Dark Reading is part of the Informa Tech Division of Informa PLC

DDoS Attacks Doubled in Q2 Compared with Prior Quarter

Most attacks were small, but the big ones got bigger than ever, Cloudflare says.

The number of network-layer distributed denial-of-service (DDoS) attacks, like almost every other threat category in recent months, doubled last quarter compared with the previous three months.

Between April and June, security vendor Cloudflare observed an increase in the number of both small and large DDoS attacks, as well as growth in attack sizes and average attack duration. Security researchers have reported similar increases in phishing, business email compromise (BEC), ransomware, and other attacks in the months since the COVID-19 pandemic forced a large-scale shift to remote work at many organizations around the world.

Nearly 90% of the DDoS attacks that Cloudflare helped its customers mitigate last quarter were relatively small and topped out at under 10 Gbit/s. More than three-quarters (76%) of the attacks peaked at less than 1 million packets per second, and 83% lasted between 30 and 60 minutes.

"The trends that we saw in first-quarter 2020 of increasing DDoS attacks continued and even accelerated over the last few months," says John Graham-Cumming, CTO at Cloudflare. "The number of Layer 3/Layer 4 DDoS attacks observed over our network doubled compared to that in the first three months of the year," he says.

Cloudflare attributed the increase in smaller, short-duration attacks to the increased availability of inexpensive DDoS-for-hire services that allow almost anyone to launch attacks quickly.

At the same time, Cloudflare researchers also observed an increase in larger, high-volume DDoS attacks in the second quarter of 2020. In fact, 88% of attacks involving more than 100 Gbit/s of DDoS traffic were launched after COVID-19-related shelter-in-place mandates went into effect.

The biggest attack that Cloudflare mitigated last quarter involved some 754 million packets per second at its peak. The attack lasted four days, from June 18 to June 21, and involved traffic from some 316,000 unique IP addresses around the world. Another major incident that Cloudflare detected and blocked last quarter was a DDoS attack from a Mirai-based botnet called Moonbot, which generated UDP traffic peaking at 654 Gbit/s. That particular attack was part of an eight-day campaign aimed at one of Cloudflare's customers.

"We were surprised that not only did the number of attacks increase but also the scale of the largest [Layer 3/Layer 4] DDoS attacks increased significantly," Graham-Cumming says. "In fact, we observed some of the largest attacks ever recorded over our network in this time frame."

Big Increase
Other vendors have reported observing similarly big spikes in DDoS attacks after a majority of organizations began implementing COVID-19-related work-from-home measures earlier this year. In June, Nexusguard reported a staggering 542% increase in DDoS attacks in the first quarter of 2020 compared with the previous quarter. The vendor described the attacks as being driven by adversaries trying to take advantage of the increased reliance on online services by employees working from home. Akamai in June reported mitigating an attack involving 385 million packets per second and a peak bandwidth of 1.5 Tbit/s.

According to Cloudflare, some 40% of all Layer 3 and Layer 4 DDoS attacks in the second quarter happened in May. More than six in 10 DDoS attacks that peaked at over 100 Gbit/s were launched that month.

"As the global pandemic continued to heighten around the world in May, so did our reliance on the Internet," Graham-Cumming says. Attackers were especially eager to leverage this dependence to try to take down websites and other Internet properties, though their motivations are unclear, according to Cloudflare. It's also not clear how many of the DDoS attacks were opportunistic rather than targeted.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...