Netscout: COVID-19 “added rocket fuel to the growth in DDoS attacks”
Cyber threats are shifting rapidly as attackers respond to the changing network conditions driven by the global coronavirus pandemic. In a new analysis of distributed denial-of-service (DDoS) attacks during the first half of the year, network monitoring and assurance company Netscout said that DDoS attacks are becoming “shorter, faster and more complex” as attackers focus on online platforms that are more crucial than ever in a period of extended work-from-home, distance learning and higher reliance on telehealth and online financial services.
These conclusions are drawn from a new report from Netscout on threat intelligence in the first half of 2020, the most intense period of global lockdowns. Netscout said that DDoS attack frequency in the first half of the year was up 15% compared to the same period in 2019, and jumped even higher — up 25% year-over-year — during the “peak pandemic lockdown” months of March-June. There were 929,000 DDoS attacks in May alone, the company said, which represents the “single largest number of attacks ever seen in a month.”
“The first half of 2020 witnessed a radical change in DDoS attack methodology to shorter, faster, harder-hitting complex multi-vector attacks that we expect to continue,” said Richard Hummel, threat intelligence lead at Netscout. “Adversaries increased attacks against online platforms and services crucial in an increasingly digital world, such as e-commerce, education, financial services, and healthcare. No matter the target, adversary, or tactic used, it remains imperative that defenders and security professionals remain vigilant in these challenging days to protect the critical infrastructure that connects and enables the modern world.”
In North America, DDoS attack frequency was up 20% compared to the first half of 2019, the maximum throughput of attacks was up 23% and the duration of the attacks was down 22%. Similar patterns were seen around the world, in what Netscout described as increasing reliance on “hit and run” methods that conserve attack resources and shorten the window of time in which defenders can respond.
On a global basis, Netscout found that attack duration dropped by more than 50% compared to the same period last year. “Why? It’s all about the money,” the company said. “Shorter attacks consume fewer resources for the bad guys and, even better (from their point of view), narrow the response window for defenders.”
Meanwhile, network defenders have to pay for resources to do their work, but attacks can be had for a pittance: Netscout noted that booter/stressor services “are so cheap and easily available that a ten-minute attack can be rented for as little as 35 cents.” Given the small investment, attackers are upping the complexity of their attacks: the use of 15-plus vector attacks, which were outliers as recently as three years ago, spiked 126% year over year and has risen 2,851% since 2017. Single-vector DDoS attacks were down 43% in the first half.
“This adds up to a giant headache for defenders, giving them less time to react to more difficult mitigation scenarios,” Netscout said, going on to add that “Such scenarios only highlight the vital role of advanced and automated DDoS technology.”
What was being targeted? Everything that has become more important to people and businesses during the pandemic: E-commerce, healthcare, and educational services in particular. “Unsurprisingly, as schools closed and online usage increased, we also saw a surge in attacks on broadband networks, which translates largely to online gaming,” Netscout noted.
In North America, the company said, non-store retailers (which include e-commerce shopping) saw a 20% growth in frequency of DDoS attacks, and attacks on educational services grew 13%.
Netscout also pointed out in its report that DDoS attacks don’t only impact businesses and their customers, they wantonly suck up internet bandwidth without paying for it — which means that the cost of that traffic ultimately impacts every business and individual who does pay for internet service. Netscout developed what it called the DDoS Attack Coefficient, or DAC, to summarize the amount of DDoS traffic traversing regional networks at a given time and the “DDoS tax” that everyone pays as a result of DDoS traffic. A DAC of zero would mean that no traffic in a region was attributable to DDoS, the company explained. What the company actually found was a spike in DAC throughput and DAC bandwidth consumed by DDoS attacks in March, a slight drop in the following months as new norms took hold, and then huge increases in June around the globe as attackers found their footing.
“This traffic essentially imposes an enormous and unending tax on every internet-connected organization and individual across the globe,” Netscout said.