DDoS Attacks Becoming More Potent, Shorter in Duration
US, India and East Asia Were Top Targets in 2022, Microsoft Report Says
Tech giant Microsoft says it observed distributed denial-of-service attacks become shorter in duration in 2022 while also becoming more potent and capable of larger impact.
The U.S., India and East Asia topped the targeted regions for DDoS attacks, among others, and internet of things devices remained the preferred choice to launch these attacks, according to Microsoft's DDoS trends report for 2022.
DDoS attacks in 2022, on average, lasted for less than an hour, and attacks that lasted for 1 or 2 minutes made up one-fourth of the total attacks last year.
The tech giant says the attacks were shorter because bad actors need fewer resources to carry them out and security teams are finding it harder to defend against them with legacy DDoS controls. "Attackers often use multiple short attacks over a span of multiple hours to make the most impact while using the fewest number of resources," Microsoft says.
An average of 1,435 DDoS attacks were observed daily, and the highest number was 2,215 attacks, recorded on Sept. 22. The volume of DDoS attacks during the holiday season increased considerably until the last week of December.
Short, Powerful Reflected Amplification
Microsoft documented a 3.25 terabyte-per-second attack in Azure Cloud as the "largest attack" in 2022. This is less than the previously known largest DDoS attack, which had an intensity of 3.47 TB per second at its peak.
Microsoft says TCP reflected amplification attacks are becoming more prevalent and powerful, and more diverse types of reflectors and attack vectors are typically exploiting "improper TCP stack implementation in middleboxes, such as firewalls and deep packet inspection devices." In reflection attacks, attackers spoof the IP address of the target to send a request to a reflector, such as an open server or middlebox, which responds to the target, such as a virtual machine.
The latest TCP reflected amplification attacks can reach "infinite amplification" in some cases. In April 2022, a reflected amplified SYN+ACK attack on an Azure resource in Asia reached 30 million packets per second and lasted 15 seconds. "Attack throughput was not very high, however there were 900 reflectors involved, each with retransmissions, resulting in high pps rate that can bring down the host and other network infrastructure," the report says.
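From the target's side, the reflected SYN+ACK pattern described above appears as handshake replies to SYNs the host never sent, arriving from many sources with repeats from each. The following detection sketch is an added example, not code from Microsoft's report; the record format, thresholds and function names are assumptions, and the sample packets are constructed using documentation address ranges.

```python
from collections import defaultdict

def detect_reflected_synack(packets, window_s=1.0, min_reflectors=3, min_pps=5):
    """Flag hosts that receive unsolicited SYN+ACKs from many sources in one window.

    packets: iterable of (ts_seconds, src_ip, dst_ip, src_port, dst_port, flags),
    where flags is "S" for SYN and "SA" for SYN+ACK (assumed record format).
    """
    outstanding = set()  # connections for which a real outbound SYN was seen
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for ts, src, dst, sport, dport, flags in sorted(packets):
        if flags == "S":
            outstanding.add((src, dst, sport, dport))
        elif flags == "SA":
            if (dst, src, dport, sport) in outstanding:
                continue  # reply to a SYN this host really sent
            bucket = buckets[(dst, int(ts // window_s))]
            bucket["count"] += 1
            bucket["sources"].add(src)
    alerts = []
    for (victim, win), b in sorted(buckets.items()):
        pps = b["count"] / window_s
        if len(b["sources"]) >= min_reflectors and pps >= min_pps:
            alerts.append({
                "victim": victim,
                "window_start": win * window_s,
                "pps": pps,
                "reflectors": len(b["sources"]),
                # values above 1 indicate retransmissions from each reflector
                "retransmit_ratio": b["count"] / len(b["sources"]),
            })
    return alerts

def build_sample():
    """Constructed traffic: one legitimate handshake plus 4 reflectors x 3 SYN+ACKs."""
    victim = "203.0.113.10"
    pkts = [(0.10, victim, "198.51.100.5", 50000, 443, "S"),
            (0.15, "198.51.100.5", victim, 443, 50000, "SA")]
    for i in range(1, 5):
        for r in range(3):  # r > 0 models the reflector retransmitting
            pkts.append((0.20 + 0.05 * i + 0.2 * r,
                         f"192.0.2.{i}", victim, 80, 40000 + i, "SA"))
    return pkts

if __name__ == "__main__":
    for alert in detect_reflected_synack(build_sample()):
        print(alert)
```

Counting packets per second and distinct sources separately matters here because, as in the April 2022 case, the byte throughput can stay modest while the packet rate is what exhausts the host.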
IoT Devices: Preferred Mode of Attack
IoT devices were the preferred choice of adversaries to launch DDoS attacks - a trend that has been growing in recent years, Microsoft says. In 2022, the use of IoT devices expanded during the Russia-Ukraine war.
Botnets such as Mirai, used by nation-state actors and criminal enterprises, adapted to infect a wide range of IoT devices and support new attack vectors.
"While Mirai is still a major player in the field of botnets, the threat landscape in the field of IoT malware is evolving, with new botnets emerging such as Zerobot and MCCrash," Microsoft said.
TCP Attacks Top the Chart
Accounting for 63% of all DDoS attacks recorded in 2022, TCP attacks were the most frequent form of DDoS attack, distantly followed by the UDP attack vector at 22%.
Politically motivated DDoS attacks have risen to the forefront, especially in the past year following Russia's invasion of Ukraine.
KillNet, a Russian hacktivist group that pledged its allegiance to Moscow, actively recruited volunteers to conduct DDoS attacks against Western nations (see: Pro-Moscow Nuisance Hackers Claim DDoS Attack on FBI Website).
According to the CyberPeace Institute, which tracks publicly disclosed attacks related to the Russia-Ukraine war, KillNet has launched 86 attacks against pro-Ukrainian countries since the war began in February.