Key Findings:
Maturity: The technical maturity of attackers keeps growing, opening more possibilities than DDoS attacks for attackers to garner profits.
Combination: Of all DDoS attacks in 2019, 12.5% employed multiple vectors. This percentage was even higher among super-sized attacks (> 300 Gbps) to reach more than one-third. These factors have posed a greater challenge to the performance of cleaning devices, the stability of cleaning lines, and the effectiveness of defense operations.
Recidivists: In 2019, a total of 1.3 million DDoS recidivists (involved in more than 20 attacks) were spotted, 7% of whom were responsible for 78% of attacks. Recidivist behavior deserves continuous attention.
Gangs: In 2019, a total of 60 DDoS gangs were detected, including 15 ones that contained more than 1000 attack sources. The largest gang, formidably, consisted of 88,000 attack sources. On average, 35,000 attack sources remained active every month. Therefore, we should keep vigilant on gang behavior and attack groups.
IoT: More and more IoT devices have been involved in DDoS attacks. In 2019, a single DDoS attack gang was found to contain 31% of IoT devices, among others. This is a phenomenon deserving continuous attention.
Malware families: IoT malware families launched an increasingly large proportion of attacks, as demonstrated by Gafgyt and Mirai. But, in general, there was no obvious change in DDoS signatures, attack targets, and C&C distribution.
Location: In China, Hong Kong overtook Zhejiang to become the biggest target of DDoS attacks, leaving Zhejiang in the second place, followed by Guangdong, Beijing, and Jiangsu.
Attack Trend
This section presents the DDoS attack trend in 2019 from perspectives of attack peak, attack count, and attack traffic.
Attack Peak Size
2019 saw 21,400 large-scale attacks peaking above 100 Gbps (according to data by November 2019), on a par with 2018 (22,000 by November 2018). Besides, super-sized attacks (> 300 Gbps) have increased year by year from an average of 30 per month in 2017 to 247 in 2018 and then to 262 in 2019.
Arguably, it has become a normal thing for super-sized attacks to keep increasing in number.
Attack Counts and Attack Traffic
By November 2019, 167,400 DDoS attacks had been detected, generating a total of 436,800 TB traffic. On a year-on-year basis, the number of attacks increased 30.2%, but the total attack traffic decreased 26.4%, marking the first decline since 2017 when the total traffic doubled from the previous year.
To be continued.
