Peak DDoS Traffic Up 100%, Researchers ReportNokia Deepfield: Attack Traffic Up 50% between March and June 2020
The daily peak of DDoS attack traffic increased 100% from January 2020 and May 2021, reaching 3 Tbps, with most of the high-bandwidth, high-intensity attacks originating from less than 50 hosting companies, telecommunications equipment manufacturer Nokia’s data analytics division, Nokia Deepfield, reports.
As many workers worldwide shifted to working remotely during the COVID-19 pandemic in 2020, broadband connectivity became more essential, and DDoS attack traffic surged 50% in the period between mid-March and June 2020, the company says.
The rapidly growing number of open and insecure internet services and IoT devices has increased the potential size for DDoS attacks to over 10 Tbps, the report states.
Attacks of this size can derail many country-level network infrastructures, Alex Pavlovic, director of product marketing at Nokia Deepfield, tells Information Security Media Group (see: Fake Lazarus DDoS Gang Launches New 'Attacks').
Even for larger, Tier 1 networks, which usually deal with much higher traffic volumes, attacks of 10 Tbps or larger could account for a large percentage of the overall network traffic, Pavlovic says.
"From the forensics we conducted, it seems that most large-scale DDoS attacks used a large number of obsolete amplifiers - servers that can be used to reflect and amplify requests aimed at them,” Pavlovic says. “Our current internet security 'snapshot' obtained from Deepfield Secure Genome [Nokia’s live data feed on DDoS and internet threats] informs us that many more open servers and insecure IoT devices could launch attacks with intensity above 10 Tbps."
The availability of DDoS-for-hire services has added to the threat potential of the existing botnet, IoT and cloud-based attack models, the report says.
Large-scale DDoS attacks can result in substantial expenses as a result of production and operational losses, the report says.
In 2018, a Kaspersky report noted that the financial impact of a DDoS attack averaged more than $120,000 for small and midsize businesses and more than $2 million for larger enterprises.
Remote Operations Increase Risk
DDoS volumes in the first quarter of 2021 increased 31% compared to the previous quarter, with the occurrence of major attacks of 10 Gbps or higher tripling, according to a quarterly DDoS attack report by DDoS services provider Radware. The largest attack in Q1 was 295 Gbps, it says.
Pascal Geenens, director of threat intelligence at Radware, attributes the increase to companies’ reliance on remote operations.
"As organizations shifted their operations from on-site to remote working models, DDoS threat actors seized the opportunity to target the supporting backend infrastructure," he says. "With very limited bandwidth, attackers were able to cause maximum disruption with minimal effort, disrupting operations, impacting productivity and compounding the challenging environment that businesses were already facing."
Nokia’s Pavlovic calls for more coordinated efforts to exchange security-related information -such as the top domains from which DDoS traffic originates - among service providers and cloud builders.
"There are also some existing recommendations made by IETF [Internet Engineering Task Force], such as the use of network ingress filtering - RFC2827 or BCP38 - and MANRS [Mutually Agreed Norms for Routing Security] that we expect to gain additional traction," he says.
Brian Higgins, security specialist at security company Comparitech, says DDoS attacks are widespread because cybercriminals can affordably purchase the code needed to wage an attack.
Cybercriminals can use DDoS attacks to take down a website to extort money from victims or to disguise more sophisticated attacks, he adds.
"Individuals and businesses both should ensure they have up-to-date perimeter protection software installed, proportionate to the threat they face, and regularly check that they are running the most recent version to maintain their best defense,” he says.
"Global cloud-scrubbing centers must continually increase their total capacity on a timely basis, in line with the growing size of volumetric DDoS attacks," Radware's Geenens says.
Geenens notes that attack volume is just one aspect to be addressed during DDoS mitigation.
"Low and slow attacks, in my opinion, are much harder to detect in the large volumes of legitimate data we have come to witness these days," he says. "Low and slow attacks degrade the performance of applications and the user experience. Resources are consumed and paid for only to consume the malicious requests. In many cases, organizations are not even aware of those sneaky attacks and see themselves continuously adding resources to ensure customer experience until the application becomes economically unviable."
Geenens also says that it's important to have "globally distributed mitigation such that attacks are mitigated as close to the source as possible and prevent flows from growing to a level that might put critical network peering links at risk. We have seen the internet connectivity of entire countries impacted by DDoS attacks, where the attack is targeting specific organizations located in those countries." (See: UK Sentences Man for Mirai DDoS Attacks Against Liberia).