DDoS Maximum Attack Size Nearly Tripled in 2021 over 2020
The total number of distributed denial-of-service (DDoS) attacks fell 13% in 2021 over 2020, but were still well above pre-pandemic levels, according to Nexusguard researchers in the recently released DDoS Statistical Report for 2021. Additionally, while the average attack size fell by 50% over 2021, the maximum attack size nearly tripled, growing 297% over the same period.
The top three DDoS attack vectors in 2021 were UDP (user datagram protocol) attacks, DNS (domain name system) amplification attacks, and TCP (transmission control protocol) acknowledgment attacks.
UDP attacks were still the most common form of DDoS attack, even though they accounted for a smaller percentage of attacks this year, falling from 59.9% in 2020 to 39.1% in 2021. UDP attacks can quickly overwhelm the defenses of unsuspecting targets, and they frequently serve as a smokescreen to mask other malicious activities such as efforts to compromise personal identifiable information (PII) or the execution of malware or remote codes.
DNS amplification attacks were the second most common, even though they, too, account for a smaller percentage of total attacks than they did 12 months ago, declining from 14.2% in 2020 to 10.4% in 2021. A DNS amplification attack occurs when UDP packets with spoofed target IP addresses are sent to a publicly accessible DNS server.
Each UDP packet makes a request to a DNS resolver, often sending an “ANY” request in order to receive a large number of responses. Attempting to respond, DNS resolvers send a large response to the target’s spoofed IP address. The target thus receives an enormous amount of responses from the surrounding network infrastructure, resulting in a DDoS attack.
TCP acknowledgment (ACK) attacks, on the other hand, accounted for a larger share of total attacks, rising to become the third most common form in 2022. In 2021, TCP ACK attacks accounted for 3.7%, which rose to 9.7%. In these kinds of attacks, a large quantity of ACK packets with spoofed IP addresses are sent to the victim server, forcing it to process each ACK packet it receives, rendering the server unreachable by legitimate requests.
“While the number and average size of DDoS attacks fell in 2021 over 2020, the threat level is still very high when compared to pre-pandemic levels,” said Juniman Kasman, chief technology officer of Nexusguard. “Attack vectors are also in flux, because while UDP attacks are still the most common, TCP ACK, which can exponentially amplify the effect of a DDoS event with a small amount of traffic, rose significantly. Organizations need to be prepared to deal with a wide array of vectors — DDoS remains a persistent, elevated threat.”
Read Nexusguard’s DDoS Statistical Report for 2021 for more information on attack vectors, stats and trends based on data gathered from CSPs, honeypots, botnet scanning and research on traffic moving between attackers and their targets.