Link11 has released new data from its network on the development of the DDoS threat: The number of attacks remains at a very high level in Q3 2021. After Q2 2021 had already shown an increase of 19% compared to the same period of the previous year, the number of attacks rose by another 17% in Q3.
Attack volume and complexity of attack patterns are on the rise
In addition to the worsening of the threat situation in terms of the number of attacks, the increase in attack bandwidths and the rising complexity in attack techniques are also noticeable. Link11’s Security Operation Centre (LSOC) registered an increasing number of high-volume attacks. In 130 attacks, the maximum attack bandwidth exceeded 50 Gbps.
In addition, the maximum bandwidth more than doubled – by 159 % – compared to the same period last year. The largest attack was stopped at 633 Gbps. Furthermore, the attacks on the same customer added up to 2.5 Tbps within 120 minutes.
While single attack methods are declining, multi-vector attacks are becoming the norm in the DDoS threat landscape. The proportion of multi-vector attacks targeting multiple protocols and vulnerabilities, and thus different layers, increased significantly from 62% in Q2 2021 to 78% in Q3 2021. This development poses major challenges to many protection concepts that only focus on one layer or specific attack vectors and pushes them to their limits.
Key figures from the Link11 network on the DDoS threat situation in Q3 2021
- The number of attacks continued to increase: 17% increase in the number of attacks compared to Q3 2020.
- The increase in the number of attacks even amounted to over 1,000 %, if the carpet bombing attacks explained below are no longer counted as a whole, but as thousands of individual attacks.
- The attack bandwidths remained very high: the largest attack was stopped at 633 Gbps. In addition, there were over 100 attacks with more than 50 Gbps peak bandwidth.
- Increasing complexity of attack patterns: 78% of attacks were multi-vector attacks combining several techniques.
- Misused cloud servers as DDoS weapons: In every third DDoS attack (33 %), the attackers relied on cloud instances.
Carpet Bombing: Targeted attacks on operators of ICT infrastructures
Carpet bombing attacks are evolving into a major challenge for hosting and cloud providers, ISPs and carriers. These attacks are technically very complex. The data traffic per IP address is so low that many protection solutions do not recognise them as an anomaly, meaning attacks often fly under the radar.
In addition, the attacker does not direct the DDoS traffic to a specific system or server. Not only one IP address is attacked, but an entire network block with several hundred or thousand addresses. The extent of the threat can be seen in the example of a hosting provider from Southeast Asia that is protected via the Link11 network. In August 2021, LSOC registered several 100,000 carpet bombing attacks on the company within 72 hours. According to LSOC’s assessment, this form of attack thus reached a new level of quality.
The attack bandwidths of the individual attacks ranged from 100 Mbps to 40 Gbps and quickly added up to a total volume in the terabit range. For an inadequately protected hosting provider whose core business is operating servers, it is almost impossible to mitigate such “carpet bombing”.
“Although carpet bombing attacks seem to primarily target hosting and cloud providers, ISPs and carriers, their potential impact should not be underestimated,” said Marc Wilczek, managing director of Link11. “Attackers are intentionally targeting operators of basic digital infrastructures. When these infrastructures go offline, the connected business and working infrastructures of their customers go offline along with them. Therefore, there is no reason to give the all-clear. As the phenomenon becomes more prevalent, it is rather a matter of time before other sectors of the economy are confronted with it as well.”