2022 Application Protection Report: DDoS Attack Trends | F5 Labs


The sector with the largest single attack in 2021, however, was ISP/Hosting, which saw attacks peak at 1.4 Tbps.

Where DDoS Attacks Come From

Denial-of-service attacks are most frequently launched from compromised servers or consumer devices, such as Internet-of-Things (IoT) products and broadband routers.

In producing this report, we made use of data not only from F5’s Silverline DDoS scrubbing service but also attack data captured by our partner Effluxio. What we discovered was a fascinating attack campaign targeting a well-known consumer router brand. This research is ongoing and will feature in an upcoming article.

Conclusions and Considerations

Despite a small drop in the number of attacks in 2021 compared with 2020, DDoS attacks are not abating. Far from it. They are growing in both size and complexity. Attackers are using volumetric network denial-of-service (T1498) attacks to mask the more complex protocol and application endpoint (T1499) techniques.

With many DDoS attacks lasting less than an hour, and some only a few minutes, it is reasonable to question the efficacy and, therefore, the motivation of attackers. But threat actors know that even a short interruption to a service can have dramatic consequences. A well-timed attack could interrupt a timed product launch, disrupt ticket sales, and impact brand and reputation. Alternatively, a short-lived but high-bandwidth attack could cause the victim to incur a large network bill from their cloud or hosting provider.

Beyond this, the motivation behind DDoS attacks remains varied. Nation-states continue to use these to taunt political adversaries and attack their critical national infrastructure, while students take out petty grudges against educational institutions. Organized crime groups make widespread use of denial-of-service attacks to threaten and extort their targets. Criminals use the threat of DDoS attacks to extort a ransom from their victims as well as to further harass the subject of an ongoing ransomware attack.

Today, denial-of-service attacks can be mitigated by using a DDoS mitigation service. Risk cannot be fully off-loaded, however, and so a truly effective solution will involve the use of a managed service working in close collaboration with internal application and network security teams. The “Recommended Mitigations” section that follows goes into more detail about how each control can help against differing DDoS attack techniques.

The MITRE ATT&CK framework has an extremely short list of recommended mitigations to control DDoS attacks. In fact, it has only one:

Filter Network Traffic (M1037)

The crux of this control is to prevent malicious traffic from reaching your network, devices, or services before it can do any harm. Typically, this requires upstream controls which make use of ISPs, cloud security services, or content delivery networks to inspect and limit the amount of traffic that reaches the endpoints (web servers).

Despite using the term network, this mitigation method refers to the identification, inspection, and control of not just network packets but application traffic too. To do this effectively, it is important to understand your web app and APIs. Which web pages or database queries cause heavy CPU or memory utilization? A worthy DDoS cloud-scrubbing service should be able to automatically detect increased latency to back-end services and apply controls, such as rate limiting, CAPTCHA enforcement, or IP address–based blocking. However, having a deep understanding of your application will allow for fine-tuned controls that will limit the impact to legitimate customers.

The following technical/preventive security controls are recommended to protect against DDoS attacks:

  • Implement DDoS protection using an on-premises solution, DDoS scrubbing service, or hybrid.
  • Use both network and web application firewalls.
  • Use antivirus solutions to curb malware infections.
  • Use a network-based intrusion-detection system.
  • Apply patches promptly.
  • Block traffic with spoofed source IP addresses.
  • Use rate limiting to restrict the volume of incoming traffic.
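
One way to apply the application-aware rate limiting described above, as an added example that is not part of the F5 Labs report: a per-client token bucket in which CPU- or database-heavy endpoints cost more tokens than ordinary pages, so a flood against an expensive endpoint is throttled early while normal browsing is unaffected. The paths, costs, limits and IP addresses (documentation ranges) are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed cost table (assumption): heavy endpoints cost more tokens.
ENDPOINT_COST = {"/search": 5.0, "/report/export": 10.0}
DEFAULT_COST = 1.0

@dataclass
class Bucket:
    tokens: float
    last_seen: float

class CostWeightedLimiter:
    """Token bucket per client IP; each request spends its endpoint's cost."""
    def __init__(self, capacity=20.0, refill_per_sec=2.0, idle_ttl=300.0):
        self.capacity, self.refill_per_sec = capacity, refill_per_sec
        self.idle_ttl, self.buckets = idle_ttl, {}

    def allow(self, client_ip, path, now):
        cost = ENDPOINT_COST.get(path, DEFAULT_COST)
        b = self.buckets.setdefault(client_ip, Bucket(self.capacity, now))
        # Refill for elapsed time, capped at capacity to bound burst size.
        elapsed = max(0.0, now - b.last_seen)
        b.tokens = min(self.capacity, b.tokens + elapsed * self.refill_per_sec)
        b.last_seen = now
        if b.tokens < cost:
            return False  # caller answers 429 or escalates to a CAPTCHA
        b.tokens -= cost
        return True

    def evict_idle(self, now):
        """Drop idle buckets so many distinct source IPs cannot exhaust memory."""
        stale = [ip for ip, b in self.buckets.items()
                 if now - b.last_seen > self.idle_ttl]
        for ip in stale:
            del self.buckets[ip]
        return len(stale)

def replay(limiter, events):
    """Feed (timestamp, ip, path) tuples through the limiter; tally per IP."""
    counts = {}
    for ts, ip, path in events:
        tally = counts.setdefault(ip, {"allowed": 0, "denied": 0})
        tally["allowed" if limiter.allow(ip, path, ts) else "denied"] += 1
    return counts

# Constructed traffic: one client hits the costly export endpoint every
# 100 ms; one ordinary visitor loads a page once per second.
SAMPLE_EVENTS = [(i / 10, "198.51.100.7", "/report/export") for i in range(10)]
SAMPLE_EVENTS += [(float(i), "203.0.113.10", "/") for i in range(5)]
```

Behind a proxy or CDN, key the bucket on the client address reported by the trusted upstream rather than on the TCP peer address.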


