DDoS Attack Counts and Peak Sizes
Distribution of Peak Sizes
From the monthly data in the last three years, the number of large-scale attacks (> 100 Gbps) soared in 2018 and then fluctuated at a high level over a two-year period. In 2017, the number of such attacks reached 11,800, only 48% of the number in 2018 (24,500). 2019 saw 21,400 large-scale attacks peaking above 100 Gbps (according to data by November 2019), on a par with 2018 (22,000 by November 2018). Besides, super-sized attacks (> 300 Gbps) have increased year by year from an average of 30 per month in 2017 to 247 in 2018 and then to 262 in 2019. Arguably, a steady increase in the number of super-sized attacks has become the norm.
Of all DDoS attacks, 22.2% peaked at 1–5 Gbps, making up the largest proportion. Compared with 2018, 2019 saw more DDoS attacks with small peak sizes. Those peaking below 10 Gbps increased slightly to account for 49.9% and attacks peaking at 1–5 Gbps increased multiple times.
On a quarterly basis, small-scale DDoS attacks peaking below 20 Gbps have continued to grow. In 2019 Q4, small-scale attacks made up 66% of all DDoS attacks detected in this quarter, and in Q2 of this year, small-scale attacks peaking below 5 Gbps accounted for 41.5%. Super-sized attacks (> 300 Gbps) declined in proportion, but rose slightly in number. By November 2019, altogether 2894 such attacks had been spotted, slightly more than in 2018 (2673). By contrast, 2017 saw only 350 such attacks. Compared with this figure, super-sized attacks in the last two years have increased more than 7 times.
Attack Counts and Traffic
By November 2019, 167,400 DDoS attacks had been detected, generating a total of 436,800 TB of traffic. On a year-on-year basis, the number of attacks increased 30.2%, but the total attack traffic decreased 26.4%, marking the first decline since 2017 when the total traffic doubled from the previous year.
In terms of the monthly attack count, DDoS attacks stabilized in 2019. In terms of the attack traffic, DDoS attacks began to decline in the latter half of the year. We believe that the overall trend of DDoS attacks was linked with the rise in cryptocurrency prices. In the 2017 DDoS and Web Application Attack Landscape [1], we pointed out that, with the appreciation of cryptocurrency, hackers on the black market began to divert prime botnet resources from costly DDoS attacks to cost-efficient cryptomining activities. In 2019, with a pickup in cryptocurrency prices, cryptomining became more lucrative. In this context, attackers were less inclined to launch DDoS attacks to garner profits, which was especially the case in the latter half of the year.
Comparing the monthly Bitcoin price with the monthly DDoS attack traffic, we get a Pearson correlation coefficient of –0.53, indicating a negative correlation between the two, which bears out the view we gave above.
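The calculation described above, as an added example that is not part of the original report: it computes Pearson's r for two monthly series and then a Fisher z confidence interval, which shows how much the reading of r = –0.53 depends on how many monthly points went into it. The two series are constructed sample values, and the month counts 11 and 35 are assumptions, since the report does not state how many months were compared.

```python
# Added example: Pearson r plus a Fisher z confidence interval (stdlib only).
import math
from statistics import NormalDist, mean

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    if len(xs) != len(ys) or len(xs) < 3:
        raise ValueError("need two series of equal length >= 3")
    mx, my = mean(xs), mean(ys)
    dx = [x - mx for x in xs]
    dy = [y - my for y in ys]
    sxx = sum(d * d for d in dx)
    syy = sum(d * d for d in dy)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant series has no defined correlation")
    return sum(a * b for a, b in zip(dx, dy)) / math.sqrt(sxx * syy)

def fisher_ci(r, n, level=0.95):
    """Approximate confidence interval for r estimated from n paired points."""
    if n < 4 or not -1 < r < 1:
        raise ValueError("need n >= 4 and -1 < r < 1")
    z = math.atanh(r)  # Fisher transform; std. error is 1/sqrt(n - 3)
    half = NormalDist().inv_cdf(0.5 + level / 2) / math.sqrt(n - 3)
    return math.tanh(z - half), math.tanh(z + half)

# CONSTRUCTED sample data (11 months), not figures from the report.
BTC_KUSD = [3.5, 3.8, 4.0, 5.2, 8.0, 10.5, 10.0, 9.8, 8.5, 8.9, 7.5]
ATTACK_KTB = [52, 49, 55, 47, 41, 30, 33, 29, 36, 31, 38]

if __name__ == "__main__":
    r = pearson(BTC_KUSD, ATTACK_KTB)
    print(f"constructed series: r = {r:.2f}")
    # The report's coefficient under two ASSUMED sample sizes:
    # 11 months (Jan-Nov 2019) and 35 months (Jan 2017-Nov 2019).
    for n in (11, 35):
        lo, hi = fisher_ci(-0.53, n)
        verdict = "includes 0" if lo <= 0 <= hi else "excludes 0"
        print(f"r = -0.53, n = {n}: 95% CI [{lo:.2f}, {hi:.2f}] {verdict}")
```
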
Maximum and Average Peak Sizes of Individual Attacks
At the beginning of 2019, new DDoS attack tools came into view. For example, in early February, a fast-evolving botnet, Cayosin [2], made up of devices infected with QBot, Mirai, and other malware families, drew attention because it spread widely through such media as YouTube. In mid-March, a variant of Mirai [3] surfaced, boasting a larger database of exploits besides broadening its scope of targets.
According to data collected by November 2019, the average peak size of DDoS attacks in 2019 was 42.9 Gbps, on a par with that in 2018 over the same period (41.1 Gbps). In the first half of 2019, the average peak size per month was generally larger than that over the same period of 2018. However, starting from July, 2019 lagged behind 2018 in the average peak size per month.
In terms of the maximum attack peak size, from January to May, the curve of 2019 was above that of 2018, but starting from June, the two curves changed positions. In 2018, the maximum peak size of 1.41 Tbps was captured in June. In 2019, the maximum peak size stood at 885 Gbps, spotted in May.
To be continued.