Executive Summary
In 2019, the average peak size of DDoS attacks continued its steady rise from 2018, reaching 42.9 Gbps, a sign that the techniques employed in large- and medium-scale attacks are advancing year by year. After a sharp rise in 2018, the number of super-sized DDoS attacks (> 300 Gbps) stabilized in 2019, increasing only slightly, by around 200.
On the other hand, the total traffic of DDoS attacks in 2019 declined 26.4% compared with 2018, a signal that more mature attack techniques do not make attackers more inclined to launch DDoS attacks. The booming Bitcoin market and the functional migration of botnets may be the main reasons behind this. Botnets are used for far more than DDoS attacks and remote control: attackers may combine botnets with ransomware or cryptomining trojans, or use them for distributed cracking. With full-featured attack tools readily available on black and grey markets, attackers can follow market trends closely to maximize their illegal gains.
At the same time, Internet of Things (IoT) devices have an increasing presence in DDoS attacks. Throughout 2019, approximately 170,000 IoT devices were found participating in DDoS attacks. Of all the DDoS gangs we detected, one gang alone contained 28,000 IoT devices available for various attacks, accounting for 31% of the total. IoT devices are massive in quantity, stay connected most of the time, and often contain vulnerabilities that are not addressed in time. For these reasons they have become a hotbed of exploitation, making it urgent to enhance security awareness and put more effort into the prevention and governance of related threats.
Chapter 2 presents an overview of DDoS attacks in 2019. In chapter 3, we analyze the changes and evolution of DDoS attacks in 2019 from the perspectives of attack resources, gang behavior, IoT, and botnets, in terms of attack counts, traffic, types, timing, and locations, in the hope of helping organizations make informed decisions on how to continuously improve their network defense systems and techniques.
Overview of DDoS Attacks in 2019
2019 vs. 2018
- The total attack count increased 30.2%, but the total traffic declined 26.4%.
- The number of small-scale attacks (1–5 Gbps) increased greatly, and that of large-scale attacks (> 300 Gbps) grew slightly.
- The average attack peak size rose slightly to 42.9 Gbps, and the technical maturity of large- and medium-scale attacks has grown year by year.
- UDP floods, SYN floods, and ACK floods still dominated DDoS attacks, and, in super-sized attacks, those combining multiple vectors stole the limelight.
- IoT devices were more frequently seen in DDoS attacks.
- The exploit payload of IoT botnet families in 2019 shared similarities with that in 2018, mainly targeting smart IoT devices. Meanwhile, attack methods were diversified and a trend of assigning different jobs to different roles on the kill chain took shape.
Key Findings
- Maturity: The technical maturity of attackers keeps growing, opening up more ways for attackers to profit than DDoS attacks alone.
- Combination: Of all DDoS attacks in 2019, 12.5% employed multiple vectors. Among super-sized attacks (> 300 Gbps) this percentage was even higher, at more than one-third. Multi-vector attacks pose a greater challenge to the performance of cleaning devices, the stability of cleaning lines, and the effectiveness of defense operations.
- Recidivists: In 2019, a total of 1.3 million DDoS recidivists (attack sources involved in more than 20 attacks) were spotted, 7% of whom were responsible for 78% of attacks. Recidivist behavior deserves continuous attention.
- Gangs: In 2019, a total of 60 DDoS gangs were detected, including 15 that contained more than 1000 attack sources. The largest gang, formidably, consisted of 88,000 attack sources. On average, 35,000 attack sources remained active every month. Gang behavior and attack groups therefore warrant continued vigilance.
- IoT: More and more IoT devices are being involved in DDoS attacks. In 2019, a single DDoS gang was found to contain 31% of all IoT devices observed in attacks. This phenomenon deserves continuous attention.
- Malware families: IoT malware families launched an increasingly large proportion of attacks, as demonstrated by Gafgyt and Mirai. In general, however, there was no obvious change in DDoS signatures, attack targets, or C&C distribution.
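The recidivist and concentration metrics above (sources involved in more than 20 attacks; the share of attacks attributable to the most active fraction of sources) can be computed from attack-source telemetry. The following is an added example and not the report's own tooling: it runs over a constructed set of (attack id, source address) records and the threshold of 20 comes from the report's definition; the sample data and function names are assumptions.

```python
import math
from collections import Counter

RECIDIVIST_THRESHOLD = 20  # report definition: "involved in more than 20 attacks"


def build_sample():
    """Constructed telemetry: (attack_id, source) pairs, not real data."""
    events = []
    for a in range(100):                      # two heavy hitters in attacks 0..99
        events.append((a, "10.0.0.1"))
        events.append((a, "10.0.0.2"))
    for a in range(25):                       # one moderate recidivist (25 attacks)
        events.append((a, "10.0.0.3"))
    for a in range(20):                       # exactly 20 attacks: NOT a recidivist
        events.append((a, "10.0.0.4"))
    for i in range(50):                       # one-off sources in attacks 100..149
        events.append((100 + i, f"192.0.2.{i}"))
    return events


def source_counts(events):
    """Number of distinct attacks each source took part in (duplicates ignored)."""
    return Counter(src for _, src in set(events))


def recidivists(counts, threshold=RECIDIVIST_THRESHOLD):
    """Sources seen in strictly more than `threshold` attacks."""
    return {src for src, n in counts.items() if n > threshold}


def attack_share(events, sources):
    """Fraction of all attacks in which at least one of `sources` appeared."""
    attacks = {a for a, _ in events}
    hit = {a for a, s in events if s in sources}
    return len(hit) / len(attacks)


def top_sources(counts, fraction):
    """The most active `fraction` of sources (at least one), ties broken by address."""
    k = max(1, math.ceil(fraction * len(counts)))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [src for src, _ in ranked[:k]]


if __name__ == "__main__":
    ev = build_sample()
    counts = source_counts(ev)
    rec = recidivists(counts)
    print(f"recidivists: {sorted(rec)} -> {attack_share(ev, rec):.1%} of attacks")
    top = top_sources(counts, 0.07)
    print(f"top 7% of sources ({len(top)}) -> {attack_share(ev, set(top)):.1%} of attacks")
```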
To be continued.