Link11 H1 2020 DDoS Report Reveals a Resurgence in DDoS Attacks During COVID-19 Lockdowns

Attacks in April, May and June 2020 more than double compared with Q2 2019, and attacks using public cloud infrastructure increase

Link11, Europe’s leading security provider in cyber resilience, has released findings from its H1 2020 DDoS Report, which revealed a resurgence in DDoS attacks during the global COVID-19 related lockdowns.

In April, May and June 2020, the number of attacks registered by Link11’s Security Operations Center (LSOC) averaged 97% higher than the during the same period in 2019, peaking at a 108% increase in May 2020. There is a potential danger that cyber criminals could take advantage of home working, and it is important that companies do not allow their digitalisation strategies to be undermined by cyber criminals.

Key findings from the annual report include:

• Multivector attacks on the rise: One in two attacks (52%) combined several methods of attack, making them harder to defend against. One attack included 14 methods; the highest number of vectors registered to date.
• Growing number of reflection amplification vectors: Most commonly used vectors included DNS, CLDAP and NTP, while WS Discovery and Apple Remote Control are still frequently used after being discovered in 2019. Since the beginning of the year, the vector set for DDoS attackers has also been expanded by DVR DHCPDiscovery. The LSOC discovered the vector that exploits a vulnerability in digital video recorders (DVR devices vulnerability). The new method of attack was used hundreds of times for DDoS attacks in the second quarter of 2020.
• DDoS sources for reflection amplification attacks distributed around the globe: The top three most important source countries in H1 2020 were USA, China, and Russia. However, more and more attacks have been traced back to France.
• Average attack bandwidth remains high: The attack volume of DDoS attacks has stabilised at a high level, at an average of 4.1 Gbps. In the majority of attacks 80% were up to 5 Gbps. The largest DDoS attack was stopped at 406 Gbps.  In almost 500 attacks, the attack volume was over 50 Gbps. This is well over the available connection bandwidth of most companies.
• DDoS attacks from the cloud: At 47%, the percentage of DDoS attacks from the cloud was higher than the full year 2019 (45%).  Instances from all established providers were misused, but most commonly were Microsoft Azure, AWS, and Google Cloud. Attackers often use false identities and stolen credit cards to open cloud accounts, making it difficult to trace the criminals behind attacks.
• The longest DDoS attack lasted 1,390 minutes - 23 hours. Interval attacks, which are set like little pinpricks and thrive on repetition, lasted an average of 13 minutes.

The data showed that the frequency of DDoS attacks depends on the day of the week and time of the day, with most attacks concentrated around weekends and evenings. More attacks were registered on Saturdays, and out of office hours on weekdays.

Marc Wilczek, COO of Link11 said: “The pandemic has forced organizations to accelerate their digital transformation plans, but has also increased the attack surface for hackers and criminals – and they are looking to take full advantage of this opportunity by taking critical systems offline to cause maximum disruption.  This ‘new normal’ will continue to represent a major security risk for many companies, and there is still a lot of work to do to secure networks and systems against the volume attacks. Organizations need to invest in security solutions based on automation, AI and Machine Learning that are designed to tackle multi-vector attacks and networked security mechanisms.”

More information is provided in the full Link11 DDoS report for the first half of 2020.