Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


09:05 AM
Connect Directly

DDoS Attacks Doubled in Q2 Compared with Prior Quarter

Most attacks were small, but the big ones got bigger than ever, Cloudflare says.

The number of network layer–distributed denial-of-service (DDoS) attacks — like almost every other threat category in recent months — doubled last quarter compared with the previous three months.

Between April and June, security vendor Cloudflare observed an increase in the number of both small and large DDoS attacks, growth in attack sizes, and average duration of attacks. Security researchers have reported similar increases in phishing, business email compromise (BEC), ransomware, and other attacks in the months since the COVID-19 pandemic forced a large-scale shift to remote work at many organizations around the world.

Nearly 90% of the DoS attacks that Cloudflare helped its customers mitigate last quarter were relatively small and topped out at under 10 Gbit/s. More than three-quarters (76%) of the attacks peaked at less than 1 million packets per second and 83% lasted between 30 and 60 minutes.

"The trends that we saw in first-quarter 2020 of increasing DDoS attacks continued and even accelerated over the last few months," says John Graham-Cumming, CTO at Cloudflare. "The number of Layer3/Layer 4 DDoS attacks observed over our network doubled compared to that in the first three months of the year," he says.

Cloudflare attributed the increase in smaller, short-duration attacks to the increased availability of inexpensive DDoS-for-hire-services that allow almost anyone to launch attacks quickly.

At the same time, Cloudflare researchers observed an increase in larger, high-volume DDoS attacks as well, in the second quarter of 2020. In fact, 88% of attacks involving more than 100 Gbit/s of DDoS traffic were launched after COVID-19-related shelter-in-place mandates went into effect.

The biggest attack that Cloudflare mitigated last quarter involved some 754 million packets per second at its peak. The attack lasted four days between June 18 and June 21 and involved traffic from some 316,000 unique IP addresses around the world. A DDoS attack generated by a Mirai-based botnet called Moonbot that generated UDP traffic peaking at 654 Gbit/s was another major incident that Cloudflare detected and blocked last quarter. That particular attack was part of an eight-day campaign aimed at one of Cloudflare's customers.

"We were surprised that not only did the number of attacks increase but also the scale of the largest [Level 3/Level 4] DDoS attacks increased significantly," Graham-Cumming says. "In fact, we observed some of the largest attacks ever recorded over our network in this time frame."

Big Increase
Other vendors have reported observing similarly big spikes in DDoS attacks after a majority of organizations began implementing COVID-19-related work-from-home measures earlier this year. In June, Nexusguard reported a staggering 542% increase in DDoS attacks in the first quarter of 2020 compared with the previous quarter. The vendor described the attacks as being driven by adversaries trying to take advantage of the increased reliance on online services by employees working from home. Akamai in June reported mitigating an attack involving 385 million packets per second and a peak bandwidth of 1.5 Tbit/s.

According to Cloudflare, some 40% of all Layer 3 and Layer 4 DDoS attacks in the second quarter happened in May. More than six in 10 of DDoS attacks that peaked at over 100 Gbit/s were launched that month.

"As the global pandemic continued to heighten around the world in May, so did our reliance on the Internet," Graham-Cumming says. Attackers were especially eager to leverage this dependence to try and take down websites and other Internet properties, though their motivations are unclear, according to Cloudflare. It's also not clear how many of the DDoS attacks were opportunistic rather than targeted.

Related Content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...