As we have done for prior DDoS Attack Trends reports, we recently analyzed attack data from the F5 Distributed Cloud DDoS Mitigation service to get a look at the DDoS traffic they handled for their customers in 2022. We continued our analysis by comparing 2022 data to that of 2021 and 2020. Some interesting trends emerged.

Executive Summary

• Application layer attacks up by 165%
• The Technology sector takes the top spot as most attacked over 2022
• Overall observed events are down by -9.7%
• Peak Bandwidth up 216% from 2020
• All verticals should expect to see more Application and Multi-vector DDoS

A Note on the Analysis

Distributed Denial of Service (DDoS) has been an issue for a very long time, and while our defenses have come a long way since the earliest days, such attacks can still be devastating. Attackers continue to use these techniques to annoy, harass, and extort vulnerable targets, so tracking DDoS trends remains an important function of threat intelligence writ large. There are, however, a few things to keep in mind when reading any analysis of DDoS trends and events. Bringing a critical frame of mind to any data to determine relevance to your specific situation is key to being able to turn observations into action. Any dataset relating to DDoS traffic will only show what the collection point was able to observe, and this will be only a fraction of the total DDoS that occurred across the internet.

While the observations may be a small subset of the total landscape of DDoS, we nevertheless feel the trends observed in this data may be broadly comparable to the entire situation, as the F5 Distributed Cloud DDoS Mitigation service protects a diverse group of customers, ranging from small to large enterprises, and from many different industry verticals.

Terms Used in This Report

If you’re new to denial of service attacks and would benefit from a detailed look at the types and method of DoS attacks, and the motivations of the many threat actors who use them, take a look at our Learning Center article What is a Distributed Denial-of-Service Attack?

Peak Bandwidth

Nearly all DDoS attacks will have a ramp up and a ramp down period in terms of the bandwidth they use. The peak bandwidth is defined here as the maximum observed bandwidth in a single point in time during the attack. It does not indicate how long the total attack lasted, but does give some indication as to the resources the attacker put towards creating it, and to some extent, its intensity.

Attack Type Classifications

Because there is a large number of specific DDoS attack types, we’ve broken them out into the following categories. Our classification scheme roughly overlaps with the DDoS terms used by the MITRE ATT&CK framework.

Volumetric

Volumetric attacks use a variety of techniques to attempt to overwhelm the available bandwidth at the target. Such techniques include UDP floods, ICMP floods, and reflection attacks leveraging protocols such as NTP, Memcached, and DNS to amplify the amount of traffic received by the target.

Protocol

Protocol attacks are those that specifically target the ability of network infrastructure to track and handle traffic. Examples include TCP Syn and TCP Ack flooding. These are also known as ‘computational’ attacks, since they often overload the compute capacity of network devices, such as routers and firewalls.

Application

Application attacks are those that target higher level protocols, the most frequently observed being HTTP GET floods, TLS renegotiation, and DNS queries. We make the distinction here between DNS reflection, whose aim is to flood the targets internet connection with query response traffic, and DNS queries, which are made directly to the target’s DNS infrastructure, with the aim of denying legitimate requests the ability to resolve domain names.

Multiple Vector

We use the term “multiple-vector” for attacks which leverage more than one of the above methods. More details on the specific combinations observed are mentioned in passing in the rest of the report. While many DDoS attacks use a single vector, these multiple-vector methods are becoming increasingly common.

2022 DDoS Insights

In 2022, we saw the overall number of attacks trend down a small amount, and saw a sharp rise in the number of Application layer attacks.

Trend 1: Overall DDoS Attacks Were Slightly Down

In 2022, we note a slight reduction (-9.7%) in the overall events observed from that of 2021, continuing a similar reduction in overall events between 2020 and 2021 (-3.5%). The number of events observed per quarter does not vary much. Q1 2022 was significantly less than the same quarter in the year before, with a 50.7% reduction (Figure 1).

This is perhaps attributable to the beginning of the Russian invasion of Ukraine. At that time, it was noted by several threat research firms that there was significant turmoil among various cybercriminal organizations, as they determined what their approach would be regarding the conflict, and which side, if any, they would align with. Resources were redirected, at least briefly, to support one side or the other of the conflict, and several large-scale DDoS attacks against both Russian and Ukrainian targets made the news. This may account for the drop in Q1 events we observed, but we can’t be sure. The overall drop from Q4 2021 to Q1 2022 was -25%.

Politically motivated attacks are ongoing – as this report was being written, widespread DDoS attacks against hospitals were being reported, and attributed to Killnet, a Russian-aligned group which has launched such attacks against several verticals since the war began. Please see the section “Is Killnet a Sign of Things to Come?” below for more details.

The level of attacks ramped back up to approximately normal levels in the following quarters, increasing an average of 30% quarter to quarter, and although the overall yearly totals were down, Q4 2022 showed the highest observed number of events in a single quarter across all three years. See Figure 1.