Global pandemic and the easy availability of for-hire services and inexpensive tool sets gave adversaries more opportunities to attack.
Providers of DDoS mitigation services reported an overall increase in attack volumes, attack sophistication, and attack complexity in 2020 compared with prior years. Adversaries went after more organizations in more industries than ever before, and the motives for launching attacks became as varied as the attacks themselves.
Tom Emmons, principal architect at Akamai, says the increased dependency on remote connectivity as a result of COVID-19 drove up risk levels overall and provided bad actors with more opportunities to monetize DDoS attacks.
The barriers to entry for DDoS attacks also became extremely low, driven by tool-set improvements and the easy availability of for-hire services that allowed attackers to launch bigger and more consequential attacks, Emmons says. The combination of the two trends led not only to an increase in attacks but also, more interestingly, to a change in targets, he says.
The evolving nature of DDoS attacks heightened the need for formal mitigation strategies at many organizations. "DDoS is a relatively simple attack to orchestrate since all public Internet-facing websites and services are sitting ducks," says Mark Kedgley, CTO at New Net Technologies (NNT).
The best mitigation approaches continue to be the use of content distribution networks or Web application firewall technology to filter out malicious traffic. "The only real defense is using a reverse-proxy, content-distributed Web infrastructure that multiplies your Web presence and distributes access geographically while a mitigation process takes place to filter out the attack traffic," Kedgley says.
Here are the major DDoS trends for 2020, according to Kedgley and other experts.
1) The Global Pandemic Drove a Sharp Increase in DDoS Attacks
Threat actors launched more DDoS attacks this year than ever before. Much of the increase was tied to the large-scale shift to remote work as a result of the global pandemic. Adversaries perceived more opportunities to attack organizations that suddenly were forced to support large distributed workforces and employees logging in from weakly protected home networks.
"As a result of the pandemic, we saw an unprecedented number of systems going online, with corporate resources now in less-secure home environments, and a massive increase in the use of VPN technology," says Richard Hummel, threat intelligence lead at Netscout.
Netscout's current projections forecast more than 10 million DDoS attacks in 2020, the most ever in a single year. In May 2020 alone, Netscout observed some 929,000 DDoS attacks, the largest ever in a 31-day period. During the height of the pandemic-related lockdown between March and June, the frequency of DDoS attacks increased 25% compared with the previous three-month period.
The attacks consumed huge amounts of network throughput and bandwidth and increased costs for both Internet service providers and enterprises.
Other vendors reported a similar increase in DDoS attack volumes. Nexusguard observed a 287% increase in attack volumes in the third quarter of 2020, with the online gaming and gambling community bearing the brunt of the attacks.
"Most recently, and as we headed into the holiday season primed with pent-up shopping demand driven by COVID restrictions, we again observed a significant uptick in both the number of DDoS attacks, up 65%, and the number of customers attacked, up 57%," says Roger Barranco, vice president of global security operations at Akamai.
Contributing to the growth in attack volumes was the relatively easy availability of DDoS-for-hire services that allowed even novice threat actors to launch denial-of-service attacks. In many cases, it's likely that low-level threat actors carried out DDoS attacks because of low entry-barriers and the potential for monetary gain, says Stefano De Blasi, threat researcher at Digital Shadows. "In 2017, the average cost of a DDoS service was around $25," De Blasi says. "In our recent analysis, similar services are available for an average of just less than $7," he says.
2) Extortion DDoS Attacks Increased in Number
For the most part, threat actors continued to use DDoS attacks for diversionary purposes more so than anything else. In many cases, DDoS attacks were used as a diversion for data exfiltration attempts, or for distributing malware on networks while defenders were busy mitigating a DDoS flood.
At the same time, providers of DDoS mitigation services reported an increase in incidents where adversaries used large DDoS attacks — or threats of them — to try to extort organizations in multiple sectors.
One example was a large, and still ongoing, campaign that Akamai and others first reported in August involving threat actors who identified themselves as belonging to previously known nation-state-backed groups: Fancy Bear, Lazarus Group, and the Armada Collective. The campaign targeted thousands of organizations in the financial services, e-commerce, and travel sectors and involved multivector DDoS floods, some of which peaked at around 200 Gbps.
Before the attacks began, the threat actors typically sent intended victims a ransom denial-of-service extortion email in which they claimed they would conduct a small DoS attack as proof of their capabilities. The email warned targets of substantially larger attacks if they weren't paid a ransom in six days. Most organizations that received the threatening emails crossed the six-day mark without further incident. A few, though — including some very prominent ones —experienced substantial operational issues as a result of follow-on attacks, according to an FBI advisory on the campaign.
"At the end of the day, criminal actors are about one thing: money, money, and more money," says Akamai's Barranco.
For DDoS in particular, adversaries are highly motivated to try extortion attempts to drive profits, he says. The fact that the DDoS extortion campaign that started in August is still ongoing indicates that threat actors are making money and that some victim organizations are paying the ransom, he says. "It's easy to foresee the problem continuing into 2021 unless arrests are made," he says. "Paying the threat actors just emboldens them and incentivizes their criminal endeavors."
3) Multivector Attacks Became More Common
DDoS attacks became faster and a lot more complex this year. Adversaries tried to overwhelm enterprises defenses with campaigns that combined multiple different attack vectors at the network, application, and data layers.
An analysis of network data that Netscout conducted in 2020 found a 2,815% increase over 2017 in DDoS attacks using 15 or more attack vectors. The most common among them were attacks that abused protocols such as CLDAP and DNS as well as TCP, Chargen, MTP, OpenVPN, SNMP, SSDP, and BitTorrent. Other commonly used attack vectors included HTML, TFTP, Quake, NetBIOS, and IPMI.
Netscout found that even as multivector attacks increased sharply, the number of single-vector DDoS attacks dropped 43% in the first half of 2020. The average duration of DDoS attacks, too, was down 51% in the first half of 2020 compared with the same period the prior year, shortening the window for mitigation response.
All of this equated to increased complexity for organizations and heightened risk of service downtime, customer churn, and increased network transit and mitigation costs, says Netscout's Hummel. "Cybercriminals pounced on pandemic-driven vulnerabilities, launching an unprecedented number of shorter, faster, more-complex attacks designed to increase ROI," Hummel says.
According to Akamai, multivector attacks became so common in 2020 that some 33% of the attacks the company mitigated in the first half of the year involved three or more vectors.
4) DDoS Attacks Became Bigger
Most DDoS attacks in 2020 were relatively small in size, as they have been in recent years. Some 99% of the DDoS attacks that AWS mitigated on its network, for instance, were about 43 Gbps in size. However, at the same time, big attacks got bigger in 2020. In February, AWS reported blocking a CLDAP reflection attack with a peak volume of 2.3 Tbps, which was about 44% larger than any other attack the company had previously blocked. Before that incident, the largest DDoS attacks on AWS networks were less than 1 Tbps.
In late May and continuing into June, Akamai reported mitigating a 1.44 Tbps attack that at its peak involved a staggering 809 million packets per second. The company described it as the largest and most sophisticated DDoS attack it had helped mitigate. "During the first half of 2020, it was all about large, complex attacks against customers in the financial services and hosting spaces," Barranco says.
UDP reflection was by far the most commonly observed vector in large DDoS attacks, according to AWS. This included attacks such as NTP reflection, DNS reflection, and SSDP reflection attacks. "Each of these vectors is similar in that an attacker spoofs the source IP of the victim application and floods legitimate UDP services on the Internet," AWS said in its threat landscape report for the first quarter of 2020. "Many of these services will unwittingly respond with one or more larger packets, resulting in a larger flood of traffic to the victim application."
Hummel says the main factors that drove the bandwidth and throughput of DDoS attacks were attacker innovation and the continued development and deployment of insecure servers, services, and applications across the global Internet. Also contributing to the growing scale of DDoS attacks were the attempts by attackers to make use of both compromised servers and a group of reflectors located topologically near their targets, whenever possible, in order to get as much attack traffic as possible on target.
5) DDoS Attacks Targeted More Organizations Across More Industries Than Ever
Organizations within the online gaming and gambling communities once again tended to be the most frequently targeted in DDoS attacks. Seventy-seven percent of the DDoS attacks that Nexusguard observed in the third quarter were aimed at the gaming and gambling communities.
However, in 2020 attackers also broadened their range of targets to include organizations in verticals such as e-commerce, healthcare, and educational services. With more people working, shopping, and studying online as a result of pandemic-related social distancing measures, attackers also turned their attention to websites belonging to delivery services firms, retailers, and organizations providing distance learning services.
The attacker activity reflects the broader trend of threat actors moving beyond high-risk sectors commonly associated with DDoS attacks to a much wider set of industries and verticals to target for disruption, Barranco says. "There was a major shift in DDoS trends where attacks were being spread out amongst multiple verticals versus, for example, last year the games vertical was targeted comparatively at a much higher level," he says.
According to Akamai, the industries that experienced the biggest spike in DDoS attacks included the financial services sector, which saw a 222% year-over-year increase; the education sector, with a 178% jump; and the Internet and telecom sector, which experienced a 210% increase over 2019.
In the week following Thanksgiving, financial services firms were more heavily targeted in DDoS attacks than even the online gaming companies, Barranco says. "Throughout 2020, DDoS threat actors [went] wider and deeper among a diverse array of industries than ever before," he notes.