Blocked DDoS attack volumes rose 40 percent-plus in Q2 – Radware

A report from Radware reveals that second quarter blocked DDoS attack volumes were up more than 40 percent compared to the same period in 2020. The report provides an overview of DDoS attack trends by industry, as well as across applications and attack types.

The Q2 2021 DDoS attack report disclosed:

  • On average, a company had to detect and block nearly 5,000 malicious events and a volume of 2.3TB per month during the second quarter of 2021.
  • During Q2 of 2021, the average number of blocked malicious events per company was up more than 30 percent and the average blocked volume per company increased by more than 40 percent compared to the second quarter of 2020.
  • During the first half of 2021, a company located in the Americas or Europe, the Middle East and Africa (EMEA) had to repel, on average, twice as much volume compared to a company located in Asia-Pacific (APAC). The Americas and EMEA accounted for about 80 percent of the blocked attack volume during that same period.

Pascal Geenens, director of threat intelligence for Radware, said: “While large ransomware attacks are capturing headlines, companies need to pay attention to other cyber threats. From an increase in DDoS extortion campaigns and DDoS hit-and-run assaults, to a hacktivist group targeting financial organisations in the Middle East, the second quarter saw a concerning amount of cyber activity compared to the activity levels we saw during the same quarter last year.”

Geenens added: “The results of this report should serve as a strong reminder to enterprises that no company is immune from being a target.”

Tech under fire

According to Radware’s report, the most attacked industry in the quarter was technology, with an average of almost 3,000 attacks per company, followed by healthcare (2,000 attacks per company) and finance (1,350 attacks per company).

Attacks in retail, communications and telecommunications averaged between 600 and 1,000 per company. Gaming averaged more than 400 attacks per company, while an average of approximately 280 attacks targeted government and utility organisations.

In terms of blocked volume, retail endured the highest volumes in the second quarter, followed by gaming, telecommunications and technology, which blocked the second, third and fourth highest volumes respectively.

Radware’s attack report also revealed there were notable burst attacks during the second quarter of 2021. These targeted companies in finance and technology. These ‘hit-and-run’ DDoS assaults use repeated short bursts of high-volume attacks and were particularly aggressive in their amplitude (attack size) and frequency (number of bursts per unit of time).

One attack showed multiple consistent 80Gbps bursts, lasting two to three minutes and repeating every four minutes. This resulted in 12 attack bursts of 80Gbps within a 45-minute timeframe.

Ransom DDoS campaigns resurge

The second quarter saw a renewed DDoS extortion campaign by an actor posing as Fancy Lazarus. By the end of May, Radware had numerous emergency onboardings of its cloud security services from organisations that received these ransom letters.

Ransom denial-of-service (RDoS) attacks, in which the victim receives a letter with a demand to pay a ransom or become the target of a DDoS attack, have been a persistent component of the DDoS threat landscape since August of 2020.

During the second quarter of 2021, companies, on average, blocked almost 2,000 scan events by unsolicited vulnerability scanners. According to the attack report, of those scans, 40 percent were performed by potentially malicious scanners looking to actively exploit known vulnerabilities and attack an organisation. Vulnerability scanners are automated tools that allow organisations to check if their networks and applications have security weaknesses that could expose them to attacks.

“Organisations are being challenged by well organized threat actors,” Geenens said. “The window between the disclosing and weaponising of new vulnerabilities is getting very slim. In some cases, we observed less than 24 hours between a manufacturer publishing a patch and malicious activity trying to exploit the vulnerability.”

Radware’s full Q2 DDoS Attack Report can be found here along with charts and graphics. The data for the report is based on a sample set of Radware devices deployed in Radware’s cloud scrubbing centers and on-premise managed devices in Radware hybrid and peak protection services.