Dark Reading is part of the Informa Tech Division of Informa PLC

2020 Marked a Renaissance in DDoS Attacks

Amid the global pandemic, cybercriminals ramped up use of one of the oldest attack techniques around.

Distributed denial-of-service (DDoS) attacks have been a staple of adversary toolkits longer than perhaps any other attack technique. Yet its popularity among cybercriminals shows no signs of abating.

In fact, 2020 witnessed what some vendors are describing as a renaissance of the venerable attack technique. Amid major changes fostered by a global pandemic, cybercriminals deployed more DDoS attacks against more organizations in more industries than any time before. DDoS attacks became larger in volume, and the number of attacks exceeding 50 Gbps increased sharply as well.

Organizations targeted in DDoS attacks not only had to contend with volumetrically larger campaigns, but also attacks that combined multiple vectors at the same time — and in some cases lasted longer than ever before. One example is an attack that Akamai encountered last year, which topped 1.4 Tbps and 809 million packets per second.

The attacks, targeted at a large European bank and an Internet hosting company, combined as many as nine different attack vectors, including ACK Flood, NTP Flood, SYN Flood, UDP Flood, and SSDP Flood. Akamai says 65% of the DDoS attacks it mitigated in 2020 involved multiple vectors — one involved 14.

One of the most troubling trends for organizations that vendors reported observing was an increase in so-called ransom DDoS attacks (RDDoS), where adversaries tried extorting money from organizations by threatening them with massive DDoS attacks. Multiple vendors, including Akamai, Cloudflare, and Neustar, reported an uptick in these attacks starting around mid-2020.

"DDoS attacks are a more prevalent threat than ever," says Michael Kaczmarek, vice president of product management at Neustar, which Thursday released a report summarizing DDoS activity it observed in 2020.

Sharp Uptick
Neustar's data shows a 154% increase in the overall number of DDoS attacks between 2019 and 2020. The vendor observed an increase in the use of existing DDoS attack vectors, as well as an increase in RDDoS attacks.

The sheer quantity of attacks in 2020 was surprising, Kaczmarek says.

"We always expect the number of attacks to increase year over year and quarter over quarter, but we didn't expect that the quantity would increase by over 150%," he says. "This truly reflects the impact of the pandemic and the challenging precedent the 'new normal' has set for cybersecurity."

The number of DDoS attacks that involved two or more vectors increased from 40% in 2019 to 72% in 2020, Kaczmarek added. "This means that the attackers as well as the tools they are using are improving," he says.

According to Neustar, while the use of DDoS to try and extort ransoms is not new, these attacks grew in persistence, sophistication, and targeting in 2020. Cyber extortionists purporting to belong to well-known nation-state groups went after organizations in industries they have not regularly targeted previously, such as financial services, government, and telecommunications.

"RDDoS attacks surged in Q4 2020 as groups claiming to be Fancy Bear, Cozy Bear, and the Lazarus Group attempted to extort organizations around the world," says Omer Yoachimik, product manager, DDoS protection at Cloudflare, another vendor that observed the same trend.

With many workforces continuing to be remote, cybercriminals are focusing on attacking organizations' back-end infrastructure, which is being used to keep employees connected and productive while working from home, Yoachimik says.

Unlike some vendors, Cloudflare says it observed a decline in the overall number of DDoS attacks targeted at the network layer during Q4 2020 compared to the prior quarter. At the same time, though, there was a sharp uptick in network layer attacks that averaged over 500 Mbps and 50,000 packets per second and in attacks that lasted over 24 hours. 

"While the total number of L3/L4 DDoS attacks decreased, the number of larger attacks saw a surge," Yoachimik says. This might be an indication that bad actors are launching fewer but larger attacks — attacks that are distributed, longer-lasting, and employing multiple attack vectors.

It's hard to say for sure why large attacks have begun increasing in number, Yoachimik says. But he points to a couple of potential reasons. In Mauritius, the country with the highest level of DDoS attacks, a series of anti-government protests may be linked to the increased DDoS activity, he says. Romania, which ranks No. 2 in the list of countries where most DDoS attacks are launched, has the cheapest, super-fast broadband Internet anywhere. This has made it much easier for adversaries to launch volumetric attacks from within Romania, he says.

RDP Reflection/Amplification
In another twist, in 2020 adversaries also ramped up abuse of Microsoft's RDP protocol for DDoS attack amplification/reflection, a study by Netscout uncovered. When enabled on UDP port 3389, the RDP service can be abused to amplify attacks by a ratio of almost 86:1, the company noted in a recent report.

Besides causing problems for targeted organizations, attacks leveraging the RDP protocol also inflicted collateral damage on organizations whose servers were used to launch the attacks, Netscout said. This included partial and even full interruption of remote-access services and other service disruptions caused by capacity consumption issues.

"We have seen this vector used as far back as [the second half of] 2019," says Richard Hummel, Netscout's manager of threat intelligence. "But the number of attacks increased 17% in just the [second half] of 2020. In total, we observed almost 12,000 attacks utilizing this vector in 2020."

One factor driving interest in this attack vector is the easy access to Internet-exposed RDP services, he says.

"In recent weeks, we've seen a significant uptick in attacks leveraging this vector, leading us to believe it has been weaponized in such a way that automated tools and services can now take advantage of this protocol to abuse targets of DDoS attacks," Hummel says.

He recommends that network operators conduct reconnaissance to identify Windows RDP servers that can be abused on their networks or of their downstream customers. "[They] should be accessible only via VPN services in order to shield them from abuse," he says.

If RDP servers offering remote access via UDP cannot immediately be moved behind VPN concentrators, it is strongly recommended that RDP via UDP/3389 be disabled as an interim measure, he advocates.
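As an added example (not from the article, Netscout, or any vendor named here), the following Python flags RDP servers on one's own network that are answering tiny UDP/3389 probes with replies many times larger, which is the reflector role behind the collateral damage described above. The flow records, the 10.0.0.0/8 internal range, and the detection thresholds are constructed assumptions for illustration.

```python
# Added example (not from the article or from Netscout): flag internal RDP
# servers that look like UDP/3389 reflectors in flow records. Records and
# thresholds are constructed/assumed for illustration.
from collections import defaultdict
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

def constructed_flows():
    """Constructed (src_ip, src_port, dst_ip, dst_port, proto, bytes) records."""
    flows = []
    # An ordinary RDP-over-UDP session from one remote worker to 10.0.0.5.
    for p in range(3):
        flows.append(("203.0.113.10", 50000 + p, "10.0.0.5", 3389, "udp", 600))
        flows.append(("10.0.0.5", 3389, "203.0.113.10", 50000 + p, "udp", 2400))
    # Reflection: 300 tiny probes carrying the victim's spoofed address reach
    # 10.0.0.7, which answers each toward the victim; 20 bytes in / 1,720 out
    # gives the roughly 86:1 ratio the article cites.
    for p in range(300):
        flows.append(("198.51.100.9", 40000 + p, "10.0.0.7", 3389, "udp", 20))
        flows.append(("10.0.0.7", 3389, "198.51.100.9", 40000 + p, "udp", 1720))
    return flows

def pair_exchanges(flows):
    """Match udp/3389 requests to replies on the same 4-tuple, per internal host."""
    requests = {}
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto == "udp" and dport == 3389 and ipaddress.ip_address(dst) in INTERNAL:
            requests[(dst, src, sport)] = nbytes
    exchanges = defaultdict(list)  # host -> [(request_bytes, reply_bytes, peer)]
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto == "udp" and sport == 3389 and ipaddress.ip_address(src) in INTERNAL:
            req = requests.get((src, dst, dport))
            if req:  # skips unmatched or zero-byte requests (no division by zero)
                exchanges[src].append((req, nbytes, dst))
    return exchanges

def suspected_reflectors(flows, min_ratio=20.0, min_exchanges=100):
    """Hosts with at least min_exchanges replies >= min_ratio times their request."""
    hits = {}
    for host, ex in pair_exchanges(flows).items():
        amp = [(q, r, peer) for q, r, peer in ex if r / q >= min_ratio]
        if len(amp) >= min_exchanges:
            hits[host] = {
                "exchanges": len(amp),
                "bytes_out": sum(r for _, r, _ in amp),
                "avg_ratio": round(sum(r / q for q, r, _ in amp) / len(amp), 1),
                "victims": sorted({peer for _, _, peer in amp}),
            }
    return hits
```

Hosts that show up in the result are candidates to move behind a VPN concentrator or to have RDP over UDP/3389 disabled, as the text above recommends; the ordinary session to 10.0.0.5 stays below both thresholds.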

Kaczmarek points to several improvements that have been made on the mitigation front to help organizations minimize disruption from DDoS attacks. Among them are capabilities for identifying attacks sooner — such as the small test attacks that bad actors launch before the real one — so defensive measures can be implemented more quickly. Similarly, the availability of always-on mitigation services and advances in application security and Web application firewalls have made a difference, he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
