Omer Yoachimik and Vivek Ganti from Cloudflare published a blog post about network-layer DDoS attack trends for Q3 2020, covering attacks on Cloudflare. DDoS attacks are surging in both frequency and sophistication, and the total number of network-layer attacks observed in Q3 doubled again. Compared to the pre-COVID levels in the first quarter, the number of network-layer attacks quadrupled.
Network layer DDoS trends in Q3
While SYN, RST, and UDP floods continue to dominate the landscape, Cloudflare discovered an explosion in protocol-specific attacks such as mDNS, Memcached, and Jenkins DoS attacks. The majority of the attacks that cause service disruptions are under 500 Mbps and 1 Mpps. The researchers also estimated that most attacks will continue to be under 1 hour in duration. In addition, ransom-driven DDoS attacks (RDDoS) are on the rise as groups claiming to be Fancy Bear, Cozy Bear and the Lazarus Group extort organizations around the world.
Month by month, September witnessed the largest number of attacks overall, while August saw the largest attacks. Ninety-one percent of large attacks in Q3 took place in August. While the total number of attacks between 200-300 Gbps decreased in September, Cloudflare saw more global attacks on its network in Q3.
In early July, Cloudflare faced one of the largest-ever attacks on its network, generated by Moobot, a Mirai-based botnet. “The attack peaked at 654 Gbps and originated from 18,705 unique IP addresses, each believed to be a Moobot-infected IoT device. The attack campaign lasted nearly 10 days, but the customer was protected by Cloudflare, so they observed no downtime or service degradation,” the blog post states.
The data shows that small attacks of under 500 Mbps are often sufficient to create major disruptions for Internet properties that are not protected by a cloud-based DDoS protection service. Many organizations have uplinks provided by their ISPs that are far less than 1 Gbps, so these small DDoS attacks can easily take down their Internet properties.
SYN floods constituted nearly 65% of all attacks observed in Q3, followed by RST floods and UDP floods. TCP-based attacks like SYN and RST floods continue to be popular. UDP protocol-specific attacks like mDNS, Memcached, and Jenkins are the top emerging attack vectors.
Multicast DNS (mDNS) is a UDP-based protocol that is used in local networks for service/device discovery. In second and third place among the most popular emerging attacks are Memcached and Jenkins attacks. Looking at the country-based distribution, the United States observed the largest number of L3/4 DDoS attacks, followed by Germany and Australia.