Internet traffic spiked in Q1 2020. Did network-layer DDoS attacks spike too?
Q1 2020 saw a huge spike in Internet traffic and network-layer DDoS attacks. With global shelter-in-place, the Internet became the enabling factor for the remote workforce, maintaining community connections, online education and shopping, personal time on social media, and Internet-based services like food delivery and gaming. Some countries saw web traffic increase by as much as 50%. As online activity increased, so did DDoS attacks at the network layer. When online activity ramps up, DDoS attackers smell blood in the water. They know that higher Internet usage drives higher revenue-per-minute for online businesses. During peak usage, enterprises have far more to lose, so attackers become even more motivated to engage in DDoS tactics. ITC (Information Technology Industry Council) estimates that the average cost of an outage is $5,600 per minute. That means a successful DDoS attack today could cost a business as much as $336,000 for every hour of downtime. Due to these rising downtime costs, some organizations may be more motivated to pay ransom to DDoS attackers to get their network infrastructure or web properties up and running again.
Q1 2020 attacks became smaller and faster
Most of the network layer attacks that we observed during Q1 2020 were small attacks, as measured by bit rates. 92% of the attacks were under 10 Gigabits per second (Gbps), compared to 84% in Q4 2019. In terms of packet rates, the majority of the attacks peaked below 1 million packets-per-second (pps). This rate, along with the bit rate, indicates that attackers at this time were focusing their efforts and resources on generating small scale attacks.
In addition to packet and bit rates, attack durations decreased as well. 79% of DDoS attacks in Q1 2020 lasted between 30 to 60 minutes — compared to attacks that can last days or months. This may sound like good news, but it’s not. One theory for this trend toward smaller, shorter attacks is that it is now easier and cheaper to launch a DDoS attack than it was in the past. Indeed, distributed denial-of-service attacks are now available as a service. A 5-minute attack may cost as little as $5 in the darker corners of the Internet, according to Kaspersky.
Large attacks still prevalent
Though most attacks observed in Q1 2020 were under 10Gbps, larger attacks were still prevalent. In March, the largest attack for the quarter was observed to peak at over 550 Gbps. Starting in mid-March, Cloudflare noticed a rise in bigger DDoS attacks targeting larger enterprises. These attacks may be the work of nation-state actors, hacktivists, or ransom-driven cyber criminals aiming to disrupt businesses whose employees are working remotely. Other attackers may attempt to take advantage of vulnerable utilities, such as electrical grids and oil operations, in times of distress.
Tracking attack vectors
The average number of attack vectors employed in DDoS attacks per IP per day has been steady at approximately 1.4. The maximum number of attack vectors targeted on one IP in a day was observed to be 10. Over the past quarter, we've seen over 32 different types of attack vectors on layer 3 and 4 (L3/4). ACK (acknowledgement signal) attacks formed the majority (55.8%) in Q1, followed by SYN (synchronize request) attacks with 14.4%, and in third place, Mirai (botnet malware), which still represents a significant portion of the attacks (13.5%). Together, SYN & ACK DDoS attacks form over 70% of all L3/4 attack vectors in Q1.
Summary Q1 2020 learnings
Shutting the window of opportunity on DDoS attacks
With DDoS attacks more ubiquitous than ever, every online entity across the globe needs to develop a security posture that assures that their networks, applications, and websites are secure, fast, and reliable. We’ve already seen what the cost can be in terms of potential revenue loss for just a single hour of denial of service.
So what is the most cost-effective approach to achieve these goals in the everything-is-connected era, where enterprises must quickly separate the good from the bad in the form of legitimate and unwanted traffic?
One method for mitigating DDoS attacks is the use of hardware boxes to scan and filter traffic on-prem at the network perimeter. The downside to this approach is that these shorter attacks require quick mitigation tactics as fast as 10 seconds or less. Many legacy vendors provide Time To Mitigate SLAs as long as 15 minutes.
Other DDoS mitigation methods include rerouting network traffic through scrubbing centers to filter malicious traffic from legitimate traffic. But since many DDoS attacks are localized, scrubbing centers aren’t a feasible solution as they are limited in number and geographically dispersed which can introduce a “choke point” because traffic must be routed back and forth from them.
A cloud-based network is the only truly viable defense against today’s sophisticated DDoS attacks. It puts DDoS protection on a single control plane at the network edge to stop distributed attacks as close to their source as possible — so origin servers remain safe and secure whether they’re located on-premise or in the cloud. Such unified, large-scale network protection is capable of learning continuously from every attack while automatically sharing intelligence to thwart the next attack. And it delivers robust DDoS security across your enterprise without slowing network and application performance, which can negatively impact revenue.
These findings were drawn from the Cloudflare network, which spans 200+ cities in 90+ countries while blocking over 45 billion cyber threats per day. Because of our unique 360-degree view across the DDoS threat landscape, Cloudflare is able to collect a wealth of data about these pervasive attacks as they evolve.
This article is part of our series on the latest trends and topics impacting today’s technology decision-makers.
Dive deeper on this topic. Learn about the 5 best ways to defend against DDoS attacks.