During peak usage, enterprises have far more to lose, so attackers become even more motivated to engage in DDoS tactics. ITC (Information Technology Industry Council) estimates that the average cost of an outage is $5,600 per minute. That means a successful DDoS attack today could cost a business as much as $336,000 for every hour of downtime. Due to these rising downtime costs, some organizations may be more motivated to pay ransom to DDoS attackers to get their network infrastructure or web properties up and running again.
Q1 2020 attacks became smaller and faster
Most of the network layer attacks that we observed during Q1 2020 were small attacks, as measured by bit rates. 92% of the attacks were under 10 Gigabits per second (Gbps), compared to 84% in Q4 2019. In terms of packet rates, the majority of the attacks peaked below 1 million packets-per-second (pps). This rate, along with the bit rate, indicates that attackers at this time were focusing their efforts and resources on generating small-scale attacks.
In addition to packet and bit rates, attack durations decreased as well. 79% of DDoS attacks in Q1 2020 lasted between 30 and 60 minutes, compared to attacks that can last days or months. This may sound like good news, but it's not. One theory for this trend toward smaller, shorter attacks is that it is now easier and cheaper to launch a DDoS attack than it was in the past. Indeed, distributed denial-of-service attacks are now available as a service. A 5-minute attack may cost as little as $5 in the darker corners of the Internet, according to Kaspersky.
Large attacks still prevalent
Though most attacks observed in Q1 2020 were under 10 Gbps, larger attacks were still prevalent. In March, the largest attack for the quarter was observed to peak at over 550 Gbps. Starting in mid-March, Cloudflare noticed a rise in bigger DDoS attacks targeting larger enterprises. These attacks may be the work of nation-state actors, hacktivists, or ransom-driven cyber criminals aiming to disrupt businesses whose employees are working remotely. Other attackers may attempt to take advantage of vulnerable utilities, such as electrical grids and oil operations, in times of distress.
Tracking attack vectors
The average number of attack vectors employed in DDoS attacks per IP per day has been steady at approximately 1.4. The maximum number of attack vectors observed targeting one IP in a day was 10. Over the past quarter, we've seen over 32 different types of attack vectors on layer 3 and 4 (L3/4). ACK (acknowledgement signal) attacks formed the majority (55.8%) in Q1, followed by SYN (synchronize request) attacks with 14.4%, and in third place, Mirai (botnet malware), which still represents a significant portion of the attacks (13.5%). Together, SYN and ACK DDoS attacks form over 70% of all L3/4 attack vectors in Q1.