Link11’s 2019 DDoS Report Reveals Complexity and Volume of Attacks Continues to Grow
February 2020 by Link11
Link11 has released findings from its annual DDoS Report for 2019, which revealed a rising number of multivector and cloud computing attacks over the last twelve months.
The latest Link11 DDoS report is based on data from repelled attacks on web pages and servers protected by Link11’s Security Operations Center (LSOC). Key findings from the annual report include:
• Multivector attacks on the rise: The share of multivector attacks – which target and misuse several protocols - grew significantly from 46% in the first quarter to 65% in the fourth quarter.
• DNS amplification most popular for DDoS attackers: DNS amplification was the most used technique for DDoS attackers in 2019 having been found in one-third of all attacks. The attackers exploited unsecure DNS servers, of which there were over 2.7m worldwide by the end of 2019, according to the Open Resolver Project.
• Average attack bandwidth increases: The average bandwidth of attacks keeps increasing by more than 150% within four years, reaching 5 Gbps in 2019, up from 2 Gbps in 2016. The maximum attack volume has also nearly doubled compared to 2018; from 371 Gbps to 724 Gbps.
• Attacks on corrupted cloud servers rising: The proportion of DDoS attacks that involved corrupted cloud servers was 45% between January and December; this is a 16% increase over the same time period the previous year. The proportion rose to 51% over the last six months of 2019. The number of attacks traced to cloud providers was roughly proportionate to their relative market share, with more cases of corrupt clouds registered for AWS, Microsoft Azure and Google Cloud.
• The longest DDoS attack lasted 6,459 minutes; more than 100 hours.
The data showed that the frequency of DDoS attacks depends on the day of the week and time of the day, with most attacks concentrated around weekends and evenings. More attacks were registered on Saturdays, and between 4pm and midnight on weekdays.
There was also a number of new amplification vectors registered by the LSOC last year including WS–Discovery, Apple Remote Management Service and TCP amplification, with registered attacks for the latter doubling compared to the first six months of the year. The LSOC also saw an increase in ‘carpet bombing’ attacks in the latter part of 2019, which involves a flood of individual attacks that simultaneously target an entire subnet or CIDR block with thousands of hosts. This popular method spreads manipulated data traffic across multiple attacks and IPs. The data volume of each is so small that it stays under the radar and yet the combined bandwidth has the capacity of a large DDoS attack.
Marc Wilczek, COO of Link11 said: “There was a noticeable surge in attack bandwidths and volumes, and in multivector attacks in 2019, due in part to the increased malicious use of cloud resources and the popularity of IoT devices. The growing trend for attackers to use methods that strike at the network and application level means organizations need to invest in protective solutions that are designed to detect multi-layer anomalies and networked security mechanisms.”