As we have done for prior DDoS Attack Trends reports, we recently analyzed attack data from the F5 Distributed Cloud DDoS Mitigation service to get a look at the DDoS traffic they handled for their customers in 2022. We continued our analysis by comparing 2022 data to that of 2021 and 2020. Some interesting trends emerged.
- Application layer attacks up by 165%
- The Technology sector takes the top spot as most attacked over 2022
- Overall observed events are down by -9.7%
- Peak Bandwidth up 216% from 2020
- All verticals should expect to see more Application and Multi-vector DDoS
A Note on the Analysis
Distributed Denial of Service (DDoS) has been an issue for a very long time, and while our defenses have come a long way since the earliest days, such attacks can still be devastating. Attackers continue to use these techniques to annoy, harass, and extort vulnerable targets, so tracking DDoS trends remains an important function of threat intelligence writ large. There are, however, a few things to keep in mind when reading any analysis of DDoS trends and events. Bringing a critical frame of mind to any data to determine relevance to your specific situation is key to being able to turn observations into action. Any dataset relating to DDoS traffic will only show what the collection point was able to observe, and this will be only a fraction of the total DDoS that occurred across the internet.
While the observations may be a small subset of the total landscape of DDoS, we nevertheless feel the trends observed in this data may be broadly comparable to the entire situation, as the F5 Distributed Cloud DDoS Mitigation service protects a diverse group of customers, ranging from small to large enterprises, and from many different industry verticals.
Terms Used in This Report
If you’re new to denial of service attacks and would benefit from a detailed look at the types and method of DoS attacks, and the motivations of the many threat actors who use them, take a look at our Learning Center article What is a Distributed Denial-of-Service Attack?
Nearly all DDoS attacks will have a ramp up and a ramp down period in terms of the bandwidth they use. The peak bandwidth is defined here as the maximum observed bandwidth in a single point in time during the attack. It does not indicate how long the total attack lasted, but does give some indication as to the resources the attacker put towards creating it, and to some extent, its intensity.
Attack Type Classifications
Because there is a large number of specific DDoS attack types, we’ve broken them out into the following categories. Our classification scheme roughly overlaps with the DDoS terms used by the MITRE ATT&CK framework.
Volumetric attacks use a variety of techniques to attempt to overwhelm the available bandwidth at the target. Such techniques include UDP floods, ICMP floods, and reflection attacks leveraging protocols such as NTP, Memcached, and DNS to amplify the amount of traffic received by the target.
Protocol attacks are those that specifically target the ability of network infrastructure to track and handle traffic. Examples include TCP Syn and TCP Ack flooding. These are also known as ‘computational’ attacks, since they often overload the compute capacity of network devices, such as routers and firewalls.
Application attacks are those that target higher level protocols, the most frequently observed being HTTP GET floods, TLS renegotiation, and DNS queries. We make the distinction here between DNS reflection, whose aim is to flood the targets internet connection with query response traffic, and DNS queries, which are made directly to the target’s DNS infrastructure, with the aim of denying legitimate requests the ability to resolve domain names.
We use the term “multiple-vector” for attacks which leverage more than one of the above methods. More details on the specific combinations observed are mentioned in passing in the rest of the report. While many DDoS attacks use a single vector, these multiple-vector methods are becoming increasingly common.
2022 DDoS Insights
In 2022, we saw the overall number of attacks trend down a small amount, and saw a sharp rise in the number of Application layer attacks.
Trend 1: Overall DDoS Attacks Were Slightly Down
In 2022, we note a slight reduction (-9.7%) in the overall events observed from that of 2021, continuing a similar reduction in overall events between 2020 and 2021 (-3.5%). The number of events observed per quarter does not vary much. Q1 2022 was significantly less than the same quarter in the year before, with a 50.7% reduction (Figure 1).
This is perhaps attributable to the beginning of the Russian invasion of Ukraine. At that time, it was noted by several threat research firms that there was significant turmoil among various cybercriminal organizations, as they determined what their approach would be regarding the conflict, and which side, if any, they would align with. Resources were redirected, at least briefly, to support one side or the other of the conflict, and several large-scale DDoS attacks against both Russian and Ukrainian targets made the news. This may account for the drop in Q1 events we observed, but we can’t be sure. The overall drop from Q4 2021 to Q1 2022 was -25%.
Politically motivated attacks are ongoing – as this report was being written, widespread DDoS attacks against hospitals were being reported, and attributed to Killnet, a Russian-aligned group which has launched such attacks against several verticals since the war began.1 Please see the section “Is Killnet a Sign of Things to Come?” below for more details.
The level of attacks ramped back up to approximately normal levels in the following quarters, increasing an average of 30% quarter to quarter, and although the overall yearly totals were down, Q4 2022 showed the highest observed number of events in a single quarter across all three years. See Figure 1.
Despite the overall decline in 2022 events, we agree with the consensus opinion that DDoS remains a threat which will grow in the future, with more attacks likely to occur going forward.
In the rest of the analysis, you may note that the numbers of observed events and the totals for various classifications don’t seem to match precisely. That is because some events (approximately 70 of them) were unable to be classified according to our scheme of Application, Protocol, Volumetric, and Multi-vector.
Trend 2: Application Vector Attacks are Becoming Far More Frequent
Breaking this out by category, we can see that in 2020 and 2021 the prevalent form of attack was Multi-Vector, closely followed by Volumetric attacks. In 2022, Application vector attacks grew dramatically, by 165%, even as the overall number of attacks went down.
This may be indicative of better defenses being brought to bear. We generally believe that attackers will use the minimum set of techniques that will achieve their goal, whether that is extortion or preventing the operations of their target. In the case of Application vector attacks, this may indicate that it’s becoming harder to reliably DDoS a target using solely Protocol or Volumetric means, and that AApplication attacks are more effective.
As a percentage of total traffic (Figure 2), Multi-vector attacks still lead the pack, but only barely. Protocol attacks remained stable at about 10% of observed events, and it appears from our data that more attacks are launched as purely Application attacks, rather than Multi-vector which was the norm before.
Trend 3: Peak Bandwidth Back on the Rise
Headlines love to talk about “the largest DDoS ever observed”, and we’ve done that ourselves from time to time, as we did in the 2022 DDoS Attack Trends report. It’s impressive and scary to see attacks in the terabit per second range, since they indicate the immense resources that attackers can bring to bear.
In 2022, the maximum peak bandwidth we observed was 800mbps, down from 1.39tbps the year before, a 42.4% decrease (Figure 3). In 2020 when we observed a peak bandwidth of a mere 253mbps, and so 2022 is still significantly higher, up 216%.
We can take this to mean that attacker capabilities in this area will continue to grow, and that high peak bandwidth attacks are on track to become more prevalent, but it’s worth noting that in our data set, attacks with a peak bandwidth of over 600gbps account for a very small amount of the total events observed. While such attacks can indeed be difficult to defend against, they are far from the most common.