What 2022 taught us about DDoS attacks

BrandPost
Apr 24, 2023 | 7 mins
Security

Credit: iStock/Mindful Media

By Microsoft Security

Microsoft mitigated an average of 1,435 distributed denial-of-service (DDoS) attacks per day in 2022. This trend represents a significant threat for businesses, as DDoS attacks work by targeting websites and servers to disrupt network services and exhaust an application’s resources. Threat actors will often use DDoS attacks to flood a site with errant traffic, resulting in poor website functionality or knocking it offline altogether.

While this trend poses an additional challenge for security teams, there are also many lessons to be learned from the past year. By examining core 2022 DDoS attack trends to learn which methods cybercriminals favored and which protections performed best, we can further strengthen our protections for 2023 and beyond.

4 key DDoS attack trends in 2022

In 2022, we saw attackers refine their techniques and use sophisticated methods to maximize their impact while evading strengthened cybersecurity protections. They often favored short, frequent attacks over lengthier approaches, and many attackers even tailored their attack window to cause the greatest amount of damage possible.

Here are some of the key DDoS attack trends from 2022:

  1. DDoS attacks spike during the holiday season. This is due to multiple factors. Web traffic is higher during the holidays, especially on eCommerce and gaming sites, and organizations typically don’t have as many resources available to monitor their networks and applications.

In total, Microsoft mitigated more than 520,000 unique attacks against our global infrastructure in 2022. These attacks ranged anywhere from 680 daily attempts on the low end to upwards of 2,215 on the high end. And while we saw incidents slow from June to August, threat actors increased activity from mid-September until the end of December to capitalize on the busy holiday season.

The good news is that organizations can guard against the constant barrage of DDoS incidents. We recommend that you avoid having a single virtual machine backend so it is less likely to get overwhelmed. If your security stack allows it, you can also configure autoscaling to absorb the initial burst of attack traffic while mitigation kicks in.

  2. TCP attacks continue to be the most common threat vector. According to Microsoft’s internal data, transmission control protocol (TCP) attacks comprised 63% of all DDoS attack traffic in 2022. This is likely to continue in 2023, as TCP is currently the most common networking protocol. In particular, TCP-reflected amplification attacks are becoming more common. This attack vector abuses non-compliant TCP stack implementations in middleboxes like firewalls and deep packet inspection devices to elicit amplified responses. Organizations should always ensure that TCP handling on such devices is configured properly.

We also recommend monitoring for user datagram protocol (UDP) flood and UDP amplification attacks, as they accounted for 22% of all DDoS incidents in 2022. We observed a significant uptick in DDoS attacks on the gaming industry in 2022. Because this sector primarily uses UDP, we recommend implementing a security solution that’s designed to protect against volume-based attacks.

  3. Attackers favor short, frequent attempts over a longer, more drawn-out approach. Threat actors will often use multiple short attacks over the span of multiple hours to make the most impact while using the fewest number of resources. In 2022, 89% of DDoS attacks lasted less than one hour, and 26% lasted just one to two minutes.

This attack style is popular because it takes advantage of the delay between attack detection and the start of mitigation. And while that delay may only be minutes long, traffic from those short attacks can still reach the backend of services and impact legitimate usage. For example, if a short attack causes systems to reboot, legitimate users could unwittingly trigger subsequent internal surges as they try to reconnect. We recommend using a centralized Web Application Firewall (WAF) to protect web applications from this style of attack.
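The short-burst pattern described above, as an added example that is not from the original post: constructed per-second request counts containing one 90-second burst, a baseline threshold learned from quiet traffic (the "normal behavior" of the application), and the detection lag that results from different aggregation windows. All traffic values, function names and constants are constructed for illustration.

```python
# Constructed example: how a short DDoS burst slips past coarse detection windows.
from statistics import mean, pstdev

BASE_RPS = 100                                      # constructed steady-state requests/second
BURST_START, BURST_LEN, BURST_FACTOR = 400, 90, 20  # 90-second burst at 20x baseline


def synth_traffic(seconds=900):
    """Constructed per-second request counts: flat baseline with a small
    deterministic wobble and a single short burst."""
    series = []
    for t in range(seconds):
        rps = BASE_RPS + (t % 7) - 3                # +/-3 rps jitter around baseline
        if BURST_START <= t < BURST_START + BURST_LEN:
            rps *= BURST_FACTOR
        series.append(rps)
    return series


def baseline_threshold(series, train_secs=300, k=6.0):
    """Mean + k*stdev of the quiet training prefix: the learned 'normal behavior'."""
    quiet = series[:train_secs]
    return mean(quiet) + k * pstdev(quiet)


def first_alert(series, window, threshold):
    """Evaluate fixed, non-overlapping windows of `window` seconds.
    Return the second at which the first alert fires, or None if none does."""
    for end in range(window, len(series) + 1, window):
        if mean(series[end - window:end]) > threshold:
            return end
    return None


def detection_lag(window):
    """Seconds between burst onset and the first alert for a given window size."""
    series = synth_traffic()
    alert = first_alert(series, window, baseline_threshold(series))
    return None if alert is None else alert - BURST_START


if __name__ == "__main__":
    for w in (10, 60, 300):
        lag = detection_lag(w)
        late = "after the burst already ended" if lag > BURST_LEN else "while it was ongoing"
        print(f"window={w:>3}s  alert fired {lag}s after onset, {late}")
```

With a 300-second aggregation window the alert fires 200 seconds after onset, more than a minute after the 90-second burst is over, which is exactly the detection gap the attack style exploits.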

  4. The U.S., India, and East Asia were the top regions targeted by attackers. As in previous years, U.S.-based resources bore the brunt of DDoS attacks in 2022—accounting for 45% of all incidents. However, India and East Asia were also significant targets—accounting for 13% and 11% of DDoS attacks respectively. As smartphone adoption and online gaming continue to grow more popular in Asia, we expect DDoS attackers to increase their focus on this region.

Russia’s war on Ukraine has also contributed to the geographic concentration of attacks. As that conflict stretches on, we’ve observed a ripple effect of attacks on Western countries like the U.S., the UK, and Germany. UK financial services firms, in particular, experienced a significant increase in DDoS attacks as they were targeted by nation-states and hacktivists looking to disrupt Ukraine’s allies. As geopolitical tensions continue to emerge globally, we will likely continue to see DDoS being used as a tool for cyberattacks by hacktivists. Organizations should conduct frequent and regular DDoS simulation testing to help ensure consistent protection for their services.

5 DDoS protection tips for 2023

While we expect the above attack trends to persist in 2023, cybercriminals are also experimenting to find new and efficient attack vectors. For example, DDoS attacks are increasingly being used as distractions to hide more sophisticated attacks happening at the same time—like extortion and data theft. We also expect new IoT DDoS botnets to emerge in the coming months. Finally, we’ve seen a rise in DDoS attacks from account takeovers where malicious actors gain unauthorized access to resources to launch DDoS attacks.

Below are five ways your organization can protect itself against DDoS attacks in 2023:

  1. Evaluate your risks and vulnerabilities. Start by identifying the publicly exposed applications within your organization. Tracking the normal behavior of those applications will help you respond quickly if they begin behaving differently than expected.
  2. Make sure you’re protected. With DDoS attacks at an all-time high during the holidays, your DDoS protection service must have advanced mitigation capabilities that can handle attacks at any scale. We recommend prioritizing service features such as traffic monitoring; adaptive real-time tuning; DDoS protection telemetry, monitoring, and alerting; and access to a rapid response team.
  3. Create a DDoS response strategy. Having a response strategy is critical to help identify, mitigate, and quickly recover from DDoS attacks. As part of this strategy, assemble a DDoS response team with clearly defined roles and responsibilities. The goal of this team is to identify, mitigate, and monitor any potential attacks and coordinate with internal stakeholders and customers.
  4. Reach out for help during an attack. If you think you are experiencing an attack, reach out to the appropriate technical professionals, such as your DDoS response team. They can help investigate during the attack and conduct a post-attack analysis once it has concluded.
  5. Learn and adapt after an attack. In the event of a DDoS attack, it’s important to continue to monitor your resources and conduct a retrospective investigation. This analysis should consider whether there was any disruption to the service or user experience due to a lack of scalable architecture. It’s also important to understand which applications or services suffered the most, how effective your DDoS response strategy was, and how it can be improved moving forward.

Ready to learn more about DDoS protection strategies in 2023? Download our helpful DDoS infographic and check out Security Insider for the latest threat intelligence and cybersecurity insights.

Source: https://www.microsoft.com/en-us/security/blog/2023/02/21/2022-in-review-ddos-attack-trends-and-insights/