackers often use false identities and stolen credit cards to open cloud accounts, making it difficult to trace the criminals behind attacks.
- The longest DDoS attack lasted 1,390 minutes – 23 hours. Interval attacks, which are set like little pinpricks and thrive on repetition, lasted an average of 13 minutes.
The data showed that the frequency of DDoS attacks depends on the day of the week and time of the day, with most attacks concentrated around weekends and evenings. More attacks were registered on Saturdays, and out of office hours on weekdays.
“The pandemic has forced organizations to accelerate their digital transformation plans, but has also increased the attack surface for hackers and criminals – and they are looking to take full advantage of this opportunity by taking critical systems offline to cause maximum disruption. This ‘new normal’ will continue to represent a major security risk for many companies, and there is still a lot of work to do to secure networks and systems against the volume attacks. Organizations need to invest in security solutions based on automation, AI and Machine Learning that are designed to tackle multi-vector attacks and networked security mechanisms,” said Marc Wilczek, COO, Link11.