How many DDoS attacks per month?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.

The primary motivation behind DDoS attacks is disruption of services and operations for targeted organizations. The attacks flood bandwidth, overload servers and application resources, and prevent legitimate users from accessing websites, networks or applications. Service outages can lead to lost revenue, dissatisfied customers and damaged brand reputation for victims.

DDoS attacks have become increasingly common in recent years. According to Imperva, there was an average of 4 large-volume DDoS attacks per month in 2022, an 81% increase from the previous year. As methods and tools for carrying out attacks proliferate, DDoS incidents are on the rise in both frequency and scale. Defending against them remains an ongoing challenge for businesses and organizations.

History of DDoS Attacks

DDoS attacks first emerged in the 1990s as the internet was growing rapidly. One of the earliest known DDoS attacks occurred in 1996 against Panix, an internet service provider based in New York. According to the SENKI DDoS Attack Preparation Workbook, hackers used a SYN flood attack against Panix by spoofing the IP address of the source of the attack, making it difficult to block.

Another major early DDoS attack occurred in 1999 against the University of Minnesota, which affected networks across 14 countries. According to Wikipedia, this attack reached a peak bandwidth of about 900 Mbps and demonstrated the ability of distributed attacks to generate huge amounts of traffic from multiple sources.

In the early 2000s, some of the largest DDoS attacks targeted high-profile companies such as Amazon, eBay, and Yahoo. These attacks showed how DDoS could be used to cause major disruption to prominent online businesses and services.

Motivations for DDoS Attacks

There are several different motivations behind DDoS attacks. Some of the most common include:

Political Motivations

DDoS attacks are sometimes used to make political statements or promote political causes. Hacktivist groups like Anonymous have launched DDoS attacks against organizations they disagree with politically (Source: https://www.pentasecurity.com/blog/ddos-top-6-hackers-attack/). By taking down websites or services, the attackers draw attention to their cause.

Criminal Motivations

Cybercriminals sometimes use DDoS attacks as a distraction or smokescreen when carrying out other illegal activities like data theft. The DDoS overload makes it harder for the victim organization to notice the data exfiltration. Ransomware attackers may also launch DDoS attacks on backup servers or infrastructure to maximize damage (Source: https://businessdegrees.uab.edu/blog/ddos-attacks-what-they-are-and-what-they-can-do/).

Personal Motivations

Disgruntled employees or customers with a personal grudge may initiate DDoS attacks just to cause disruption and damage to the target organization. Personal vendettas are a common motive in DDoS extortion schemes as well (Source: https://sucuri.net/guides/what-is-a-ddos-attack/).

Recent Major DDoS Attacks

In recent years, there have been several major and highly disruptive DDoS attacks that made headlines across the cybersecurity industry. These high-profile attacks demonstrate the increasing scale and impact of modern DDoS campaigns.

In February 2022, a massive DDoS attack struck AWS infrastructure, reaching a peak of 2.3 Tbps and causing issues for many AWS customers. This attack set the record at the time for the largest amount of traffic from a DDoS attack.

Perhaps the most disruptive DDoS attack came in October 2016, when the Mirai botnet was used to overwhelm DNS provider Dyn with malicious traffic. This massive DDoS attack impacted major sites and services like Twitter, Netflix, Spotify, Reddit, and others.

In June 2022, Cloudflare mitigated a DDoS attack peaking at 65 million requests per second against an unnamed Cloudflare customer in the financial services industry. This highlighted the growing DDoS threat to the finance sector.

These major attacks all used botnet armies to overwhelm targets with junk traffic. They show how DDoS tactics and capabilities continue to evolve to greater scales and sophistication.

Attacks by Year

DDoS attacks have been growing in frequency and size over the past several years. According to Radware’s 2022 report, the number of DDoS attacks increased by 150% from 2021 to 2022. In 2021, there was an average of 957 DDoS attacks per week globally. This jumped to 2,416 attacks per week in 2022, more than double the previous year.

The largest year-over-year increase was from 2019 to 2020, when the number of DDoS attacks grew by 223%. This massive spike in 2020 was likely due to the COVID-19 pandemic, as cybercriminals took advantage of remote workforces and increased internet usage during lockdowns. Since 2020, the growth rate has slowed, but attacks continue to rise each year. Comparitech predicts the number of DDoS attacks per year will surpass 15 million globally in 2024, up from around 10.4 million in 2021.

DDoS attacks are also increasing in size and duration. According to Radware, the average attack bandwidth jumped 86% from 2020 to 2021 and rose another 28% from 2021 to 2022. As attack sophistication grows, organizations must continue strengthening their DDoS defenses each year.

Attacks by Industry

According to the DDoS threat report for 2023 Q4, the cryptocurrency industry suffered the highest volume of DDoS attack traffic in Q4 2023, with over 330 billion HTTP requests directed at it. The gaming industry came second, followed by finance and then software/technology.

Looking at the previous quarter, Q3 2023, the top attacked industries by volume were finance, cryptocurrency, and then technology, according to Cloudflare’s report. The gaming industry jumped to fourth place in Q3 from sixth place in Q2.

Over the years, these industries involving online transactions, gaming, and digital assets have consistently been among the top targets for DDoS attacks. The motives typically involve extortion, disruption of operations, or unfair competitive advantages.

Largest DDoS Attacks

There have been several record-breaking DDoS attacks over the years as attack sizes continue to grow. Some of the largest include:

In February 2020, Amazon Web Services (AWS) mitigated a 2.3 Tbps DDoS attack, the largest attack ever reported at that time according to Google Cloud. The attack originated from approximately 2,000 IPs.

In August 2020, Google blocked a DDoS attack peaking at 46 million requests per second (RPS), the largest attack ever reported on Google Cloud. According to Cloudflare, this translated to roughly 1.7 Tbps.

In June 2021, Cloudflare mitigated a 17.2 million RPS HTTP DDoS attack, one of the largest network layer attacks ever reported. At its peak, the attack reached 5.4 million RPS from over 15,000 bots.

Attacks by Type

DDoS attacks can be categorized into three main types based on the layer they target: volumetric, protocol, and application layer attacks (Imperva).

Volumetric Attacks: These attacks aim to flood the network layer with a substantial amount of seemingly legitimate traffic. Examples include UDP floods, ICMP floods, and SYN floods. Volumetric attacks can exhaust bandwidth capacity and overwhelm infrastructure. They are one of the most common DDoS attack types (Cloudflare).

Protocol Attacks: These attacks target vulnerabilities at the network layer protocol level. Examples are Ping of Death, Smurf, and SYN flood attacks. By sending malformed packets, protocol attacks exploit weaknesses in the TCP/IP communication processes.

Application Layer Attacks: These attacks target web application layer resources and can be difficult to detect. Examples include HTTP request flooding, slowloris, and GET/POST attacks. Application layer attacks focus on disrupting the logic of applications.

Defending Against DDoS

There are several strategies and tools available to help defend against DDoS attacks. Some common mitigation methods include:

Restricting traffic to specific locations – This can be done by blocking IP addresses or traffic from certain geographic regions using firewall rules and access control lists. According to Cloudflare, restricting traffic makes it more difficult for an attacker to overwhelm resources with requests from unknown sources (https://www.cloudflare.com/learning/ddos/how-to-prevent-ddos-attacks/).

Implementing a load balancer – Load balancers distribute traffic across multiple servers, which makes it harder for attackers to overwhelm a single target. Load balancers can detect DDoS attacks by monitoring for spikes in traffic and can redirect bad traffic or employ other mitigation strategies (https://aws.amazon.com/shield/ddos-attack-protection/).

Using DDoS protection services – There are services like Cloudflare and AWS Shield that monitor traffic patterns to detect anomalies indicative of DDoS attacks. They can filter out bad traffic before it reaches websites or applications. These services use distributed networks of data centers to absorb and disperse attack traffic.

Blocking traffic from known bad IP addresses – Blacklists of IP addresses known to propagate DDoS attacks can help block malicious traffic. Solutions like Arbor Networks provide regularly updated lists of IPs linked to botnets, malware, and prior attacks.

Overprovisioning bandwidth and resources – Having extra capacity makes it easier to absorb spikes in traffic from DDoS assaults. This won’t completely mitigate attacks but can reduce impact.

Many tools and techniques exist for defending against DDoS, though attacks are always evolving. A layered security approach using both automated solutions and expert monitoring provides optimal protection.
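
Two of the mitigations above, blocking known bad IP addresses and detecting traffic spikes against a baseline, can be sketched in a few lines. This is an added example, not code from the original page or from any vendor named in it; the function names, thresholds, blocklist entries and sample traffic are all constructed for illustration.

```python
import ipaddress
from collections import Counter, deque

# Constructed blocklist (RFC 5737 documentation ranges), standing in for a real feed.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]

def is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)

class SpikeDetector:
    """Flags a second whose request count exceeds `factor` times the mean of
    the previous `window` seconds, with an absolute floor for quiet sites."""
    def __init__(self, window=5, factor=3.0, floor=20):
        self.history = deque(maxlen=window)
        self.factor, self.floor = factor, floor

    def observe(self, count):
        full = len(self.history) == self.history.maxlen
        baseline = sum(self.history) / len(self.history) if full else 0.0
        spike = full and count > max(self.floor, self.factor * baseline)
        if not spike:  # keep attack traffic out of the baseline
            self.history.append(count)
        return spike

def analyze(events):
    """events: (second, source_ip) pairs -> (dropped, [(second, total, top_source)])."""
    detector, per_second, dropped = SpikeDetector(), {}, 0
    for ts, ip in events:
        if is_blocked(ip):  # blocklisted sources never reach the counters
            dropped += 1
            continue
        per_second.setdefault(ts, Counter())[ip] += 1
    alerts = []
    for ts in range(min(per_second, default=0), max(per_second, default=-1) + 1):
        sources = per_second.get(ts, Counter())
        total = sum(sources.values())
        if detector.observe(total):
            alerts.append((ts, total, sources.most_common(1)[0][0]))
    return dropped, alerts

def sample_events():
    """Constructed traffic: steady clients, a blocklisted source, then a burst."""
    events = [(s, f"192.0.2.{c}") for s in range(7) for c in range(1, 11)]
    events += [(2, "203.0.113.9")] * 4 + [(6, "192.0.2.200")] * 90
    return events

if __name__ == "__main__":
    print(analyze(sample_events()))
```

Because a flagged second is not added to the history, a sustained flood cannot gradually raise the baseline and hide itself.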

The Future of DDoS

Experts project that DDoS attacks will continue to evolve and grow more complex. According to a report by F5 Labs, despite an overall decline in attacks in 2022, DDoS remains a significant threat that is likely to increase in the future [1]. Attackers are innovating new DDoS techniques using emerging technologies like AI and cloud infrastructure.

One concerning trend is the rise in ransom-based DDoS extortion threats. Attackers send an organization a ransom demand, threatening to hit them with a massive DDoS attack if they do not pay up. These extortion schemes are becoming more persuasive with the help of research and reconnaissance. Attackers can now demonstrate their capabilities ahead of issuing demands.

Experts also predict growth in DDoS attacks abusing web APIs and IoT botnets. As more devices connect to the internet, from cars to smart home tech, attackers are weaponizing insecure IoT devices into massive botnets capable of overwhelming bandwidth. Meanwhile, application-layer attacks target APIs with nuanced application traffic to evade defenses.

To combat these threats, organizations must implement layered DDoS protection across networks, applications, DNS, origin servers, and more. As attacks continue to evolve, proactive threat intelligence and innovative mitigation techniques will become critical for the future of DDoS defense.