As mentioned in the 2018 Year in Review State of the Internet / Security report, trends in DDoS are remarkably stable. The size of the largest attacks has grown by approximately 6% on an annual basis, with occasional outliers like the Mirai botnet. The median size of attacks has been much more changeable, with cyclic growth and retreat on a two-year basis. Unfortunately, the ebb of DDoS is almost always higher than the previous high water mark.
But when trying to track DDoS growth and shrinkage, it's important to remember that records come and go. When adversaries discover new methods of attack, we often see a new peak in attack size, followed by a downshift as these attack methods are mitigated or taken down, or as contention for resources dilutes what each attacker can use. Good examples of this were the Mirai botnet and its aftermath, and the EUROPOL sweep targeting the DDoS marketplace.
When people think of DDoS attacks, they focus on the outliers, the massive Terabit attacks that generate headlines. But the smaller, more focused attacks can do just as much damage. More importantly, these smaller attacks are actually more common than their larger-scaled counterparts, as the graph below shows.
In the attack density map, the Y axis represents attack size and uses an exponential scale, where each major grid line is ten times larger than the previous one. Brighter dots indicate more attacks of a particular size, and darker dots indicate fewer. While some attacks hit really hard on volume, most attacks were around the 1 Gbps range. The lines show the overall trends of DDoS size by percentile: the 5th, 25th, 50th, 75th and 95th. In other words, the middle line (black) is the median, with half of attacks larger and half smaller. Similarly, the top line (dashed red) displays the point where 95% of all attacks are below that size.
Between January 2017 and January 2018, DDoS attack density grew 39.8%, from 560 Mbps to 783 Mbps, but looking at 2018 as a whole, things were completely different. Over 2018, we noticed a 97.7% growth rate in attack size, with a median in January of 0.56 Gbps ballooning to 1.548 Gbps by December.
Looking back, 95% of all of the DDoS attacks in January 2017 were under 4.19 Gbps. One year later, that number had climbed to 5.91 Gbps. By December 2018, 95% of all of the DDoS attacks observed were hitting businesses at 11.34 Gbps or less.
These evolving figures tell an interesting story to defenders, and pose a challenge. If they want to be protected to the same levels where at least 50% of their peers are, they'll need to focus on the 1.5 Gbps range. Organizations that rely on a stable web presence to survive will need to contend with attacks that can start at around 11 Gbps and grow from there, according to our recent trends. Even a few minutes of downtime at the wrong time can make the difference in a year's bottom line for some organizations.
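The percentile reasoning above can be checked against an organization's own attack records. The following is an added example, not code or data from the original report: the sample attack sizes are constructed, and the function names `percentile`, `monthly_percentiles` and `coverage` are hypothetical. It computes the same five percentile lines per month and shows how mitigation capacity sized to an earlier month's 95th percentile covers a smaller share of attacks later in the year.

```python
from collections import defaultdict

# Constructed sample: (month, peak attack size in Gbps). Not Akamai data.
ATTACKS = [
    ("2018-01", 0.2), ("2018-01", 0.4), ("2018-01", 0.6),
    ("2018-01", 1.0), ("2018-01", 4.0),
    ("2018-12", 0.5), ("2018-12", 1.0), ("2018-12", 1.5),
    ("2018-12", 3.0), ("2018-12", 12.0),
]

def percentile(sizes, p):
    """Linearly interpolated percentile (0 <= p <= 100) of attack sizes."""
    if not sizes:
        raise ValueError("no attacks in sample")
    s = sorted(sizes)
    rank = (len(s) - 1) * p / 100.0      # fractional index into sorted list
    lo = int(rank)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (rank - lo)

def monthly_percentiles(attacks, levels=(5, 25, 50, 75, 95)):
    """Return {month: {level: size_gbps}}, the lines drawn on the density map."""
    by_month = defaultdict(list)
    for month, gbps in attacks:
        by_month[month].append(gbps)
    return {m: {p: round(percentile(v, p), 3) for p in levels}
            for m, v in sorted(by_month.items())}

def coverage(attacks, capacity_gbps, month):
    """Share of that month's attacks at or below the given mitigation capacity."""
    sizes = [g for m, g in attacks if m == month]
    if not sizes:
        raise ValueError("no attacks recorded for " + month)
    return sum(g <= capacity_gbps for g in sizes) / len(sizes)

if __name__ == "__main__":
    lines = monthly_percentiles(ATTACKS)
    for month, levels in lines.items():
        print(month, levels)
    jan_p95 = lines["2018-01"][95]
    # Capacity sized to January's 95th percentile, re-evaluated in December.
    print("Dec coverage at Jan p95:", coverage(ATTACKS, jan_p95, "2018-12"))
```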
The graph above shows DDoS attack vectors by week, with peaks shooting to well over 300 attacks. It's important to remember that a single DDoS attack can include multiple vectors, hence the difference between the Top 10 Vectors plot and the DDoS Attacks by Week plot. For example, a single DDoS attack might use DNS, NTP and SSDP flooding. Akamai has seen attacks leverage common vectors, as well as uncommon ones such as IPMI (Intelligent Platform Management Interface) and IKE (Internet Key Exchange).
One of the largest attacks Akamai has ever witnessed against a customer happened in February 2018, when a software development company experienced a 1.35 Tbps DDoS attack using memcached UDP reflection.
Year over year, the number of DDoS attacks observed remains pretty consistent, with one notable exception. While Akamai normally sees a slight dip in attack numbers during Q1, the 10% drop in Q2 2018 is significant.
In April of 2018, EUROPOL coordinated the takedown of webstresser.org, arresting the administrators behind the DDoS marketplace, which was responsible for more than 4 million attacks by the time the website was forced offline. Webstresser.org was responsible for attacks against financial services, governments, and gamers.
Shortly after the EUROPOL actions, DDoS traffic dipped to record lows until early July, followed by a record peak on August 12, 2018. Once DDoS traffic returned to expected levels, the banking, finance, and education industries were popular targets, along with the gaming industry, which was the top target throughout the year.
We are about a month into 2019, and we'll make sure to keep you updated on how the DDoS trends are changing and shifting.