The number of network layer–distributed denial-of-service (DDoS) attacks — like almost every other threat category in recent months — doubled last quarter compared with the previous three months.
Between April and June, security vendor Cloudflare observed an increase in the number of both small and large DDoS attacks, growth in attack sizes, and average duration of attacks. Security researchers have reported similar increases in phishing, business email compromise (BEC), ransomware, and other attacks in the months since the COVID-19 pandemic forced a large-scale shift to remote work at many organizations around the world.
Nearly 90% of the DoS attacks that Cloudflare helped its customers mitigate last quarter were relatively small and topped out at under 10 Gbit/s. More than three-quarters (76%) of the attacks peaked at less than 1 million packets per second and 83% lasted between 30 and 60 minutes.
"The trends that we saw in first-quarter 2020 of increasing DDoS attacks continued and even accelerated over the last few months," says John Graham-Cumming, CTO at Cloudflare. "The number of Layer3/Layer 4 DDoS attacks observed over our network doubled compared to that in the first three months of the year," he says.
Cloudflare attributed the increase in smaller, short-duration attacks to the increased availability of inexpensive DDoS-for-hire-services that allow almost anyone to launch attacks quickly.
At the same time, Cloudflare researchers observed an increase in larger, high-volume DDoS attacks as well, in the second quarter of 2020. In fact, 88% of attacks involving more than 100 Gbit/s of DDoS traffic were launched after COVID-19-related shelter-in-place mandates went into effect.
The biggest attack that Cloudflare mitigated last quarter involved some 754 million packets per second at its peak. The attack lasted four days between June 18 and June 21 and involved traffic from some 316,000 unique IP addresses around the world. A DDoS attack generated by a Mirai-based botnet called Moonbot that generated UDP traffic peaking at 654 Gbit/s was another major incident that Cloudflare detected and blocked last quarter. That particular attack was part of an eight-day campaign aimed at one of Cloudflare's customers.
"We were surprised that not only did the number of attacks increase but also the scale of the largest [Level 3/Level 4] DDoS attacks increased significantly," Graham-Cumming says. "In fact, we observed some of the largest attacks ever recorded over our network in this time frame."
Other vendors have reported observing similarly big spikes in DDoS attacks after a majority of organizations began implementing COVID-19-related work-from-home measures earlier this year. In June, Nexusguard reported a staggering 542% increase in DDoS attacks in the first quarter of 2020 compared with the previous quarter. The vendor described the attacks as being driven by adversaries trying to take advantage of the increased reliance on online services by employees working from home. Akamai in June reported mitigating an attack involving 385 million packets per second and a peak bandwidth of 1.5 Tbit/s.
According to Cloudflare, some 40% of all Layer 3 and Layer 4 DDoS attacks in the second quarter happened in May. More than six in 10 of DDoS attacks that peaked at over 100 Gbit/s were launched that month.
"As the global pandemic continued to heighten around the world in May, so did our reliance on the Internet," Graham-Cumming says. Attackers were especially eager to leverage this dependence to try and take down websites and other Internet properties, though their motivations are unclear, according to Cloudflare. It's also not clear how many of the DDoS attacks were opportunistic rather than targeted.