DDoS report reveals that the complexity and volume of attacks continues to grow
- Published: Wednesday, 12 February 2020 09:22
Link11 has released findings from its annual DDoS Report, which revealed a rising number of multivector and cloud computing attacks during 2019.
The latest Link11 DDoS report is based on data from repelled attacks on web pages and servers protected by Link11’s Security Operations Center (LSOC).
Key findings from the annual report include:
- Multivector attacks on the rise: The share of multivector attacks – which target and misuse several protocols - grew significantly from 46 percent in the first quarter to 65 percent in the fourth quarter.
- DNS amplification most popular for DDoS attackers: DNS amplification was the most used technique for DDoS attackers in 2019 having been found in one-third of all attacks. The attackers exploited insecure DNS servers, of which there were over 2.7m worldwide by the end of 2019, according to the Open Resolver Project.
- Average attack bandwidth increases: The average bandwidth of attacks keeps increasing by more than 150 percent within four years, reaching 5 Gbps in 2019, up from 2 Gbps in 2016. The maximum attack volume has also nearly doubled compared to 2018; from 371 Gbps to 724 Gbps.
- Attacks on corrupted cloud servers rising: The proportion of DDoS attacks that involved corrupted cloud servers was 45 percent between January and December; this is a 16 percent increase over the same time period the previous year. The proportion rose to 51 percent over the last six months of 2019. The number of attacks traced to cloud providers was roughly proportionate to their relative market share, with more cases of corrupt clouds registered for AWS, Microsoft Azure and Google Cloud.
- The longest DDoS attack lasted 6,459 minutes; more than 100 hours.
The data showed that the frequency of DDoS attacks depends on the day of the week and time of the day, with most attacks concentrated around weekends and evenings. More attacks were registered on Saturdays, and between 4pm and midnight on weekdays.
There was also a number of new amplification vectors registered by the LSOC last year including WS–Discovery, Apple Remote Management Service and TCP amplification, with registered attacks for the latter doubling compared to the first six months of the year. The LSOC also saw an increase in ‘carpet bombing’ attacks in the latter part of 2019, which involves a flood of individual attacks that simultaneously target an entire subnet or CIDR block with thousands of hosts. This popular method spreads manipulated data traffic across multiple attacks and IPs. The data volume of each is so small that it stays under the radar and yet the combined bandwidth has the capacity of a large DDoS attack.