The total number of distributed denial-of-service (DDoS) attacks fell 13% in 2021 over 2020, but were still well above pre-pandemic levels, according to Nexusguard researchers in the recently released DDoS Statistical Report for 2021.
Additionally, according to the report, while the average attack size fell by 50% over 2021 the maximum attack size nearly tripled, growing 297% over the same period.
The top three DDoS attack vectors in 2021 were UDP (user datagram protocol) attacks, DNS (domain name system) amplification attacks, and TCP (transmission control protocol) acknowledgment attacks.
UDP attacks were still the most common form of DDoS attack, even though they accounted for a smaller percentage of attacks this year, falling from 59.9% in 2020 to 39.1% in 2021, the researchers found.
According to the report, UDP attacks can quickly overwhelm the defences of unsuspecting targets, and they frequently serve as a smokescreen to mask other malicious activities such as efforts to compromise personal identifiable information (PII) or the execution of malware or remote codes.
DNS amplification attacks were the second most common, even though they also account for a smaller percentage of total attacks than they did 12 months ago, declining from 14.2% in 2020 to 10.4% in 2021, the report finds.
A DNS amplification attack occurs when UDP packets with spoofed target IP addresses are sent to a publicly accessible DNS server. Each UDP packet makes a request to a DNS resolver, often sending an 'ANY' request in order to receive a large number of responses.
Attempting to respond, DNS resolvers send a large response to the target's spoofed IP address. The target thus receives an enormous amount of responses from the surrounding network infrastructure, resulting in a DDoS attack.
TCP acknowledgment (ACK) attacks, on the other hand, accounted for a larger share of total attacks. Overall they rose to become the third most common form in 2022. In 2021, TCP ACK attacks accounted for 3.7%, which rose to 9.7%.
In these kinds of attacks, a large quantity of ACK packets with spoofed IP addresses are sent to the victim server, forcing it to process each ACK packet it receives, rendering the server unreachable by legitimate requests.
Nexusguard chief technology officer Juniman Kasman commented on the research saying, "While the number and average size of DDoS attacks fell in 2021 over 2020, the threat level is still very high when compared to pre-pandemic levels.
"Attack vectors are also in flux, because while UDP attacks are still the most common, TCP ACK, which can exponentially amplify the effect of a DDoS event with a small amount of traffic, rose significantly."
He concludes, "Organisations need to be prepared to deal with a wide array of vectors DDoS remains a persistent, elevated threat."