The number of distributed denial-of-service (DDoS) attacks grew fourfold in the first half of 2021, with attack volume doubling, new data shows.
Security firm Imperva culled the intelligence from nearly 5,600 network-level attacks encountered by its clients to find that attackers continued to increase the intensity of attacks as they also shortened attack duration. More than half of the attacks lasted eight minutes or less, with attackers repeatedly inundating the same companies with floods of data — including one attack that topped 1 Tbps, according to Imperva.
Companies have trouble responding to such attacks in an agile way, says David Elmaleh, senior product manager of edge services at Imperva.
"There's an inherent imbalance between the infrastructure that attackers can leverage and the capability of the target's infrastructure to withstand increased levels of traffic," he says. "There's a gap between the enterprise connectivity and the attacker's capacity, which means that no organizations can confidently rely on its current infrastructure — even if it can handle a large volume of gigabits per second."
While the top attack bandwidth and packet rates are not setting records — Google saw larger attacks a year ago — Imperva's data shows both are quickly rising. The increase in volume and cadence of attacks is likely because attackers have more tools at their disposal and the pandemic has left companies with a greater range of services to target, he says.
The price of a cup of coffee can disrupt access to corporate cloud services, while $100 can take down a network for hours, if not days, Imperva states in its report.
"Resources are now readily available to attackers, and the barrier to entry is lower than ever," Elmaleh says. "The acceleration of digital transformation has expanded the attack surface, and more organizations now have some or all of their business online. This means attackers have more opportunity to feast on a larger array of targets."
The changes recorded by Imperva could be explained by defenders who are maturing their capabilities and shutting down attacks quickly. However, it is more likely that attackers see short, high-bandwidth attacks as the best way to cause disruption, Elmaleh says. Attacks with shorter duration — called burst or pulse-wave attacks — allow attackers to overwhelm on-premise solutions and shut down an application. This makes mitigation more difficult, especially when attackers repeatedly hit the same target, he says.
"Shorter attacks are purposefully designed to challenge the target’s DDoS protection, observe its response, and define an attack cadence that will overwhelm it," he says. "This approach is very efficient and effective at overwhelming hybrid cloud and on-premises DDoS solutions, causing damage before backup cloud mitigation can start."
Imperva researchers noticed other trends as well. In addition to larger volumes, attackers are also returning to sending traffic using the Transmission Control Protocol (TCP), which can appear more legitimate and make attacks harder to initially recognize. The communication protocol behind most Web traffic, TCP requires the sender and receiver of traffic to create a communications session through a process known as a handshake. TCP traffic increased to 32%, up from 10% in 2020, the report shows.
The most common type of attack traffic, however, remains the User Datagram Protocol (UDP), which accounted for 43% of all attack traffic and which is typically used to send domain name service (DNS) requests and in video streaming. The third most common traffic used in attacks is SYN packets, accounting for 21%.
The company also recorded the largest share of attacks against the computing and IT sector, which suffered 29% of attacks. The business and financial sectors came in second and third, with 25% and 22% share of attacks, respectively.
Bad Bots the Majority
Automated DoS attacks are not the only threat. Automated bots — from search and data-scraping bots to vulnerability scanners — make up almost two-thirds of traffic to websites in the first half of 2021, according to a report published by security firm Barracuda Networks. Only 36% of the average daily traffic to a website is made up of requests from humans.
While DDoS attacks tend to make a site or service unusable, bad bot traffic typically performs unwanted activities, such as attempting to log in to a site using a large number of credentials or scraping pricing data from e-commerce sites, the company said.
"These advanced bots try their best to evade standard defenses and attempt to perform their malicious activities under the radar," Barracuda researchers stated in the report. "In our dataset, the most common of these persistent bots were ones that went after e-commerce applications and login portals."
Barracuda's and Imperva's data differ significantly on the level of automated traffic, however, suggesting that the amount of automated traffic may have jumped in the first half of 2021, or that the companies have significant different user bases. A previous report by Imperva found that bots — both "good" and "bad" — only accounted for 41% of traffic in 2020, compared to Barracuda's findings of 64% bot traffic in the first half of 2021.