DDoS Attacks 2019: A look back at the Developments over the Year

  • Katrin Gräwe
  • December 19, 2019

Table of content

    DDoS Attacks 2019: A look back at the Developments over the Year

    The experts from the Link11 Security Operation Center (LSOC) take a look back at the most important DDoS attacks in 2019 and summarize which new developments could be detected on the attacker side. In addition, the IT security specialists draw conclusions for the threat situation in the coming 12 months.


    The most significant DDoS attacks of the past year

    Telegram, Wikipedia, AWS: In 2019, there were new reports every month about DDoS attacks and their consequences for the economy, administration and society, ranging from blackmail and vandalism to political and economic protest. The following incidents attracted particular attention, as they had serious consequences.

    DDoS as a political tool

    The Anonymous group called for DDoS attacks against Zimbabwe’s state administrative and financial websites earlier this year as a political protest.

    In June, DDoS attacks crashed Telegram’s Messenger app. The Telegram boss suspected that the Chinese government was behind the attacks, as they coincided with the protests in Hong Kong.

    The British Labour Party’s website and other digital communication platforms were sabotaged in November in the middle of the election campaign.

    Attacks on educational institutions

    Networks and IT infrastructures of schools and universities are regularly targeted by attackers. In February, the Magister learning platform was unavailable to tens of thousands of secondary school pupils in the Netherlands – and, with that, also timetables, exercise material and homework information. The University of Albany in New York State was attacked more than a dozen times within two weeks in February/March.

    Over a period of one week in October, use of the University of Kiel’s 30,000 computers and their installed browser and mail programs was made slow or impossible.

    Danger from DDoS extortion

    A group called Turkish Hackers attacked numerous hosting and Internet service providers in Italy in May 2019 and demanded protection money in Bitcoins.

    Companies in Germany, Austria and Switzerland received serious blackmail emails purporting to be from Fancy Bear. By carrying out warning attacks, the perpetrators showed how serious they were about their demands.

    DDoS attacks with global repercussions

    At the beginning of September, Wikipedia pages went offline for hours in many countries of the world. IoT devices are said to have been misused for the attack.

    The fact that Amazon Web Services (AWS) was unavailable for eight hours in large parts of the world in October caused a huge media response and a presumed damage of over 100 million euros to companies that use it.

    New, old and decommissioned DDoS tools for attackers

    The mostly unknown attackers employed both tried and test techniques alongside new methods. Techniques such as UDP floods, which generate large attack volumes, have been in use since the early days of DDoS attacks 20 years ago. They have lost none of their danger and volume potential. By combining UDP floods with reflection amplification techniques, which send attacks via other servers and thus amplify them, there are no upper limits to the attack bandwidths. DNS reflection and CLDAP amplification were not only detected particularly frequently in 2019, but were also regularly the decisive vectors for increasing attack bandwidths.

    DDoS attackers are always looking for and finding new vulnerabilities and methods to bypass existing protection solutions and cause system overloads. According to observations by Link11, two new attack vectors appeared on the scene in the second half of 2019: They aimed WS Discovery and Apple Remote Protocol, both of which have been in service since 2005.

    At the same time, the half-life for new vectors appears to have decreased. Reflection amplification vectors such as memcached reflection or CoAP made headlines in 2018. In 2019, they were hardly seen anymore.

    Concern from security services around the world

    DDoS attacks are not only a growing challenge for companies, but also for security services worldwide. In Germany, the Federal Office for Information Security (BSI) spoke of a constantly tense threat situation in 2019. The Federal Office gave five reasons for this:

    • increasing attack volumes, which amount to several 100 Gbps
    • specialization by using new attack vectors
    • the use of ever new attack tools
    • intelligent multi-vector attacks that attack multiple layers of enterprise security
    • a growing range of DDoS for hire services.

    In Germany, DDoS attacks were the second most common type of attack in recent months after malware infections. According to the Cyber Security Survey by the Alliance for Cyber Security, they accounted for 18% of all attacks.

    According to Europol, DDoS attacks were among the biggest cyber threats after phishing and ransomware. The European police authorities cite extortion as the main driver of the attacks that were reported to the police. Europol identified the financial sector and the public sector as the most common targets.

    The U.S. Department of Homeland Security has drawn particular attention to the danger posed by growing attack volumes: DDoS bandwidths have increased tenfold over the past five years. The authority doubts whether the current network infrastructure will be able to withstand future attacks. The Ministry is also concerned about the growing number of unsafe IoT devices that can be misused for DDoS attacks.

    Learning from current DDoS attacks for 2020

    DDoS attacks and combating them will remain an important topic for IT security managers in 2020. What types of attacks will companies and the public sector face in the coming months?

    Volume attacks

    According to LSOC observations, the average attack bandwidth increased by approx. 10% in one year. For 2019 it was 5.1 Gbps. And rising! In view of companies’ very narrow-band external connections, comparatively low bandwidths are unfortunately still sufficient to cause the greatest possible damage with minimum effort.

    Complex attack patterns

    The proportion of intelligent multi-vector attacks increases every year. In 2019 it was over 50 percent. The attackers used the different attack techniques either simultaneously or in a staggered manner, whereby they targeted different levels and vulnerabilities. This attack methodology requires more defensive effort, since all individual vectors must be identified in order to recognize a pattern.

    Attacks from the cloud and to the cloud

    DDoS attacks carried out using cloud servers, among other things, are no longer the exception, but the rule. While in 2018 it was only every third attack, in 2019 it was every second attack. At the same time, attackers are increasingly targeting the cloud instances and products themselves, often turning the cloud into a weapon against the companies themselves.

    Constantly new attack techniques

    DDoS attackers are under pressure to constantly identify new vulnerabilities and thus increase the chances of success of their attacks. It remains to be seen which new methods and protocols will shape the threat landscape in the coming months. What is certain, however, is that they will come.

    The dynamic threat situation described above will present companies with ever new challenges in 2020. This applies to both detecting and combating attacks. A security strategy that takes into account the latest threat scenarios is absolutely essential. Companies should therefore seek external advice to determine which specialized security solutions minimize the risks from attacks. AI-based systems promise effective protection in this regard, which significantly exceeds that of conventional solutions.

    New Round of DDoS Blackmailing by XMR-Squad (allegedly)
    Zero-day vulnerability in HTTP/2 protocol: How to protect yourself effectively