Defeating DDoS: Together we’re stronger

Mattias Fridström, Arelion

Our global Internet backbone, AS1299, gives us a unique perspective on the constantly evolving DDoS threat landscape, and the impact it’s having on the wider Internet. Every year we use our own network data to compile our DDoS Threat Landscape Report. This year, our report highlights the main global DDoS trends we observed in 2023 – from the overall network impact of DDoS and evolution of specific attack vectors to the significance of major social and geopolitical events in a cyberattack context.

So, what did we learn?

Enough to bring down larger networks

First, peak DDoS traffic is still increasing – up 18% from 2022 – and peak attacks continue to have a considerable impact – reaching 960Gbps in 2023. So far, so depressing. Attacks of this size are enough to bring down many larger networks, which demonstrates the continued importance of volumetric protection.

While we saw a global decrease in large volumetric DDoS attacks last year, we also noticed an increase in such attacks at a national level. We put this down to a combination of factors. One is the recent improvement in cooperation across our industry, which we wholeheartedly support and which has made it more difficult for large amplification attacks to succeed. Another is the enabling of anti-spoof filters, which has forced attackers to use a ‘direct path’ when exploiting their botnets. This is making attacks easier to detect and take down, forcing cyber criminals to be more selective in choosing attack resources.

Unfortunately, our study suggests that they are. An overall decline in packets-per-second is deceptive and indicates that hackers are increasingly working ‘smarter, not harder’. For example, as DNS amplification has improved, fewer packets-per-second are needed for an effective attack. Following steady growth over the past four years, DNS amplification was the most common type of attack in 2023, and by the end of the year, it constituted 80% of all attacks.

Geopolitical conflicts

We also found that attack duration is down, which sounds like good news but is tempered by the fact that larger, more intensive attacks over slightly shorter periods are equally serious, causing the same amount of damage overall. We think it likely that average duration is being dragged down by unsuccessful attacks being called off quicker, with resources then reassigned to more vulnerable targets.

These days, of course, many attacks are state sponsored, with cyber warfare now an established part of geopolitical conflict. Our study found a clear correlation between the ebb and flow of the ground war in Ukraine and attack trends, not only in Russia and Ukraine but also neighbouring countries such as Poland. Attack targets aren’t limited to military or state assets, but frequently threaten private enterprise networks, making resilient cyber-defences more vital than ever.

DDoS protection

Add these findings to the fact that cyberattacks keep evolving and peak attack traffic continues to grow, and it’s not hard to see why we’re convinced that protection against DDoS attacks is essential – and even a basic level of protection will mitigate the impact of abundant smaller attacks (complemented by reliable insurance cover for the larger ones).

While there will always be a need for network owners to invest in their own defences, protection at the backbone level remains a key part of an effective solution. For our part, we are committed to supporting our customers and the wider global Internet community by focusing on core network DDoS protection, which we believe to be a crucial contribution to the ongoing war of attrition against malicious DDoS traffic.

For more detailed information on the DDoS attacks described above, as well as insights into how they have evolved over the last year, download our DDoS Threat Landscape Report 2024.

Mattias Fridström, Chief Evangelist, Arelion