News overview
Cybercriminals are constantly on the lookout for means and methods to make attacks more destructive. In Q4 2020, Citrix ADC (application delivery controller) devices became one such tool, when perpetrators abused their DTLS interface. The DTLS (Datagram Transport Layer Security) protocol is used to establish secure connections over UDP, through which most DNS queries, as well as audio and video traffic, are sent. To amplify the attack, the attackers sent requests to devices with the DTLS interface enabled, spoofing victims’ IP addresses. Consequently, the victims received reply packets several times larger in size. In the case of Citrix devices, the amount of junk traffic could increase by up to 36 times. After the attacks came to light, the manufacturer promptly released a firmware update for configuring verification of incoming requests. For those who do not use DTLS, it is recommended to simply disable this protocol.
Another notable attack in December targeted the website Bitcoin.org, which hosts Bitcoin Core, one of the most widely used software versions of bitcoin. While the resource was down, cryptocurrency newbies were invited to download a copy of Bitcoin Core via a torrenting service. Most likely, the attack is related to the bitcoin price, which has steadily risen over the past quarter. According to one of the developers behind Bitcoin.org, the site is always hit whenever bitcoin is on the up.
Overall, Q4 remained within the parameters of 2020 trends. Cybercriminals used the names of well-known APT groups to intimidate victims, demanded ransoms in cryptocurrency, and carried out demonstration attacks to back up their threats. Extortionists’ activity regularly made the news throughout 2020. In October, telecommunications firm Telenor Norway was another to fall victim.
Since the transition of schools and universities to remote learning, cybercriminals have tried to disrupt classes by flooding educational platforms with garbage traffic. This trend continued in the last months of 2020. In October, schools in Sandwich and Tyngsboro, Massachusetts, suffered network outages. In both cases, the institutions initially put the incident down to technical failure, and only later discovered the attack. In December, Canada’s Laurentian University reported a DDoS attack. But it dealt with the problem in a matter of minutes. Still, such attacks by year’s end were serious enough for the FBI to flag them in its December advisory as a major threat to teaching facilities. Educational institutions are recommended to use anti-DDoS solutions and strong firewall settings, and partner up with ISPs.
Gaming platforms didn’t escape cybercriminal attention either. According to ZDNet, Xbox and Steam were the targets of amplification attacks through Citrix devices. In early October, a DDoS attack was reported by the PUBG Mobile team.
Dear players,
The PUBG MOBILE team are currently actively working to resolve the DDoS attacks against our systems and the new hacking issues. For information, please check out here: https://t.co/DMYsxWTlCc
— PUBG MOBILE (@PUBGMOBILE) October 3, 2020
And Blizzard’s European servers were hit by threat actors twice in the quarter.
We are currently experiencing a DDoS attack, which may result in high latency and disconnections for some players. We are actively working to mitigate this issue #BlizzCS
— Blizzard CS EU (@BlizzardCSEU_EN) October 2, 2020
In late December, several dozen top streamers planned to celebrate the end of 2020 playing through Rust all on the same server. The show failed at the first attempt, apparently due to a DDoS attack, although there is no reliable data on this. Given the hype surrounding the event, it may have been caused by an influx of fans tuning in. In 2020, when much of life shifted online, internet resources repeatedly suffered from surges in totally legitimate activity.
As for the fightback, the most notable Q4 event was the conviction of a former Apophis Squad member responsible for a string of DDoS attacks, including for ransom, as well as for disrupting school classes worldwide through fake bomb alerts, and for storing child pornography. For his efforts, the perpetrator was sentenced to eight years in prison.
The resistance against individual attack vectors also continues. The Internet Engineering Task Force (IETF) published a proposal for Network Time Security (NTS), a secure standard for data transmission over the Network Time Protocol (NTP), which is used to synchronize time across a network. The document addresses, in particular, the problem of DDoS amplification through this protocol and prohibits the sending, in response to a request, of data packets larger than the request packet.
Quarter and year trends
This time, our forecasts came true exactly 50%: as expected, in Q4 2020 we observed indicators comparable to those for the same period in 2019, and even slightly higher. However, growth relative to Q3 2020, which we predicted as a possible alternative, did not occur. On the contrary, the total number of attacks fell by about 30%, and smart attacks by 10%.
Comparative number of DDoS attacks, Q3/Q4 2020 and Q4 2019; data for Q4 2019 is taken as 100% (download)
All the same, the qualitative indicators are noteworthy: the share of smart attacks increased slightly in Q4, and the data on attack duration showed a downward trend for short attacks and an upward trend for long ones.
Share of smart attacks, Q3/Q4 2020 and Q4 2019 (download)
Duration of DDoS attacks, Q3/Q4 2020 and Q4 2019; data for Q4 2019 is taken as 100% (download)
The drop in the number of DDoS attacks can be explained by growth in the cryptocurrency market. We already mentioned several times, including in the previous report, the inverse relationship between DDoS activity and the price of cryptocurrencies. When we made our Q4 forecasts, hardly anyone expected such rapid, frankly unprecedented growth. Unsurprisingly, then, botnet operators turned some of their capacity over to mining.
Interestingly, the noticeable fall in the number of DDoS attacks compared to the previous quarter came at the expense of easy-to-organize attacks, while smart attacks declined only insignificantly. This is perfectly logical: it is unprofitable for botnet operators to sell capacity on the cheap, losing out on mining profits; so when prices rise, the first to be cut loose are amateurs — schoolkids, prankers, hotheads — who have no real reason to organize a DDoS. As for professionals, their interests are undented by market fluctuations, especially in Q4 with its many holidays and online sales, so they continue to order and carry out attacks, and mostly smart ones, because they are focused on the result, not the attempt.
What Q1 2021 will bring is hard to say. However, we are becoming increasingly convinced that the DDoS market has stopped growing, having completely stabilized after the decline in 2018. The current fluctuations are mainly due to the dynamics of cryptocurrency prices, and will depend directly on them going forward. If cryptocurrencies begin to fall in price in Q1 2021, the number of DDoS attacks will rise, and vice versa. At the same time, we do not expect to see any explosive growth or dramatic fall. Barring the unexpected (although the unexpected was the name of the game last year), DDoS market fluctuations will remain within 30%.
Comparative number of DDoS attacks, 2019 and 2020; data for 2019 is taken as 100% (download)
As for the results of 2020 as a whole, the market slightly less than doubled over the year. Note that this growth is purely quantitative: the share of smart attacks remained practically unchanged.
Share of smart attacks, 2019 and 2020 (download)
The attack duration data is of particular interest. In 2020, the average duration decreased by roughly a third, while the maximum increased noticeably overall, despite remaining almost on a par with last year in the case of smart attacks. This suggests that short attacks are getting shorter and long ones longer; we saw a similar trend in Q4. Although the reasons are hard to pinpoint, we can assume, as with every other trend last year, that it is related to the pandemic, the serious global instability and the eruptive growth in the cryptocurrency market. The DDoS market is changing under the influence of these factors, as too are the targets of attacks and those who order them, and with them the average attack duration.
Duration of DDoS attacks, 2019 and 2020; data for 2019 is taken as 100% (download)
Statistics
Methodology
Kaspersky has a long history of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.
A part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes commands received by bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.
This report contains DDoS Intelligence statistics for Q4 2020.
In the context of this report, the incident is counted as a single DDoS-attack only if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.
The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.
DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.
Note that Q4 2020 saw a rise in the number of botnets whose activity is included in the DDoS Intelligence statistics. This may be reflected in the data presented in this report.
Quarter summary
- In Q4, as before, China (58.95%), the US (20.98%) and Hong Kong (3.55%) led the pack by number of DDoS attacks.
- Ditto the TOP 3 regions by number of targets: China (44.49%), the US (23.57%) and Hong Kong (7.20%).
- On the “quietest” days, the number of DDoS attacks did not exceed one per day.
- The most active day of the quarter in terms of DDoS was December 31, which recorded 1,349 attacks.
- The most DDoS attacks this quarter we saw on Thursdays, and the fewest on Sundays.
- The shares of very short attacks (71.63%) and very long attacks (0.14%) decreased in Q4, while the shares of all intermediate categories increased.
- Q4 reshuffled the distribution of DDoS attacks by type: UDP flooding returned to second place (15.17%), and GRE flooding, previously unmentioned in our reports, became the fourth most common (0.69%).
- Linux botnets were used in almost 100% of attacks.
- The majority of botnet C&C servers were located in the US (36.30%), the Netherlands (19.18%) and Germany (8.22%).
Attack geography
The TOP 3 countries by number of DDoS attacks in Q4 2020 remained the same as in the previous reporting period. China is still top (58.95%), but its share fell by 12.25 p.p. Second place goes to the US (20.98%), whose share, in contrast, climbed by 5.68 p.p. A similar pattern — a decline in China’s and an increase in the US share against Q3 — we also observed in the last three months of 2019.
Despite losing 0.92 p.p., the Hong Kong Special Administrative Region (3.55%) clung on to third place, which it has not vacated since the beginning of 2020. This is where the similarity with the Q3 picture ends: Singapore, fourth in the last reporting period, dropped out of the TOP 10. It was replaced by the UK (1.99%), which gained 1.72 p.p.
The fifth line is occupied by South Africa (1.31%), displacing Australia (0.97%), which dropped to seventh, despite increasing its share by 0.32 p.p.; Canada (1.04%) ranked sixth after missing out on the TOP 10 in Q3.
The Netherlands moved down one position to eighth (0.86%). India and Vietnam, like Singapore, left the TOP 10. The ranking is rounded out by Germany (0.71%) and France (0.64%), which both fell short of the Q3 TOP 10.
Distribution of DDoS attacks by country, Q3 and Q4 2020 (download)
The TOP 10 countries list by number of DDoS targets is traditionally similar to the ranking by number of attacks. The three leaders are the same: ahead is China (44.49%), whose share decreased by 28.34 p.p., but remains unchallenged. Second is the US (23.57%), whose share increased by 7.82 p.p., and in third place is Hong Kong, adding 7.20%.
South Africa failed to make the TOP 10 by number of targets, but not Singapore (2.21%), despite dropping out of the ranking by number of attacks. While its share increased by 1.74 p.p., it lost ground relative to Q3 and moved down to fifth place. This is because all the TOP 10 countries, except China, increased their share. For instance, the fourth-placed Netherlands (4.34%) grew by 4.07 p.p.
As for countries lower down, only their order of appearance distinguishes this list from the ranking by number of attacks. Canada (1.97%) outstrips the UK (1.77%), while Australia (1.29%) places last, behind France (1.73%) and Germany (1.62%).
Distribution of unique DDoS-attack targets by country, Q3 and Q4 2020 (download)
Dynamics of the number of DDoS attacks
As expected, Q4 was more turbulent than its predecessor. The start of the reporting period was quite calm: on October 3–6, we observed only one attack per day. However, come October 20, 347 attacks were recorded, which exceeds the Q3 maximum (323 attacks in one day). In late October and November, DDoS activity fluctuated between close to zero and 200 attacks per day.
The last days of November saw the start of significant growth, which continued through quarter’s end, most likely due to the increase in the number of botnets monitored by Kaspersky, as well as the Christmas and New Year vacations, the runup to which is usually accompanied by a spike in cybercriminal activity. The overall rise in online shopping (holiday-related and other) probably also played a role. The hottest day in terms of DDoS this quarter was December 31, with 1,349 attacks recorded worldwide.
Dynamics of the number of DDoS attacks, Q4 2020 (download)
In Q4, Thursday remained the most active day of the week (17.67%), although its share dropped by 1.35 p.p. against the previous quarter. But the title of quietest day changed hands again: this time, cybercriminals preferred to put their feet up on Sundays (11.19%). What’s more, the spread in the number of attacks on “calm” and “stormy” days narrowed to 6.48 p.p., down from almost 9 p.p. last quarter. In the last three months of the year, the number of attacks conducted on Tuesdays, Wednesdays and Fridays increased, and for other weekdays, decreased.
Distribution of DDoS attacks by day of the week, Q3 and Q4 2020 (download)
Duration and types of DDoS attacks
The average duration of DDoS attacks in Q4 increased relative to the previous reporting period. This can be attributed to the significant decline in the share of very short attacks lasting under four hours (71.62% versus 91.06% in Q3), as well as the increase in the number of longer attacks. Specifically, the share of attacks lasting 5–9 (11.78%), 10–19 (8.40%), 20–49 (6.10%), 50–99 (1.86%) and 100–139 (0.10%) hours increased this quarter.
In contrast, the share of ultra-long attacks decreased by 0.09 p.p. to 0.14%, yet remained higher than the share of attacks lasting 100–139 hours, while the duration of the longest attack exceeded 12 days (302 hours), which is noticeably longer than the Q3 maximum (246 hours).
Distribution of DDoS attacks by duration (hours), Q3 and Q4 2020 (download)
The distribution of DDoS attacks by type changed dramatically in Q4. The lead is still held by SYN flooding, but its share fell by 16.31 p.p. to 78.28%. Meanwhile, the share of UDP flooding shot up (15.17%), having been under 2% in the first three quarters. TCP attacks (5.47%) also increased in number, but ICMP flooding, previously ranked second after SYN attacks, was negligible in Q4, so we did not include it in the statistics.
Instead, a type of attack previously unmentioned in our reports, GRE flooding (0.69%), showed up on the Q4 radar. GRE (Generic Routing Encapsulation) is a traffic-tunneling protocol used primarily for creating virtual private networks (VPNs). GRE flooding was employed, for instance, by the Mirai botnet to attack the blog of journalist Brian Krebs in 2016.
Distribution of DDoS attacks by type, Q4 2020 (download)
This quarter, for the first time since our observations began, the share of Windows botnets fell to almost zero (0.20%). Almost all recorded DDoS attacks were carried out using Linux-based bots.
Ratio of Windows/Linux botnet attacks, Q3 and Q4 2020 (download)
Botnet distribution by country
The bulk of C&C servers in control of DDoS botnets in Q4 2020 were located in the US, which accounted for 36.30% of the total number of servers. In second place was the Netherlands with a 19.18% slice. Germany completes the TOP 3 with 8.22%.
Romania came fourth by number of C&C servers (4.79%), while fifth and sixth positions were shared by France and the UK, both on 4.11%. This quarter’s seventh-, eighth- and ninth-ranking countries likewise had the same share: Canada, Hungary and Vietnam all posted 3.42%. China (2.05%) wraps up the TOP 10 countries by number of recorded botnet C&C servers.
Distribution of botnet C&C servers by country, Q4 2020 (download)
Conclusion
Q4 was both ordinary and extraordinary. On the one hand, there were no unexpected changes in the geographical distribution of DDoS attacks and targets; on the other, the distribution by attack type shifted radically: the share of UDP flooding was up; ICMP attacks were displaced by GRE flooding. In addition, for the first time in our observation history, Linux botnets have almost totally captured the DDoS market.
We would very much like to see the data for an alternative 2020 — one with no pandemic, no dramatic cryptocurrency growth, no shocks to the DDoS market. The coronavirus outbreak spurred the market (see our Q1 and Q2 reports), while the cryptocurrency upswing curbed it (see our Q3 report). Perhaps these opposing forces ultimately canceled each other out, and the picture would have been similar without them, but in 2020 they combined to create a perfect storm on the DDoS market, blowing half of our predictions off course.
It is hard to guess what to expect in 2021 — we cannot predict how the pandemic or cryptocurrency prices will behave. Therefore, our forecast is very tentative: no sharp shocks will equal little change on the DDoS market. We see no preconditions for major growth or decline, both in Q1 and throughout 2021. The watchword is stability, which is what we expect.