Distributed denial-of-service (DDoS) attacks have become a major threat in recent years. These attacks attempt to overwhelm websites and online services by flooding them with fake traffic from a botnet of infected devices. DDoS attacks can be very disruptive, causing targeted sites and services to become unavailable. Given the potential impact of these attacks, many organizations are interested in understanding the current DDoS threat landscape – including how frequently these attacks occur. In this article, we will provide an overview of the available data on the number of DDoS attacks per month.
- How many DDoS attacks occur globally each month?
- Has the number of attacks been increasing or decreasing over time?
- Which industries and regions are most targeted?
- What are the patterns and trends in DDoS attack frequency?
By examining data from cybersecurity firms that monitor and mitigate DDoS attacks, we can develop a profile of the current DDoS threat landscape. Understanding the frequency and distribution of these disruptive attacks is key for organizations looking to defend themselves.
Global DDoS Attack Frequency
Cybersecurity firms that operate DDoS protection services have visibility into global attack trends based on the incidents they mitigate for clients. Analysis of this data can provide approximate numbers for how many DDoS attacks are occurring worldwide each month.
According to Neustar, a cybersecurity firm, the number of DDoS attacks observed per month from January 2021 to September 2021 was as follows:
This data shows between 2,800 and 3,400 DDoS attacks observed per month by Neustar on average. The months with the lowest and highest number of attacks were January 2021 and September 2021 respectively.
Another cybersecurity firm, Kaspersky, reported the following number of DDoS attacks mitigated per month from Q3 2020 to Q2 2021:
This equates to roughly 30,000 to 62,000 attacks mitigated by Kaspersky per month. Again, we see an increase in attacks towards 2021 compared to late 2020.
Based on these samples, it appears the total number of worldwide DDoS attacks per month is likely on the order of tens of thousands. Estimates from cybersecurity firms range from around 30,000 to 60,000 attacks monthly.
DDoS Attack Frequency Trends
Looking at the attack frequency numbers over recent years provides insight into the overall trends. Are DDoS attacks increasing or decreasing?
Cybersecurity analysts have observed a steady rise in DDoS attacks, especially since the start of the COVID-19 pandemic in 2020. More internet users and digital services coupled with insecure devices and networks have expanded the potential attack surface.
Some key trends highlighted in industry reports include:
- Kaspersky saw a 4.5 times increase in Q2 2020 vs Q2 2019.
- Imperva observed a roughly 20% increase in 2020 vs 2019.
- Netscout saw a 15% increase in attacks in 2020 and 2.3 times more attack traffic volume.
- Neustar noted a 36% rise in attacks in Q1 2021 compared to Q1 2020.
The data points to continued growth in DDoS attacks. Factors fueling this growth include:
- Increasingly sophisticated attack methods using botnets of hundreds of thousands of devices.
- Ransom DDoS extortion campaigns against organizations.
- More connected devices susceptible to infection (IoT, mobile, etc).
- Attackers exploiting pandemic remote work reliance on internet access.
Organizations must stay vigilant, as the DDoS threat shows no signs of abating.
DDoS Attack Frequency by Industry
DDoS attackers target organizations across all industries. But some sectors do attract more attacks than others. Understanding which industries are most targeted can help inform defenses.
According to Kaspersky, the top 5 industries impacted by DDoS in 2021 were:
|Internet and Telecom||46%|
Organizations in telecom and internet infrastructure were impacted the most, potentially due to the cascading effects of disrupting connectivity providers. Gaming was the second most affected industry, highlighting the ongoing vulnerabilities of gaming networks and communities to DDoS disruption.
Analysis by Neustar of over 1 million DDoS attacks throughout 2021 uncovered similar industry patterns:
|Software and Technology||34%|
Once again, tech companies and telecoms were top targets. But education emerged as a heavily impacted sector as well, potentially due to e-learning reliance on digital platforms.
Understanding these industry patterns can help inform risk management. Sectors like telecom and gaming should potentially invest more in DDoS defenses given their prominence as targets.
DDoS Attack Frequency by Region
DDoS attacks also vary across geographic regions. Tracking where these attacks originate can provide insight into which parts of the world contribute most to the global DDoS threat.
Kaspersky’s data on the origin countries of DDoS attacks in Q2 2021 found:
China was the top attacking country by a significant margin. The US and Russia were also major sources of DDoS attacks.
Analysis by NETSCOUT of DDoS traffic origin in 2020 uncovered similar patterns:
China launched close to a quarter of DDoS traffic. The US and India were also leaders.
These insights into the regional concentration of DDoS attacks can guide policy and law enforcement efforts. Targeted crackdowns on botnets and cybercriminal groups in top attacking countries could help reduce the global frequency of attacks.
Attack Vector Frequency and Trends
There are different technical vectors that DDoS attackers use to overwhelm their targets. Two of the most common attack types are:
- Volumetric attacks – Floods targets with a huge amount of fake traffic to consume bandwidth.
- Protocol attacks – Exploits weaknesses in network protocols like SYN floods.
Understanding trends in these attack vectors provides insight into the evolving technical sophistication of DDoS activities.
According to Kaspersky, the most frequent DDoS attack vectors in 2021 were:
UDP and SYN floods were the predominant attack types – both protocol-based assaults. But other traffic flooding attacks like ICMP and HTTP were also common.
Analyzing recent trends, Imperva noted that so-called “megattacks” exceeding 100 Gbps of traffic are becoming more frequent, spurring an arms race for greater DDoS bandwidth capacity. TCP-layer attacks like SYN floods are also rising, requiring more advanced behavioral attack detection.
As powerful botnets allow larger volumetric attacks, and attackers grow more sophisticated, DDoS protection systems must constantly evolve to keep pace with the threat.
Attack Duration Patterns
In addition to frequency, the duration of DDoS attacks provides useful insights. Lengthier attacks cause greater disruption.
Neustar examined the duration of DDoS attacks in 2021 and found:
|Less than 30 minutes||78%|
|30 minutes to 1 hour||10%|
|1 to 2 hours||5%|
|2 to 6 hours||3%|
|6 to 12 hours||2%|
|12 to 24 hours||1%|
|Over 24 hours||1%|
Most attacks were short, lasting less than 30 minutes. But a sizable minority lasted for multiple hours, maximizing disruption. Just 1% of attacks went over a day.
Imperva’s data revealed a similar breakdown:
|Less than 30 minutes||76%|
|30 minutes to 2 hours||20%|
|2 to 10 hours||3%|
|10 to 24 hours||0.8%|
|Over 24 hours||0.2%|
Again, short attacks predominated. But a key takeaway is that a sizable portion of attacks do last for hours, requiring sustained defense efforts.
To conclude, examination of DDoS attack frequency data from cybersecurity firms reveals that:
- Globally, tens of thousands of DDoS attacks likely occur per month, with upwards of 30,000 to 60,000 observed monthly.
- The number of attacks continues to steadily rise year-over-year, highlighting the growing DDoS threat.
- Telecom, technology, and gaming organizations attract the most attacks across industries.
- China, the US, and Russia originate many of the world’s DDoS attacks.
- UDP and SYN protocol-based floods are the most common attack vector.
- Most attacks last less than 30 minutes, but a concerning portion lasts for multiple hours.
This threat intelligence helps inform DDoS defense strategies and policies. Organizations should utilize real-time monitoring, always-on protection, large-capacity mitigation, and expert emergency response to contend with the high frequency of diverse, sophisticated DDoS attacks. Proactive collaboration between public and private sectors is also key to reducing global attack levels through botnet takedowns and improved security practices. The DDoS threat landscape will continue to evolve, requiring vigilant tracking of attack trends and patterns to maintain effective defenses.