zeroBS continuously collects informations and status reports on the subject of infrastructure and application security vs DDoS-Threats. In this article we provide an condensed overview of trends and developments.
additionally we track DDoS-ThreatLevels in different flavors:
2024
Summary
- headless browsers account for 30% of attacks
- volumetric: TCP/Ack is more often used than the usual amplification/reflection-vectors
- DNS DDoS (Layer7-DNS-Attacks) are as common as HTTP-Layer-7-Attacks
- HTTP/2 - protocol-attacks continue to deliver new vectors, this time: HTTP/2 Continuation Flood
- AI is coming to help defending (Botdefense an ML-based adaptive defense by Google and Cloudflare)
- Proxies (residential/mobile IP ranges, with geo-choosing) are now kinda widespread. as predicted , we might also see a price-drop soon
- API-attacks and protection starts to be a thing
- ransom-ddos is back again
- using cloudservices for esp. layer-7-attacks is state of the art amongst professionals
- Threat actor capabilities skyrocketing: ""The tools and capabilities that allowed threat actors to carry out such randomized and sophisticated attacks were previously associated with capabilities reserved for state-level actors or state-sponsored actors. But, ... these capabilities have made their way to the common cyber criminal." (CF)
References, Reports and selected Readings
- Cloudflare DDoS Threat Report for 2024 Q1
https://blog.cloudflare.com/ddos-threat-report-for-2024-q1 - Cloudflare DDoS Threat Report for 2024 Q2
https://blog.cloudflare.com/ddos-threat-report-for-2024-q2 - NETSCOUT DDoS THREAT INTELLIGENCE REPORT 2023/02 https://www.netscout.com/threatreport/wp-content/uploads/2024/04/Threat_Report_2H2023.pdf
- NETSCOUT DDoS THREAT INTELLIGENCE REPORT 2024/01
https://www.netscout.com/threatreport/wp-content/uploads/2024/09/TR_1H2024_Web.pdf - AKAMAI SOTI / Scraping Away Your Bottom Line: How Web Scrapers Impact Ecommerce 2024
https://www.akamai.com/resources/state-of-the-internet/web-scraping-report-2024 - AKAMAI SOTI / Navigating the Rising Tide, Attack Trends in Financial Services 2024
https://www.akamai.com/resources/state-of-the-internet/financial-services-trends-2024 - Cloudflare Application Security report: 2024 update
https://blog.cloudflare.com/application-security-report-2024-update - Imperva 2024 DDoS Threat Landscape Report
(its a boring one, no usefull information found)
https://www.imperva.com/resources/gated/reports/Imperva-2024-DDoS-Threat-Landscape-Report.pdf - Google Threat Horizons H2 2024 Report
https://services.google.com/fh/files/misc/threat_horizons_report_h2_2024.pdf - Google Cloud Cybersecurity Forecast 2024
https://services.google.com/fh/files/misc/google-cloud-cybersecurity-forecast-2024.pdf - F5: DDoS Attack Trends 2024
https://www.f5.com/labs/articles/threat-intelligence/2024-ddos-attack-trends - GCore Attack Trends H1/2024
https://hello.gcore.com/hubfs/wp-security-gcore-radar-q1-2-2024.pdf
- DNSBomb, a advanced amplification/reflection method, published 2023
- TuDOOR, an attack against DNS, published 2023 (tl;dr: no POC, not affecting BIND)
- Cloudflare: Using machine learning to detect bot attacks that leverage residential proxies
- Mandiant: Global Revival of Hacktivism Requires Increased Vigilance from Defenders
- OVH: The Rise of Packet Rate Attacks: When Core Routers Turn Evil
physical DDoS
- French SNCF high-speed trains (TGV) railways have been targeted by coordinated physical attacks, via Twitter https://x.com/SwitHak/status/1816732722666061949
Avg Botnet-Size
- IoT: up to 5.000 (Nokia)
- Server: 1000 - 5000 (Nokia)
- Max: 135.000 (Qrator)
- DDoSia by Noname: ca 20.000 by 2023-as seen during swiss-attacks
TA DDoS
- NoName057 | analysis
- H0lyAlliance
- Cyber Army of Russia Reborn
- Deadnet
- Anonymous Sudan | interview
- there are a lot lot more groups, especially in Asia, that we track only loosely
2023
Summary
- hacktivsm continues and grows, with groups and targets are found worldwide, fuling nearly any conflict
- a strong shift towards layer-7/stack/protocol-attacks are seen across many vendors, while the numbers of volumetric attacks decrease
- within layer7, HTTP/2 - attacks are becoming a well used tool for sophisticated threat actors
- browserbots are very common among booterservices and botnet-to-rent
- GeoIP-restriction-mitigation has been seen in larger attacks and adopted by booterservices, utilizing open and paid proxy-services
- sophistication continues to advance amongst threat-actors, whilst they develop new TTPS to evade mitigation-systems, as Akamai stated it: "Dynamic and adaptive strikes, based on defenders’ responses"
- the more professional actors also targeting APIs and "supplychain" (API-Integration, like payment-providers)
- the trend towards serverbased-botnets, as seen since 2021, continues, with the strongest attacks attributed to them
- IoT-botnets raise in size globally from total of 200.000 to 1.000.000 infected devices cummulated
- simple UDP reflection/amplification is declining
- direct-path, complex and multivector - attacks are taking the lead
- direct DNS - attack (DNS Layer 7 aka DNSFlood) outstrip DNS reflection/amplification attacks (UDPFlood)
- botnet-providers find telegram as a good sales-channel
References, Reports and selected Readings
- Akamai "A Retrospective on DDoS Trends in 2023 and Actionable Strategies for 2024"
https://www.akamai.com/blog/security/2024/jan/a-retrospective-on-ddos-trends-in-2023 - Akamai SOTI 2023 The High Stakes of Innovation: Attack Trends in Financial Services
https://www.akamai.com/resources/state-of-the-internet/high-stakes-of-innovation - Qrator Q2 2023 DDoS attacks statistics and overview https://blog.qrator.net/en/q2-2023-ddos-attacks-statistics-and-overview_177/
- Imperva DDoS Landscape Report 2023 https://www.imperva.com/resources/reports/the-imperva-global-ddos-threat-landscape-report-2023.pdf
- Cloudflare DDoS threat report for 2023 Q1
https://blog.cloudflare.com/ddos-threat-report-2023-q1/ - Cloudflare DDoS threat report for 2023 Q2
https://blog.cloudflare.com/ddos-threat-report-2023-q2/ - Cloudflare DDoS threat report for 2023 Q3
https://blog.cloudflare.com/ddos-threat-report-2023-q3/ - Cloudflare DDoS threat report for 2023 Q3
https://blog.cloudflare.com/ddos-threat-report-2023-q4 - F5 2023 DDoS Attack Trends
https://www.f5.com/labs/articles/threat-intelligence/2023-ddos-attack-trends - Netscout Threat Report 2023
https://www.netscout.com/threatreport/wp-content/uploads/2023/04/Threat-Report-2H2022.pdf - Google: How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack https://twitter.com/menscher/status/1711715943385325958
- FSISAC+Akamai: DDoS: Here to Stay, Report on Financial Sector https://www.fsisac.com/hubfs/Knowledge/DDoS/FSISAC_DDoS-HereToStay.pdf
- Cloudflare DDoS-Radar: Analytics and insights https://radar.cloudflare.com/security-and-attacks?dateRange=28d
- Booter-Service development and Capabilities https://blog.kybervandals.com/booter-service-development-and-capabilities/
- Hacktivism Unveiled, April 2023 Insights Into the Footprints of Hacktivists https://www.radware.com/security/threat-advisories-and-attack-reports/hacktivism-unveiled-april-2023/
- Nokia ThreatIntel-Report on DDoS and Botnets: https://pf.content.nokia.com/t00902-trust-threat-intelligence-report/report-nokia-threat-intelligence-report-202
- Interview with Anonymous Sudan https://intelcocktail.com/anonymous-sudan-interview/
- How the FBI goes after DDoS cyberattackers https://techcrunch.com/2023/08/12/fbi-ddos-for-hire-cyberattackers/
- IEEE: The Strange Story of the Teens Behind the Mirai Botnet https://spectrum.ieee.org/mirai-botnet
- New tactics from booterservices mitigates GeoIP-Restrictions https://blog.kybervandals.com/new-tactics-from-booterservices/
- Detaillierter Analysebericht zu den DDoS-Angriffen «NoName057(16)»
https://www.ncsc.admin.ch/ncsc/de/home/dokumentation/berichte/fachberichte/ddos-bericht-6-2023.html
physical DDOS // Cheap Radio Hack Disrupted Poland's Railway System
- https://twitter.com/lukOlejnik/status/1695439622426202443
- https://www.wired.com/story/poland-train-radio-stop-attack/
Avg Botnet-Size
- IoT: up to 5.000 (Nokia)
- Server: 1000 - 5000 (Nokia)
- Max: 135.000 (Qrator)
- DDoSia by Noname: ca 20.000 by 2023-as seen during swiss-attacks
TA DDoS
- NoName057 | analysis
- XAKNet (HackNet)
- Cyber Army of Russia
- Deadnet
- KillNet / UserSec
- Anonymous Sudan | interview
2022
due to the mass of events and new actors, we stopped recording the known attacks
Summary
-
general trend: frequency goes down, quality goes up
-
OSINT is the big newcomer in 2022, giving attackers the ability to find and attack weak spots in targets networks/application (hello kitty KillNet/Noname et al
-
once-sophisticated Attacks hit the Mainstream (TCP-DirectPath, Carpetbombing, DNS-DDoS): Neustar & Netscout are seeing CarpetBombing arriving in the mainstream, where in Q3/Q4 50% of attacks against networks are leveraging CarpetBombing-Attacks (Neustar, Netscout)
-
Server-based Botnets are back again and have a stable 5-10k - size
-
TCP DirectPath has been seen as a dominant and most successful attackvector in more-than-average-attacks
-
DDoS - Threat actors custom-tailor each attack ("surgical methods", Lumen) to bypass multiple layers of DDoS mitigation and protection, both cloud-based and on premises.
-
HitAnd Run-Attacks (Short-term, Testing defense only)
-
DDoS as third ransom-vector by Ransomware-Gangs
-
strong hacktivism-activities due to geopolitical events (Ukraine-War, Iran uprising etc) fuel the DDoS-Threat-Landscape
References & Reports
- Cloudflare DDoS attack trends for 2022 Q4
- Cloudflare DDoS attack trends for 2022 Q3
- Cloudflare Radar DDoS attack trends for 2022 Q2
- Cloudflare Radar DDoS attack trends for 2022 Q1
- NETSCOUT THREAT INTELLIGENCE REPORT
- Akamai: Cyberterrorists Target Record Number of Victims with DDoS Attacks in Q2
- Lumen Quarterly DDoS Report Q2 2022
- Cloudflare blocks 15M rps HTTPS DDoS attack
- Akamai: The Relentless Evolution of DDoS Attacks
- How Google Cloud blocked largest Layer 7 DDoS attack yet, 46 million rps | Google Cloud Blog
TA DDoS
- NoName057
- XAKNet (HackNet)
- Cyber Army of Russia
- Deadnet
- KillNet
2021
TL;DR: attackers get more advanced, but experienced protectors know how to cope with the attacks
- a more detailed timeline of current events are tracked in our DDoS-Incidents Logbook 2021
- a german version as PDF-Download is available as well (TLP:GREEN)
current Trends and what we expect in the near future:
The DDoS-Threat-Situation has not really improved in recent years, and DDoS-based extortion still seems lucrative enough. Furthermore, we see a Renaissance of DDoS-Attacks in 2021 for many actors, either extortion, hacktivism or your average "sportsman".
since 2020, a DDoS ransomware gang with changing names has been very active (tracked by us here ), attacking unprotected companies with highly targeted attacks. Trademark of this gang:
- customized and targeted attacks after reconnaissance with high penetrating power.
- APT-mocking with constantly new names (Fancy Bear, Armada Collective, Lazarus Group, or REvil lately)
- attacks on multiple targets of one industry (so far: banks, travel, ISP, telcos, VOIP providers, gaming industry, email providers)
- global scale attacks
- DDoS campaigns in 2021 have become more targeted, multi-vector and persistent (Neustar, Netscout)
- Ransom DDoS (RDDoS) campaigns got a substantial boost (ENISA, Cloudflare, Netscout)
- cybercrime-as-a-service (aka: Booter/Stresser-services) works as an amplifier of web-based and volumetric DDoS attacks
technical trends
- TCP-based attack vectors are coming into focus due to
new researchpapers (link to paper directly ), which suggest a huge potential in TCP volumetric attacks - TCP-Amplification and Reflection will become a major threat in the coming years, especially with amplification-rates > 1000. we expect advanced adversaries using this vector more and more successfully, and already have seen well done TCP-attacks
- DDoS is moving towards mobile networks and IoT (ENISA), supporting localised DDoS where an attacker interferes with the connectivity of a specific area threating services like onlinebanking and any service with a large customerbase using mobile devices/connection
- Recon, target-analysis and mitigation-monitoring is quite common with Ransom DDoS and advanced attackers (multiple sources and DFIR)
- Botnet-Size of 50.000 Bots and more is the new norm for IoT-Botnets
- 1TB/s volumetric attacks defines the new upper level and has been seen by many providers (Netscout, Cloudlfare, Google, Neustar)
- streetprices for DDoS-Attacks kept stable in the last 2 years
- DTLS and GRE are emerging vectors
- 60% of all DDoS-Attacks are application-based and non-volumetric
Reports and Analysis
disclaimer: we refer to reports and analysis with benefit for technical personel/blueteams
- The current ENISA-REPORT covers DDoS in detail in section 8. THREATS AGAINST AVAILABILITY AND INTEGRITY. Organizations in Europe should be aware that "... the threat potential of DDoS attacks is higher than its current impact in the EU ...", which may well lead to an increase in attacks in the EU area.
- NETSCOUTs 2021 Threat Intelligence Report provides a very detailed development, analysis and overview of the DDoS threat situation in 2021, compared to previous years. One of the keyfindings (besides whatr has been covered above): TB-attacks starts to become "the norm"
- Cloudflares report on a 17.2Mio RPS DDoS attack offers an interesting insight into a large Mirai-Botnet.
- DDoS Attack Trends for Q3 2021 by Cloudflare gives an excellent overview about the global activities and trends.
- Google: Exponential growth in DDoS attack volumes from 2020 ist a very interesting read about large-scale DDoS-Attacks, trends and attacker-capabilities
2018
Intro
zeroBS sammelt die wichtigsten Informationen und Status-Reports (Akamai, Neustar, Verisign, Qihoo 360) zum Thema Infrastruktursicherheit / Lage auf dem DDoS-Sektor, und gibt in diesem Artikel eine Übersicht über die wichtigsten Aussagen, Trends und Inhalte.
https://ddosmon.net/insight/
https://blogs.akamai.com/2018/06/summer-soti---ddos-by-the-numbers.html
https://securityledger.com/2018/06/akamai-report-finds-ddos-attacks-more-sophisticated-adaptive/
https://www.corero.com/blog/890-the-current-state-of-ddos-attacks-are-they-getting-smarter.html
https://www.verisign.com/en_GB/security-services/ddos-protection/ddos-report/index.xhtml
https://www.security.neustar/blog/Neustar-DDoS-and-Cyber-Security-Report-Wins-InfoSec-Award-for-Research-Report
visibility / tools
https://blog.radware.com/security/2016/03/how-to-prepare-for-a-ddos-attack/
Member discussion: