Even as internet and cloud solution providers are scrambling to reliably handle increased traffic due to the sudden shifts to distributed workforces in the face of COVID-19, they're also battling strains against their bandwidth from a decidedly less legitimate front. According to several pieces of research out recently, DDoS attackers are turning up the heat in the quarantine era.
"DDoS attack count, bandwidth, and throughput all saw significant increases since the start of the global COVID-19 pandemic," wrote Roland Dobbins and Richard Hummel of NETSCOUT's ASERT Research Team in a recent analysis.
They explained that in the month-long period between March 11 and April 11, 2020, their research team observed more than 864,000 DDoS attacks worldwide. This is the largest number of attacks the team has ever recorded during a month-long stretch and was a 17% increase over the previous peak that happened at the end of 2019.
DDoS attacks are ramping up not only in number, but also in the amount of bandwidth and throughput they consume and in their complexity. A different report released by Link11 showed that the maximum bandwidth of DDoS attacks almost doubled in Q1 of 2020 compared to the same quarter last year. Additionally, the percentage of attacks that use multiple types of DDoS vectors rose markedly. Last quarter 64% of attacks used more than one DDoS vector, up from 47% in Q1 of 2019. Among them were a smattering of attacks that used 10 or more different vectors, an unheard-of feat before this year.
This acceleration of DDoS follows up on what was already a record-breaking year in 2019. A recent report looking back at 2019 DDoS trends by Neustar found that the number of DDoS attacks increased by 180% in 2019. That report showed that though the maximum attack intensity was 252% higher in 2019 than 2018, the average attack size and intensity remained consistent year over year.
This is because of the growing prevalence of smaller-scale DDoS attacks of 5Gbps and below that are meant simply to diminish site performance rather than take out a target, in an effort to distract defenders from the attackers' true malicious activity elsewhere on the target network.
“Large, headline-making DDoS attacks do still take place, but many cybersecurity professionals believe that smaller attacks are being used simply to degrade site performance or as a smokescreen for other forms of cybercrime, such as data theft or network infiltration, which the perpetrator can execute more easily while the target’s security team is busy fighting a DDoS attack,” said Rodney Joffe, senior vice president, senior technologist and fellow at Neustar.
Joffe warns that as cybersecurity pros work to mitigate DDoS threats in the quarantine era, they should expect more attacks against VPN infrastructure.
"During the shift to teleworking at scale, we would not be surprised to see the VPN protocol ports added to these targeted attacks," Joffe says.
The good news in all of this increase in DDoS activity amid overall traffic increases is that the service providers have managed so far to handle the situation with aplomb.
"Despite the massive increases in overall traffic across the entire internet and the large increase in DDoS Attacks, service operators and ISPs have risen to the challenge and performed an amazing feat to maintain access continuity and provide the much-needed critical Infrastructure for businesses and consumers alike," Dobbins and Hummel wrote.
Their main concern now is that organizations of all types keep in mind that, with recent increases in both the number of attack instances and the average bandwidth and throughput of each attack, everyone needs to plan accordingly for the aggregate strain of the DDoS environment. They say the most significant DDoS-related metric in the last month is the sheer amount of bandwidth and throughput consumed by DDoS attacks. Aggregate bandwidth was up over 1.01 pbps and throughput was 208 gpps during that month-long period.
"The sheer magnitude of DDoS attack traffic that takes place on an ongoing basis represents an enormous, untold, and seemingly perpetual tax on every internet-connected organization and individual across the globe," they wrote.