DDoS attacks more than doubled last year, hitting software and telecoms industries hardest
July 2024 by F5 Labs
New research from F5 Labs has found that DDoS (distributed denial-of-service) attacks came back with a vengeance last year after several years of decline.
F5 Labs’ 2024 DDoS Attack Trends report recorded 2,127 attacks in 2023, which is a 112% rise compared to 1,003 in 2022.
Analysis of incidents recorded via the F5 Distributed Cloud platform – combined with insights from F5’s Security Incident Response and Threat Analytics and Reporting teams – also showed that organisations faced an average of 11 attacks in 2023. The most targeted organisation was subject to 187 separate attacks during the year, including the largest single attack recorded by F5 Labs.
“Through a combination of geopolitical unrest, trivially exploited vulnerabilities, and the emergence of new botnets, denial of service incidents have exploded since our 2023 DDoS Attack Trends report in February 2023,” said David Warburton, director of F5 Labs. “Clearly, the threat from DDoS attacks is constantly evolving, and as this report shows it is also growing. In a volatile environment, there can be no room for complacency.”
According to F5 Labs’ analysis, attack sizes remained high throughout 2023, staying consistently above 100Gbps, with many over 500Gbps. February was the outlier, with the biggest attack of that month reaching less than 10Gbps.
“The early months of 2023 were defined by a major law enforcement operation undertaken by Europol and international partners in December 2022,” Warburton explained. “They intervened to shut down servers responsible for much DDoS activity, including one that had facilitated 30 million attacks. The impact of this was substantial but short-lived. After a notably quiet February, by March we observed the largest recorded attack of the year, and over the course of 2023 we saw DDoS attacks bounce back to higher levels of activity than before.”
Attacks change shape
DDoS attacks did not just vary in size: they also attacked different layers, from volumetric attacks that seek to consume network bandwidth, to protocol attacks that target networking devices, and application attacks that aim to consume available memory or CPU cycles.
In 2022, a clear trend had been visible: application layer attacks (including HTTP(S) floods and DNS queries) were growing, peaking at close to a 40% share of all attacks by Q1 of the 2023 calendar year.
However, over the course of 2023, that shift reversed: attacks targeting the application layer fell back to around 25% of all attacks, while both volumetric and protocol attacks increased their share.
This had a bearing on attack size. Those that target applications were notably clustered around the 50-200Mbps range, categorised as micro-DDoS attacks, while the other two attack categories have a much wider distribution that includes attacks up to, and including, 1Tbps.
Industries and geographies in the firing line
The sharp rise in DDoS activity hit certain industries particularly hard in 2023. Software and computer services remained the most targeted and experienced more than twice the number of attacks in 2023 as the previous year. The sector was the target of 37% of all attacks, although they were relatively small in size, peaking with a 200Gbps attack in November.
The biggest target was telecommunications, with companies in the industry being hit by a 655% increase in attacks last year, accounting for almost a quarter (23%) of all DDoS attacks recorded by F5 Labs in 2023.
The third-most targeted sector was support services, which accounted for 11% of total attacks. This sector was also subject to the largest recorded attack, which occurred in March and measured 1Tbps. In this instance, threat actors attempted to take down the affected organisation with a deluge of TCP SYN packets.
Media was another sector to experience a notable upsurge in attacks, highlighting DDoS’ shifting geopolitical dimensions. In a year where global tensions and conflict were rarely out of the headlines, F5 Labs recorded a 250% increase in denial of service attacks.
Just as relatively few sectors experienced the vast majority of attacks, attacks were also concentrated by country. Six nations – the United States, France, Saudi Arabia, Italy, Belgium and the United Kingdom – were subjected to 80% of all DDoS attacks last year. The US alone made up 38% of the total, with its organisations experiencing more than double the number of incidents as those in France, the second-most affected country.
The EMEA region as a whole endured 57% of all incidents in 2023, with incidents more than tripling compared to 2022. Throughout the year, there was a marked and consistent increase in both the quantity of attacks and their peak bandwidth. The mean peak bandwidth saw a dramatic rise from 50 Mbps in January to 5 Gbps by December. The largest attack occurred in June, measuring just under 500 Gbps.
“The DDoS landscape is more complicated than ever, as companies not only deal with a growing volume of attacks but also a range of activity that is not necessarily malicious, but which can result in denial of service – such as reseller bots attempting to purchase large amounts of inventory or web scrapers seeking to obtain product and pricing information,” said Warburton.
“While many of the attacks monitored may be small, mitigation can be complex and remains essential. The duration of a DDoS attack may be fleeting, but its impact on reputation can be long lasting. A managed service, monitored by experts who deal with DDoS attacks every day and backed by multi-terabit bandwidth capabilities, certainly offers the widest protection possible and can often be deployed with very little disruption. However, data privacy and compliance reasons may mean that organisations in some sectors need to retain at least an element of on-prem DDoS mitigation.”
For those that cannot wholly rely on a managed DDoS service, F5 Labs recommends deploying DNS firewalls, ensuring malicious IP addresses are blocked, and putting solutions in place to identify bots and non-human traffic.
In addition, the report emphasises the importance of safeguarding against new DoS attack vectors that often rely on unpatched software or hardware solutions. There is also an ongoing need to stay on top of geopolitical events. The F5 Labs report also emphasised that robust cyber threat intelligence is key to providing deeper insight into threat actor activity and their intentions for conducting DDoS and other cyber-attacks.