New research from F5 Labs has found that distributed denial of service (DDoS) attacks have made a comeback after a period of decline. The new “2024 DDoS Attack Trends” report from F5 Labs recorded 2,127 DDoS attacks in 2023, a 112 per cent increase from 1,003 in 2022. The incident analysis, conducted through the F5 Distributed Cloud platform and enriched with data from F5’s Security Incident Response and Threat Analytics and Reporting teams, showed that organizations faced an average of 11 attacks in 2023. According to the data collected, the most affected organization suffered as many as 187 separate attacks during the year, including the largest single attack recorded by F5 Labs.
“The combination of geopolitical tensions, easily exploitable vulnerabilities and the emergence of new botnets has caused denial of service attacks to explode since the last DDoS Attack Trends report in February 2023,” said David Warburton, director of F5 Labs. “DDoS attacks are constantly evolving and, as this analysis shows, also growing rapidly. In a volatile environment, there is no room to let your guard down.”
According to F5 Labs’ findings, attack sizes remained significant throughout 2023, holding consistently above 100Gbps, and several exceeded 500Gbps. February was an exception, with the largest attack of the month reaching less than 10Gbps.
Attacks change shape
DDoS attacks have changed in size and in the layers they target, from volumetric attacks that seek to consume network bandwidth, to protocol attacks that target network devices, to application attacks that consume available memory or CPU cycles. By 2022, a clear trend had been observed: application-level attacks (including HTTP(S) floods and DNS queries) were growing, reaching nearly 40 percent of all attacks in the first quarter of 2023.
However, during 2023, this trend reversed, with application-level attacks decreasing to about 25%, while both volumetric and protocol attacks increased their share. This had an impact on the size of the attacks themselves. Application attacks were mainly concentrated in the 50-200Mbps range, classified as DDoS micro-attacks. The other two categories, however, have a much wider distribution, including attacks up to 1Tbps.
Sectors and geographies under fire
In 2023, the sharp increase in DDoS activity hit specific industries particularly hard. The software and IT services industry remained the most targeted, recording more than double the number of attacks compared to the previous year. Thirty-seven per cent of attacks hit this industry, although they were relatively small incidents, peaking at 200Gbps in November. The telecommunications sector observed a massive 655 per cent increase in attacks last year, accounting for nearly a quarter (23 per cent) of all DDoS attacks recorded by F5 Labs in 2023. The third most affected sector was supporting services, which accounted for 11 per cent of total attacks. This sector suffered the largest recorded attack, which occurred in March and measured 1Tbps. In this case, cybercriminals attempted to bring down the organization with a TCP SYN attack.
The media sector also experienced a significant increase in attacks, proving that geopolitical dynamics also influence DDoS attacks. In a year when global tensions and conflicts frequently appeared in our headlines, F5 Labs recorded a 250 per cent increase in denial-of-service attacks. Just as most attacks are focused on a few specific sectors, they are also concentrated in a few countries. Only six nations (the United States, France, Saudi Arabia, Italy, Belgium, and the United Kingdom) were affected by 80% of all DDoS attacks last year. The United States alone accounted for 38 per cent of the total: its organizations suffered more than twice as many incidents as France, the second most affected country.
The EMEA region experienced 57% of all attacks in 2023, more than tripling from 2022. Throughout the year, there was a marked and steady increase in the number of attacks and their peak bandwidth. The average peak bandwidth increased dramatically from 50 Mbps in January to 5 Gbps in December. The largest attack occurred in June, measuring just under 500 Gbps.
The duration of a DDoS attack
The duration of a DDoS attack may be short, but its impact on a company’s reputation can be long-lasting. A managed service, monitored by experts who face DDoS attacks daily and supported by multi-terabit bandwidth capabilities, certainly offers the broadest and most comprehensive protection possible. It can often be deployed with minimal disruption. However, for data privacy and compliance reasons, organizations in some industries may need to maintain at least one element of on-premises DDoS mitigation.