DDoS reports – Securelist

DDoS attacks in Q3 2022

Oleg Kupreev, Alexander Gutnikov, Yaroslav Shmelev — Mon, 07 Nov 2022 08:00:31 +0000

News overview

In Q3 2022, DDoS attacks were, more often than not, it seemed, politically motivated. As before, most news was focused on the conflict between Russia and Ukraine, but other high-profile events also affected the DDoS landscape this quarter.

The pro-Russian group Killnet, active since January 2022, took the responsibility for several more cyberattacks. According to the hacktivists themselves, more than 200 websites in Estonia fell victim to their attacks, including the ESTO AS payment system. In nearby Lithuania, the websites and e-services of the energy company Ignitis Group were hit. Both attacks were described by the affected organizations as the largest they’ve faced in the last 10–15 years.

Killnet also claimed responsibility for an attack on the website and services of the US Electronic Federal Tax Payment System. The attackers stated on Telegram that they were “testing a new DDoS method.” During the attack, they said, the site administration tried to change the DDoS protection vendor, but then had a rethink. In addition, Killnet disrupted the US Congress website for a couple of hours.

On the other side of the Pacific, in Japan, 20 websites of four different government departments were hit by DDoS attacks. Killnet hacktivists claimed involvement in this incident, too. The defending side managed to eliminate the main damage within 24 hours, although the e-Gov administrative portal continued to experience access problems the day after.

The lesser known pro-Russian group Noname057(16) took the credit for the attacks on the website of Finland’s parliament and the publication archive of its government, which they managed to take offline temporarily. If the group’s Telegram channel is to be believed, the reason for the attacks was because “[Finnish] officials are so eager to join NATO.”

In turn, Russian resources suffered from DDoS attacks by pro-Ukrainian hacktivists. Victims included the Unistream, Korona Pay, and Mir payment systems, as well as the Russian National Payment Card System, which ensures the operation of Mir and the Faster Payments System. What’s more, activists brought down the website, call center, and SMS provider of Gazprombank; Otkritie Bank noted disruptions to its internet banking service and mobile app, and SberBank reported 450 repelled DDoS attacks in the first two months of Q3. According to SberBank, this is the same number as in the previous five years put together.

Electronic document management systems, in particular SKB Kontur and Taxcom, were also in the firing line. Their websites were either down or slow, which caused supply troubles for dairy producers. The websites of the political parties United Russia, Young Guard of United Russia, and A Just Russia — For Truth.

Media outlets did not go unaddressed either: RIA Novosti and Sputnik suffered attacks that lasted almost 24 hours, while the website of Argumenti i Fakti was unavailable for some time. Meanwhile, StormWall reported that 70 regional newspapers in 14 Russian cities, among them Bryansk, Kaluga, Chelyabinsk, Pskov, Omsk, Tyumen, and Sochi, were hit by garbage traffic.

A wave of DDoS attacks swept across many tech and entertainment companies as well. Hacktivists attacked around 20 Russian video-conferencing platforms. Among the services affected were TrueConf, Videomost, Webinar.ru, and iMind. Also targeted were the websites of Kinomax, Mori Cinema, Luxor, Almaz Cinema, and other movie theaters. Hacktivists also tried to disable the websites of the car information portal Drom, the drone store MyDrone, and the security vendor Avangard.

Already in Q1, various sites and apps were available to allow technically inexperienced users who sympathize with Ukraine to join DDoS attacks against Russian resources. The Russian-speaking APT group Turla exploited the hype. In July, Google researchers reported a piece of Android malware being distributed by cybercriminals under the guise of a DDoS tool for attacking Russian websites. According to experts, this is Turla’s first ever malware for Android.

Besides the Russia–Ukraine conflict, there were reports of politically motivated DDoS attacks in other hot spots on the planet. US Congress Speaker Nancy Pelosi’s visit to Taiwan provoked not only a public outcry in mainland China, but also a string of cyberattacks both before her arrival on the island and in the hours immediately after. In particular, the websites of Taiwan’s president and its Ministry of National Defense experienced downtime. Also affected were the online resources of the Ministry of Foreign Affairs and Taoyuan International Airport.

Israel, too, became a DDoS target when cybercriminals attacked the websites of the country’s Ministry of Health and Tel Aviv-Yafo Municipality. As a result, access to these resources from abroad was limited. Responsibility for the cyberattacks was claimed by Al-Tahira (aka ALtahrea), a group opposed to NATO and its allies.

The post-Soviet space was also a hotbed of activity. Amid the escalating conflict between Armenia and Azerbaijan, a DDoS attack battered the official site of the Collective Security Treaty Organization (CSTO), a Russia-led military alliance in Eurasia. The CSTO reported that attackers, under the guise of a DDoS, had attempted to change some information on its website. And in the last third of September, the Kazakhstani segment of the internet faced a DDoS onslaught from abroad. At around the same time, local media (Top Press, New Times, Skif News) were also subjected to DDoS attacks.

Some events in Q3 could not be described as unambiguously political. For example, the company Russian Environmental Operator reported DDoS attacks on the new Secondary Material Resources Exchange immediately after the announcement of the platform’s launch. Although this may have been part of a hacktivist campaign, new online resources regularly face DDoS attacks before going live even during quiet times. The largest Russian-language torrent tracker RuTracker and the entertainment portal Live62 also admitted to being attacked in Q3. Both sites have been beset by copyright infringement claims, and RuTracker has been blocked in Russia as a pirate resource.

In addition, a number of firms specializing in DDoS protection reported major attacks in Q3.

Akamai announced two major attacks on the same client from Eastern Europe. In both cases, the number of packets per second sent by the attackers was extraordinary. The first attack, on July 21, peaked at 659.6 million packets per second, a new European record at the time, says Akamai. This was not an isolated case: in July, this same client was attacked more than 70 times. The record held until September 12, when another attack posted 704.8 million packets per second.

In continuation of a Q2 trend, Google says it blocked an HTTPS-based DDoS attack that peaked at 46 million requests per second, 77 percent more than the record-breaking HTTPS attack mentioned in our previous report. According to experts, the attack involved more than 5,000 IP addresses from 132 countries, with around 30 percent of the traffic coming from Brazil, India, Russia, and Indonesia. The geographical distribution and botnet characteristics suggest the use of the Mēris family.

Lumen reported stopping an attack with a capacity of over 1 terabyte per second on the servers of its client. At the time of the attack, the target servers were hosting a gaming service. In the week leading up to the incident, the attackers tested various DDoS methods and studied the victim’s protection capabilities by issuing commands to bots from three different C2 servers.

Gaming services are regularly targeted by DDoS. In Q3, the servers of Gaijin Entertainment, which developed War Thunder, Enlisted, and Crossout, were hit by an extended series of attacks. They began on September 24, and users were still complaining of disruptions at the time of writing. To reduce the negative effect of the DDoS attack, Gaijin promised to extend its promotions and premium subscriptions, as well as award bonuses to players for a whole week.

The North American data centers of Final Fantasy 14 were attacked in early August. Players experienced connection, login, and data-sharing issues. Blizzard’s multiplayer games — Call of Duty, World of Warcraft, Overwatch, Hearthstone, and Diablo: Immortal — were also DDoSed yet again.

An ESL eSports match between the teams NaVi and Heroic was held up for over an hour due to a DDoS attack on individual players. The match continued only after the organizer had dealt with the threat.

In turn, the developers of the game Tanki Online announced they had finally neutralized a string of DDoS attacks that had plagued players since the summer. Having beefed up protection and stabilized the servers, the organizers thanked the players for their patience with a prize giveaway.

That was not the only good news regarding DDoS attacks on gaming services this quarter: in Sweden, police detained a suspect in a DDoS attack on Esportal, a CS:GO tournament platform. If convicted, they face from six months to six years in prison.

Anti-DDoS measures are also being implemented at the national level. For instance, Israel announced the launch of the Cyber-Dome project, designed to secure national digital resources. According to the Israel National Cyber Directorate, having a single protective complex will “elevate national cybersecurity by implementing new mechanisms in the national cyber perimeter and reducing the harm from cyberattacks at scale.”

In Bangladesh, the governmental Computer Incident Response Team required all key organizations, including those responsible for the country’s IT infrastructure, to develop and introduce anti-DDoS measures. This came after a reported spike in attacks.

At the same time, the global legal consensus that any DDoS attack constitutes a cybercrime came under threat in Q3, and from an unexpected source. The Hungarian Cable Communications Association (MKSZ) requested that the law be changed to officially allow MKSZ members and legal enterprises from the telecom industry to carry out DDoS attacks as a means of combating IPTV piracy. Traditional measures, such as blocking IP addresses and domain names, MKSZ described as slow and ineffective, while legally sanctioned cyberattacks could genuinely force users to abandon pirate services.

It was not only Hungarian telecom companies that had the idea of taking the fight to cybercriminals. After the ransomware group LockBit hacked Entrust, a specialist cybersecurity firm, and began publishing confidential data, unknown actors attacked the site where the information was being leaked. The packets they sent contained an unambiguously worded message: DELETE_ENTRUSTCOM_[BAD_WORD].

Quarter trends

The main surprise of Q3 2022 was the lack of surprises, which were continuously present since late 2021. But that doesn’t mean it was a dull quarter. Let’s take a look at the statistics.

Comparative number of DDoS attacks, Q3 2021, Q2 and Q3 2022. Q3 2021 data is taken as 100% (download)

The first thing worth noting is the significant rise in the number of DDoS attacks of all types relative to the previous reporting period. At the same time the quarter picture is fairly standard: a relatively calm summer followed by a sharp surge in DDoS activity. In September, the Kaspersky DDoS Protection team repelled 51 percent of all attacks in the quarter, which amounts to roughly the same number as in the previous two months. This is a normal situation that we observe and report on every year. Usually the autumn growth is more of a recovery after the summer slump, but the fact remains that the number of DDoS attacks always increases sharply in September. This is due to a general rise in activity after the lazy summer months: people return from vacation, students go back to school, and everything picks up, including the DDoS market.

Share of smart attacks, Q3 2021 and Q2/Q3 2022 (download)

What is unusual, however, is the continued growth in the share of smart attacks, which, with 53 percent, already account for the majority, setting a new record in the history of our observations. Moreover, DDoS attacks on HTTP(S) this quarter exceeded those on TCP for the first time, despite the latter being easier to organize and still the most common type of DDoS.

Ratio of HTTP(S) and TCP attacks, Q2 2021–Q3 2022 The number of TCP-based attacks for the corresponding period is taken as 100% (download)

What’s most interesting is that, in absolute terms, the number of attacks on HTTP(S) has remained quite stable over the past year. The share of attacks on TCP is on a downward curve, which reflects well the general trend: the share of dumb DDoS attacks is falling, while that of smart attacks is growing. This was bound to happen sooner or later, as tools on both the attacking and defending sides evolve and become more readily available. Organizing L7 attacks is getting easier, while L4 attacks are losing their effectiveness. As a result, they are being used less and less by professionals in their pure form (although L4 vectors are still found in mixed attacks), and more and more by amateurs. The above figures illustrate this well.

Note this Q1 2022 stat: There were half as many DDoS attacks on HTTP(S) as on TCP. February and March saw a significant increase in non-professional attacks due to the geopolitical situation, as outlined in our report. Hacktivists are passionate but fickle. Having quickly tired of DDoS, they switched to other attacks, and the share of DDoS started to fall. By Q3, it was tending to zero. Meanwhile, the number of high-quality professional attacks, after increasing in Q1, remains at a high level. The targets have not changed either: mainly the financial and government sectors. Both of these facts reinforce our notion that, from the spring until at least the end of September, professionals were working to order against these sectors, which is reflected in our statistics.

In terms of DDoS attack duration, there were no new records: if Q2 was marked by the longest attack ever observed, Q3 was calmer: on average, attacks lasted about eight hours, with the longest being just under four days. Compared to the previous quarter, this seems rather modest, but the numbers are still huge: in Q3 of last year, the duration of DDoS attacks was measured in minutes, not hours. In this regard, the situation remains challenging.

DDoS attack duration, Q3 2021 and Q2/Q3 2022. Q3 2021 data is taken as 100% (download)

DDoS attack statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of varying type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C2 servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q3 2022.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographic locations of DDoS-attack victims and C2 servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Quarter summary

In Q3 2022:

Kaspersky’s DDoS Intelligence system detected 57,116 DDoS attacks.
A total of 39.61 percent of targets, affected by 39.60 percent of attacks, were located in the US.
The busiest day of the week (15.36 percent of attacks) was Friday and the calmest (12.99 percent) was Thursday.
July saw the sharpest contrast: The 1st and 5th saw 1494 and 1492 attacks, respectively, and the 24th just 135.
Attacks lasting less than four hours accounted for 60.65 percent of the total duration of attacks and for 94.29 percent of the total number of attacks.
UDP flood accounted for 51.84 percent of the total number of attacks, and SYN flood for 26.96 percent.
The country with the largest share of bots trying to hack into Kaspersky SSH honeypots was the US (17.60%).

DDoS attack geography

In Q3 2022, the top four countries in terms of resources attacked remained unchanged from the previous reporting period. The US (39.60%) remained in first place, despite losing 6.35 percentage points. Mainland China’s share (13.98%) increased by almost the same amount, up 6.31 percentage points, securing second place. Germany (5.07%) remains in third and France (4.81%) in fourth place.

Hong Kong (4.62%) rounded out the TOP 10 countries and territories with the highest number of DDoS attacks last quarter. Having seen its share more than double this quarter, it now ranks fifth. Brazil (4.19%) moved up into sixth position, while Canada (4.10%) and the UK (3.02%), which ranked fifth and sixth last quarter, dropped to seventh and eighth, respectively. Propping up the TOP 10 are Singapore (2.13%) and the Netherlands (2.06%).

Distribution of DDoS attacks by country and territory, Q2 and Q3 2022 (download)

The distribution of unique DDoS attack targets by country and territory is almost a carbon copy of the attack rating. In first place is the US (39.61%), followed by mainland China (12.41%), whose share grew most noticeably over the quarter, up 4.5 percentage points. Third place still belongs to Germany (5.28%), and fourth to France (4.79%).

As in the distribution of attacks, Brazil (4.37%) and Hong Kong (4.36%) ranked fifth and sixth by number of unique targets, but in reverse order. The former was home to slightly more DDoS targets, while the latter showed larger growth against the previous reporting period, climbing 2.36 percentage points. Canada (3.21%), the UK (2.96%) and Singapore (2.11%) occupied lines seven to nine in the table, while tenth place went to Poland (2.00%), squeezing the Netherlands (1.86%) out of the TOP 10.

Distribution of unique targets by country and territory, Q2 2022 and Q3 2022 (download)

Dynamics of the number of DDoS attacks

The number of DDoS attacks in Q3 2022 fell again. Having decreased by 13.72 percent in the previous reporting period relative to the one before, this quarter it dropped by a further 27.29 percent, to 57,116. August proved to be the busiest month, with Kaspersky’s DDoS Intelligence system detecting an average of 824 attacks per day. July, on the other hand, was calm: 45.84 percent of all attacks during this month occurred in the first seven days, maintaining the dynamics of June, which posted an average of 1301 per day; starting from week two, however, the average number of daily attacks fell to 448. Thus, the July average was just 641 DDoS attacks per day, slightly ahead of the even quieter September, which averaged 628.5. At the same time, September’s attacks were distributed more evenly throughout the month.

The quarter’s peak and trough both came in July: the most aggressive day was the 1st (1494 attacks); the calmest was the 24th (135). In August, over a thousand attacks were recorded on the 8th and 12th alone (1087 and 1079, respectively), and the quietest day was the 30th (373). September delivered no noteworthy highs or lows.

Dynamics of the number of DDoS attacks, Q3 2022 (download)

Sunday (13.96%) in Q3 fell by 1.85 percentage points compared to the previous reporting period, and lost its position as the leading day in terms of traffic. Saturday’s share also declined, but remained above 15 percent. First place by number of DDoS attacks went to Friday, which showed a noticeable increase — from 13.33 to 15.36 percent. Thursday was the only day whose share dropped below 13 percent, down to 12.99 percent.

Distribution of DDoS attacks by day of the week, Q3 2022 (download)

Thursday was also the only weekday that saw its share decrease.

Duration and types of DDoS attacks

In Q3 2022, sustained attacks of 20 hours or more accounted for 19.05 percent of the total duration of attacks. This figure almost tripled after falling in the previous reporting period, almost reaching the level as that at the beginning of the year. Accordingly, the proportion of long-term attacks increased quantitatively: from 0.29 to 0.94 percent.

Short attacks lasting up to four hours showed a slight decrease to 94.29 percent. At the same time, their share of the total duration of DDoS attacks fell significantly, from 74.12 to 60.65 percent. Attacks lasting from five to nine hours remained in second place (3.16% of attacks); attacks lasting from 10 to 19 hours were in third (1.60%).

The longest attack of Q3 lasted 451 hours (18 days 19 hours). That was way ahead of the second-place 241 hours (10 days 1 hour). The average duration of attacks rose slightly to around 2 hours 2 minutes, which is not surprising given the increase in the share of sustained attacks and the decrease in the share of short ones.

Distribution of DDoS attacks by duration, Q2 and Q3 2022 (download)

In Q3 2022, the ranking of DDoS attack types was unchanged from the previous reporting period. The share of UDP flood fell from 62.53 to 51.84 percent, but remained the most common type of DDoS. The second most common, SYN flood, on the contrary, increased its share to 26.96 percent. TCP flood (15.73%) reversed its decline, adding more than 4 percentage points to hold on to third place. GRE flood and HTTP flood made up 3.70 and 1.77 percent, respectively, of the total number of attacks.

Distribution of DDoS attacks by type, Q3 2022 (download)

Geographic distribution of botnets

Botnet C2 servers are still mainly located in the US (43.10.%), but its share fell by 3 percentage points. The Netherlands (9.34%), which ranked second last quarter, slipped more than 5 percentage points and again changed places with Germany (10.19%). Russia (5.94%) stayed in fourth place.

Asian countries come next: fifth place goes to Singapore (4.46%) and sixth to Vietnam (2.97%), whose share in Q3 continued to grow, although not as rapidly as in Q2. They are followed by a new entry in the ranking, Bulgaria (2.55%), whose share increased more than sixfold.

France dropped from fifth place to eighth (2.34%), and the UK (1.91%) to ninth. Canada and Croatia, which rounded out last quarter’s TOP 10, gave way to Hong Kong (1.49%) by number of C2 servers.

Distribution of botnet C2 servers by country and territory, Q3 2022 (download)

Attacks on IoT honeypots

In Q3, mainland China surrendered its lead in terms of number of bots attacking Kaspersky SSH honeypots: its share dropped to 10.80 percent. First place was claimed instead by US-based bots (17.60%). Third, fourth, and fifth positions, with hardly any distance between, belong to India (5.39%), South Korea (5.20%), and Brazil (5.01%). Germany (4.13%) dropped from third place last quarter to seventh, but bots based there were among the most active in Q3, responsible for 11.22 percent of attacks. This figure is bettered only by the US bots (27.85%). What’s more, over five percent of attacks came from bots in Singapore (5.95%) and India (5.17%), which took third and fourth place, respectively.

TOP 10 countries and territories by number of devices from which Kaspersky SSH traps were attacked, Q3 2022 (download)

As for Kaspersky Telnet honeypots, here mainland China retained its lead among countries and territories by number of both attacks and attacking devices. The first figure, however, declined from 58.89 to 38.18 percent, while the second climbed slightly from 39.41 to 41.91 percent. Second place by number of attacks went to the US (11.30%), with Russia third (9.56%). In terms of their share of bots, these two countries rank slightly lower: in sixth (4.32%) and fourth (4.61%) place, respectively. The TOP 3 countries by number of bots featured South Korea (8.44%) and India (6.71%). Taiwan ranked fifth with 4.39 percent.

TOP 10 countries and territories by number of devices from which Kaspersky Telnet traps were attacked, Q3 2022 (download)

Conclusion

The situation in Q3 2022 points to a stabilization of the DDoS market after a tumultuous first half of the year, although it remains difficult. Yet the picture changes every quarter and forecasts remain tentative at best: pretty much anything can happen. That said, we don’t expect any significant surges or drops in Q4. If our conclusions are correct, and the market is indeed back on a predictable track, we expect similar indicators in Q4 as in Q3, adjusted for the slight growth we usually see toward the end of the year. In any case, we can assume such a development in terms of both number and quality of attacks. As for duration, here we can only guess: the DDoS market is still very far from the norm, and the length of attacks tends to jump up and down. We hope that Q4 shows relative stability in this regard, too, and does not try to break any records.

DDoS attacks in Q2 2022

Alexander Gutnikov, Oleg Kupreev, Yaroslav Shmelev — Wed, 03 Aug 2022 08:00:22 +0000

News overview

Politically-motivated cyberattacks dominated the DDoS landscape in the second quarter of 2022 just as they did in the previous reporting period. ALtahrea Team, a group targeting NATO and its partners, attacked public transportation websites in Israel and the United Kingdom. Israel saw a cyberattack on the Airports Authority, and UK, an attack on the Port of London Authority. Also attributed to the group are cyberattacks on websites affiliated with the Turkish ministry of defense.

Attacks linked in some way or another to the Russia-Ukraine conflict continued too. The pro-Russian hacktivists Killnet, which first surfaced in January 2022, claimed responsibility for DDoS attacks on the websites of various European organizations from April through June. Starting on April 18, Czech government and public transportation websites, including those of the rail authority and airports, came under attack. Then on April 29, the hackers targeted Romanian government websites including those of the Border Police, the National Railway Transport Company and Optbank, and on May 8, German websites, including the Bundestag and the Federal Police. Italy was another DDoS target: the websites of the senate, the National Health Institute and the Automobile Club d’Italia took a hit on May 11. The attackers used the slow HTTP technique, transmitting the HTTP request body at a very low rate and sending incomplete requests to make the target servers allocate resources for listening. Later cyberattacks attributed to Killnet affected the Italian foreign ministry and national magistrate association websites. In late June, the hacktivists attacked Lithuania’s Secure National Data Transfer Network as well as other government agencies in that country. At various points throughout the quarter, the group took responsibility for DDoS attacks on various European organizations, which did not publicly confirm the incidents.

In several cases, no entity claimed responsibility for what was presumed to be politically-motivated attacks. For example, websites belonging to the Vltava Labe Média publishing house were down on April 6–7. The publisher said it had been subjected to DDoS attacks multiple times since the start of the Ukraine conflict. The websites of Finland’s defense and foreign affairs ministries were unaccessible on April 8, the day when Volodymyr Zelenskyy was addressing the country’s parliament. Iceland was the target of several cyberattacks in mid-April, with the websites of various organizations affected, including media outlets. The police suspect political motivation as the country announced the intention in March to boost its defense budget. Some of the targeted resources resorted to geoblocking to stay online.

Another anonymous attack that could be categorized as driven by political motives is the April 22 DDoS attack on Ukraine’s postal service, which followed the release of postage stamps featuring the image of the Russian cruiser Moskva. Estonian government websites, including the Information System Authority (RIA), remained under attack from April 21 through at least April 25. The Estonian government came under attack again on May 9 as the website of the country’s foreign ministry was brought down.

Some of Ukrainian and pro-Ukrainian websites were attacked from compromised WordPress sites. Hackers were embedding a script within the main files of the websites, which sent requests to various targets on behalf of visitors. In technical terms, this bore a similarity to the hacktivist attacks on Russian websites that we covered in the first quarter, the difference being that in the earlier case, the hacktivists were making DIY stresser sites, allowing sympathetic visitors to aid in their DDoS efforts. Interestingly enough, one of the hacked WordPress sites was a hacktivist website used to attack Russian media outlets in the previous quarter.

Russian websites remained a target for DDoS attacks in Q2. The attacks were coordinated via pro-Ukrainian Telegram channels as before. A hacktivist attack on the information systems that supported the St. Petersburg International Economic Forum (SPIEF) resulted, among other things, in the Russian president’s speech at the event being delayed by an hour. The SPIEF press pass issuance system and press room experienced issues too.

A further DDoS target was the Gosuslugi e-government website and mobile application. Russia’s ministry of digital development reported a tenfold load increase on these resources. Other federal agencies subjected to cyberattacks were the consumer health watchdog Rospotrebnadzor and the agricultural safety watchdog Rosselkhoznadzor. The latter’s website said the cybercriminals were primarily targeting Mercury, an electronic veterinary certification system.

Other electronic document management systems were targeted too. Alcohol producers and distributors faced difficulties delivering their goods to stores due to a cyberattack on the Unified State Automated Information System (EGAIS). Due to outages that affected the fiscal data operator’s website, OFD.ru, receipt delivery to internal revenue offices was greatly delayed. The Chestny ZNAK national track & trace digital system was also inundated with junk traffic.

Websites of the Perm Krai provincial administration and legislature were among the government resources that suffered from cyberattacks. The hacktivists haven’t spared the media either: novgorod.ru, Zebra TV, Amurskaya Pravda, sibkray.ru, the Lotos state broadcaster and other provincial news outlets reported service disruptions.

Private service providers were also caught in a surge of cyberattacks. According to CNews, 1C-EDO, 1C-OFD, 1C:Reporting and other services of Russian enterprise software developer 1C were unavailable for several days. The privately-owned RosDorBank recorded an impressive volume of malicious traffic: up to three million requests per second. A number of Russian airlines — Rossiya, Aurora, ALROSA, and others — said around the same time that their websites had been targeted by DDoS attacks. “Moskovskiye apteki”, a pharmaceutical journal, reported that aptekamos.ru and other websites of well-known pharmaceutical publications and pharmacy aggregators and chains had been attacked daily from March through June.

NashStore, Russia’s mobile app marketplace modeled after App Store and Google Play, experienced outages on its official launch day. Widespread DDoS attacks targeted Russian colleges as enrollment boards began to examine applicants. Outages affected visitors to some websites of RUDN University and Moscow Polytechnical University, Astrakhan State University, Siberian Federal University, colleges in Yaroslavl, Perm and Irkutsk, and schools in Tatarstan, the Komi Republic, Altai Krai, Amur Oblast and other provinces. Students are often known to be behind DDoS attacks on schools, especially on key academic dates, but in this case, the cyberattacks were orchestrated via pro-Ukrainian Telegram channels too.

Educational establishments in the United States suffered from DDoS attacks as well: schools of Topeka USD 501, Kansas, were disconnected from the internet for five minutes as a result of a cyberattack. The incident prompted the school district administration to contract a specialized infosec provider for DDoS protection.

As usual, the gaming industry was targeted too. Fans of World of Warcraft, Overwatch, Call of Duty and Diablo III had issues accessing the games for slightly more than an hour on May 11 as Battle.net experienced a DDoS attack on its servers. STEPN, a game in which players can earn crypto tokens for real-life running and trade in virtual sports shoes, reported a series of incidents in June. The attacks followed an update that targeted cheaters. The admins asked the users to take a break from the game to avoid errors in recording their workouts.

DDoS attacks on websites associated with cryptocurrency are anything but rare. They are often timed to coincide with landmark events, such as new cryptocurrency launches and rate fluctuations. In Q2 2022, the website of the Tether stablecoin was targeted by a DDoS attack after the rate dropped despite USD pegging.

Ransom DDoS attacks, which often made the news in 2020 and 2021, had all but died down: the only one that received broad coverage was an attack by a group that claimed to be the operator behind the infamous REvil ransomware. Our fellows at Cloudflare acknowledged the trend in their Q1 2022 report.

Cloudflare also reported two unprecedentedly powerful HTTPS DDoS attacks. These are more costly both to the attacker and the victim compared to DDoS attacks that use the unsecured HTTP protocol. In the first case, the attack rate reached 15 million requests per second, with the target bombarded with junk traffic for less than 15 seconds. The victim was a company operating a crypto launchpad. The record was beaten two weeks later by an attack with the magnitude of 26 million requests per second.

Both attacks were launched by relatively small botnets consisting of five to six thousand devices each. Unlike larger, but less powerful zombie networks composed of IoT devices, these utilized web servers and virtual machines. The operator behind the second HTTPS attack, the most powerful one to date, has been nicknamed Mantis after the tiny yet mighty predatory insect.

Botnets built from routers, cameras, and other consumer devices did not go away, either. The 360 Netlab company published a report on a new zombie net named Fodcha, which expanded through brute-force attacks and by exploiting known vulnerabilities in IoT devices. As of April 10, 2022, the number of Fodcha bots in China alone exceeded 60 000, with more than 10 000 active daily. Fodcha C2 servers were originally hosted on a single cloud provider’s network, but after those were blocked, the operators had to rebuild their infrastructure. At the time the study was published, command and control functions were spread across several providers’ clouds, with commands reaching bots from a dozen IP addresses in different countries.

Enemybot is another new DDoS botnet, which belongs to the Keksec extortion group, borrows code from the Mirai and Gafgyt bots, and drops a file with the cybercriminals’ signature on devices it infects. The bot specializes in attacking routers and web servers that contain known vulnerabilities, including those discovered in 2022.

As for previously-known botnets, Q2 2022 saw a series of publications on their recent activity. Fortinet reported in early April on two vulnerabilities, which were weaponized by the Mirai variant known as Beastmode. A significant portion of these were vulnerabilities found in TOTOLINK routers in 2022. In May, Microsoft published a report on a surge in activity associated with the XorDdos bot that targets Linux devices.

Another noteworthy publication appeared on Stackoverflow: On May 16, the website posted a breakdown of cyberattacks it suffered, describing some interesting techniques and explaining how Stackoverflow had defended itself. For example, in one of the cases, the attackers used highly expensive SQL queries triggered from a large number of IP addresses. This meant that IP blocking was not an effective protection method, and the criminals managed to load some of the backend servers to full capacity.

Positive Technologies and Qrator Labs experts said the second quarter saw a new trend among DDoS attackers: they began looking for ways to bypass geoblocking after companies started to rely heavily on the technique. In particular, they use VPN, proxy servers, and infected devices located in the same region as the target to render blocking pointless.

Amid the battle between the attackers and their targets, Roskomnadzor, Russia’s communications watchdog, said it would adopt the Deep Packet Inspection (DPI) technique to fight DDoS. Critics say that although technically feasible, DPI is limited in what it can do and is no cure-all. Besides, the system would need to be updated and trained to make it fit the purpose.

Meanwhile, other countries keep on combating operators renting out DDoS capacities: the FBI, supported by Dutch and Belgian authorities, seized two domains used for selling the services.

Quarter trends

The second quarter of 2022 saw the continuation of a trend that began in spring: an increase in superlong attacks. These last so long that websites remain under stress continuously. Compared with the previous quarter, DDoS attacks faded from public view and amateur hacktivist attacks all but ceased. That said, they had done no major damage before, so the cessation had little effect from a DDoS defense perspective. But let us look at the figures.

Comparative number of DDoS attacks, Q2 2021, Q1 and Q2 2022. Q2 2021 data is taken as 100% (download)

In this quarter, the Kaspersky DDoS Protection group repelled about 2.5 times more attacks year-on-year. The number is huge, but it pales in comparison with Q1 2022 when we detected almost twice as many. It would seem that we are seeing a drop in attacker activity, but things are, in fact, much more interesting. Though there were fewer attacks in absolute terms, the overall DDoS situation might have deteriorated.

As mentioned above, hacktivist activity, which was responsible for the previous quarter’s surge, tapered off. An overwhelming majority of those attacks were neither professionally managed nor very long, so they failed to produce any particular effect on anything but pure statistics. The attacks we observed in Q2 and are still observing are of a somewhat different nature. They last for days, even weeks, with this quarter’s record being 41 441 minutes or about 29 days. The most attacked resources remain stressed almost continuously.

DDoS attack duration, Q2 2021, Q1 and Q2 2022. Q2 2021 data is taken as 100% (download)

The average duration of a DDoS attack in Q2 was about 3000 minutes (roughly 50 hours or about 2 days). Compare this with the average of 30 minutes for Q2 2021: the figure has grown hundredfold. It is extremely expensive to sustain an attack for such a long time, especially an ineffectual attack that gets blocked by cybersecurity systems. Continuous bot activity increases the risk of botnet hosts wearing out or being detected, or even the C2 center itself getting traced. The fact that these attacks do happen makes one wonder what the operators’ true capabilities and affiliations are.

In terms of DDoS attack quality, we are seeing a trend for greater complexity. The share of smart attacks in Q2 2022 almost reached 50%, which is close to a record. The figure was last that high when the DDoS market was at rock bottom about four years ago. The rise began with expensive, well-staged attacks. It is fairly unusual to see a figure like that in a DDoS-rich year.

Share of smart attacks, Q2 2021, Q1 and Q2 2022 (download)

More interestingly, Q2 2022 saw a large number of high-class targeted attacks, which are designed for a specific website, with its features and vulnerabilities in mind. These are very expensive, very complex attacks that require a high standard of competence and extensive knowledge from both the attackers and the defending party. Normally, these occur in single-digit numbers, so even one attack in a year is a remarkable occurrence. In the second quarter, we saw two. This is quite an alarming trend, which makes one wonder what size of resources these cybercriminals command.

Another, extremely important, trend of the second quarter is the crypto crash, which began with an instant Terra (Luna) collapse and has only intensified ever since. As we and our peers have noted in multiple posts, the DDoS market is highly sensitive to crypto market fluctuations and inevitably grows when crypto declines. We have not seen crypto collapse this rapidly for a long time, and by all indications, this will last: for example, miners have started selling off their farms to gamers. It is not unreasonable to expect the DDoS market to start growing soon. The DDoS situation in Russia is already about as tense as it gets, so we are unlikely to notice any changes in that region. On a global scale, there is a high probability that DDoS activity will intensify.

DDoS attack statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of varying type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

This report contains DDoS Intelligence statistics for Q2 2022.

Quarter summary

In Q2 2022:

Our DDoS Intelligence system recorded 78,558 DDoS attacks.
25% of the targets were located in the US, accounting for 45.95% of all attacks.
June 20 and 21 were the wildest days, with 1815 and 1735 attacks, respectively, while April 10 and 11, and May 17 were the least turbulent ones, with 335, 294 and 267 attacks, respectively.
Very short attacks made up 95.42% of the total number.
17% of the botnet C2 servers were located in the US.
UDP flood accounted for 62.53% of attacks.
41% of the devices that attacked Kaspersky Telnet honeypots were located in China.

DDoS attack geography

The US remained the leader in the number of DDoS attacks on the country’s resources, with their share of the total rising slightly to 45.95% from the first quarter’s 44.34%. China was still the runner-up with 7.67%, but the country’s share dropped by 3.93 p.p. Germany came up close with 6.47%, gaining 1.41 p.p.

Distribution of DDoS attacks by country and territory, Q1 and Q2 2022 (download)

A sharp drop in attacks on the Hong Kong special administrative region (to 1.75%) continued for a third consecutive quarter. After its share more than halved yet again, the territory found itself in tenth place, virtually matching its position in Q2 2021. France and Canada displayed minimal gains, with 4.60% and 3.57%, respectively, inheriting the UK’s and Hong Kong’s fourth and fifth places. Great Britain sunk to sixth place with 3.51%, followed by Brazil with 3.2% and the Netherlands with 2.91%. Coming up close in ninth place was Singapore, the only country of the TOP 10 besides the US and Germany to see attacks grow by more than one percentage point, to 2.9% from 1.86%.

Singapore’s share of unique targets (3.22%) grew even more noticeably, more than doubling from Q1 2022. As a result, the country, which was not even among the ten leaders at the beginning of the year, found itself in sixth place. Overall, the composition of the TOP 10 is traditionally similar to the rankings by the number of attacks. The three leaders remained unchanged: the US (43.25%), China (7.91%) and Germany (6.64%). France rose to fourth place with 4.42%.

Distribution of unique targets by country and territory, Q1 and Q2 2022 (download)

Hong Kong (2.01%) dropped from fifth place to tenth as the UK (3.77%) slid by one position to take its place. Other members of the TOP 10 included Brazil (3.18%) in seventh place, Canada (2.97%) and the Netherlands (2.73%).

Dynamics of the number of DDoS attacks

In Q2 2022, DDoS attacks dropped by 13.72% (to 78 558) as compared to the previous reporting period. Activity increased steadily throughout the quarter: from 731 attacks per day on the average in April to 845 in May, to 1195 in June. June 20 and 21 proved to be the busiest, with 1815 and 1735 attacks, respectively, whereas April 10 and 11 were the calmest, with the Kaspersky DDoS Intelligence system recording 335 and 294 attacks, respectively, and May 17, when we saw just 267 attacks.

Dynamics of the number of DDoS attacks, Q2 2022 (download)

The distribution of DDoS attacks by day of the week was slightly more even than in Q1 2022. Friday (13.33%) grew by 0.56 p.p., passing its title of the calmest day to Wednesday (13.02%), while Sunday’s share dropped to 15.81% from 16.35%, although it still remained the busiest day.

Distribution of DDoS attacks by day of the week, Q2 2022 (download)

Tuesday (14.06%) and Saturday (15.59%) both grew, and Monday (14.22%) dropped. As a result, Saturday and Sunday saw the highest level of DDoS activity.

Duration and types of DDoS attacks

Q2 2022 saw a marked reduction in the share of long (20 hours and longer) attacks in the total DDoS duration, to slightly more than 7% from almost 20% in the first quarter. In quantitative terms, these attacks accounted for just 0.3% of the total, with 0.24% being attacks that lasted 20–49 hours.

Shorter DDoS attacks of up to 4 hours accounted for 74.12% of the total duration and 95.24% of the total number. The share of attacks lasting 5–19 hours remained virtually unchanged (4.28% of the total against 4.32% in Q1 2022), but the proportion shifted slightly toward attacks 5 to 9 hours long.

The quarter’s longest attacks continued for 423 and 403 hours (approximately 17.5 and 17 days), which was 126 hours shorter than the first quarter’s record attack of 549 hours (nearly 23 days). The average attack duration dropped from nearly two hours to around 1 hour 45 minutes.

Distribution of DDoS attacks by duration, Q1 and Q2 2022 (download)

The share of UDP flood, the main DDoS technique employed by the botnets that we have observed, rose again in Q2 2022 to 62.53%. SYN flood remained in second place with a 20.25% share. The share of TCP flood shrank to almost half its former size at 11.40%, but this type of flood still kept third place. The share of HTTP flood (2.43%) remained unchanged, whereas GRE flood rose to 3.39%, rising to fourth place.

Distribution of DDoS attacks by type, Q2 2022 (download)

Geographic distribution of botnets

The share of botnet control servers located in the US (46.17%) dropped by 9.3% from Q1 2022, but the country remained the leader. Second came the Netherlands (14.49%), followed by Germany (9.11%), the two countries swapping rankings. The Czech Republic, previously fourth, all but dropped out of the TOP 10, sharing ninth, tenth and eleventh places with Canada and Croatia (1.24%). Russia (4.76%) and France (3.52%) climbed one position each as a result.

Distribution of botnet C2 servers by country, Q2 2022 (download)

Singapore (2.69%) and Vietnam (2.48%) were sixth and seventh, respectively, their shares quadrupling compared to the previous reporting period. The UK (2.07%) dropped to eighth position.

Attacks on IoT honeypots

China (14,22%) remained the leader by number of attacks on Kaspersky SSH honeypots in Q2, although the gap with the US (13.52%) narrowed significantly. Germany (5.64%) and Brazil (5.43%) also kept third and fourth place, respectively, whereas Singapore (4.71%) pushed Hong Kong (4.35%) from fifth place and was closely followed by India (4.70%). South Korea (4.21%) was eighth, Russia (3.41%) was ninth, and the UK (3.33%) rounded out the TOP 10.

Bots from Russia were ahead of other countries and regions by number of attacks at 54.93%. The US was second by number of attacks on SSH honeypots and number of bots associated with these at 7.82%. Vietnam (6.74%) was third: bots located in that country launched more than 1.5 million attacks on our honeypots in Q2 2022. China, which was second in the previous quarter, now slid to fourth place with 4.96%.

Geographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q2 2022 (download)

The devices that attacked Kaspersky Telnet honeypots in Q2 2022 were mostly located in China, too (39.41% of them). These were also responsible for more than half (58.89%) of all attacks. India was second by bot count (6.90%), but only seventh in terms of bot activity (2.5%). The Netherlands had the second-highest level of bot activity (8.11%). Russia was third on both lists, home to 5.83% of all bots which launched 7.48% of all attacks on the honeypots.

Geographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q2 2022 (download)

Conclusion

The second quarter was calmer than the first in terms of DDoS attacks. This is nothing new: we always observe a drop in activity as summer nears. However, the changes in the number of attacks within the quarter did not conform to that trend: botnet activity grew steadily between April and June, following a slump at the end of the previous quarter. This was in line with the crypto collapse, an event that typically gives a boost to DDoS attacks. The attack geography did not change significantly as compared to past reporting periods, but it is worth noting that attacks linked to concurrent geopolitical events may utilize specially created resources not accounted for in our botnet statistics.

Now for our forecasts. Russia’s situation is unlikely to change any time soon as long as the political agenda remains the same. DDoS activity in that country has reached a peak of sorts: anyone who is a desirable target or can be attacked is now under attack. We expect similar figures for Russia in Q3 2022 to those in Q2. In view of the cryptocurrency situation, we expect the DDoS market to grow globally. This may have an indirect effect on Russia: the prices of botnet rental will likely drop, making DDoS more affordable as a service, which means the resources that were previously too expensive to attack will now be accessible targets. In particular, one may predict a rise in attacks on educational websites which is already taking shape — although it is hard to say if this is a persistent trend, seasonal variation or an accidental fluctuation. One way or another, the number of DDoS attacks will not dwindle. There are no prerequisites for a lower threat level anywhere in sight, whereas the growth factors are plenty.

DDoS attacks in Q1 2022

Alexander Gutnikov, Oleg Kupreev, Yaroslav Shmelev — Mon, 25 Apr 2022 10:00:41 +0000

News overview

The DDoS landscape in Q1 2022 was shaped by the ongoing conflict between Russia and Ukraine: a significant part of all DDoS-related news concerned these countries. In mid-January, the website of Kyiv Mayor Vitali Klitschko was hit by a DDoS attack, and the websites of a number of Ukrainian ministries were defaced. In mid-February, DDoS attacks affected the website of Ukraine’s Ministry of Defense, online services of Oschadbank and PrivatBank, as well as the hosting provider Mirohost. Around the same time, PrivatBank customers received fake text messages about out-of-service ATMs, seemingly intended to sow panic. Another wave of DDoS engulfed Ukrainian government resources on February 23, while the State Service of Special Communication and Information Protection of Ukraine reported a series of continuous attacks in late February and early March. Although the volume of junk traffic exceeded 100 GB/s at peak onslaught, that pales in comparison to the attacks of 1 TB/s capacity or more that occured repeatedly last year.

In early March, researchers at Zscaler published an analysis of attacks on Ukrainian resources carried out by a DanaBot operator. This banking Trojan spreads via the malware-as-a-service (MaaS) model. The buyer used DanaBot to download onto infected devices a DDoS bot whose sole function was to attack a hard-coded domain. The initial target was the mail server of the Ukrainian Ministry of Defense. The attacks on this resource continued from March 2 through March 7, after which the cybercriminals switched to the page of the National Security and Defense Council of Ukraine website dedicated to information about Russian prisoners of war.

The information resource LiveUAMap, which provides real-time monitoring of the Russian-Ukrainian conflict, also became a DDoS target. This website is used by reporters and charities as a source of up-to-date information. In addition, Ukrainian media and information resources of NATO countries were subjected to attacks. In particular, the Ukrainian portal Espreso suffered a DDoS strike. According to Ukrainian providers, they faced DDoS attacks on certain resources throughout the whole of March.

Starting February 24, a spate of DDoS attacks hit Russian websites. The targets included media, government authorities at the regional (for example, in Yugra) and federal levels, Roscosmos, Russian Railways (RZD), the State Services (Gosuslugi) portal, telcos and other organizations. At the end of March, DDoSers went after the Russian domain registrar Ru-Center, disabling the websites of its customers for some time. According to RBC, at least some of the attacks targeting media were carried out from websites calling for an end to misinformation. The hacktivist group Anonymous, having declared war on Russia over Ukraine, claimed responsibility for several attacks, including a DDoS against the news station Russia Today.

Anonymous is not the only hacktivist group to come out in support of Ukraine. The country’s government called upon volunteers to join the “IT army,” whose tasks include DDoS attacks. Such attacks were coordinated primarily through Telegram, where the organizers posted lists of targets. Moreover, multiple websites appeared inviting sympathizers with any level of IT literacy to join the DDoS offensive against Russian organizations. All the user had to do was open the website in a browser for it to start sending junk requests to a given list of web resources. And to make it more entertaining, some stresser websites, for example, gamified the process.

Hacktivists also distributed apps allowing ordinary users to take part in DDoS attacks. As with the websites, their developers advertised them as tools for attacking Russian resources. According to Avast, one such app was downloaded by at least 900 users from Ukraine. Such apps do not just carry out attacks on behalf of users, but collect data about them, such as IP address, approximate location, username, system information, time zone, language, etc.

In response to the DDoS attacks, many Russian resources have employed geofencing to temporarily restrict access from abroad. In addition, Russia’s National Coordination Center for Computer Incidents published lists of IP addresses and domains from which attacks were allegedly launched, plus security recommendations for organizations. The list of DDoS sources included, inter alia, the domains of US intelligence agencies, as well as some media outlets.

Besides Russian and Ukrainian resources, North Korean websites also became unavailable several times. The country first went offline in mid-January after a series of missile tests, cutting access to most North Korean websites and mail servers. Researcher Junade Ali, who monitors the North Korean internet, said the incident resembled a DDoS attack. On January 26, the story repeated itself — after more tests. Connectivity disruptions were observed in the country at the end of the month, too. Although many initially attributed the incidents to North Korea’s increased military activity, it was an American infosec expert nicknamed P4x who claimed responsibility. In his own words, he acted in response to a series of cyberattacks by North Korean hackers against security experts. Seeing no reaction from the US authorities, P4x decided to take matters into his own hands: he found several vulnerabilities in North Korean network equipment which he used to overload critical routers and servers in the country.

In March, the Israeli ISP Cellcom was the target of a large-scale DDoS attack. The incident took government resources, in particular ministry websites, offline for some time. The attack also hit another major Israeli provider, Bezeq. The Israel National Cyber Directorate (INCD) believes that Iran was behind the attack.

Another DDoS-hit country is Andorra. The targeting of Andorra Telecom, the only local ISP, temporarily cut off communications for everyone in the country. The attackers’ motive was far from political: the target seemed to be participants in the Twitch Rivals Squidcraft Games, a Minecraft tournament based on Squid Game. The tournament was for Spanish-speaking streamers in Europe and Latin America, and the top prize was $100,000. Among the players were many Spaniards living in Andorra — the attackers most likely wanted to disconnect them from the game. But because the country is small, its entire infrastructure was affected.

Q1 was not without DDoS attacks on suppliers of the popular technologies of blockchain and NFT. Right at the start of the year, the Solana platform, after repeated DDoS attacks in 2021, was hit again. The attackers disabled the platform using its own functionality by “spamming” the blockchain with empty transactions, causing the core network to overload and stop responding. This latest DDoS attack enraged users, who accused the developers of failing to secure the system.

No sooner had it opened than the new NFT marketplace LooksRare was DDoSed. The platform’s website was temporarily down, and users had trouble connecting wallets and getting information about purchased tokens. The problems with wallets persisted for some time, even after access to the website was restored.

DDoS extortionists, posing as the infamous REvil group, not only continued to attack companies, but displayed creativity. Imperva reported attacks in which a ransom note was included in requests to the targeted website. What’s more, if previously the attackers wanted a one-time ransom, they now demand 1 BTC per day in exchange for “protecting” the victim company from their attacks. Researchers note that the capacity of some attacks stretched to hundreds of thousands and even millions of requests per second. They also report that the attackers most likely used the Mēris botnet, discovered in Q3 2021.

In addition to requests carrying ransom notes, DDoS operators added another string to their virtual bow in Q1. Cybercriminals started using misconfigured Mitel MiCollab and MiVoice Business Express collaboration solutions to amplify attacks by more than 4 million times. Both solutions feature a TP-240 interface for VoIP. Acting as a bridge for interaction with this interface is the tp240dvr driver, whose tasks include receiving a command to generate huge amounts of traffic for the purpose of debugging and testing system performance. Normally this driver should not be available from the internet, but around 2,600 Mitel systems were found to accept commands from outside. The attackers forced vulnerable systems to send stress tests to the victim, thereby achieving manifold amplification. These attacks have been observed since mid-February and have targeted ISPs and financial, logistics and other organizations.

To combat DDoS and other cyberattacks, British authorities launched an initiative aimed at preventing child cybercrime. Students searching for suspicious terms on school computers see a warning page with a suggested redirection to information about cybercrime, its consequences and the Computer Misuse Act 1990. The pilot showed that in just four weeks children had become far less likely to search for “stressers” and “booters” (websites for carrying out DDoS attacks).

Quarter trends

Before evaluating the Q1 2022 data, it is worth recalling that our previous quarter report mentioned a record number of DDoS attacks. This quarter, we saw an almost 1.5-fold (46%) increase in the number of attacks relative to the record, and a 4.5-fold rise compared to the same period last year.

Comparative number of DDoS attacks, Q1 2022, Q1 and Q4 2021. Q1 2021 data is taken as 100% (download)

The reason for this growth is obvious: the crisis in Ukraine led to a cyberwar, which could hardly fail to impact the statistics. Looking at the distribution of DDoS attacks by week, we see that the peak of new attacks occurred in the eighth week of 2022, that is, February 21–27, and we repelled the largest number of DDoS attacks that week on February 25.

Comparative number of DDoS attacks by week, April 2021–March 2022 (download)

That said, there were relatively few attacks before late February, and without the spike in DDoS activity at the end of the month we would have seen a drop relative to the previous quarter. It is interesting to note that very many of the attacks in late February/early March were organized by hacktivists and carried out from personal devices that users voluntarily connected to the botnet (for example, by opening a stresser website in their browser).

Share of smart attacks, Q1 2022, Q1 and Q4 2021. The Q1 2022 decrease in this value is due to the surge in hacktivism (download)

The hacktivist nature of the attacks was also responsible for the sharp decline in their number towards mid-March: those initially driven by emotion had calmed down, and infosec companies published warnings against taking part in such attacks. As a result, the number of hacktivists decreased. Whereas in late February/early March we saw an unusually high number of amateurs involved in the attacks, by the end of March their relative number had almost returned to normal levels. In absolute terms, there are still more of them than usual, as well as of DDoS attacks, but the difference is not so great.

But the most curious thing has to do with the data not on the number of attacks, but on their duration. In Q1 we saw an increase in this indicator by two orders of magnitude. If previous attacks were measured in minutes, now the average attack is measured in hours, and many go on for several days. We detected the longest attack on March 29, which lasted a little over 177 hours, that is, more than a week.

DDoS attack duration, Q1 2022, Q1 and Q4 2021. Q1 2021 data is taken as 100% (download)

This is extremely uncharacteristic of DDoS attacks, especially ones filtered by security solutions. Attacks of this length are expensive and expose the botnet, since active nodes are easier to detect and disable. So professional DDoSers always try to stop an ineffective attack as quickly as possible so as not to waste money. Now, however, we are seeing the opposite: attacks continue regardless of their effectiveness. At the same time, the overwhelming majority of targets of ultra-long (more than a day) attacks are government agencies and banks. All of this underscores once more that many of the DDoS attacks this quarter were not financially motivated.

Average DDoS attack duration by week, April 2021–March 2022. A sharp increase occurs in the last third of February (download)

The upswing in DDoS attacks in Q1 2022 led to another significant trend: many Russian organizations were unprepared for being targeted. As a result, both we and other anti-DDoS protection providers received a huge number of requests in a short space of time from companies already under attack.

DDoS attack statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of any type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

This report contains DDoS Intelligence statistics for Q1 2022.

Quarter summary

In Q1 2022:

Kaspersky DDoS Intelligence system detected 91,052 DDoS attacks.
44.34% of attacks were directed at targets located in USA, which comprised 45.02% of all targets.
The largest number of DDoS-attacks (16.35%) come on Sundays.
Most attacks (94.95%) lasted less than 4 hours, but the longest attack continued for 549 hours (nearly 23 days).
53.64% of attacks were UDP flood.
55.53% of C&C servers were located in USA.
China accounted for 20.41% of bots attacking our SSH honeypots and 41.21% of those attacking Telnet traps.

DDoS attack geography

In Q1 2022, US-based resources were most frequently hit by DDoS attacks (44.34%). Their share increased slightly against the previous reporting period. In second place remains China (11.60%), whose share also rose slightly, and Germany (5.06%) moved into third.

Distribution of DDoS attacks by country and territory, Q4 2021 and Q1 2022 (download)

The Hong Kong SAR (3.71%) saw its share more than halve, taking fifth place by number of DDoS attacks in Q1. The UK (3.89%), which added 0.68 p.p., finished fourth. France (3.65%) and Canada (3.37%) dropped to sixth and seventh, respectively, while the Netherlands (2.36%) remained in eighth position. Brazil (2.24%) and Singapore (1.86%) swapped places, coming in ninth and tenth, respectively. Overall, the geographical distribution of DDoS attacks changed little compared to Q4 2021.

The distribution of unique targets by country and territory traditionally mirrors the attack geography — only the bottom of the TOP 10 differs. Most targets in Q1 were located in the US (45.02%), followed by China (9.34%) and Germany (4.95%). The shares of the three countries have seen slight growth since the end of 2021. In fourth place is the UK (4.30%), and in fifth is Hong Kong (4.00%), whose share more than halved.

Distribution of unique targets by country and territory, Q4 2021 and Q1 2022 (download)

France (3.31%) and Canada (2.93%) remained in sixth and seventh positions, respectively, while Brazil (2.44%) moved up to eighth. By contrast, the Netherlands dropped to ninth place (2.32%). Australia (1.90%) rounds out the TOP 10.

Dynamics of the number of DDoS attacks

In Q1 2022, our DDoS Intelligence system detected 91,052 DDoS attacks. Throughout January and most of February, we saw an average of 1,406 attacks per day. The calmest day of this period was February 2, when DDoS Intelligence detected 809 attacks, and the stormiest was January 19, when 2,250 DDoS attacks were recorded. Since February 26, the average number of DDoS attacks per day has halved to 697. The most active day at the end of the quarter was February 28 with 1,362 attacks, and the quietest was March 3 with 479. Note that attacks by spontaneous hacktivist botnets, which happened to surge in late February and March, are not monitored by DDoS Intelligence.

Dynamics of the number of DDoS attacks, Q1 2022 (download)

The distribution of DDoS attacks by day of the week is slightly more evenly spread than in Q4 2021. The difference between the most active and the quietest days was 3.58 p.p. The largest share of attacks, as in the previous reporting period, came on Sunday (16.35%), and the lowest on Friday (12.77%), which in late 2021 was quite an active day. The shares of both days of the week fell.

Distribution of DDoS attacks by day of the week, Q1 2022 (download)

Besides Friday and Sunday, Monday (14.83%), Tuesday (13.63%) and Saturday (14.09%) were calmer, while the shares of Wednesday (14.12%) and Thursday (14.21%) increased.

Duration and types of DDoS attacks

The average DDoS attack duration in the first three months of 2022 remained at the same level as in Q4 2021 — just under two hours. At the same time, the proportion of both very short (94.95%) and long attacks increased: DDoS attacks lasting more than 140 hours accounted for 0.03%, as did those lasting 100–139 hours. The share of attacks lasting 50–99 hours climbed to 0.15%. The duration of the quarter’s longest attack also increased: from 218 to 549 hours. Conversely, the share of moderately short attacks (5–49 hours) decreased.

Distribution of DDoS attacks by duration, Q4 2021 and Q1 2022 (download)

UDP flooding (53.64%) constituted more than half of all DDoS attacks in Q1, adding 3.33 p.p. SYN flooding (22.37%) moved up to second, adding 6.08 p.p., while TCP flooding (20.17%) saw its share cut by a third, relegating this type of DDoS to third place. HTTP flooding (2.42%) and GRE flooding (1.41%) marginally increased their shares, but remained in fourth and fifth, respectively.

Distribution of DDoS attacks by type, Q1 2022 (download)

Geographic distribution of botnets

Glancing at the geographic distribution of botnet C&Cs, we see that more than half of those active in Q1 were located in the US (55.53%), up 9.04 p.p. from the end of 2021. Germany (8.30%) moved into second place (8.30%), followed by the Netherlands (8.09%). The Czech Republic (4.68%) and Russia (4.68%) share fourth place.

Distribution of C&C botnet servers by country, Q1 2022 (download)

In sixth place by number of C&C servers in Q1 is France (3.40%), in seventh is the UK (2.77%), and propping up the TOP 10 is Canada (1.06%). Eighth and ninth positions were taken by countries that did not make the TOP 10 last quarter: Singapore (1.91%) and India (1.49%).

Attacks on IoT honeypots

The largest share of bots trying to hack into our SSH honeypots in Q1 fell to China (20.41%). That said, the country’s share decreased compared to the previous reporting period by 6.32 p.p.; meanwhile, the share of the US rose from 11.20 to 15.24%. In third place in the list of countries and territories from which attacks originated is Germany (7.05%), followed by Brazil (4.91%) and Hong Kong (4.79%). However, not all bots were equally active. For instance, almost half of the attacks on our honeypots came from Russia (47.23%), despite accounting for just 3.40% of the total number of bots. In turn, China and the US were responsible for 9.01% and 8.16% of attacks, respectively.

Geographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q1 2022 (download)

The ranking of countries and territories with the most devices trying to hack into our Telnet honeypots is likewise headed by China (41.21%). Its share dropped since the last quarter, but remains significantly higher than that of other countries. India (8.44%) and Russia (6.15%) remained second and third, followed by Brazil (5.36%) and the US (3.95%). Meanwhile, Chinese bots were responsible for almost two-thirds (65.48%) of all attacks on Telnet honeypots, and another 12.02% of attacks came from inside the US.

Geographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q1 2022 (download)

Conclusion

The DDoS attack landscape in Q1 was strongly influenced by the geopolitical situation: since the end of February, we have seen a surge in hacktivist activity and the emergence of a large number of spontaneous botnets that users connected to voluntarily. Hacktivist attacks were notable for their length, even if security solutions successfully filtered out the junk traffic. At the same time, known botnets, which we have long been monitoring, became far less active from late February, while in terms of duration, the number of both long and very short attacks of these botnets increased against the previous reporting period.

The Q1 situation with anti-DDoS protection in Russia warrants a separate mention. As we have said repeatedly, cyberdefenses need deploying in advance, because when an attack comes, it will be too late. This is precisely what very many owners of Russian network resources encountered at the end of February. The wave of new customers overwhelmed anti-DDoS services in the country. There was simply not enough time to set up protection, which led to long downtime for many resources. You never know when emergency occurs, so if you have yet to take care of anti-DDoS protection, we recommend that you start today.

It is very hard to predict anything in the current climate. The only certainty is that the state of the DDoS market in Q2 will depend directly and primarily on geopolitics. It is highly unlikely that we will see a decline in DDoS activity before the end of hostilities in Ukraine. Yet neither do we expect growth in Q2: for there to be a DDoS surge like we observed in late February/early March, a new shock of global proportions is needed.

DDoS attacks in Q4 2021

Alexander Gutnikov, Oleg Kupreev, Yaroslav Shmelev — Thu, 10 Feb 2022 10:00:04 +0000

News roundup

Q4 2021 saw the appearance of several new DDoS botnets. A zombie network, named Abcbot by researchers, first hit the radar in July, but at the time it was little more than a simple scanner attacking Linux systems by brute-forcing weak passwords and exploiting known vulnerabilities. In October, the botnet was upgraded with DDoS functionality. Then in December, researchers at Cado Security linked the botnet to the Xanthe cryptojacking group. This is further evidence that the same botnets are often used for mining and DDoS.

The EwDoor botnet, which first came to researchers’ attention in late October, turned out to be more picky than Abcbot. This zombie network consists solely of EdgeMarc Enterprise Session Border Controller devices located on AT&T carrier networks. The bot infiltrated the devices through the CVE-2017-6079 vulnerability, which allows execution of arbitrary commands. By exploiting a bug in the bot itself (one of the first versions accessed a non-existent C2 server registered by researchers), Netlab 360 managed to detect 5,700 infected devices. However, the cybercriminals later severed communication with this server. AT&T is investigating attacks on EdgeMarc devices.

In November, Qrator Labs recorded a series of short but powerful attacks on its systems and those of its clients. The attackers used a TCP data flood: they established a TCP connection to the victim’s server, then flooded it with random heavy TCP packets. In some cases, DNS amplification was also used. The attacks, launched from thousands of cameras and routers, lasted 2–3 minutes and then stopped. Researchers note that the botnet is new, and they currently lack sufficient data to describe it. They also speculate that the short attack duration is because the attackers wish to remain undetected, so they do not borrow infected device users’ communication channels for long.

Google’s Damian Menscher discovered a zombie network consisting of vulnerable GitLab servers. The botnet hijacked new devices by exploiting the CVE-2021-22205 vulnerability, which GitLab patched in April 2021, and carried out DDoS attacks of over 1TB/s. Menscher does not specify whether the bot is entirely new or related to existing botnets. However, around the same time, Cloudflare reported a brief but powerful Mirai-type attack, involving, among other things, GitLab servers infected through CVE-2021-22205.

Known botnets made the news more than once in Q4. For instance, Moobot added a relatively fresh vulnerability to its arsenal. A bug designated as CVE-2021-36260 was found in some Hikvision camera models and patched in September 2021. Like CVE-2017-6079, this vulnerability allows attackers to execute arbitrary commands. Once on the device, Moobot waits for a command from the C2 server before launching a DDoS attack. Researchers link the campaign to a DDoS-as-a-Service provider whose Telegram channel they came across during their analysis. The channel was created in June and went live in August 2021.

The Mēris botnet discovered last quarter turned out to be two botnets, reports Netscout. The company named the second one Dvinis (“twin” in Latvian). Unlike its elder brother, it does not use HTTP pipelining, but is also deployed in high-power attacks. Moreover, according to Netscout, Dvinis accounts for 75% of all attacks attributed to Mēris.

In late 2021, news broke of a vulnerability in the Apache Log4j library, which laid claim to being the most dangerous vulnerability of the year. Log4Shell, as the vulnerability is called, is present in all versions of Log4j from 2.0-beta9 to 2.14.1, and allows an attacker to take full control over a vulnerable system. What’s more, an exploit for the vulnerability is available online, and the library that contains it is used in millions of products, both commercial and open-source. Not surprisingly, many cybercriminals, including DDoS botnet developers, have added Log4Shell to their toolkit. In particular, Mirai, Muhstik and Elknot bots are trying to exploit this vulnerability.

As for DDoS attacks themselves, media in the Philippines came under repeated fire during the past quarter. In mid-November, the online outfit PinoyMedia Center was flooded; then in the first half of December the same fate befell the news portal ABC-CBN News, followed by the media organization VERA Files; the digital media company Rappler was also attacked several times a month by unknown actors. Also in Q4, the Indonesian journalism initiative Project Multatuli got DDoSed after publishing an article criticizing the work of local law enforcement agencies.

Cybercriminals also targeted tech companies this quarter. The Polish arm of T-Mobile reported the largest ever attack on this sector in the country, which, however, was repelled. Another DDoS target was the blockchain platform Solana. Blockasset, an NFT marketplace powered by Solana, was the first to draw attention to the attack. The company noted that the DDoS had caused a slowdown in token distribution. GenesysGo, a Solana-based infrastructure provider, also noted some services were working intermittently, but assured there was no major cause for concern.

The DDoS attacks on VoIP providers continued. In early October, British company VoIP Unlimited fell victim again, having been attacked by DDoS extortionists last quarter. The new wave of junk traffic was accompanied by a ransom demand. Similar attacks affected various other British providers. And in November, clients of VoIP provider Telnyx worldwide were hit by outages. The perpetrators could be the REvil group, which is linked to past attacks on VoIP providers and was liquidated by Russian law enforcement agencies in January, after the US authorities had supplied information about the attackers.

In Q4, besides VoIP providers, e-mail service providers were targeted by ransom DDoS (RDoS) campaigns. Those affected were mostly small companies that provide secure and private e-mail accounts by subscription or invitation: Runbox, Posteo, Fastmail, TheXYZ, Guerrilla Mail, Mailfence, Kolab Now and RiseUp. The attackers called themselves Cursed Patriarch and demanded a ransom of 0.06BTC from victims (around US$4,000 at the time of the attack).

Ransomwarers continued to use DDoS as additional leverage. For instance, right from the start the new Yanluowang ransomware threatens to DDoS victims if “they take the attackers for fools.” Besides Yanluowang, the HelloKitty ransomware group, known for attacking CD Projekt, the developer of The Witcher and Cyberpunk 2077, added DDoS to its arsenal.

Speaking of games: attackers in Q4 did not leave gamers alone. In October, Apex Legends players set a record for the longest match ever, because the server was DDoSed throughout. And attacks on Blizzard in November and December led to problems with accessing certain games, in particular Overwatch and World of Warcraft. Players themselves also got it in the neck. Among those who suffered were several popular streamers, likely due to an IP leak from the new title Crab Game: the streamers experienced issues after playing the game. Meanwhile, some Dead by Daylight streamers were not only DDoSed, but doxxed and swatted (the act of making a false report to the police with the intention of having a real-life SWAT team sent to the target’s home). One of the victims tweeted that, during such a fake call, one of the police officers recognized him because he himself plays Dead by Daylight. How exactly the attackers got hold of the streamers’ IP addresses and other data is unknown.

https://twitter.com/Elix_9/status/1458330303437574149

Fans of Titanfall 2, fed up with DDoS attacks, took the initiative in Q4 and created a mod for playing on custom servers if the official ones are down. Tracking the IP of a private server to flood it with junk traffic is not child’s play, so this measure greatly reduces the likelihood of DDoS.

Successes in the fight against botnets were reflected in Q4 news. In October, for instance, Ukrainian police arrested the operator of a DDoS botnet consisting of 100,000 infected devices. And in December, Google filed a lawsuit against the operators of another botnet, Glupteba. The Internet giant also took steps to eliminate the botnet itself by blocking 63 million malicious documents, 908 cloud projects, more than a thousand Google accounts and a further 870 Google Ads accounts. Google also worked with other companies to shut down the botnet’s C2 servers. Glupteba consists of a million infected IoT devices and Windows computers. The botnet can also install proxy servers on infected devices, mine cryptocurrency and conduct DDoS attacks. In addition, Glupteba uses the Bitcoin blockchain to store the addresses of backup C2 servers, making it harder to defeat. According to Kaspersky, it was this botnet that facilitated the spread of the notorious Mēris last quarter.

One last thing, attackers regularly carry out DDoS attacks on each other. In November, unknown actors tried to take down the dark-web marketplace Cannazon, which, as the name suggests, specializes in the sale of cannabis. The resource was shut down shortly afterwards, but its administrators claim they had long planned to close it anyway, and the DDoS was a convenient pretext to act sooner rather than later.

Quarter and year trends

Q4 played out in line with our forecasts: we saw impressive growth in the number of DDoS attacks, setting a new record in the history of our observations. Let’s look at the figures:

Comparative number of DDoS attacks, Q3 and Q4 2021, and Q4 2020. Q4 2020 data is taken as 100% (download)

The number of attacks in Q4 increased by 52% against the previous quarter and more than 4.5 times against the same period last year. The numbers look scary, but instead of rushing to conclusions, better to figure out why they are so.

Let’s start with the increase in the number of DDoS attacks relative to Q3. Such growth in the last three months of the year is a traditional seasonal fluctuation that we predict (and that occurs) pretty much every year. Towards the end of the year, life steps up a gear, and this cannot fail to affect the DDoS market: competition in retail hots up, students sit exams, various activists become more lively: all this leads to an increase in the number of attacks.

In addition, the size of the DDoS market is inversely proportional to that of the cryptocurrency market, which we’ve written about several times. This is because DDoS and mining capacities are partially interchangeable, so botnet owners tend to deploy them in mining when cryptocurrency prices are high and in DDoS when they fall. We witnessed precisely that in Q4, and not for the first time: a rise in the number of DDoS attacks amid a sharp drop in the value of cryptocurrencies.

Both of these factors — seasonal fluctuations and falling cryptocurrency prices — buoyed the DDoS attack market throughout Q4, hence the 1.5-fold increase. This becomes even clearer when viewing the stats by month: October accounted for 16% of all DDoS attacks in Q4, November 46% and December 38%.

Percentage distribution of DDoS attacks by month, Q4 2021 (download)

Now let’s see where the frightening 4.5-fold increase relative to the previous year came from. In contrast to 2021’s all-time high Q4, 2020 posted a record low. In Q4 2020, we observed the opposite situation: a declining DDoS market against the backdrop of rampant cryptocurrency prices. In fact, the DDoS market spent just about the whole of 2021 recovering from this collapse, hence such impressive growth: in essence, 2021’s all-time high divided by 2020’s all-time low.

The diagram below clearly shows the increase in the number of DDoS attacks over the year, as well as peaks attributable to the cryptocurrency collapse in the summer of 2021 and at the end of the year.

Dynamics of DDoS attacks, October 2020–December 2021; October 2020 data is taken as 100% (download)

As for DDoS targets, the cross-industry distribution of attacks was fairly even — we cannot say that DDoS activity was higher in any particular sector. Perhaps the only thing of note was the spike in attacks on educational resources in November (largely in the Moscow region) and December (largely in the Republic of Tatarstan). We cannot pinpoint the reason for this, but most likely the attacks were related to regional specifics in the field of education, for example, the exam or vacation schedule.

DDoS attack statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of any type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

This report contains DDoS Intelligence statistics for Q4 2021.

In the context of this report, the incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. If the same resource is attacked by the same botnet after an interval of 24 hours or more, two attacks will be counted. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographic locations of DDoS attack victims and C2 servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

Quarter summary

Most of all, attackers in Q4 took aim at US-based resources: the country accounts for 43.55% of attacks and 44.54% of unique targets.
Our DDoS Intelligence system recorded 86,710 DDoS attacks.
The quarter’s quietest days fell on Chinese Singles’ Day and Black Friday, two mega shopping events.
94,29% of attacks lasted less than 4 hours.
Half of the DDoS attacks were carried out by means of UDP flooding.
46,49% of the botnet C2 servers were located in the US.
70,96% of attacks on Kaspersky SSH honeypots were carried out by bots in Russia.

DDoS attacks geography

In Q4, as in previous quarters in 2021, the bulk of DDoS attacks targeted US-based resources (43.55%). And the country’s share in the geographic distribution rose once more. China (9.96%) returned to second place, up 2.22 p.p. on the previous reporting period, while the Hong Kong SAR (8.80%) took bronze: its share fell by a factor of more than 1.5 against the previous quarter.

Distribution of DDoS attacks by country and territory, Q3 and Q4 2021 (download)

The share of attacks increased in Germany (4.85%) and France (3.75%), which moved up to fourth and fifth positions, respectively. Canada (3.64%) remained in sixth place, the UK (3.21%) climbed to seventh, while eighth spot in Q4 went to the Netherlands (2.75%), where things had been relatively calm in the previous reporting period. Rounding out the TOP 10 countries and territories by number of attacks at the end of 2021 are Singapore (2.68%) and Brazil (2.08%), whose share more than halved from the previous quarter.

As usual, the geography of unique targets mirrored the distribution of individual attacks. The most targets were located in the US (44.54%), whose share increased compared to the previous quarter. The second and third lines are taken by the Hong Kong SAR (9.07%) and China (8.12%), respectively.

Distribution of unique targets by country and territory, Q3 and Q4 2021 (download)

In fourth place by number of targets is Germany (4.67%), followed in fifth by the UK (3.58%). Next come France (3.28%) and Canada (2.98%). The share of these four countries increased slightly in Q4, and they moved up one rank from Q3. Eighth by number of unique targets was the Netherlands (2.76%), whose share almost doubled, and rounding out the TOP 10, as in the ranking by number of attacks, were Singapore (2.49%) and Brazil (2.37%), whose share almost halved.

Dynamics of the number of DDoS attacks

During Q4, our DDoS Intelligence system recorded 86,710 DDoS attacks on resources worldwide. In contrast to the previous reporting period, which saw several unusually stormy days, the attacks were distributed relatively evenly throughout the quarter: from 500 to 1,500 per day. However, we did see a surge in DDoS activity on October 11, with 2,606 attacks in 24 hours. November, meanwhile, was marked by two notable drops in DDoS activity: on November 9–11 and 23–30, the number of attacks fell below 500 per day. Curiously, the first drop came on Chinese Singles’ Day and the second on Black Friday. Both dates are associated with massive online sales, which tend to cause a spike in various kinds of web attacks.

Dynamics of the number of DDoS attacks, Q4 2021 (download)

As we noted above, Q4 lacked the dramatic bursts of DDoS activity seen in its predecessor. This was reflected also in the distribution of attacks by day of the week: the spread between the most and least active days was 5.02%, down 2.72 p.p. on Q3. We observed the most DDoS attacks on Sundays (16.61%) — this day’s share in the distribution of attacks climbed by 0.66 p.p.; Thursday (11.59%) remained the quietest day, despite its share increasing slightly. The shares of Monday (15.78%), Tuesday (14.17%) and Friday (14.58%) also increased, while those of Wednesday (12.67%) and Saturday (14.60%) decreased, with Wednesday in Q4 being the second calmest day after Thursday.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2021 (download)

Duration and types of DDoS attacks

In Q4, we observed an increase in the share of very short (less than 4 hours) DDoS attacks, which accounted for 94.29% of the total, plus a significant drop in the number of long ones: only 0.02% of attacks lasted more than 100 hours. What’s more, the longest attack in the quarter was one-third shorter than the longest in the previous reporting period — 218 hours, or just over nine days. Consequently, the average DDoS attack duration fell once more, this time to just under two hours.

Distribution of DDoS attacks by duration, Q3 and Q4 2021 (download)

In terms of attack types, in Q4 we again saw a redistribution of forces. UDP flooding came out on top again, with more than half of all attacks deploying this method. The share of TCP flooding (30.75%) also increased markedly, while that of SYN flooding (16.29%) decreased more than three times. HTTP (1.33%) and GRE flooding (1.32%) stayed put, although their shares increased slightly.

Distribution of DDoS attacks by type, Q4 2021 (download)

Geographic distribution of botnets

The most botnet C2 servers active in Q4 were located in the US (46.49%), whose share increased by 3.05 p.p. against the previous reporting period. The Netherlands (10.17%) and Germany (7.02%) swapped places. A further 6.78% of C2 servers were located in the Czech Republic, whose share grew almost by 3 p.p., while Canada and the UK each had a 3.15% slice. France hosted 2.91% of the active botnet infrastructure, while 2.66% of C2 servers operated out of Russia. Also in the TOP 10 countries by location of botnets were Vietnam (1.94%) and Romania (1.45%).

Distribution of botnet C2 servers by country, Q4 2021 (download)

Attacks on IoT honeypots

As for bots attempting to expand botnets in Q4, the largest share of devices that attacked Kaspersky SSH honeypots were located in China (26.73%), the US (11.20%) and Germany (9.05%). At the same time, the share of the first two countries decreased, while the latter added 3.47 p.p. against Q3. Another 5.34% of active bots were located in Vietnam, and 5.13% in Brazil. That said, the vast majority of attacks on our honeypots (70.96%) originated in Russia, where only 2.75% of attacking devices were located; while Vietnam accounted for just 7.94% of attacks, and the US 4.84%. This most likely means that at least one Russian bot showed a high level of performance.

Geographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q4 2021 (download)

Most of the devices that attacked our Telnet traps, as in the previous quarter, were situated in China (44.88%), India (12.82%) and Russia (5.05%). The first country’s share increased by 3.76 p.p., while the latter two saw a drop of 2.4 and 0.93 p.p., respectively. The lion’s share of attacks on Kaspersky honeypots came from China (65.27%).

Geographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q4 2021 (download)

Conclusion

On the one hand, Q4 met our expectations for this period; on the other, it surprised us. For example, instead of the expected increase in DDoS activity during major online sales, we saw a botnet lull. A feature of the quarter was the large number of very short DDoS attacks, as well as a slew of media reports about short but powerful attacks.

Now for our forecasts. Going by previous years’ trends, we expect Q1 2022 to produce roughly the same indicators as Q4 2021. But the situation in the world and, in particular, the cryptocurrency market is too volatile to make such a confident prediction. The bitcoin price has fallen to half its peak value, but remains high. It suffered a similar collapse in the middle of last year, but after that grew even stronger. If cryptocurrencies shoot up again, we could see a significant drop in the DDoS attack market, but if they sink even further, we will probably see an increase. It is impossible to predict which way it will go. But despite the lack of concrete information, we see no preconditions for any major fluctuations, and expect figures similar to those in Q4.

DDoS attacks in Q3 2021

Alexander Gutnikov, Oleg Kupreev, Yaroslav Shmelev — Mon, 08 Nov 2021 10:00:51 +0000

News overview

Q3 2021 brought two new DDoS attack vectors, potentially posing a serious threat, including for major web resources. A team of researchers from the University of Maryland and the University of Colorado Boulder found a way to spoof the victim’s IP address over TCP. To date, amplification attacks have mostly been carried out using the UDP protocol, since it does not require connection establishment procedures and allows IP spoofing. In contrast, the TCP protocol implements a three-way handshake in which the client and the server establish a connection and confirm they are ready to exchange traffic. If the victim receives a response from the server to a request they did not send, they simply discard this response.

The new attack, as described by the researchers, targets security devices located between the client and the server (so-called middleboxes) — firewalls, load balancers, network address translators (NAT), deep packet inspection (DPI) tools and others. Many of them can interfere with a TCP connection, for example, by blocking a connection to a banned resource, and they often react to packets received from one of the parties without seeing the full picture or monitoring the validity of the TCP session. If a request for access to a banned resource is sent under the guise of the victim, the response from a middlebox can be significantly larger. As such, the researchers found more than 386,000 devices giving an amplification factor of over 100, with more than 97,000 of them over 500, and 192 of them over 51,000.

The second attack, described by Nexusguard and dubbed Black Storm, can target any network device. An attacker can send requests to closed ports on devices in a communications service provider (CSP) network under the guise of other devices in the same network. Receiver devices respond to such requests with a message stating that the port is unavailable. Processing these messages consumes a lot of resources, which overloads victim devices and prevents them from accepting legitimate requests. The researchers note that this method allows an attacker to take down not only individual servers, but the provider’s entire network, including a large one.

Another high-profile event of the quarter was the discovery of Mēris, a new botnet capable of carrying out powerful DDoS attacks. According to Yandex and Qrator Labs, who were the first to report the botnet, it is made up of high-performance network devices, mainly from Mikrotik, and uses HTTP pipelining, which allows multiple requests to be sent to a server within a single connection without waiting for a response. Attacks by this botnet are notable for the huge number of requests per second. For instance, a DDoS attack on a Cloudflare customer (attributed to Mēris) clocked in at 17.2 million requests per second, despite lasting less than a minute, while Yandex reported 21.8 million requests per second.

The website of Brian Krebs, a well-known journalist in the field of information security, was also subjected to a brief, but powerful, Mēris attack. Krebs notes that, while the requests-per-second rate was not as impressive as in the case of Yandex or Cloudflare, it was still more than four times as powerful as the Mirai attacks on his site.

Another information security media, Infosecurity magazine, hit by a DDoS attack, decided to switch to a more robust hosting provider. While the site was unavailable, staff got creative: they began uploading podcasts to SoundCloud, which they informed readers about on Twitter.

We won't let our #DDoS stop us doing what we love! So, here's our BRAND NEW IntoSecurity Daily #podcast -a round up of all the TOP news headlines you need to know each day in a snappy bite-size format with our editorial team @InfosecEditor @ReporterCoker https://t.co/gR7D54BSYT pic.twitter.com/AAYehW8Ux0

— Infosecurity Magazine (@InfosecurityMag) July 26, 2021

In Q3, a wave of large-scale DDoS attacks swept across New Zealand, at least some of which, according to Yandex and Qrator Labs, were the work of that same Mēris botnet. Specifically, the researchers attribute the attack on a customer of Vocus, a major New Zealand provider, to the shenanigans of the new zombie network, which led to a short-term disruption of service nationwide. To stop the attack, the company updated a rule on its DDoS mitigation platform, and it was this rule change that reportedly caused the outage. Besides the unnamed Vocus customer, the DDoS surge in New Zealand also overwhelmed the banks ANZ and Kiwibank, the mail service NZ Post and the weather service MetService.

A notable trend of the third quarter appeared in the form of ransom attacks on VoIP providers, which affected companies in Britain, Canada and the US. Powerful and complex, they caused both voice and messaging issues for customers. The cybercriminals, who claimed to be from the ransomware group REvil, demanded a huge ransom to stop the attack. However, it is not possible to confirm the group’s identity as REvil or someone else. At any rate, the ransom attacks on VoIP providers were limited to DDoS, while REvil primarily does data encryption, although the group does not shrink from other methods of putting pressure on companies.

Also hit by a ransom DDoS attack was one of the oldest Bitcoin sites, Bitcoin.org. Though in this case, unlike the attacks on VoIP providers, the cybercriminals were willing to settle for half a bitcoin, for a non-profit information portal this is still a hefty amount.

Malware operators in Q3 also decided to use DDoS as an intimidation tool. The attackers sent out e-mails to companies saying their resources were being used in DDoS attacks and they could face legal problems. The messages contained a link to a cloud directory supposedly with details about the incident, which actually contained the BazarLoader malware loader.

In some countries, DDoS attacks have targeted sites set up to help fight COVID-19. In August, attackers tried to take down a vaccination registration portal in Manila. And in September, they went after the Dutch website CoronaCheck, where people can get QR codes required to visit cafes and cultural sites. As a result, users could not generate QR codes, and their attempts to get a response only made the situation worse.

Q3 saw a number of politically motivated DDoS attacks in various countries. For example, in early and mid-July, unknown actors flooded the resources of the security agencies of Russia and Ukraine with junk traffic. And in the last third of the month, the Russian newspaper Vedomosti became a DDoS victim. Most likely, the attack was linked to one of its online articles. In mid-August, attackers tried to stop users from accessing the web resources of the Philippine human rights organization Karapatan. Then, at the end of the month, the website of Germany’s Federal Returning Officer was briefly targeted in connection with the September 26 elections to the Bundestag.

As per tradition, gaming platforms didn’t escape cybercriminal attention either. In Q3 2021, the European servers of Final Fantasy XIV were hit. For several hours, gamers experienced dropouts, slowdowns and login issues.

On the other side of the coin, Ubisoft, the developer of Tom Clancy’s Rainbow Six Siege, having also been plagued by junk traffic, won a lawsuit this quarter against a cybercriminal group that had distributed software for DDoS attacks on the game. The accused were ordered to pay the company US$153,000 in damages, as well as to cease operations and hand over any relevant domains.

Another actor, the operator of two “stressers” (used to carry out DDoS attacks) was found guilty of cybercrime in court. Sentencing will not take place until January 2022. It could be harsh: up to 35 years in prison. According to the investigators, one of the stressers alone was used to attack more than 200,000 targets, including government, financial, educational and gaming sites.

The fate of the WireX botnet operator, who attacked an international hotel chain in 2017, is a little more hazy. The US Department of Justice filed charges in September 2021, but the perpetrator has yet to be caught. Law enforcers believe the individual is currently in Turkey.

Quarter trends

Q3 was certainly interesting and certainly not calm: contrary to our expectations, we observed growth uncharacteristic for this period.

Comparative number of DDoS attacks, Q2 and Q3 2021, and Q3 2020. Q3 2020 data is taken as 100% (download)

As can be seen from the graph, the number of attacks increased markedly in Q3, relative to both last quarter and last year. This is noteworthy, because the cryptocurrency market remains as strong as before, while the DDoS market growth is similar to what we saw before cryptocurrencies began skyrocketing. For the past few years, these two markets have been competing for computing power: many botnets can be used for both DDoS and mining, so the high cryptocurrency price drew capacity away from DDoS, something we have written about on more than one occasion. Now, judging by the growing DDoS market against the backdrop of consistently high cryptocurrency prices, attackers have started to allocate their resources differently. And this is quite logical: DDoS services are in demand, and the prolonged supply shortage has likely led to an increase in prices in this market, making it profitable for botnet operators to resume attacks. As such, the DDoS market seems to be returning to the growth rate we saw in late 2019.

On the topic of DDoS attacks in Q3, we should mention an unusual attack, data for which was not included in the above statistics. It occurred in August, and the target was the online accounts of applicants at a state university. The attack was hybrid, carried out at the L4 and L7 levels, and several days in duration, even lasting more than 48 hours after the target resource was placed under the watchful eye of Kaspersky DDoS Protection. The attack is interesting for two reasons. First, the attackers chose vectors that rendered the resource completely unavailable. Second, it is rather unusual that the attack continued long after filtering began. Continuing an attack when it no longer impacts the availability of the target resource makes no sense: it only increases the detection risk for botnet hosts. Accordingly, in the vast majority of cases, attacks cease as soon as effective traffic filtering begins. These two nuances suggest, at the minimum, that the attack organizers have above average technical knowhow and financial backing. The motives behind the attack are unclear, and although DDoS offensives on the education sector in Q3 are never a rarity, this one looks too sophisticated and high-end for simple teenage pranking.

Statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of any type and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q3 2021.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

Quarter summary

In Q3, 40.80% of DDoS attacks were directed at US-based resources. The resources themselves accounted for 42.13% of all unique targets.
Hong Kong made it back to TOP 3 both by the number of DDoS attacks (15.07%) and the unique targets count (14.36%).
Q3 has beaten every record in terms of daily number of DDoS attacks: on August 18, we observed 8,825 attacks, with over five thousand on August 21 and 22.
The average and maximum durations of DDoS attacks in Q3 decreased to 2,84 and 339 hours respectively.
In Q3, most DDoS attacks took the form of SYN flooding.
Most of the botnet C&C servers were in the US (43.44%), while the bulk of the bots attacking Kaspersky honeypots operated from China.

DDoS attacks geography

In Q3 2021, the share of attacks on US-based resources increased by 4.8 p.p. to 40.80%. The country keeps its first place by the number of DDoS attacks. The Hong Kong Special Administrative Region has stepped up to the second position (15.07%). Following a calm period in Q1 and Q2, the region’s share of attacks grew all at once by as many as 12.61 p.p. Whereas, China’s share (7,74%) shrank yet again, landing the country in third.

The fourth place is still held by Brazil (4.49%), its share but slightly reduced. South Africa rose to fifth (3.09%) adding 3 p. p. and pushing Canada (3.07%) to sixth. Canada is followed by Germany (2.88%), France (2.78%) and the UK (2.72%), with Singapore at the foot of the ranking (2.35%).

Distribution of DDoS attacks by country/region, Q2 and Q3 2021 (download)

A similar pattern can be observed in unique DDoS attack targets. The US remain in the first place (42.13%), having increased their share from the previous quarter. Hong Kong Special Administrative Region is in second (14.36%), its share consistently decreasing over the first half of 2021 with a dramatic upturn in Q3. China (6.68%) rounds out the TOP 3 having pushed Brazil (5.14%) into the fourth place. The rest of the TOP 10 positions are held by the same countries as in the attacks ranking, but in a different order. Germany (3.08%) and the UK (3,04%) are close together in the fifth and sixth places, followed by France (2.70%), Canada (2.65%), Singapore (2.40%) and South Africa (2.21%).

Distribution of unique targets by country/region, Q2 and Q3 2021 (download)

Dynamics of the number of DDoS attacks

Q3 was unusually explosive for the number of DDoS attacks. July started off relatively quietly, but towards the middle of the month the average daily count of DDoS attacks exceeded 1,000, with a whopping 8,825 attacks on August 18. For two more days, August 21 and 22, the daily count of five thousand was exceeded, and over three thousand attacks were detected on August 2 and 6, September 16, 18, 19 and 22.

Dynamics of the number of DDoS attacks, Q3 2021 (download)

During the quarter’s quietest days, we observed just short of 500 DDoS attacks: 494 on June 2 and 485 on June 3.

In Q3, the distribution of DDoS attacks by day of week was the least homogenous of the year: the difference between the most active and most quiet day reached 7.74 p.p. Most of the attacks occurred on Wednesdays — 19.22%. In no small part the statistics was influenced by the DDoS upsurge of Wednesday, August 18. The share of attacks that took place on Saturdays and Sundays also grew due to the other two August peaks. On other days of week the share of DDoS activities reduced from the previous quarter. Most of the time, cybercriminals were off on Mondays (11.48%).

Distribution of DDoS attacks by day of the week, Q2 and Q3 2021 (download)

Duration and types of DDoS attacks

In Q3, the average DDoS attack duration reduced to 2.84 hours. This may be due to the decreasing number of attacks lasting 50 hours or more and a rise in relatively short attacks. For instance, even though the share of very short attacks (86.47%) dropped from the previous quarter, their number almost doubled: 63.7 thousand versus 33 thousand in Q2. Meanwhile, the longest attack of Q3 lasted for 339 hours — over 2 times less than the longest one of the previous reporting period.

Distribution of DDoS attacks by duration, Q2 and Q3 2021 (download)

Looking at the types of attacks, SYN flooding recovered its leading positions in Q3: the method was used in 51.63% of attacks. UDP flooding finished second (38.00%). Its share decreased by 22 p.p. from the last quarter. TCP flooding remained in third, but its share also decreased to 8.33%. HTTP (1.02%) and GRE attacks (1.01%) swapped places, their shares only 0.01 p.p. apart.

Distribution of DDoS attacks by type, Q3 2021 (download)

Geographic distribution of botnets

In Q3, most of C&C botnet servers were located in the US (43.44%); however, their share was down by 4.51 p.p. Germany (10.75%) remains second, its share also slightly reduced, with the Netherlands in third (9.25%). Russia (5.38%) has made it to the fourth position replacing France (3.87%), which is now sharing the sixth and seventh places with the Czech Republic (3.87%), and Canada remains in fifth (4.73%). The UK (2.58%) is eighth by the number of C&C servers, with Romania (1,94%) and Switzerland (1,94%) rounding out the ranking.

Distribution of C&C botnet servers by country/region, Q3 2021 (download)

Attacks on IoT honeypots

Same as last quarter, most of the active bots that attacked Kaspersky SSH honeypots to add them to their botnets were operating from China (30.69%), the US (12.59%) and Germany (5.58%). Brazil (5.53%) came in fourth, with India (4.09%) fifth and Vietnam (3.48%) sixth. Russia (2.67%) is seventh by the number of bots, and the source of 34.39% of attacks on SSH traps. Quite a few attacks came out of Ireland (23.36%) and Panama (19.58%) — the countries we already heard about in Q2. Ireland was home to 0.21% of attacking devices, Panama to 0.09%. Notably, it takes just one powerful bot to launch multiple attacks on IoT devices.

Geographic distribution of devices from which attempts were made to attack Kaspersky SSH honeypots, Q3 2021 (download)

Most of the IP addresses of devices attacking our Telnet honeypots were from China (41.12%). India is second by the number of bots (15.22%) and Russia third (5.98%). Also on the TOP 10 list are: Brazil (4.21%), Vietnam (2.83%), the US (2.73%), Taiwan Province (2.17%), the Dominican Republic (2.02%), Iran (1.88%) and South Korea (1.47%).

Geographic distribution of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q3 2021 (download)

On the whole, the number of attacks on Telnet traps correlates with the number of bots. Thus, almost two thirds of Q3 attacks came from China (65.45%) — a quarter more contributed by bots from the US (10.44%), Russia (8.43%) and India (5.89%).

Conclusion

Q3 proved unexpectedly fast-paced for DDoS attacks: our records show several thousand attacks per day on some days. Yet the duration of attacks — both average and maximum — reduced from Q2, meaning that we saw very many shorter attacks during the period.

Q4 is traditionally eventful in terms of DDoS attacks: companies that were on summer vacation get back to work, massive holidays and sales stimulating the battle for the buyer — even waged using less than legal methods. There is no reason to hope this year’s fourth quarter will be any different. Even though bitcoin has again reached its all-time maximum this October — likely to trigger yet another redistribution of capacity towards mining —we expect the number of attacks to grow and would be quite surprised to see it hover at the same level as in Q3 or lower

DDoS attacks in Q2 2021

Alexander Gutnikov, Ekaterina Badovskaya, Oleg Kupreev, Yaroslav Shmelev — Wed, 28 Jul 2021 10:00:56 +0000

News overview

In terms of big news, Q2 2021 was relatively calm, but not completely eventless. For example, April saw the active distribution of a new DDoS botnet called Simps — the name under which it introduced itself to owners of infected devices. The malware creators promoted their brainchild on a specially set-up YouTube channel and Discord server, where they discussed DDoS attacks. The actual DDoS functionality of Simps is not original: the code overlaps with the Mirai and Gafgyt botnets.

That said, nor does Gafgyt rely on originality: a handful of modules in the new variants (detected by Uptycs) were all borrowed from Mirai, the most widespread botnet. In particular, Gafgyt’s authors copied its implementation of various DDoS methods, such as TCP, UDP and HTTP flooding, as well as its brute-force functionality for hacking IoT devices via the Telnet protocol.

Mirai’s code formed the basis of the ZHtrap botnet, which became known this quarter. This malware is of interest for its use of infected devices as honeypots. ZHtrap first collects the IP addresses of devices that attack the trap, and then attempts to attack these devices itself.

Lately cybercriminals have been actively seeking out new services and protocols for amplifying DDoS attacks. Q2 2021 was no exception: in early July researchers at Netscout reported an increase in attacks using the Session Traversal Utilities for NAT (STUN) protocol. This protocol is used to map internal IP addresses and ports of hosts hidden behind NAT to external ones. Using it, attackers were able to increase the volume of junk traffic by a factor of just 2.32, but in combination with other attack vectors, the DDoS power reached 2TB/s. In addition, hijacking STUN servers to be used as reflectors can disable their main functionality. The organizations that use STUN would be wise to make sure their servers are protected against such attacks. At the time of posting, there were more than 75,000 vulnerable servers worldwide.

Another new DDoS vector has yet to be harnessed by cybercriminals. It is linked to a vulnerability in DNS resolvers that allows amplification attacks on authoritative DNS servers. The bug was named TsuNAME. It works as follows: if a configuration error causes the DNS records of certain domains to point to each other, the resolver will endlessly forward the request from one domain to another, significantly increasing the load on their DNS servers. Such errors can occur by accident: in early 2020, two misconfigured domains caused a 50% increase in the traffic flow on authoritative DNS servers in the NZ domain zone, and a similar incident in a European domain zone led to a tenfold rise in traffic. If an attacker were to create multiple domains pointing to each other, the scale of the problem would be considerably greater.

Attacks on DNS servers are dangerous because all the resources they serve become unavailable, regardless of their size and level of DDoS protection. This is well illustrated by the attack on DNS provider Dyn that downed more than 80 major websites and online services in 2016. To prevent the TsuNAME vulnerability from having the same devastating consequences, the researchers recommend owners of authoritative servers to regularly identify and fix such configuration errors in their domain zone, and owners of DNS resolvers to ensure detection and caching of looped requests.

It was a DNS flood in early April that disrupted the operation of Xbox Live, Microsoft Teams, OneDrive and other Microsoft cloud services. Although the Azure DNS service, which handles the domain names of most of the services, has mechanisms to protect against junk traffic, an unnamed coding error meant it could not cope with the flow of requests. The situation was aggravated by legitimate users trying in vain to access the unresponsive services. However, Microsoft fixed the bug fairly quickly, and the services were soon up and running again.

One other large-scale DDoS attack swept through Belgium, hitting Belnet and other ISPs. Users across the country experienced service interruptions, and websites in the BE domain zone were temporarily unavailable. Junk traffic was sent from IP addresses in 29 countries worldwide, and, as Belnet noted, the attackers kept changing tactics, making the attack extremely difficult to stop. It forced the Belgian parliament to postpone several sessions, while educational institutions had problems with distance learning, and the transport company STIB likewise with the sale of tickets. Online registration systems for COVID-19 vaccinations were also affected.

The council of Grenoble-Alpes Métropole in France also had to suspend a session for several hours. A DDoS attack involving about 60,000 bots made it impossible to broadcast the event live.

Besides Belnet, several other European ISPs were targeted by DDoS attacks. For example, Ireland’s Nova fell victim to cybervillains. No confidential data was affected, a spokesperson said, adding that “we are the latest Irish ISP to be attacked and we won’t be the last, as the criminals cycle through Irish networks one by one.”

That said, there is no need to direct junk traffic at ISPs’ own resources in order to disrupt their networks. For instance, Zzoomm, a British broadband provider, suffered from a DDoS assault on one of its upstream suppliers, which in turn was not the real target: cybercriminals were trying to extort a ransom from one of its customers.

In general, DDoS ransomware attacks continued to gain momentum. A cybercriminal group known for its fondness of masquerading as various APT outfits again made the news, this time under the fictitious moniker Fancy Lazarus, composed of the names of two groups: Lazarus and Fancy Bear. Although cybercriminals attack organizations the world over, the victims of Fancy Lazarus were predominantly in the US, and the size of the ransom was lowered from 10–20 to 2 BTC.

Avaddon ransomware operators also tried to intimidate victims through DDoS attacks. In early May, they flooded the site of Australian company Schepisi Communications with junk traffic. The organization partners Telstra, a major Australian provider, selling SIM cards and cloud services on the latter’s behalf. Later that same month, French insurance company AXA, one of the largest in the field, also fell victim to Avaddon. As in the case of Schepisi Communications, besides encrypting and stealing data from several of its branches, the cybercriminals carried out a DDoS attack on its websites. After a string of devastating attacks in June, the ransomware creators announced its retirement.

In May, the Irish Health Service Executive (HSE) was hit by DDoS. The attacks would have been unremarkable had they not been immediately followed by an invasion of Conti ransomware. Whether these events are related is uncertain, but the ransomwarers could have used DDoS as a cover to penetrate the company’s network and steal data.

Attacks on educational institutions continued in Q2, occurring as they do throughout the school year. For example, malicious actors forced Agawam Public Schools in Massachusetts to shut down their guest network to protect the main network. This meant that Internet access was available only on school-issued devices.

Nor did video games escape attention this reporting period. The Titanfall and Titanfall 2 servers suffered DDoS-related outages in April and May. At least some of these attacks may have targeted specific streamers. To protect against attackers, enthusiasts created a mod that hides players’ names. However, this did not stop the attacks on the game servers. As for the developer, Respawn Entertainment, it took care of DDoS protection, but not in Titanfall, rather in Apex Legends, where the new version, in the event of an attack, chucks everyone out of the game, with compensation for any losses incurred. Back in Titanfall, however, the problem is so acute that a hacktivist player decided to hack Apex Legends to raise awareness of it.

Another hacktivist, after a decade of hiding from the law, was caught in Mexico and deported to the US. Christopher Doyon had been one of the organizers of the 2010 protests against a law banning rough sleeping in Santa Cruz, California. Following the crackdown on the protests, Doyon launched a DDoS attack on the Santa Cruz County website. Having been charged, the hacktivist failed to appear at a court hearing pending trial in 2012. Consequently, he was put on the international wanted list. Now Doyon will finally stand trial on the decade-old charges.

Quarter trends

As expected, Q2 2021 was calm. We recorded a slight fall in the total number of DDoS attacks compared to the previous quarter, which is typical for this period and seen every year, barring the anomalous 2020. This drop we traditionally associate with the start of the vacation period. It tends to continue through Q3, and we expect no change this year.

Comparative number of DDoS attacks, Q1 and Q2 2021, and Q2 2020. Q2 2020 data is taken as 100% (download)

Note the exceptional duration of smart DDoS attacks in the past quarter. This is due to several abnormally long, though not too powerful, attacks on law enforcement resources. We see no correlation between these attacks and any high-profile event. There may be a causal connection somewhere, but since there is no way of knowing, it remains to interpret them as statistical anomalies, which do crop up every so often. With these attacks excluded from the sample, the data on DDoS duration is closer to the norm with different periods fluctuating by no more than 30% relative to each other.

DDoS attack duration, Q1 and Q2 2021, and Q2 2020. Q2 2020 data is taken as 100% (download)

Statistics

Methodology

Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. The company experts monitor botnets using the Kaspersky DDoS Intelligence system.

As part of the Kaspersky DDoS Protection solution, DDoS Intelligence intercepts and analyzes commands sent to bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 2021.

In the context of this report, an incident is counted as a single DDoS attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS victims and C&C servers are determined by their IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

Quarter summary

Q2’s leader by number of DDoS attacks is again the US (36%). The share of China (10.28%) continued to fall, while Poland (6.34%) climbed into the TOP 3 most attacked countries.
The most DDoS-active day in the quarter was June 2, when we registered 1,164 attacks. On the quietest day, we observed only 60 DDoS attacks.
Most DDoS attacks occurred on Tuesdays (15.31%), while the calmest day of the week was Sunday (13.26%).
The longest DDoS attack lasted 776 hours (more than 32 days).
UDP flooding was used in 60% of DDoS attacks.
The country with the most botnet C&C servers was the US (47.95%), while the bulk of bots attacking IoT devices in order to assimilate them were located in China.

DDoS attack geography

In Q2 2021, as in Q1, most DDoS attacks were directed at US-based resources (36%). China (10.28%), the perennial leader until this year, continued to lose ground, shedding another 6.36 p.p. Third place this quarter was taken by a newcomer in the ranking, Poland (6.34%), whose share was up by 4.33 p.p. against the previous reporting period. Canada (5.23%), which rounded out the TOP 3 in Q1, fell to fifth place, despite gaining 0.29 p.p.

In fourth place by number of DDoS attacks in Q2 was Brazil (6.06%), whose share almost doubled. Sixth in the ranking was France (5.23%), behind Canada by a fraction of a fraction. Germany (4.55%) remained in seventh position, while the UK (3.82%) moved into eighth. At the foot of the ranking are the Netherlands (3.33%) and Hong Kong (2.46%), whose shares, like China’s, continued to nosedive.

Distribution of DDoS attacks by country, Q1 and Q2 2021 (download)

A look at the countries with the highest number of unique targets also shows an increase in DDoS activity in Poland (7.44%) and Brazil (6.25%), which ranked second and third, respectively, and a decrease in activity in China (5.99%), which dropped to fourth place. The TOP 10 tends to be pegged to the list of countries with the highest number of DDoS attacks: the US remains in top spot (38.60%), fifth to eighth places belong to France (4.97%), Germany (4.86%), the UK (4.40%) and Canada (4.20%), respectively, followed by the Netherlands (3.40%) and Hong Kong (1.81%).

Distribution of unique DDoS targets by country, Q1 and Q2 2021 (download)

Dynamics of the number of DDoS attacks

As noted above, Q2 turned out relatively calm. On average, the number of DDoS attacks per day fluctuated between 500 and 800. On the quietest day of the reporting period, April 18, we observed only 60 attacks. On two other days, June 24 and 25, the number of attacks fell short of 200. Nevertheless, Q2 had its share of turbulent days with more than 1,000 DDoS attacks. For instance, we observed 1,061 attacks on April 13 and 1,164 on June 2.

Dynamics of the number of DDoS attacks, Q2 2021 (download)

The distribution of DDoS attacks by day of the week in Q2 was, if anything, even more uniform than in Q1: the difference between the busiest and quietest days was only 2.05 p.p. At the same time, activity shifted to the start of the week. The share of Monday through Thursday relative to Q1 increased, while the end of the week, having been the most turbulent in the previous reporting period, grew calmer. We observed the highest number of attacks on Tuesdays (15.31%), while the quietest day this time was Sunday (13.26%).

Distribution of DDoS attacks by day of the week, Q1 and Q2 2021 (download)

Duration and types of DDoS attacks

In Q2, the average DDoS attack duration remained virtually unchanged from the previous reporting period: 3.18 hours versus 3.01 in Q1. What’s more, there was a slight increase both in the share of very short attacks lasting less than 4 hours (from 91.37% to 93.99%) and in the share of long (from 0.07% to 0.13%) and ultra-long (from 0.13% to 0.26%) ones. By contrast, the share of moderately long attacks in Q2 fell slightly, and attacks lasting 5–9 hours (2.65%) lost 1.51 p.p.

The maximum attack duration continued to increase. If in Q4 2020 we saw no attacks lasting more than 302 hours, the longest attack in Q1 2021 was 746 hours (more than 31 days), and Q2 topped that with a 776-hour-long attack (more than 32 days).

Distribution of DDoS attacks by duration, Q1 and Q2 2021 (download)

Looking at the distribution by type of attack, we see that UDP flooding in Q2 significantly increased its slice (60% vs 42% in Q1). SYN flooding (23.67%), which until 2021 was the most common type of DDoS, is fighting to regain lost territory: this quarter it swapped places with TCP flooding (13.42%) to claim second place.

Distribution of DDoS attacks by type, Q2 2021 (download)

Botnet distribution geography

Among botnet C&C servers, 90% were located in ten countries in Q2. The biggest share was in the US (47.95%), which added 6.64 p.p. to its score in the previous reporting period. In second place, as in Q1, is Germany (12.33%), and in third place the Netherlands (9.25%). France (4.28%) retained fourth position, followed by Canada (3.94%), whose share has doubled since last quarter.

The sixth-placed country by number of botnet C&C servers, as in Q1, is Russia (3.42%). The Czech Republic (2.57%) climbed to seventh place, overtaking Romania (2.40%), which shared eighth and ninth places with the UK (2.40%). Singapore (1.54%) props up the TOP 10, while the Seychelles dropped out of the ranking, having almost no C&C servers used by active botnets.

Distribution of botnet C&C servers by country, Q2 2021 (download)

Attacks on IoT honeypots

Also in Q2 2021 we analyzed in which countries bots and servers were attacking IoT devices with a view to botnet expansion. This involved studying the statistics on Telnet and SSH attacks on our IoT honeypots. The country with the most devices from which SSH attacks were launched this quarter was China (31.79%). In second place was the US (12.50%), and in third Germany (5.94%). However, the bulk of attacks via SSH originated in Ireland (70.14%) and Panama (15.81%), which both had relatively few bots. This could suggest that among the attacking devices located in these countries there were powerful servers capable of infecting multiple devices worldwide simultaneously.

Geography of devices from which attempts were made to attack Kaspersky SSH traps, Q2 2021 (download)

The biggest share of bots attacking Telnet traps in Q2 also belonged to China (39.60%). In addition, many bots were located in India (18.54%), Russia (5.76%) and Brazil (3.81%). The attacks originated mostly in these same countries, the only difference being that bot activity in Russia (11.25%) and Brazil (8.21%) was higher than in India (7.24%), while China (56.83%) accounted for more than half of all attacks on Telnet honeypots.

Geography of devices from which attempts were made to attack Kaspersky Telnet honeypots, Q2 2021 (download)

Conclusion

The DDoS market continues to stabilize after last year’s shakeup. As expected, Q2 2021 demonstrated the traditional summer lull. That said, we did see some abnormally long attacks, as well as shifts in the DDoS geography. The number of attacks in China, which long topped the ranking, continued to decline, at the same time as DDoS activity in Poland and Brazil increased markedly. Other than that, it was a pretty ordinary second quarter.

At present, we see no grounds for a sharp rise or fall in the DDoS market in Q3 2021. As before, the market will be heavily dependent on cryptocurrency prices, which have been riding high, despite declining relative to their spring peak: 1 BTC is worth US$30,000–35,000, less than a couple of months ago, but still a tidy sum. With cryptocurrency prices still attractive, the DDoS market is not expected to grow. Most likely, the summer decline typical of the vacation period will continue through Q3.

DDoS attacks in Q1 2021

Alexander Gutnikov, Oleg Kupreev, Ekaterina Badovskaya — Mon, 10 May 2021 10:00:15 +0000

News overview

Q1 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware, which attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. Botnet operators use infected devices to carry out DDoS attacks or mine cryptocurrency.

Another active bot focused on Android devices with the ADB (Android Debug Bridge) debug interface. The botnet was dubbed Matryosh (from the Russian word matryoshka — nesting doll) due to the multi-step process for obtaining the C&C address. It is not the first bot to attack mobile devices through a debug interface. This loophole was previously exploited by ADB.Miner, Ares, IPStorm, Fbot, Trinity, and other malware.

Q1 was not without yet another iteration of Mirai. Cybercriminals infected network devices, exploiting relatively recently discovered vulnerabilities, plus several unknown bugs. According to the researchers who identified the attack, it might have affected several thousand devices.

In Q1 2021, cybercriminals also found a host of new tools for amplifying DDoS attacks. One of them was Plex Media Server for setting up a media server on Windows, macOS, or Linux computers, network-attached storages (NAS), digital media players, and the like. Around 37,000 devices with Plex Media Server installed, accessible online directly or receiving packets redirected from specific UDP ports, turned out to be vulnerable. Junk traffic generated by Plex Media Server is made up of Plex Media Service Discovery Protocol (PMSSDP) requests and amplifies the attack by a factor of approximately 4.68.

A major amplification vector was the RDP service for remote connection to Windows devices. RDP servers listening on UDP port 3389 were used to amplify DDoS attacks. At the time of publishing the information about the misuse of the remote access service, 33,000 vulnerable devices had been found. The amplification factor was significantly higher than in the case of Plex Media Server: 85.9. To prevent attacks via RDP, it is recommended to hide RDP servers behind a VPN or disable UDP port 3389.

That said, a VPN is no panacea if it too is vulnerable to amplification attacks. In Q1 2021, for instance, attackers went after Powerhouse VPN servers. The culprit turned out to be the Chameleon protocol, which guards against VPN blocking and listens on UDP port 20811. The server response to requests on this port was 40 times larger than the original request. The vendor released a patch when they learned about the problem.

Alas, not all users of vulnerable programs and devices install updates promptly. For instance, as of mid-March, there were around 4,300 web-based servers for DDoS amplification through the DTLS protocol — this method was covered in our previous report. Vulnerable devices were either misconfigured or missing the latest firmware version with the required settings. Cybercriminals have wasted no time in adding this amplification method (as well as most others discovered just this past quarter) to their arsenal of DDoS-for-hire platforms.

Non-standard protocols are of interest to cybercriminals not only as a means of amplification, but as a tool for carrying out DDoS attacks. In Q1, a new attack vector appeared in the form of DCCP (Datagram Congestion Control Protocol), a transport protocol for regulating the network load when transmitting data in real time, for example, video streaming. The built-in mechanisms to protect against channel congestion did not prevent attackers using this protocol to flood victims with multiple connection requests. What’s more, on the side of the junk packet recipients, there were no online-accessible DCCP applications. Most likely, the attackers were randomly looking for a way to bypass standard DDoS protection.

Another unusual DDoS vector was the subject of an FBI warning about the rise in attacks on emergency dispatch centers. TDoS (telephony denial-of-service) attacks aim to keep the victim’s phone number permanently busy, flooding it with junk calls. There are two main TDoS methods: via flash mobs on social networks or forums, and automated attacks using VoIP software. Neither is new, but TDoS against critical first-responder facilities poses a very serious threat. “The public can protect themselves in the event that 911 [the emergency number across North America] is unavailable by identifying in advance non-emergency phone numbers and alternate ways to request emergency services in their area,” the FBI advised.

On the whole, the quarter was rich in media-reported DDoS attacks. In particular, DDoS ransomware continued to attack organizations worldwide at the start of the year. In some cases, they demonstrated impressive capabilities. For example, a European gambling company was bombarded with junk traffic, peaking at 800 GB per second. Maltese Internet service provider Melita was also hit by ransomware: a showcase DDoS attack disrupted services. At the same time, ransomware operators, having already started to steal victims’ data before encryption, also turned their eyes on DDoS as an extortion tool. The first attack on the website of a victim unwilling to negotiate occurred late last year. In January, Avaddon’s operators jumped on the bandwagon, followed in March by the group behind the Sodinokibi (REvil) ransomware.

Ransomwarers were likely spurred on by the upward movement of cryptocurrency prices, which continued in Q1 2021. In early February, Tesla announced a massive investment in Bitcoin, which led to even more hype around digital money. Several cryptocurrency exchanges could not cope with the resulting influx of sign-ups and suffered downtime. There was no avoiding DDoS either: British exchange EXMO reported an attack on its systems. Company representatives admitted that not only the site was affected, but the entire network infrastructure.

As many users were still working (and playing) from home in Q1 2021, cybercriminals made sure to target the most in-demand resources. In addition to the aforementioned Melita, Austrian provider A1 Telekom (article in German), as well as Belgian telecommunications firm Scarlet, suffered DDoS attacks (albeit without the ransomware component). In both instances, customers faced communication disruptions, and in the case of A1 Telekom, users all across the country experienced problems.

Online entertainment was likewise targeted by cybercriminals throughout the quarter. For example, Blizzard reported a DDoS attack in early January. The barrage of junk traffic caused players, especially those trying to connect to World of Warcraft servers, to experience delays. There were also cases of players getting kicked off the server. Towards the end of the month, cybercriminals attacked League of Legends. Players attempting to enter tournaments in Clash mode experienced login issues and intermittent connection failures. In February, a DDoS attack temporarily disabled the television service of Icelandic provider Siminn. And in March, LittleBigPlanet servers were unavailable for several days. Players blamed a disgruntled fan for the attack.

By early 2021, many schools had switched to on-campus or hybrid mode, but that did not stop the DDoS attacks. Only now, instead of flooding online platforms with junk traffic, cybercriminals sought to deprive educational institutions of internet access. For instance, in February, US schools in Winthrop, Massachusetts, and Manchester Township, New Jersey, were hit by DDoSers. In the second case, the attack forced the institutions to temporarily return to remote schooling. In March, CSG Comenius Mariënburg, a school in Leeuwarden, Netherlands, also fell victim to a DDoS attack. The attack was organized by students themselves. Two of them were quickly identified, but school officials suspect that there were other accomplices.

The most significant event in Q1 was COVID-19 vaccination. As new segments of the population became eligible for vaccination programs, related websites suffered interruptions. At the end of January, for example, a vaccine registration website in the US state of Minnesota crashed under the load.The incident coincided with the opening of appointments to seniors, teachers and childcare workers.In February, a similar glitch occurred on a vaccine appointment portal in Massachusetts as retirees, people with chronic illnesses and staff of affordable senior housing tried to sign up for a shot. In both cases, it is not known for certain whether it was a DDoS attack or an influx of legitimate traffic; all the same, cybersecurity company Imperva recorded a spike in bot activity on healthcare resources.

Nor was Q1 without political DDoS attacks. In February, cybercriminals flooded the websites of Dutch politician Kati Piri and the Labor Party, of which she is a member, with junk traffic. The Turkish group Anka Nefeler Tim claimed responsibility. In late March, a DDoS hit the website of the Inter-Parliamentary Alliance on China (IPAC). Representatives of the organization note that this is not the first such attack in living memory. On top of that, several government agencies in Russia and Ukraine reported DDoS attacks in early 2021. The victims included the websites of the Russian Federal Penitentiary Service and the National Guard, the Kiev City State Administration, the Security Service of Ukraine, the National Security and Defense Council, as well as other Ukrainian security and defense institutions.

Since the start of 2021, a number of media outlets in Russia and abroad have been targeted by DDoS attacks. In January, attackers downed the websites of Kazakh newspaper Vlast and Brazilian nonprofit media organization Repórter Brasil. In the second case, the attacks continued for six days. The Ulpressa portal, based in the Russian city of Ulyanovsk, came under a much longer attack lasting several weeks. The website was attacked daily during peak hours. The KazanFirst news portal initially managed to repel the stream of junk traffic, but the attackers changed tactics and ultimately took the site offline. A similar scenario played out in the case of Mexican magazine Espejo: the administrators deflected the first attempts to down the site, but these were followed by a more powerful DDoS wave.

But it was not only legitimate organizations that suffered from DDoS in Q1 2021. In January, many resources on the anonymous Tor network, which is popular with cybercriminals, were disrupted. The Tor network may have been overloaded due to DDoS attacks against specific sites on the dark web. A February target was the major underground forum Dread, used, among other things, to discuss deals on the black market. The forum administration was forced to connect additional servers to defend against the attack.

But this quarter was not all doom and gloom: some DDoS organizers did get exposed. For example, a pair of high-ranked Apex Legends players who DDoSed anyone who beat them finally got banned. A slightly more severe punishment was dished out to a teenager who late last year tried to disrupt Miami-Dade County Public Schools’ online learning system. He escaped jail, but was sentenced to 30 hours’ community service and placed on probation.

Quarter trends

In Q1 2021, DDoS market growth against the previous reporting period outstripped our prediction of around 30%, nudging over the 40% mark. Unusually, and hence interestingly, 43% of attacks occurred in the normally relatively calm month of January.

Comparative number of DDoS attacks, Q1 2021, Q1 2020, and Q4 2020. Data for Q1 2020 is taken as 100% (download)

The unexpected surge in DDoS activity can be attributed to the price of cryptocurrencies in general, and Bitcoin in particular, which began to fall in January 2021. The practice of previous years shows that rapid cryptocurrency growth is followed by a similarly rapid decline. It seems that the nimblest botnet owners expected similar behavior this year, and reverted back to DDoS at the first hint of a price drop. However, the Bitcoin price sometimes has a mind of its own: it rose again in February, plateaued in March and remains high at the time of posting. Accordingly, the DDoS market sagged in February and March.

Note that these two months were entirely in line with our forecast: the DDoS market showed slight growth relative to Q4, but no more than 30%. Another curiosity is that this year’s February and March indicators are very similar (within a few percent) to those of January 2020, which was a typically calm January. The same picture (abnormal January followed by standard February and March) was seen in 2019.

Comparative number of DDoS attacks, 2019–2021. Data for 2019 is taken as 100% (download)

Q1 2019 was fairly stable, almost benchmark standard, so it can be used to demonstrate deviations. Last year saw an explosive increase in DDoS activity in February and March, which we attributed, and continue to attribute, to the coronavirus outbreak, the switch to remote working, and the emergence of many new DDoS-vulnerable targets. This year’s January outlier is equally stark when compared with the 2019 data.

Note the significant lag in the Q1 figures overall against the same period of last year. This gap can be explained by the above-mentioned abnormally high numbers in 2020. Over the past year, the situation has changed: organizations have strengthened and learned how to protect remote infrastructure, so Q1 this year was simply ordinary, with no distortions. The slump in the numbers was caused specifically by the abnormal previous year, not the decline in the current one.
At the same time, the share of smart attacks in Q1 increased relative to both the end of 2020 (from 44.29% to 44.60%) and its start. This also indirectly confirms the theory that capacities are being redirected away from DDoS, which comes at the expense of attacks that are easy to organize and defend, since they have become unprofitable for botnet operators.

Share of smart attacks, Q1 2021, Q1 2020, and Q4 2020 (download)

In our Q4 2020 report, we noted a downward trend in the duration of short attacks and an upward one in the duration of long attacks. This trend continued this quarter as well, which is clearly seen from the duration data compared to Q4 of the previous year. We cautiously assume that this trend will continue in the future.

DDoS attack duration, Q1 2021, Q1 2020, and Q4 2020. Data for Q1 2020 is taken as 100% (download)

Statistics

Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

The DDoS Intelligence system is part of the Kaspersky DDoS Protection solution, and intercepts and analyzes commands sent to bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q1 2021.

In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

Note that, starting Q4 2020, the number of botnets whose activity is included in the DDoS Intelligence statistics has increased. This may be reflected in the data presented in this report.

Quarter summary

In Q1 2021:

The US displaced China from top spot by both number of DDoS attacks and number of unique targets.
We saw a spike in DDoS activity in January, peaking at over 1,800 attacks per day: 1,833 on the 10th and 1,820 on the 11th. On several other days in January, the daily number of attacks exceeded 1,500.
The distribution of attacks by day of the week was fairly even: just 2.32 p.p. separated the most and the least active days.
The number of short (less than 4 hours) DDoS attacks increased significantly.
The most widespread this time was UDP flooding (41.87%), while SYN flooding dropped to third place (26.36%).
Linux botnets continued to account for almost all DDoS traffic (99.90%).

Attack geography

In Q1 2021, the perennial leaders by number of DDoS attacks swapped places: the US (37.82%) added 16.84 p.p. to top the leaderboard, nudging aside China (16.64%), which lost 42.31 p.p. against the previous reporting period. The Hong Kong Special Administrative Region (2.67%), which had long occupied third position, this time dropped to ninth, with Canada (4.94%) moving into the Top 3.

The UK (4.12%) also lost ground, falling from fourth to sixth place, despite its share increasing by 2.13 p.p., behind the Netherlands (4.48%) and France (4.43%). South Africa, which finished fifth last quarter, dropped out of the Top 10 altogether.
Germany (3.78%) moved up to seventh place, displacing Australia (2.31%), which rounds out the ranking this quarter. Eighth place was taken by Brazil (3.36%), having rarely climbed higher than eleventh before.

Distribution of DDoS attacks by country, Q4 2020 and Q1 2021 (download)

The Top 10 countries by number of DDoS targets traditionally corresponds closely to the ranking by number of attacks. The Q1 leader was the US (41.98%), whose share increased by 18.41 p.p. By contrast, China’s share fell by more than four times — from 44.49% to 10.77%, pushing it into second place. However, there are some minor differences in the two rankings. Hong Kong, for instance, dropped out of the Top 10 countries by number of targets, and the Netherlands moved up to third place (4.90%). The UK (4.62%) consolidated its position in fourth spot, while Canada (4.05%) dropped from sixth to seventh, just a fraction of a percentage point behind Germany (4.10%) and France (4.08%).

Brazil (3.31%), as in the ranking by number of DDoS attacks, moved up to eighth place, while Australia (2.83%) climbed tenth to ninth place, allowing Poland (2.50%) to sneak in at the foot of the table. Like Brazil, Poland is an infrequent guest in the Top 10.

Distribution of unique DDoS-attack targets by country, Q4 2020 and Q1 2021 (download)

DDoS attack dynamics

Q1 2021 got off to a dynamic start. DDoS activity peaked on January 10 and 11, when the number of attacks exceeded 1,800 per day. January posted several more days on which our systems recorded more than 1,500 attacks. As mentioned above, this surge in activity is most likely due to the brief drop in the Bitcoin price.
After a stormy start, there followed a relatively calm February, when for several days in a row — from the 13th to the 17th — the daily rate of DDoS attacks remained under 500. The quietest day was February 13, when we recorded just 346 attacks. Early March saw another peak, more modest than the January one: 1,311 attacks on the 3rd and 1,290 on the 4th. Note that, as before, this was preceded by a fall in the Bitcoin price.

Dynamics of the number of DDoS attacks, Q1 2021 (download)

In Q1 2021, DDoS attacks by day of the week were far more evenly spread than in the previous reporting period. The difference between the stormiest and the quietest days was 2.32 p.p. (versus 6.48 p.p. in Q4 2020). Saturday (15.44%) took the lion’s share of DDoS attacks, while Thursday (13.12%), last quarter’s leader, was this time the most inactive day. Overall, the share of days from Friday to Monday increased in the first three months of 2021, while midweek dipped slightly.

Distribution of DDoS attacks by day of the week, Q4 2020 and Q1 2021 (download)

Duration and types of DDoS attacks

The average DDoS attack duration in Q1 more than halved compared to Q4 2020. The proportion of very short attacks lasting less than four hours rose markedly (91.37% against 71.63% in the previous reporting period). In contrast, the share of longer attacks declined. Attacks lasting 5–9 hours lost 7.64 p.p., accounting for 4.14% of all attacks; only 2.07% of incidents lasted 10–19 hours, and 1.63% 20–49 hours. Attacks lasting 50–99 hours in Q1 made up less than 1% of the total. The shares of long (0.07%) and ultra-long (0.13%) attacks also fell slightly.

Distribution of DDoS attacks by duration, Q4 2020 and Q1 2021 (download)

The distribution of attacks by type continued to change. In Q1 2021, the seemingly unassailable leader, SYN flooding (26.36%), lost its grip on the ranking. This DDoS type shed 51.92 p.p. and finished third. Meanwhile, UDP (41.87%) and TCP flooding (29.23%) gained in popularity among attackers. GRE (1.43%) and HTTP flooding (1.10%), which round out the ranking, also posted modest growth.

Distribution of DDoS attacks by type, Q1 2021 (download)

In terms of botnet types, Linux-based bots were again responsible for the vast majority of attacks this quarter. Moreover, their share even rose slightly against the previous reporting period: from 99.80% to 99.90%.

Ratio of Windows/Linux botnet attacks, Q4 2020 and Q1 2021 (download)

Botnet distribution geography

The traditional leader in terms of C&C server hosting is the US (41.31%), and Q1 was no exception. Its share increased by 5.01 p.p. against Q4 2020. Silver and bronze again went to Germany (15.32%) and the Netherlands (14.91%), only this time they changed places: the share of the Netherlands fell, while Germany’s almost doubled.
Romania dropped from fourth to seventh place (2.46%), behind France (3.97%), the UK (3.01%), and Russia (2.60%). Canada held on to eighth position (1.92%), while Singapore and the Seychelles closed out the ranking, both posting 1.37% in Q1.

Distribution of botnet C&C servers by country, Q1 2021 (download)

Conclusion

The first quarter began with a surge in DDoS activity amid falling cryptocurrency prices, but on the whole it was relatively calm. At the same time, we observed several unexpected reshuffles. In particular, the US knocked China out of first place by both number of DDoS attacks and number of targets. SYN flooding, long the most common type of attack, gave way to UDP and TCP this time around.

As for Q2 forecasts, no significant shifts in the DDoS market are in sight at present. As is customary, much will depend on cryptocurrency prices, which are currently rising an all-time high. Besides, the experience of previous years shows that the second quarter is usually rather calmer than the first; so, barring any shocks, we can expect little change, perhaps a slight decline, in the DDoS market. That said, if the cryptocurrency market falls sharply, we forecast a rise in DDoS activity, driven largely by simple, short-lasting attacks.

DDoS attacks in Q4 2020

Oleg Kupreev, Ekaterina Badovskaya, Alexander Gutnikov — Tue, 16 Feb 2021 10:00:20 +0000

News overview

Cybercriminals are constantly on the lookout for means and methods to make attacks more destructive. In Q4 2020, Citrix ADC (application delivery controller) devices became one such tool, when perpetrators abused their DTLS interface. The DTLS (Datagram Transport Layer Security) protocol is used to establish secure connections over UDP, through which most DNS queries, as well as audio and video traffic, are sent. To amplify the attack, the attackers sent requests to devices with the DTLS interface enabled, spoofing victims’ IP addresses. Consequently, the victims received reply packets several times larger in size. In the case of Citrix devices, the amount of junk traffic could increase by up to 36 times. After the attacks came to light, the manufacturer promptly released a firmware update for configuring verification of incoming requests. For those who do not use DTLS, it is recommended to simply disable this protocol.

Another notable attack in December targeted the website Bitcoin.org, which hosts Bitcoin Core, one of the most widely used software versions of bitcoin. While the resource was down, cryptocurrency newbies were invited to download a copy of Bitcoin Core via a torrenting service. Most likely, the attack is related to the bitcoin price, which has steadily risen over the past quarter. According to one of the developers behind Bitcoin.org, the site is always hit whenever bitcoin is on the up.

Overall, Q4 remained within the parameters of 2020 trends. Cybercriminals used the names of well-known APT groups to intimidate victims, demanded ransoms in cryptocurrency, and carried out demonstration attacks to back up their threats. Extortionists’ activity regularly made the news throughout 2020. In October, telecommunications firm Telenor Norway was another to fall victim.

Since the transition of schools and universities to remote learning, cybercriminals have tried to disrupt classes by flooding educational platforms with garbage traffic. This trend continued in the last months of 2020. In October, schools in Sandwich and Tyngsboro, Massachusetts, suffered network outages. In both cases, the institutions initially put the incident down to technical failure, and only later discovered the attack. In December, Canada’s Laurentian University reported a DDoS attack. But it dealt with the problem in a matter of minutes. Still, such attacks by year’s end were serious enough for the FBI to flag them in its December advisory as a major threat to teaching facilities. Educational institutions are recommended to use anti-DDoS solutions and strong firewall settings, and partner up with ISPs.

Gaming platforms didn’t escape cybercriminal attention either. According to ZDNet, Xbox and Steam were the targets of amplification attacks through Citrix devices. In early October, a DDoS attack was reported by the PUBG Mobile team.

Dear players,

The PUBG MOBILE team are currently actively working to resolve the DDoS attacks against our systems and the new hacking issues. For information, please check out here: https://t.co/DMYsxWTlCc

— PUBG MOBILE (@PUBGMOBILE) October 3, 2020

And Blizzard’s European servers were hit by threat actors twice in the quarter.

We are currently experiencing a DDoS attack, which may result in high latency and disconnections for some players. We are actively working to mitigate this issue #BlizzCS

— Blizzard CS EU (@BlizzardCSEU_EN) October 2, 2020

In late December, several dozen top streamers planned to celebrate the end of 2020 playing through Rust all on the same server. The show failed at the first attempt, apparently due to a DDoS attack, although there is no reliable data on this. Given the hype surrounding the event, it may have been caused by an influx of fans tuning in. In 2020, when much of life shifted online, internet resources repeatedly suffered from surges in totally legitimate activity.

As for the fightback, the most notable Q4 event was the conviction of a former Apophis Squad member responsible for a string of DDoS attacks, including for ransom, as well as for disrupting school classes worldwide through fake bomb alerts, and for storing child pornography. For his efforts, the perpetrator was sentenced to eight years in prison.

The resistance against individual attack vectors also continues. The Internet Engineering Task Force (IETF) published a proposal for Network Time Security (NTS), a secure standard for data transmission over the Network Time Protocol (NTP), which is used to synchronize time across a network. The document addresses, in particular, the problem of DDoS amplification through this protocol and prohibits the sending, in response to a request, of data packets larger than the request packet.

Quarter and year trends

This time, our forecasts came true exactly 50%: as expected, in Q4 2020 we observed indicators comparable to those for the same period in 2019, and even slightly higher. However, growth relative to Q3 2020, which we predicted as a possible alternative, did not occur. On the contrary, the total number of attacks fell by about 30%, and smart attacks by 10%.

Comparative number of DDoS attacks, Q3/Q4 2020 and Q4 2019; data for Q4 2019 is taken as 100% (download)

All the same, the qualitative indicators are noteworthy: the share of smart attacks increased slightly in Q4, and the data on attack duration showed a downward trend for short attacks and an upward trend for long ones.

Share of smart attacks, Q3/Q4 2020 and Q4 2019 (download)

Duration of DDoS attacks, Q3/Q4 2020 and Q4 2019; data for Q4 2019 is taken as 100% (download)

The drop in the number of DDoS attacks can be explained by growth in the cryptocurrency market. We already mentioned several times, including in the previous report, the inverse relationship between DDoS activity and the price of cryptocurrencies. When we made our Q4 forecasts, hardly anyone expected such rapid, frankly unprecedented growth. Unsurprisingly, then, botnet operators turned some of their capacity over to mining.

Interestingly, the noticeable fall in the number of DDoS attacks compared to the previous quarter came at the expense of easy-to-organize attacks, while smart attacks declined only insignificantly. This is perfectly logical: it is unprofitable for botnet operators to sell capacity on the cheap, losing out on mining profits; so when prices rise, the first to be cut loose are amateurs — schoolkids, prankers, hotheads — who have no real reason to organize a DDoS. As for professionals, their interests are undented by market fluctuations, especially in Q4 with its many holidays and online sales, so they continue to order and carry out attacks, and mostly smart ones, because they are focused on the result, not the attempt.

What Q1 2021 will bring is hard to say. However, we are becoming increasingly convinced that the DDoS market has stopped growing, having completely stabilized after the decline in 2018. The current fluctuations are mainly due to the dynamics of cryptocurrency prices, and will depend directly on them going forward. If cryptocurrencies begin to fall in price in Q1 2021, the number of DDoS attacks will rise, and vice versa. At the same time, we do not expect to see any explosive growth or dramatic fall. Barring the unexpected (although the unexpected was the name of the game last year), DDoS market fluctuations will remain within 30%.

Comparative number of DDoS attacks, 2019 and 2020; data for 2019 is taken as 100% (download)

As for the results of 2020 as a whole, the market slightly less than doubled over the year. Note that this growth is purely quantitative: the share of smart attacks remained practically unchanged.

Share of smart attacks, 2019 and 2020 (download)

The attack duration data is of particular interest. In 2020, the average duration decreased by roughly a third, while the maximum increased noticeably overall, despite remaining almost on a par with last year in the case of smart attacks. This suggests that short attacks are getting shorter and long ones longer; we saw a similar trend in Q4. Although the reasons are hard to pinpoint, we can assume, as with every other trend last year, that it is related to the pandemic, the serious global instability and the eruptive growth in the cryptocurrency market. The DDoS market is changing under the influence of these factors, as too are the targets of attacks and those who order them, and with them the average attack duration.

Duration of DDoS attacks, 2019 and 2020; data for 2019 is taken as 100% (download)

Statistics

Methodology

Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

This report contains DDoS Intelligence statistics for Q4 2020.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

Note that Q4 2020 saw a rise in the number of botnets whose activity is included in the DDoS Intelligence statistics. This may be reflected in the data presented in this report.

Quarter summary

In Q4, as before, China (58.95%), the US (20.98%) and Hong Kong (3.55%) led the pack by number of DDoS attacks.
Ditto the TOP 3 regions by number of targets: China (44.49%), the US (23.57%) and Hong Kong (7.20%).
On the “quietest” days, the number of DDoS attacks did not exceed one per day.
The most active day of the quarter in terms of DDoS was December 31, which recorded 1,349 attacks.
The most DDoS attacks this quarter we saw on Thursdays, and the fewest on Sundays.
The shares of very short attacks (71.63%) and very long attacks (0.14%) decreased in Q4, while the shares of all intermediate categories increased.
Q4 reshuffled the distribution of DDoS attacks by type: UDP flooding returned to second place (15.17%), and GRE flooding, previously unmentioned in our reports, became the fourth most common (0.69%).
Linux botnets were used in almost 100% of attacks.
The majority of botnet C&C servers were located in the US (36.30%), the Netherlands (19.18%) and Germany (8.22%).

Attack geography

The TOP 3 countries by number of DDoS attacks in Q4 2020 remained the same as in the previous reporting period. China is still top (58.95%), but its share fell by 12.25 p.p. Second place goes to the US (20.98%), whose share, in contrast, climbed by 5.68 p.p. A similar pattern — a decline in China’s and an increase in the US share against Q3 — we also observed in the last three months of 2019.

Despite losing 0.92 p.p., the Hong Kong Special Administrative Region (3.55%) clung on to third place, which it has not vacated since the beginning of 2020. This is where the similarity with the Q3 picture ends: Singapore, fourth in the last reporting period, dropped out of the TOP 10. It was replaced by the UK (1.99%), which gained 1.72 p.p.

The fifth line is occupied by South Africa (1.31%), displacing Australia (0.97%), which dropped to seventh, despite increasing its share by 0.32 p.p.; Canada (1.04%) ranked sixth after missing out on the TOP 10 in Q3.

The Netherlands moved down one position to eighth (0.86%). India and Vietnam, like Singapore, left the TOP 10. The ranking is rounded out by Germany (0.71%) and France (0.64%), which both fell short of the Q3 TOP 10.

Distribution of DDoS attacks by country, Q3 and Q4 2020 (download)

The TOP 10 countries list by number of DDoS targets is traditionally similar to the ranking by number of attacks. The three leaders are the same: ahead is China (44.49%), whose share decreased by 28.34 p.p., but remains unchallenged. Second is the US (23.57%), whose share increased by 7.82 p.p., and in third place is Hong Kong, adding 7.20%.

South Africa failed to make the TOP 10 by number of targets, but not Singapore (2.21%), despite dropping out of the ranking by number of attacks. While its share increased by 1.74 p.p., it lost ground relative to Q3 and moved down to fifth place. This is because all the TOP 10 countries, except China, increased their share. For instance, the fourth-placed Netherlands (4.34%) grew by 4.07 p.p.

As for countries lower down, only their order of appearance distinguishes this list from the ranking by number of attacks. Canada (1.97%) outstrips the UK (1.77%), while Australia (1.29%) places last, behind France (1.73%) and Germany (1.62%).

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2020 (download)

Dynamics of the number of DDoS attacks

As expected, Q4 was more turbulent than its predecessor. The start of the reporting period was quite calm: on October 3–6, we observed only one attack per day. However, come October 20, 347 attacks were recorded, which exceeds the Q3 maximum (323 attacks in one day). In late October and November, DDoS activity fluctuated between close to zero and 200 attacks per day.

The last days of November saw the start of significant growth, which continued through quarter’s end, most likely due to the increase in the number of botnets monitored by Kaspersky, as well as the Christmas and New Year vacations, the runup to which is usually accompanied by a spike in cybercriminal activity. The overall rise in online shopping (holiday-related and other) probably also played a role. The hottest day in terms of DDoS this quarter was December 31, with 1,349 attacks recorded worldwide.

Dynamics of the number of DDoS attacks, Q4 2020 (download)

In Q4, Thursday remained the most active day of the week (17.67%), although its share dropped by 1.35 p.p. against the previous quarter. But the title of quietest day changed hands again: this time, cybercriminals preferred to put their feet up on Sundays (11.19%). What’s more, the spread in the number of attacks on “calm” and “stormy” days narrowed to 6.48 p.p., down from almost 9 p.p. last quarter. In the last three months of the year, the number of attacks conducted on Tuesdays, Wednesdays and Fridays increased, and for other weekdays, decreased.

Distribution of DDoS attacks by day of the week, Q3 and Q4 2020 (download)

Duration and types of DDoS attacks

The average duration of DDoS attacks in Q4 increased relative to the previous reporting period. This can be attributed to the significant decline in the share of very short attacks lasting under four hours (71.62% versus 91.06% in Q3), as well as the increase in the number of longer attacks. Specifically, the share of attacks lasting 5–9 (11.78%), 10–19 (8.40%), 20–49 (6.10%), 50–99 (1.86%) and 100–139 (0.10%) hours increased this quarter.

In contrast, the share of ultra-long attacks decreased by 0.09 p.p. to 0.14%, yet remained higher than the share of attacks lasting 100–139 hours, while the duration of the longest attack exceeded 12 days (302 hours), which is noticeably longer than the Q3 maximum (246 hours).

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2020 (download)

The distribution of DDoS attacks by type changed dramatically in Q4. The lead is still held by SYN flooding, but its share fell by 16.31 p.p. to 78.28%. Meanwhile, the share of UDP flooding shot up (15.17%), having been under 2% in the first three quarters. TCP attacks (5.47%) also increased in number, but ICMP flooding, previously ranked second after SYN attacks, was negligible in Q4, so we did not include it in the statistics.

Instead, a type of attack previously unmentioned in our reports, GRE flooding (0.69%), showed up on the Q4 radar. GRE (Generic Routing Encapsulation) is a traffic-tunneling protocol used primarily for creating virtual private networks (VPNs). GRE flooding was employed, for instance, by the Mirai botnet to attack the blog of journalist Brian Krebs in 2016.

Distribution of DDoS attacks by type, Q4 2020 (download)

This quarter, for the first time since our observations began, the share of Windows botnets fell to almost zero (0.20%). Almost all recorded DDoS attacks were carried out using Linux-based bots.

Ratio of Windows/Linux botnet attacks, Q3 and Q4 2020 (download)

Botnet distribution by country

The bulk of C&C servers in control of DDoS botnets in Q4 2020 were located in the US, which accounted for 36.30% of the total number of servers. In second place was the Netherlands with a 19.18% slice. Germany completes the TOP 3 with 8.22%.

Romania came fourth by number of C&C servers (4.79%), while fifth and sixth positions were shared by France and the UK, both on 4.11%. This quarter’s seventh-, eighth- and ninth-ranking countries likewise had the same share: Canada, Hungary and Vietnam all posted 3.42%. China (2.05%) wraps up the TOP 10 countries by number of recorded botnet C&C servers.

Distribution of botnet C&C servers by country, Q4 2020 (download)

Conclusion

Q4 was both ordinary and extraordinary. On the one hand, there were no unexpected changes in the geographical distribution of DDoS attacks and targets; on the other, the distribution by attack type shifted radically: the share of UDP flooding was up; ICMP attacks were displaced by GRE flooding. In addition, for the first time in our observation history, Linux botnets have almost totally captured the DDoS market.

We would very much like to see the data for an alternative 2020 — one with no pandemic, no dramatic cryptocurrency growth, no shocks to the DDoS market. The coronavirus outbreak spurred the market (see our Q1 and Q2 reports), while the cryptocurrency upswing curbed it (see our Q3 report). Perhaps these opposing forces ultimately canceled each other out, and the picture would have been similar without them, but in 2020 they combined to create a perfect storm on the DDoS market, blowing half of our predictions off course.

It is hard to guess what to expect in 2021 — we cannot predict how the pandemic or cryptocurrency prices will behave. Therefore, our forecast is very tentative: no sharp shocks will equal little change on the DDoS market. We see no preconditions for major growth or decline, both in Q1 and throughout 2021. The watchword is stability, which is what we expect.

DDoS attacks in Q3 2020

Oleg Kupreev, Alexander Gutnikov, Ekaterina Badovskaya — Wed, 28 Oct 2020 10:00:21 +0000

News overview

Q3 was relatively calm from a DDoS perspective. There were no headline innovations, although cybercriminals did continue to master techniques and develop malware already familiar to us from the last reporting period. For example, another DDoS botnet joined in the assault on Docker environments. The perpetrators infiltrated the target server, created an infected container, and placed in it the Kaiten bot (also known as Tsunami), paired with a cryptominer.

The Lucifer botnet, which first appeared on researchers’ radar last quarter, and knows all about DDoS attacks and cryptocurrency mining, got an update, and now infects not only Windows, but also Linux devices. In DDoS attacks, the new version can use all major protocols (TCP, UDP, ICMP, HTTP) and spoof the IP address of the traffic source.

Mirai enthusiasts supplemented their brainchild with exploits for new vulnerabilities. In July, our colleagues at Trend Micro told about a variant of the botnet that exploited the bug CVE-2020-10173 in Comtrend VR-3033 routers, allowing sections of the network connected to vulnerable routers to be compromised. Then in August, news broke of a Mirai variant attacking BIG-IP products through the CVE-2020-5902 vulnerability. The BIG-IP family includes firewalls, load management and access control apps, and fraud and botnet protection systems. The vulnerability can be used to execute arbitrary commands, upload and delete files, disable services, and run JavaScript scripts.

On the topic of actual DDoS attacks, Q3 was not that eventful. The most newsworthy were extortion attacks allegedly carried out by actors known for hiding behind variously named APT groups: FancyBear, Armada Collective, Lazarus, and others. The ransomers send bitcoin ransom emails to organizations around the world, demanding from 5 BTC to 20 BTC, and threatening a powerful and sustained DDoS attack in case of non-payment. After that, the victim is flooded with junk traffic to demonstrate that the threats are far from empty.

In August and early September, several organizations in New Zealand were hit, including the New Zealand Stock Exchange (NZX), which was taken offline for several days. Also among the victims were the Indian bank YesBank, PayPal, Worldpay, Braintree, and other financial companies. Another DDoS wave of bitcoin ransom demands affected a number of European ISPs; however, it’s not known for sure whether this was the work of the same group. At the end of September, financial and telecommunications companies in Hungary were rocked by a powerful DDoS attack. According to Magyar Telekom, the junk traffic came from Russia, China, and Vietnam. Whether the cybercriminals sent ransom messages as part of the attack is unknown.

The back end of September saw a series of DDoS attacks on public flight-tracking services. The victims included the Swedish website Flightradar24 and the UK platform Plane Finder, which monitor the movement of aircraft in real time. These services are in great demand: meeters and greeters can check if a flight is on time, and media use the information when reporting on aircraft incidents. As a result, the services worked only intermittently, and their Twitter accounts posted messages that an attack had taken place. A tweet from Flightradar24, for instance, reported that the resource had suffered no fewer than three attacks in a short space of time. US company FlightAware also reported service availability issues, but did not specify whether it was an attack or just a malfunction.

Q3 was not without traditional attacks on the media. Russian TV station Dozhd reported a DDoS incident on August 24. Unknown cyberactors attempted to take the resource offline during daytime and evening news broadcasts. In early September, cybercriminals targeted the news agency UgraPRO. According to media reports, the junk traffic originated from Russian and foreign IP addresses at a rate of more than 5,000 requests per second. In late September, the news portals Chronicles of Turkmenistan and Sputnik Armenia reported attacks on their websites.

Lastly, due to the coronavirus pandemic and related restrictions in Russia, the Unified State Exam, sat by final grade students in Russian schools, was this year postponed to July. This could hardly fail to impact the DDoS landscape: in the middle of the month, the Federal Service for Supervision in Education and Science (Rosobrnadzor) reported an attempt to disrupt the exam results portal. Fortunately, the results had not yet been uploaded, so the attack was a wasted effort.

More school-related attacks were predictably seen at the start of the academic year. For example, in Miami-Dade County, Florida, a DDoS wave swept across the websites of local educational institutions, disrupting online classes. However, one of the juvenile cybercriminals met with near-instant karma: the schools brought in the FBI, and by September 3 the delinquent had been arrested. The other perpetrators are still being traced.

On the topic of the FBI, in Q2 the agency issued two anti-DDoS alerts for businesses. In July, a document was released containing a brief description of new amplification methods, as well as recommendations for detecting attacks and measures to prevent them. And in late August, it published a fairly detailed report on DDoS extortionists activity, again with tips for countering such attacks.

Quarter trends

In Q3, we observed a significant drop in all indicators relative to the previous reporting period. This is more likely due to the anomalous DDoS activity seen in Q2 than any unusual lull this quarter, which becomes clear when comparing the current picture with data for the same period in 2019: total attacks increased by 1.5 times, while the number of smart attacks almost doubled.

Comparative amount of DDoS attacks, Q2/Q3 2020 and Q3 2019. Data for Q3 2019 is taken as the 100% reference value (download)

Unlike the previous quarter, Q3 can be described as normal: we are finally witnessing the traditional summer decline in the attack market, which did not happen in May and June. We expected such picture in early 2020, but the abnormally high Q2 figures upset the applecart. The current normalization of DDoS activity can be explained by two factors:

Global market stabilization amid the coronavirus pandemic. It is now nine months since the introduction of quarantine measures, and the mass transition to remote working has ceased to be news. Companies have adapted to the new work format, and IT departments have plugged holes in remote infrastructure and strengthened key nodes. As a result, there are fewer targets fit for attack.
Cryptocurrency market growth. For instance, the Ethereum price chart (see below) shows a clear jump in Q3. Cryptocurrency mining and DDoS attacks are competing markets. Many botnets can do both, and their operators choose where to direct resources at any particular moment depending on the potential yield. In Q3, some botnets could have been switched over to mining.

Ethereum price dynamics from October 13, 2019, to October 13, 2020. Source: coindesk.com

Quarter statistics

Methodology

Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

This report contains DDoS Intelligence statistics for Q3 2020.

In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical location of DDoS victims is determined by their IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

Quarter results

The TOP 3 by number of attacks and targets remain unchanged: China (71.20 and 72.83%), the US (15.30 and 15.75%), and the Hong Kong Special Administrative Region (4.47 and 4.27%).
The Netherlands and Vietnam are new faces in the Top 10 by number of attacks.
As for the ranking by number of targets, there was a noticeable decline of interest in Asia: Hong Kong lost 2.07 p.p. and Singapore 0.3 p.p., while Japan and South Korea did not even show. The exception is China, where the share of targets rose by 6.81 p.p.
After the Q2 upturn, the number of attacks in Q3 dipped again. What’s more, the difference between the peak (323 attacks per day) and anti-peak (1 registered attack) figures increased sharply.
In Q3, we observed a two-week drop in late August and early September. During this period, there were three anti-peaks (August 31, September 1/7) with one attack per day, and another five days with fewer than 10.
DDoS botnet flooding was most active on Thursdays, with a noticeable dip on Fridays.
Although Q3 lags far behind Q1 in terms of duration, there were two registered attacks of more than 10 days (246 and 245 hours), and the number of attacks lasting 5–9 days (12 attacks lasting 121–236 hours) increased.
The distribution of attacks by type did not undergo any changes: SYN flooding is still the main tool (94.6%), its share remaining virtually unchanged since the previous quarter. ICMP attacks comprised 3.4%, while HTTP flooding scored less than 0.1% of attacks.
Linux botnets still dominate over their Windows counterparts, accounting for 95.39% of attacks (up 0.61 p.p. on the previous quarter).

Attack geography

Q3 2020 brought no surprises in terms of the geographical distribution of attacks. The TOP 3 by number of attacks this year is surprisingly stable: China (71.2%, up 6.08 p.p. against Q2), the US (15.3%, down 4.97 p.p.), and Hong Kong (4.47%, down 1.61 p.p.). Despite some fluctuations, the huge gap between China and the US, and Hong Kong’s markedly lower share, remain unchanged. We saw a similar state of play in Q3 2019.

Singapore, Australia, and India all climbed one line higher (from fifth to fourth, sixth to fifth, and seventh to sixth place, respectively), knocking South Africa from fourth to eighth. The reason has less to do with the rising share of attacks in these countries, rather the relative calm in South Africa itself: in July-September, the share of attacks there fell by 0.88 p.p. to 0.4%. At the same time, there were fewer registered attacks in Singapore, in relative terms, than in the previous reporting period: 0.85% of DDoS attacks (-0.28 p.p.). The shares of Australia and India increased by roughly the same amount (+0.27 p.p. and +0.24 p.p., respectively), delivering a 0.65% share for the former and 0.57% for the latter.

In seventh place in the ranking, wedged between India and South Africa, is the Netherlands, absent from the TOP 10 since Q3 2019. In the reporting period, this country accounted for 0.49% of attacks.

The TOP 10 by number of attacks is rounded out by Vietnam and the UK. The share of attacks in the former increased by 0.23 p.p. against Q2, giving Vietnam a TOP 10 finish for the second time this year with 0.39% of attacks (its previous entry was at the start of the year). As for the UK, it remains relatively stable: from 0.18% of attacks in Q2, its share rose only slightly, to 0.25%.

Distribution of DDoS attacks by country, Q2 and Q3 2020 (download)

The geographical distribution of targets also changed insignificantly: only two newcomers entered the TOP 10, although the reshuffling of last quarter’s ranking is more pronounced than in the distribution of attacks.

The TOP 3 remained the same as in the previous quarter: China, the US, Hong Kong. The share of targets in China continues to grow — up 6.81 p.p. against the last reporting period, approaching three-quarters of all registered targets: 72.83%. Having shed 3.57 p.p., the US was left with 15.75% of targets. Hong Kong lost 2.07 p.p., its share of targets falling to 4.27%.

Fourth place was taken by Singapore. Despite the reduced number of targets there (down 0.3 p.p. to 0.74%), it moved up one notch, displacing South Africa. In fifth position was Vietnam with 0.5% of registered targets (in the previous reporting period it ranked seventh). The already mentioned South Africa claimed sixth place with 0.47% of targets.

The next two positions, seventh and eighth, went to a couple of newbies: the UK (0.35%) and the Netherlands (0.27%). It was their first inclusion in the ranking since Q4 and Q3 2019, respectively. These European countries ousted Asia’s Japan and South Korea, which had occupied the bottom two lines in last quarter’s TOP 10 countries by number of targets. In Q3, these lines were filled by Australia (0.25%) and India (0.23%), which had previously sat in sixth and eighth position, respectively.

Distribution of unique DDoS-attack targets by country, Q3 and Q4 2020 (download)

Dynamics of the number of DDoS attacks

The number of attacks this quarter varied significantly. On the one hand, at peak activity, DDoS operators broke the previous period’s record: on July 2, we registered 323 attacks (compared to 298 in April). On the other, this quarter had a few surprisingly calm days: August 31 and September 1/7 saw only one registered attack each. Overall, late August–early September was quite mild: during the two weeks from August 25 to September 7, the number of attacks exceeded 100 on just one day (181 on September 5), and as many as eight days registered fewer than 10.

Another curiosity is the difference between the peak and the indicators closest to it. In the past few quarters, there has been no significant difference in the number of attacks on the 2–3 most active days. Q3 broke the mold: the next most attack-intensive day after July 2 — July 13 — scored almost 20% fewer attacks, 260 in total. On average, there were approximately 106 attacks per day in Q3, which is 10 fewer than in the previous quarter.

Dynamics of the number of DDoS attacks, Q3 2020 (download)

Cybercriminals’ most and least favored days shifted again this quarter. Active Wednesdays were replaced by active Thursdays (19.02%), and quiet Saturdays by quiet Fridays (10.11%). The gap between them widened: 8.91 p.p. against 4.93 p.p. in the previous reporting period. This is largely due to Thursday being the most active day of the quarter.

Besides Saturday and Thursday, Monday also increased its share of attacks, although not significantly, while the remaining days saw their percentage fall accordingly.

Distribution of DDoS attacks by day of the week, Q2 and Q3 2020 (download)

Duration and types of DDoS attacks

The average attack duration in Q3 continued to shorten. This can be explained by the increase in the share of ultra-short attacks (this time by a significant 5.09 p.p.). However, unlike in the previous reporting period, the share of long (100–139 hours) attacks decreased inappreciably (by just 0.08 p.p.), while the share of ultra-long attacks even rose slightly (by 0.18 p.p.). Whereas in Q2, the longest attacks did not even reach nine days, this quarter we registered two lasting over 10 days (246 and 245 hours), and the number of attacks lasting 5–10 days increased by 1.5 times.

As such, the following picture emerged: the bulk of attacks (91.06%) lasted up to four hours; 4.89% lasted 5–9 hours; 2.25% lasted 10–19 hours; 2.09% lasted 20–49 hours; 0.4% lasted 50–99 hours; and just 0.08% lasted 100–139 hours. Unusually, this quarter the number of attacks lasting 140 hours or more is actually greater than the number of attacks in the bracket before it, accounting for 0.23% of the total number of DDoS attacks.

Distribution of DDoS attacks by duration (hours), Q2 and Q3 2020 (download)

The distribution of attacks of different types is unchanged from the last reporting period, as is the share of the most common type — SYN flooding: 94.6% in Q3 versus 94.7% in Q2. ICMP flooding decreased slightly (3.4% against the previous 4.9%), but did not surrender its positions. TCP attacks comprised 1.4% of the total number registered (up by a considerable 1.2 p.p.); UDP attacks accounted for 0.6%, while HTTP attacks were so few that their share did not even stretch to 0.1%.

Distribution of DDoS attacks by type, Q3 2020 (download)

In Q3, the share of Windows botnets continued to fall: this time their number dropped by 0.61 p.p. against the previous quarter to 4.61%. The percentage of Linux botnets grew accordingly.

Ratio of Windows/Linux botnet attacks, Q2 and Q3 2020 (download)

Conclusion

If Q2 2020 surprised us with an unusually high number of DDoS attacks for this period, the Q3 figures point to a normalization. Judging by the number of unique targets, in comparison with last quarter, cybercriminals were more attracted by European, and less by the Asian countries, such as Japan and South Korea, although interest in China is still high and continues to grow in terms both of unique targets and of attacks. Growth was observed in the number of short and ultra-short attacks, as well as multi-day ones. The sharp contrast between the highest and lowest number of attacks per day is curious. Taken together, these indicators mark Q3 2020 out as somewhat contradictory from a DDoS viewpoint.

It will be interesting to see what Q4 has in store. Barring major shocks, we expect to see indicators comparable to those at end-2019. Back then, after almost two years of growth, the DDoS market more or less stabilized.

Q4 is usually a hot time due to the Christmas and New Year sales frenzy. End-of-year figures are typically around 30% higher than those of Q3. We expect to see a similar picture this year, although, after the abnormally active Q2, it would be foolhardy to make cast-iron predictions. That said, if nothing else extraordinary happens in this more-than-extraordinary year, we see no reason for the DDoS market to experience a significant swing in either direction in Q4.

DDoS attacks in Q2 2020

Oleg Kupreev, Ekaterina Badovskaya, Alexander Gutnikov — Mon, 10 Aug 2020 10:00:11 +0000

News overview

Not just one but two new DDoS amplification methods were discovered last quarter. In mid-May, Israeli researchers reported a new DNS server vulnerability that lurks in the DNS delegation process. The vulnerability exploitation scheme was dubbed “NXNSAttack”. The hacker sends to a legitimate recursive DNS server a request to several subdomains within the authoritative zone of its own malicious DNS server. In response, the malicious server delegates the request to a large number of fake NS servers within the target domain without specifying their IP addresses. As a result, the legitimate DNS server queries all of the suggested subdomains, which leads to traffic growing 1620 times. A new version of DNS server software fixes the vulnerability.

About a week later, Chinese researchers posted information about another DDoS amplification method, named RangeAmp. The method exploits HTTP range requests that allow downloading files in parts. The experts found that a malicious range request can make content delivery networks (CDNs) increase load on a target site several times. The researchers identify two types of RangeAmp attacks. The first involves sending traffic from the CDN server directly to the servers of the target resource while amplifying it 724 to 43330 times. In the other case, increased volumes of garbage traffic are transferred between two CDN servers, with the amplification factor reaching 7500. According to the researchers, most CDN providers have released updates that safeguard their servers from this kind of attack or have stated an intention to do so.

As researchers investigate these new ways of amplifying attacks, DDoS botnet owners look for new resources to expand them. In June, our colleagues at Trend Micro discovered that the Kaiji and XORDDoS malicious programs, which formerly specialized in IoT devices, were targeting unprotected Docker servers. In the event of a successful attack, a XORDDoS bot penetrated every container on the server, and Kaiji created one of its own. Docker containers may prove unsuited for DDoS attacks — in particular because of the possibility of limiting the number of network protocols they use. Therefore, unprotected containers are attacked primarily by mining bots. However, some malware successfully combines a DDoS bot and a miner. For example, a bot that can both stage TCP, UDP and HHTP DDoS attacks, and hijack cryptocurrency for its operators was recently discovered in the wild.

The resonant socio-political events that marked the first quarter of 2020 could not but alter the picture of DDoS attacks. Thus, attacks on human rights organizations in the United States soared 1,120 times at the end of May. This activity coincided with the protests that unfolded in that country. The opposite side of the conflict was affected, too: the Minnesota State Information Technology Services were targeted by a DDoS attack. In particular, unknown hackers knocked out the Minneapolis police website. Around the same time, several tweets alleged that Anonymous hacktivists, who had previously threatened to expose police crimes, were behind the attack, but the group did not claim responsibility for the incident.

In June, Russia hosted a multi-day vote on amendments to its constitution, and preparations for the event were marked by DDoS attacks. The day after the voting began, the Central Election Commission said it had been attacked. The online voting service was hit right after the CEC, but officials said its operation was not disrupted. The service was experiencing outages at the beginning of the voting process: it could not handle legitimate load. The конституция2020.рф information website (covering the amendments into the RF constitution) was attacked as well. According to a CEC spokesperson, the site was inundated by garbage traffic originating in Great Britain and Singapore on June 28.

The media traditionally received their share of the attacks. This time, the Belarus Partisan independent social and political publication came under attack. According to a spokeswoman, the portal was flooded from foreign IP addresses before sources located in Belarus joined in. The owners of the website were forced to change its IP address. Belarusian online media have increasingly been targeted by DDoS operators.

The second quarter of the year in many countries saw measures to fight the COVID-19 pandemic, with the employees of many countries and institutions working remotely as before. Accordingly, the number of attacks on online resources remained high. According to Russia’s Rostelecom, the number of attempts at knocking offline education websites, such as e-diaries, instructional platforms, testing sites, etc., grew more than five times.

However, not every large-scale communication outage is a consequence of a DDoS attack. In mid-June, users the United States experienced problems accessing T-Mobile and Verizon networks. There were tweets about a large-scale DDoS attack on these wireless carriers and several social networks, allegedly originating in China, but these reports were left unconfirmed. On the contrary, T-Mobile stated that in reality, the affected resources, including those of the company’s competitors’, became inaccessible due to a wired provider failure in the Southeast, which caused network overload.

As failures and threat actors knocked out useful services, Dutch police shut down fifteen websites that sold DDoS attack services. In addition to that, in April Dutch law enforcement officers arrested a nineteen-year-old who attempted to disrupt the operation of several government portals in March. Police was determined to fight against services and individuals linked to DDoS activity. They have declared an intention to complicate this sort of attacks as much as they can.

Other countries have continued to fight DDoS attacks, too. In Israel, for example, former co-owners of a website that sold attack services were sentenced to six months of community service and fines. The malware service vDOS lasted four years and was shut down in 2016.

Quarter trends

Over the past few years, we have seen a significant drop in the number of DDoS attacks in the second quarter compared to the first, which is usually a tense period. However, from April to June of 2020, the picture remained nearly the same as in the previous reporting period: the overall number of attacks increased slightly, the number of smart attacks decreased slightly, but the profiles for the two quarters hardly differed overall.

Comparative number of DDoS attacks, Q1 and Q2 2020, and Q2 2019. Q2 2019 data taken as 100% (download)

The fact that the data we obtained for the “low” second quarter was virtually identical to that for the “high” first quarter is a testament to unprecedented growth in attacks in the reporting period. This is easy to see if one compares the figures for the second quarter of 2020 with the data for the same period in 2019: the total number of attacks more than tripled, and the number of smart attacks more than doubled.

The duration of attacks on the average did not change in comparison with the first quarter or with last year, remaining at the level of around twenty minutes. Smart attacks, which lasted an average of several hours, were the longest. This trend has persisted for a long time, so this was nothing new to us. However, we should note that we observed an unusually long smart attack activity in the second quarter. This affected the maximum DDoS duration, which increased 4.5 times compared to last year. We excluded that attack from the sample when calculating averages.

Duration of DDoS attacks, the Q1 and Q2 2020, and Q2 2019 Q2 2019 data taken as 100% (download)

Just like the previous reporting period, the second quarter saw educational and government institutions targeted the most frequently. At the same time, the number of attacks on the educational sector decreased sharply starting in the second half of June, which could be attributed to the start of the summer break.

Quarter statistics

Quarter results

The top three of the most attacked countries are the same: China (65.12%), the United States (20.28%) and Hong Kong, China (6.08%).
Romania dropped out of the top ten and was ranked the 17th, whereas Great Britain rose from the eighteenth to the tenth position.
The top five places in terms of both the number of targets and the number of attacks are occupied by China (66.02%), the United States (19.32%), Hong Kong, China (6.34%), South Africa (1.63%) and Singapore (1.04%).
We are seeing the now-familiar trend of attacks abating begin to reverse: this April, their number grew, peaking at 298 on April 9.
In the second quarter, we observed two dips several days long each, April 30 to May 6 and June 10–12, when the number of attacks remained within the range of ten to fifteen per day.
DDoS botnet activity increased on Wednesdays and Thursdays and decreased on Saturdays.
Even the longest attacks did not reach nine days (215, 214 and 210 hours), which is more than half the number of the previous quarter’s longest-lasting attacks (about 19 days).
SYN flood remains the main DDoS attack tool (94.7%), ICMP attacks accounted for 4.9 percent, and other types of DDoS attacks were sidelined.
The ratio of Windows-to-Linux botnets remained virtually unchanged, with the latter still responsible for the absolute majority (94.78%) of attacks.

Attack geography

In the second quarter of 2020, China (65.12%) again led by a wide margin, followed, as before, by the United States (20.28%) and Hong Kong, China (6.08%). The share of the first two countries increased by 3.59 and 1.2 p.p., respectively, whereas the share of Hong Kong, China decreased slightly, by 1.26 p.p.

Changes in the top ten were few as well. We are still seeing there South Africa (1.28%) Singapore (1.14%), both countries rising by a notch, now occupying the fourth and fifth positions, respectively. Next up is India (0.33%) and Australia (0.38%), which rose from ninth to seventh and from tenth to sixth place, respectively. These are followed by Canada (0.24%), which slipped to the ninth row.

Great Britain (0.18%; rose by 0.1 p.p.) is the newcomer in the rankings, sharing tenth place with South Korea. The EU countries, seldom targeted individually by DDoS operators, were seventh, with a share of 0.26%. Romania, however, slid from fourth to seventeenth place, dropping out of the top ten.

Distribution of DDoS attacks by country, Q1 and Q2 2020 (download)

The geographical distribution of unique targets traditionally replicates the distribution of attacks to a large extent. Six out of ten countries in the rankings overlap in the second quarter, with the top five being complete matches: China (66.02%), the United States (19.32%), Hong Kong, China (6.34%), South Africa (1.63%) and Singapore (1.04%). At the same time, only China registered an increase in the share of targets compared to the previous reporting period, by 13.31 p.p., while the rest showed a slight decline.

Sixth place went to Australia (0.3%), which was ninth in the first quarter. In addition, Vietnam returned to the top ten after a brief absence: with a small increase in the share of targets on its territory (just 0.06 p.p., to 0.23%), it occupied seventh position, displacing South Korea, which now shares the last two rows in the rankings with this quarter’s newcomer, Japan (0.18%), and has overtaken India, whose 0.23% of targets ensured that it took eighth place.

Distribution of unique DDoS attack targets by country, Q1 and Q2 2020 (download)

Dynamics of the number of DDoS attacks

The second quarter is normally calmer than the first, but this year is an exception. The long-term downward trend in attacks has unfortunately been interrupted, and this time we are witnessing an increase. The peaks occurred on April 9 (298 attacks) and April 1 (287 attacks within one day). Besides, the number of attacks exceeded the peak for the past two quarters twice, on May 13 and 16. In early May, DDoS operators apparently decided to go on a break: not once did the number of attacks reach fifteen within a day between April 30 and May 6, and between May 2 and May 4, just eight or nine per day were registered. The period of June 10–12 saw another lull, with 13, 15 and 13 attacks respectively.

The last three quarters have thus seen both a record high and a record low number of attacks. It is worth noting here that the quietest days repeated the absolute record in the observation period, set in the last quarter of 2019, but the busiest ones fall far short of even the relatively quiet third quarter. That said, the average number of attacks increased by almost thirty percent compared to the previous reporting period.

Dynamics of the number of DDoS attacks in Q2 2020 (download)

In the second quarter, the operators of the attacks preferred to work on Wednesdays (16.53%) and rested from their wicked deeds on Saturdays (only 11.65%). However, the difference between the “leader” and “anti-leader” is small, just 4.88 p.p. Compared to the last quarter, the share of attacks increased significantly on Wednesdays (by 5.37 p.p.) and Thursdays (by 3.22 p.p.), while Monday dropped (minus 3.14 p.p.).

Distribution of DDoS attacks by day of the week, Q1 and Q2 2020 (download)

Duration and types of DDoS attacks

The average duration of attacks decreased slightly (by 4 p.p.) when compared to the previous reporting period due to an increase in the share of ultrashort attacks and a decrease of 0.1 p.p. in the share of multi-day attacks, but more so due to an absence of ultra-long attacks. Whereas the first quarter saw attacks that lasted up to twenty days, this time, the top three lasted 215, 214 and 210 hours, that is less than nine days.

The distribution of attacks by duration has hardly changed: the aforementioned increase by 4 p.p. is the most significant event, with the remaining differences being within the range of 0.06 to 1.9 p.p., almost a statistical blip. Thus, the shortest attacks (up to four hours) accounted for 85.97% of the total number of DDoS attacks, those lasting five to nine hours for 8.87%, attacks up to 19 hours for 3.46%, attacks up to 49 hours for 1.39%, and attacks up to 99 hours in duration, for 0.11%. Attacks within the range of 100 to 139 hours proved to be slightly more numerous (0.16%), and the longest attacks accounted for 0.05% of the total DDoS attack number.

Distribution of DDoS attacks by duration (hours), Q1 and Q2 2020 (download)

The share of SYN flooding in the quarter was 94.7% (up by 2.1 p.p.). For a second consecutive quarter, the leader is followed by ICMP flooding (4.9%), which is 1.3 p.p. above the previous reporting period. TCP attacks accounted for 0.2% of the total number, and UDP and HTTP attacks (0.1%) round out the list. The share of the last three groups dropped when compared to the previous quarter.

Distribution of DDoS attacks by type, Q2 2020 (download)

The share of Windows botnets decreased by 0.41 p.p. to 5.22% compared to the previous quarter. Linux botnets thus account for 94.78% of all zombie networks.

Ratio of Windows and Linux botnet attacks, Q1 and Q2 2020 (download)

Conclusion

The second quarter of 2020 is notable for the number of DDoS attacks: the period from April through June normally sees a lull, but this year, DDoS activity increased in comparison to the previous reporting period. This is most likely due to the coronavirus pandemic and restrictive measures that lasted for part or all of the quarter in many countries. The forced migration of many day-to-day activities online led to an increase in potential DDoS targets. Little changed in the second quarter otherwise: the composition of the top ten list in terms of the number of attacks and targets was virtually the same, as was the distribution of attacks by duration. The proportion of all types of DDoS attacks, except for SYN and ICMP flood, dropped markedly, but talking about any kind of trend in this regard would be premature.

We expect third-quarter results, typically low, to be at about the same level as the second quarter, or to decrease slightly, having no reasons to believe otherwise at the time of writing this. It will be exceptionally interesting to watch attacks in the fourth quarter: the end of the year and the holiday season traditionally see no shortage of DDoS attacks, so if the trend continues — especially if we are hit by a second wave of the epidemic — it is possible that the DDoS market will grow significantly.