DDoS attacks became bigger and more complex in 2021

News Desk

New analysis from F5 shows that despite a slight reduction in DDoS attacks in 2021, they are becoming larger and more complex in nature.

Data collected from F5 Silverline – a cloud-based managed services platform that detects and mitigates DDoS attacks in real-time – revealed a 3% year-on-year decrease in the total volume of attacks recorded in 2021.

While the volume of attacks may have decreased, the severity of attacks increased significantly over the course of the year.

By Q4 2021, the average attack size recorded was more than 21 Gbps, more than four times the level recorded at the start of 2020. Last year, the record for the largest-ever attack was also broken on multiple occasions.

“The volume of DDoS attacks has fluctuated by quarter, but the unmistakable trend is that these attacks are getting larger,” said David Warburton, Director of F5 Labs. 

“While the peak size of attack remained steady throughout 2020, last year we saw it climb consistently. This includes Silverline DDoS Protection tackling several attacks that were successively the largest we had ever seen by an order of magnitude.”

Attacks are getting larger

While the majority of attacks recorded in 2021 were less than 100 Mbps, there were a few notable exceptions.

Following the largest attack of 2020, which measured 253 Gbps, there was one in February 2021 that measured 500 Gbps. The previous year’s record was shattered once more in November, with an attack weighing in at 1.4 Tbps, more than five times the previous year’s record.

That attack, which targeted an ISP/hosting customer, combined volumetric (DNS reflection) and application-layer (HTTPS GET flood) methods. It reached maximum attack bandwidth in just 1.5 minutes and lasted only four minutes in total.

Complexity is increasing

Volumetric DDoS attacks, which use publicly available tools and services to flood a target’s network with more bandwidth than it can handle, remained the most common type of DDoS in 2021, accounting for 59% of all recorded attacks. This was a slight decrease from the previous year, as the prevalence of protocol and application-type DDoS attacks increased, with the latter increasing by nearly 5% year on year.

This slight shift was underlined by a change in protocol use: 27% of attacks in 2021 harnessed TCP, up from 17% the previous year, which is indicative of the requirements of more complex application and protocol-based attacks.

In terms of specific attack methods, there were some notable changes in prevalence: DNS query attacks increased by 3.5% year on year, while UDP fragmentation usage decreased by 6.5%. LDAP reflection was also reduced by 46%, and DNS reflection was reduced by 33%.

“Alongside changes in attack type, we continued to observe strong prevalence of multivectored attacks, including the 1.4 Tbps incident that utilized a combination of DNS reflection and HTTPS GETs,” said Warburton. “This was particularly true at the start of the year, when multivectored attacks significantly outnumbered single-vector assaults. It illustrates the increasingly challenging landscape for threat protection, with defenders needing to employ more techniques in parallel to mitigate these more sophisticated attacks and prevent a denial of service.”

Financial services in the crosshairs

Banking, financial services and insurance (BFSI) was the industry most targeted by DDoS attacks in 2021, subjected to more than a quarter of the total volume. That continued a trend that has seen attacks against BFSI steadily rising since the beginning of 2020.

By contrast, technology, the most targeted sector of 2020, fell into fourth place behind telecommunications and education. Between them, these four industries accounted for 75% of all recorded attacks, with a long tail of others including energy, retail, healthcare, transportation and legal that saw hardly any adverse activity.

“Even though the number of attacks tapered off slightly in 2021, the DDoS problem is by no means abating,” said Warburton. “Both the size and complexity of these attacks are increasing, demanding a more agile and multi-faceted response from defenders.

“Although it is reasonable to question the efficacy of attacks that may only last for a few minutes, threat actors know that even a short interruption to a service can have significant consequences and adversely impact brand and reputation.

“As the sophistication and variety of DDoS attacks increase, organizations will find themselves using a wide variety of measures to protect against them, including upstream controls to inspect and limit the traffic reaching endpoints, and managed service providers who can work alongside internal security teams both to prevent attacks and move quickly to mitigate those in progress.”