The fight against the Hydra – Complexity and number of attacks increased again!
Over the last few years, a constant increase in distributed denial of service attacks has been recorded – primarily forced by waves of blackmailers. Geopolitical tensions are now being added to the already high level of previous years. Against the backdrop of the events in the Ukraine conflict, it is to be expected that cyberattacks will also continue to increase as a means of asymmetric warfare. The main focus here is on DDoS attacks, which cause complex IT infrastructures to fail, for example at public authorities or financial institutions, with the aim of sabotaging and unsettling them. The number of DDoS attacks measured in the Link11 network has already increased noticeably in the past year. As a specialized European IT security provider in the field of cyber-resilience, Link11 is today publishing new data on this in its in-house DDoS Report 2021.
According to the report, the number of DDoS attacks increased by 41 percent between 2020 and 2021. Compared to an already high level driven by cybercriminals looking to capitalize on the digitalization wave at the start of the pandemic, the volume of attacks has increased further.
Marc Wilczek (Managing Director, Link11):
“Private and business life is increasingly shifting into the digital space. This offers more and more attack surfaces. Our figures make it clear: not only the number of DDoS attacks is increasing, but their DNA is also changing. Complexity is growing, new attack vectors and methods such as “carpet bombing” are becoming established. In contrast, existing security tools are reaching their limits. This makes maximum precision and speed in detecting and defending against attacks all the more important.”
Attack bandwidths have also followed the same trend and have consistently increased. The highest bandwidth measured on the Link11 network was over 1 Tbps, adding up to over 4.5 Tbps of volume in just under two hours. Numerous other high-volume attacks occurred, especially in the second half of 2021. According to the report, the average attack bandwidth peak in 2021 was 437 Gbps, up from 161 Gbps in 2020. In contrast, the average total bandwidth fell from 1.5 to 1.4 Gbps due to the increase in so-called “carpet bombing”. Among other things, the new and massive botnet Meris was responsible for the increase in high-volume attacks. It can cause lasting disruption to even very robust networks by sending a large number of requests per second (RPS).
In addition, 71 percent of all attacks were identified as multi-vector. This means that the perpetrators used multiple access paths and methods – which is increasingly becoming the norm today. The challenge: The more vulnerabilities and protocols attackers use, the more difficult it is to detect and defend against attacks, thus increasing the likelihood of success for attackers. The bottom line is that these are different, synchronously running attacks that also have to be identified individually. In 2020, the proportion of multi-vector attacks was still 59 percent.
Jag Bains (Vice President Solution Engineering, Link11):
“Fighting multi-vector attacks is like fighting the Hydra: Defuse one vector and it’s replaced by two new ones.”
Furthermore, Link11 notes an increase in “carpet bombing,” or the concerted flooding of systems with single pinpricks. In these technically complex attacks, unlike high-volume attacks, the traffic per IP address is so low that many protection solutions fail to detect them as an anomaly. The attacks infiltrate the radar and are difficult to mitigate.
In addition, ransom DDoS once again strengthened as a trend: More and more cybercriminals are increasingly demanding ransom in DDoS attacks. This trend could be reinforced by the fact that DDoS attacks were often used last year disguised as a smokescreen, e.g., in connection with a ransomware attack. In the slipstream of a massive DDoS attack, hackers can thus penetrate unnoticed through the digital backdoor of network security and, for example, place malware before forcing the web servers to reboot.