Distributed denial-of-service (DDoS) attacks in 2021 showed some fascinating developments. Analysis of attack data collected by F5’s Silverline team, which provides managed DDoS protection services, among others, revealed some interesting trends: the overall number of DDoS attacks declined marginally compared with 2020, while the size and complexity of those attacks grew significantly (see Figure 1). Attacks targeting SSH, often used by attackers to build out new botnets for DDoS attacks, have declined slowly but steadily. Meanwhile, vulnerabilities in consumer devices, such as routers, were rapidly exploited to join them to these botnets. Reports, such as Europol’s Internet Organized Crime Threat Assessment (IOCTA), highlight that threat actors are increasingly using DDoS attacks to pressure victims into paying ransomware attack demands. Groups known to use this method include Avaddon, DarkSide, Ragnar Locker and Sodinokibi.1 Even organized cybercriminals recognize the threat of DDoS attacks. The IOCTA also reported that administrators of online illegal marketplaces have improved their own defenses to defend against DDoS attacks from competitors.
- Silverline mitigated its largest-ever DDoS attack, which peaked at just under 1.4 Tbps, almost 5.5 times larger than the largest attack in 2020.
- The overall number of DDoS attacks declined 3% between 2020 and 2021.
- Small to medium-size DDoS attacks (up to 250 Gbps) declined by 5%.
- DDoS attacks larger than 250 Gbps grew by 1,300%.
- Finance, the target of over 25% of all attacks, became the most attacked sector in 2021.
- Volumetric (network flood) DDoS attacks are still the most prevalent, accounting for 59% of all attacks.
- Protocol and application DDoS attacks both grew in 2021 by 2% and 5%, respectively.
- TCP DDoS attacks almost doubled in 2021 compared with 2020 and accounted for 27% of all attacks.
Mapping the ATT&CKs
Our recent reports have made increasing use of the MITRE ATT&CK framework in an attempt to present findings and conclusions in a way that is consistent within our own body of work and that also allows for simple comparisons with other research.2 To this end, this report will include ATT&CK technique IDs to allow for easy cross-referencing. Table 1 shows the mapping between DDoS terminology and ATT&CK techniques.
| F5 DDoS category | ATT&CK technique | Purpose of attack | ATT&CK sub-technique | Examples |
|---|---|---|---|---|
| Volumetric | Network Denial of Service T1498 | Consume network bandwidth | Direct Network Flood T1498.001 | TCP flood |
| Volumetric | Network Denial of Service T1498 | Consume network bandwidth | Reflection Amplification T1498.002 | DNS reflection |
| Protocol | Endpoint Denial of Service T1499 | Overwhelm network device | OS Exhaustion Flood T1499.001 | SYN floods |
| Application | Endpoint Denial of Service T1499 | Consume application resources | Service Exhaustion Flood T1499.002 | HTTP flood |
| Application | Endpoint Denial of Service T1499 | Consume application resources | Application Exhaustion Flood T1499.003 | Heavy URL; intensive SQL queries |
| Application | Endpoint Denial of Service T1499 | Consume application resources | Application or System Exploitation T1499.004 | Exploit a vulnerability to crash a system or service |
2021 DDoS Attacks by the Numbers
We analyzed the raw attack data from the Silverline teams to see how attacks had changed in size, complexity, and frequency compared with 2020.
Attacks Are Getting Larger
Attack frequency showed a marked decline from the start of 2021 through the end of the year, though it remained fairly consistent across the past two years as a whole, with 2021 seeing only 3% fewer attacks than 2020. But while Figure 2 shows an overall decline in attack frequency during 2021, it also shows that attack sizes have grown considerably. While peak attack sizes remained consistent throughout 2020, at around 200 Mbps, things changed in February 2021, when the F5 Silverline team detected and mitigated the largest attack it had ever seen, weighing in at 500 Mbps. This record did not last long, however, as 2021 saw larger and larger attacks, culminating with the 1.4 Tbps attack in November. As well as peak attack sizes, the average attack size has also grown: the mean attack size was 5 Gbps in Q1 2020 and over 21 Gbps in Q4 2021.
Figure 3 shows the frequency of DDoS attacks by size, with 100 Mbps or lower being the most common. We might have expected a uniform drop in frequency as size increases, but Figure 3 also shows that attacks ranging from 1 to 3 Gbps are extremely popular, more so than smaller attacks. Similarly, attacks between 10 and 30 Gbps are more common than those between 6 and 10 Gbps. This is consistent with the findings in our DDoS Attack Trends from 2020, which showed a similar pattern.
Silverline Defends Against Largest-Ever Attack
In November 2021, Silverline observed and mitigated the largest attack it had ever seen (see Figure 4). The onslaught, targeting an ISP/hosting customer, lasted just four minutes and reached its maximum attack bandwidth of almost 1.4 Tbps in only 1.5 minutes.
The attack used a combination of volumetric (DNS reflection) and application-layer (HTTPS GET floods) methods. Interestingly, the huge amount of network traffic, generated by a reflected DNS amplification attack, dwarfed the 100 Mbps of network traffic created by the HTTPS GET flood. This does not make the application-layer attack less serious. The goal of an application-layer DDoS attack is not to consume network bandwidth but to overwhelm the application server, so while 100 Mbps of traffic seems tiny compared to the flood of DNS responses, the resources and queries being requested by the HTTPS attack traffic could have easily consumed a web or database server.
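To make the application-layer point concrete, here is an added example (not F5 or Silverline code) that accounts for requests by estimated backend cost rather than by bytes on the wire, and throttles each client against a cost budget with a token bucket. The access-log tuple format, the per-path cost table (standing in for the "heavy URL" and "intensive SQL query" cases) and the sample requests are all constructed assumptions.

```python
"""Cost-based accounting for an HTTP(S) GET flood.

Added example, not F5 Silverline code. Assumes a hypothetical access-log tuple
(timestamp_s, client_ip, path, bytes_on_wire); the per-path cost table and the
sample requests below are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical backend cost per URL prefix, in milliseconds of server/database time.
# Longest matching prefix wins; "/" is the catch-all. "/report/export" and "/search"
# stand in for the heavy-URL and intensive-SQL cases.
PATH_COST_MS = {"/": 2, "/static/": 1, "/search": 450, "/report/export": 1200}

def request_cost(path):
    """Estimate the backend cost of a request from its path (longest matching prefix)."""
    for prefix, cost in sorted(PATH_COST_MS.items(), key=lambda kv: -len(kv[0])):
        if path.startswith(prefix):
            return cost
    return PATH_COST_MS["/"]

@dataclass
class CostBucket:
    """Token bucket whose tokens are milliseconds of backend time, not requests or bytes."""
    capacity_ms: float
    refill_ms_per_s: float
    tokens: float = -1.0
    last_ts: float = 0.0

    def __post_init__(self):
        if self.tokens < 0:
            self.tokens = self.capacity_ms

    def allow(self, ts, cost_ms):
        # Refill for elapsed time, capped at capacity, then try to pay for this request
        self.tokens = min(self.capacity_ms,
                          self.tokens + (ts - self.last_ts) * self.refill_ms_per_s)
        self.last_ts = ts
        if cost_ms <= self.tokens:
            self.tokens -= cost_ms
            return True
        return False

def account(requests, capacity_ms=2000.0, refill_ms_per_s=200.0):
    """Return per-client totals: wire bytes, requested backend cost, allowed and throttled counts."""
    buckets = defaultdict(lambda: CostBucket(capacity_ms, refill_ms_per_s))
    totals = defaultdict(lambda: {"bytes": 0, "cost_ms": 0, "allowed": 0, "throttled": 0})
    for ts, client, path, nbytes in sorted(requests):
        cost = request_cost(path)
        t = totals[client]
        t["bytes"] += nbytes
        t["cost_ms"] += cost
        if buckets[client].allow(ts, cost):
            t["allowed"] += 1
        else:
            t["throttled"] += 1
    return dict(totals)

# Constructed sample: one browsing client, one heavy-URL flood, one search flood
SAMPLE_REQUESTS = (
    [(0.0, "192.0.2.10", "/", 600), (0.5, "192.0.2.10", "/static/logo.png", 600),
     (3.0, "192.0.2.10", "/", 600), (3.5, "192.0.2.10", "/static/logo.png", 600)]
    + [(0.1 * i, "198.51.100.7", "/report/export", 300) for i in range(5)]
    + [(0.05 * i, "198.51.100.8", "/search?q=admin", 500) for i in range(10)]
)

if __name__ == "__main__":
    for client, t in account(SAMPLE_REQUESTS).items():
        print(client, t)
```

The flood clients move fewer bytes than the browsing client moves in a few page loads, yet request orders of magnitude more backend time; budgeting by cost lets the limiter throttle them while the browsing client is never touched.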
The geographic location of attacking IP addresses, or target IP addresses, is largely irrelevant today. Attackers happily compromise vulnerable devices wherever they are located in the world, and defenders like Silverline have scrubbing centers in all major continents to distribute the attack loads. That being said, it is interesting to observe that the majority of attack traffic was handled by Silverline scrubbing centers in Singapore, the U.S. East Coast, and Germany, suggesting that the majority of attacking devices were located in Asia (see Table 2).
| Scrubbing center | Percentage of attack seen |
|---|---|
| U.S. East Coast | 27% |
| U.S. West Coast | 6% |
Complex Attacks Are Increasing
Throughout 2021, the most prevalent form of DDoS attack continued to be volumetric, or the Direct Network Flood T1498.001 technique, to use ATT&CK lexicon. Volumetric attacks are simple and effective, requiring no vulnerability, compromised third-party system, or advanced expertise. Publicly available DDoS tools or services (known as stressers) can launch an attack that sends more traffic to the victim than their network bandwidth can cope with. Combined with UDP reflection attacks, which mask the attackers’ real IP addresses, volumetric denial of service will continue to be the go-to DDoS attack for many threat actors.
But while volumetric attacks continue to dominate DDoS figures, Figure 5 shows that 2021 did see a slight shift toward protocol- and application-type attacks. While volumetric attacks are generally trivial to mitigate, protocol and application attacks can be significantly more challenging, since they can appear as genuine application traffic. Application DDoS attacks saw the biggest change, with growth of almost 5% compared with 2020.
In 2021, we saw a significant shift in the protocols used for DDoS attacks. UDP has long been attackers' transport protocol of choice, since it is stateless, allowing threat actors to hide their real IP address and perform reflection attacks. In 2020, 83% of all attacks were UDP-based, with only 17% of attacks using TCP. This changed considerably in 2021, with TCP being used for 27% of attacks. This correlates with more complex protocol and application DDoS attacks (Endpoint Denial of Service T1499), which often need the stateful TCP protocol.
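The following added example (not F5 or Silverline code) applies the flow-level shapes discussed in this section and the ATT&CK mapping in Table 1 to triage inbound traffic: unsolicited UDP replies from well-known service ports are labelled Reflection Amplification (T1498.002), other inbound UDP as Direct Network Flood (T1498.001), and SYN-only TCP flows as OS Exhaustion Flood (T1499.001). It also reports the TCP share of flagged flows, the kind of measure behind the 27% figure above. The flow export format, the victim address and the sample flows are constructed assumptions; established TCP sessions are left unlabelled because, as the text notes, application attacks can only be told apart from genuine traffic with request-level data.

```python
"""Flow-level triage of inbound DDoS traffic into ATT&CK technique IDs.

Added example, not F5 Silverline code. Assumes a hypothetical one-flow-per-line
export: "<PROTO> <src>:<sport> -> <dst>:<dport> <bytes> <packets> [<tcp flags>]".
The sample flows below are constructed (RFC 5737 documentation addresses)."""
import re
from collections import Counter

VICTIM = "203.0.113.10"  # constructed target address
# UDP services whose replies are commonly reflected; the key is the reply's source port
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}

FLOW_RE = re.compile(
    r"^(?P<proto>UDP|TCP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)\s+(?P<pkts>\d+)"
    r"(?:\s+(?P<flags>[A-Z]+))?\s*$")

def parse_flow(line):
    """Parse one flow line into a dict, or return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    for key in ("sport", "dport", "bytes", "pkts"):
        f[key] = int(f[key])
    f["flags"] = f["flags"] or ""
    return f

def classify(flow, solicited):
    """Map an inbound flow to an ATT&CK sub-technique ID, or None when its shape alone
    does not mark it as attack traffic. `solicited` holds (peer_ip, peer_port) pairs the
    victim itself sent requests to, so genuine replies are not flagged. This is a shape
    heuristic; production detection additionally gates on rate against a baseline."""
    if flow["dst"] != VICTIM:
        return None
    if flow["proto"] == "UDP":
        if (flow["src"], flow["sport"]) in solicited:
            return None                      # reply to the victim's own request
        if flow["sport"] in REFLECTION_PORTS:
            return "T1498.002"               # Reflection Amplification
        return "T1498.001"                   # Direct Network Flood (UDP)
    if flow["flags"] == "S":                 # SYN never followed by ACK: half-open
        return "T1499.001"                   # OS Exhaustion Flood (SYN flood)
    return None                              # established TCP: needs request-level data

def summarize(lines):
    """Count flagged flows and bytes per technique, plus the TCP share of flagged flows."""
    flows = [f for f in (parse_flow(l) for l in lines) if f]
    solicited = {(f["dst"], f["dport"]) for f in flows if f["src"] == VICTIM}
    count, volume, by_proto = Counter(), Counter(), Counter()
    for f in flows:
        tid = classify(f, solicited)
        if tid is None:
            continue
        count[tid] += 1
        volume[tid] += f["bytes"]
        by_proto[f["proto"]] += 1
    flagged = sum(count.values())
    return {"flows": dict(count), "bytes": dict(volume),
            "tcp_share": by_proto["TCP"] / flagged if flagged else 0.0}

# Constructed sample flows: reflected DNS/NTP replies, one solicited DNS reply,
# a direct UDP flood packet, two half-open SYNs and one established TLS session
SAMPLE_FLOWS = [
    "UDP 198.51.100.7:53 -> 203.0.113.10:4412 3900 3",
    "UDP 198.51.100.21:123 -> 203.0.113.10:4412 4400 9",
    "UDP 203.0.113.10:50000 -> 198.51.100.8:53 70 1",
    "UDP 198.51.100.8:53 -> 203.0.113.10:50000 120 1",
    "UDP 192.0.2.40:9999 -> 203.0.113.10:80 1400 1",
    "TCP 192.0.2.5:3333 -> 203.0.113.10:443 60 1 S",
    "TCP 192.0.2.6:3334 -> 203.0.113.10:443 60 1 S",
    "TCP 192.0.2.9:40000 -> 203.0.113.10:443 900 12 SAPF",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

On the sample, the reflected replies carry the bulk of the bytes while the two SYN flows carry almost none, which is why volumetric and protocol attacks are counted and sized separately rather than compared on bandwidth alone.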