It’s 2023. A new year.
But before we start talking about the latest DDoS trends, news, and mitigation advice, it’s worth looking back over the events of the year past.
In this article, we’ll look at some of the highest-profile attacks of 2022 and take a more in-depth view of DDoS attack trends and motivations.
Significant DDoS Attacks of 2022
In September 2022, we saw the largest DDoS attack ever detected in Europe. Peaking at 704.8 Mpps, the attack was a long way shy of the largest attacks worldwide—but still more than enough to cripple any business network without thorough mitigation strategies.
The attack, which used the UDP protocol, targeted over 1800 IPs spread across eight subnets and six physical locations. Significantly, the attackers’ command and control (C2) infrastructure enabled them to scale the distributed aspect of the attack from 100 to 1,813 IPs in just 60 seconds. Without advanced detection and automated remediation, protecting against this type of attack is impossible.
Casting the net wider, the Q3 attack against the Wynncraft Minecraft server was among the largest DDoS attacks ever observed at 2.5 Tbps. The attack employed a variant of the well-known Mirai botnet to initiate a mixture of UDP and TCP floods, cycling vectors to evade defences.
Meanwhile, pro-Russian hacktivist group Killnet took responsibility for a series of DDoS attacks against targets in Estonia and Lithuania. The attacks, which were the largest the affected organisations had seen in over a decade, disrupted over 200 websites. Killnet also took responsibility for an attack that succeeded in disrupting the US Congress website for a short time, during which the group claimed it was “testing a new DDoS method.”
Of course, no roundup of 2022 would be complete without recognising Google Cloud’s successful blocking of the largest Layer 7 (application) DDoS attack of all time—which peaked at a remarkable 46 million requests per second (rps). To put the scale of the attack in context, Google likened it to “receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.”
A Broader View of DDoS
While it’s always interesting to read about the largest DDoS attacks—and we all know they get most of the publicity—it’s not particularly helpful. To an average organisation, there’s no difference between a 2.5 Tbps attack and a 500 Mbps attack. Without effective (and automated) detection and mitigation, either attack (and possibly a much smaller one) will wreak havoc.
So the question is, how big a problem is DDoS really?
According to the Verizon 2022 Data Breach Investigations Report (DBIR), DDoS attacks account for roughly 40% of all cybersecurity incidents. That’s… a lot. While DDoS attacks are sometimes used to distract defenders during a targeted attack, the attacks themselves don’t compromise data. The more significant characteristic of DDoS attacks is the damage and disruption they cause—which can be just as costly as a data breach under the right circumstances.
DDoS attacks target organisations in every industry… but not equally. The median DDoS attack lasts just a few hours, and most victims are hit with 10 or fewer attacks per year. Damaging, costly, and disruptive, certainly—but not always crippling.
This raises an obvious question: if most organisations only face 10 DDoS attacks per year, how come DDoS accounts for 40% of all cybersecurity incidents?
Simple. A small proportion of organisations experience over 1,000 attacks each year. That’s roughly three attacks per day, and for some organisations, the true number is much higher.
This is partly why we believe so firmly in a custom strategy for DDoS mitigation that matches your organisation’s needs. Everybody needs fast, effective detection—but appropriate mitigation measures vary wildly depending on your organisation’s nature, attack profile, and network topology.
Research found that network-layer DDoS attacks rose by 97% in 2022 compared to the previous year. While there have been ups and downs in DDoS activity, the big picture is that the number of attacks worldwide has grown steadily over the last two decades. Since DDoS is still such a successful tactic for bad actors, don’t expect this to change any time soon.
Of course, that doesn’t mean the DDoS space is devoid of change. While the broad tactics have been around for many years, the last decade has seen an array of new techniques designed to increase the effectiveness of attacks while making them more difficult to detect and mitigate. These include:
- Increased use of malware-driven botnets to enslave Internet-connected devices and use them to conduct attacks of previously impossible volume.
- Further use of reflection and amplification techniques—including many more sophisticated than long-used NTP amplification techniques.
- Use of sophisticated C2 infrastructure that allows attackers to cycle attack techniques, targets, and vectors rapidly to evade detection and mitigation.
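To make the detection side of this concrete, here is an added example (not FastNetMon's code) of a toy flow-based detector: it buckets constructed flow records per target and per second, labels each record with the vector it most resembles (plain UDP flood, reflection from well-known amplifier ports such as NTP, TCP flood on web ports), raises an alarm when a target's packet rate crosses an assumed threshold, and exposes per-second vector cycling. The record layout, port list and 1,000 pps threshold are illustrative assumptions.

```python
from collections import defaultdict

# Added example, not FastNetMon's code. Constructed flow records stand in for
# sFlow/NetFlow exports: (second, src_ip, dst_ip, proto, src_port, dst_port, packets).
PPS_THRESHOLD = 1000                       # assumed per-target alarm level (illustrative)
REFLECTOR_PORTS = {123: "ntp_amp", 53: "dns_amp", 11211: "memcached_amp"}

def classify(rec):
    """Label a record with the DDoS vector it most resembles."""
    _sec, _src, _dst, proto, sport, dport, _pkts = rec
    if proto == "udp" and sport in REFLECTOR_PORTS:
        return REFLECTOR_PORTS[sport]      # amplifier replies aimed at a spoofed victim
    if proto == "udp":
        return "udp_flood"
    if proto == "tcp" and dport in (80, 443):
        return "tcp_flood"
    return "other"

def bucket(records):
    """Per-target, per-second packet counts broken down by vector."""
    counts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for rec in records:
        sec, _src, dst, _proto, _sp, _dp, pkts = rec
        counts[dst][sec][classify(rec)] += pkts
    return counts

def detect(records):
    """Return {dst_ip: {"peak_pps": n, "vectors": set()}} for targets over threshold."""
    alarms = {}
    for dst, seconds in bucket(records).items():
        for _sec, vectors in seconds.items():
            pps = sum(vectors.values())
            if pps >= PPS_THRESHOLD:
                a = alarms.setdefault(dst, {"peak_pps": 0, "vectors": set()})
                a["peak_pps"] = max(a["peak_pps"], pps)
                a["vectors"].update(vectors)
    return alarms

def timeline(records, dst):
    """Dominant vector per second for one target, which exposes vector cycling."""
    seconds = bucket(records).get(dst, {})
    return [(s, max(v, key=v.get)) for s, v in sorted(seconds.items())]

SAMPLE_FLOWS = [  # constructed: the attacker cycles vectors against 198.51.100.10
    (0, "203.0.113.5", "198.51.100.10", "udp", 40000, 27015, 700),
    (0, "203.0.113.6", "198.51.100.10", "udp", 40001, 27015, 650),
    (1, "192.0.2.50", "198.51.100.10", "udp", 123, 51234, 900),
    (1, "192.0.2.51", "198.51.100.10", "udp", 123, 51234, 400),
    (2, "203.0.113.7", "198.51.100.10", "tcp", 33333, 443, 1200),
    (0, "203.0.113.99", "198.51.100.20", "tcp", 44444, 443, 30),   # benign
]

if __name__ == "__main__":
    print(detect(SAMPLE_FLOWS))
    print(timeline(SAMPLE_FLOWS, "198.51.100.10"))
```

A real deployment would key on destination prefixes as well as single hosts and feed the per-vector breakdown into the chosen mitigation (BGP blackhole, FlowSpec rule, or scrubbing) rather than printing it.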
Understanding DDoS Attackers
Broadly, cyberattack motivations are well understood: around 90% of attacks are financially motivated, with the remaining 10% consisting of espionage, cyber warfare, and other state-sponsored activity.
The thing is, DDoS completely bucks this trend.
No doubt you’ve heard about DDoS extortion attacks, where criminal groups target an organisation with volumetric attacks and demand payment before they stop. These attacks are roughly equivalent to an organised crime protection racket and usually target organisations in ecommerce and finance that stand to suffer large financial losses from extended downtime.
While these happen, they are far less common than you might expect. Aside from the obvious barriers to receiving payment, it’s easier, safer, and less costly for a financially motivated group to use ransomware than to extort using DDoS. No surprise, then, that research finds extortion attacks account for just 9-19% of DDoS incidents over the last five quarters.
So… why? Why go to all the effort of conducting a major (and criminal) cyberattack if not to make money? It can’t be espionage since a DDoS attack has no network intrusion component. There has to be another purpose.
There are at least four other motivations for DDoS attacks:
- Ideological — hacktivism, revenge, grudges, etc.
- Political — cyber warfare, disruption, sabotage, etc.
- Competitive — disruption or sabotage of a rival
- Obscuration — distracting defenders from more subtle cyber activities
- Personal — fun, intellectual challenge, “because they can”
So, which is it? Unfortunately, unless a group announces its intention, it’s not always easy to understand the motivation behind an attack. Hacktivist groups like Killnet frequently do this, but rivals, hostile governments, advanced threat groups, and plain old-fashioned basement hackers are rarely so public about their motivations.
Thankfully, we can draw a few conclusions about the most common motivations based on observable factors:
- DDoS is the attack vector most accessible to individual hackers because the tools and infrastructure can be rented or purchased at minimal cost. As a result, a very high proportion of personal and grudge-based attacks use DDoS.
- Obscuration attacks do happen, but they are rare and most likely to be the domain of high-level criminal and state-sponsored groups.
- Due to their effectiveness at disrupting operations, many DDoS attacks fall into the ideological and political categories. For example, most military action today is coupled with DDoS (and other cyber) activity, and spikes in patriotic ‘hacktivism’ can be seen on both sides of modern conflicts.
Protect Your Organisation with FastNetMon
At FastNetMon, we believe in a bespoke DDoS mitigation strategy that fits your organisation’s needs. Whether you’re a multinational that faces hundreds of attacks per day or an SME that needs to protect against a handful per month, our goal is to help you implement a protective strategy that matches your needs, network topology, and budget.
Either way, effective DDoS mitigation starts with fast, accurate detection. As one of the fastest DDoS detection tools on the market, our solution can uncover even complex multi-vector attacks in seconds and apply the appropriate mitigation strategies.
Integrating seamlessly with all your network hardware, mitigation controls, and analytics, FastNetMon adapts to your network—and can be configured to automatically apply and switch between mitigation strategies during an attack to match changes in attack volume and vectors.
Want to keep your network safe? Try FastNetMon FREE for one month.