This blog post was co-authored by Anupam Vij, Principal PM Manager, and Syed Pasha, Principal Network Engineer, Azure Networking.
2020 was a year like no other. It brought great disruption to both the physical and digital worlds, and these changes are evident in the cyberthreat landscape as well. The number of DDoS (distributed denial-of-service) attacks in 2020 increased by more than 50 percent, with growing complexity and a significant increase in DDoS traffic volume.
With the COVID-19 pandemic, billions of people around the world confined themselves to their homes, working, studying and even socializing remotely, and internet traffic exploded. DDoS attacks are now one of the biggest security concerns: the rise in internet traffic makes it easier for attackers to launch DDoS attacks, because they do not need to generate as much traffic of their own to take a service down. Cyber criminals can hide inside these huge traffic flows, making it difficult to distinguish legitimate from malicious traffic.
At Microsoft, the Azure DDoS Protection team protects all Microsoft properties and the entire Azure infrastructure. Over the past year, we continued to defend against DDoS attacks in the face of an evolving cyber landscape and unprecedented challenges. In this overview, we share trends and insights from the DDoS attacks we observed and mitigated over the course of 2020.
2020 DDoS attack trends
COVID-19 led to a sharp increase in DDoS attacks
Over the year we mitigated an average of 500 unique attacks per day. In total, we fended off more than 200,000 unique DDoS attacks on our global infrastructure.
The peak attack period was March to April 2020, at the start of the COVID-19 outbreak, when countries around the world imposed lockdowns and stay-at-home measures. We mitigated around 800 to 1,000 attacks per day, more than 50 percent higher than in the same period of previous years, before COVID.
Figure: Number of DDoS attacks during the COVID-19 outbreak
Short, high-volume attacks
In 2020, we saw a trend towards large-volume attacks with shorter duration. Multi-vector attacks also continued to be widespread.
The highest attack bandwidth we recorded against a single public IP was 1 Tbps. In another case, we mitigated a 1.6 Tbps reflection attack against multiple customers. Both of these attacks occurred during the peak attack period of March to April 2020.
At the same time, we found that most attacks were short bursts: 87 percent of DDoS attacks lasted less than an hour, and 53 percent lasted less than 10 minutes.
Increase in UDP (User Datagram Protocol) flood and reflection attacks
The most common attack vectors were UDP flood attacks, followed by UDP reflection attacks and SYN flood attacks. The top reflection vectors were DNS, NTP, CLDAP, WSD, SSDP, Memcached and OpenVPN. This reflects the proliferation of IoT-connected devices with vulnerable operating systems, which are exploited to build botnets and launch reflection attacks.
Broader spectrum of attack sources and target industries
The main source countries for DDoS attacks were the USA and Russia, followed by the United Kingdom. "Unknown" sources are those whose autonomous system numbers (ASNs) were junk, spoofed, or private ASNs that we could not map to a country.
Most attacks targeted Europe, Asia and the US. The financial services and gaming industries were hit particularly hard, although we also found a wider range of industries to be equally exposed.
New attacks observed
In 2020 we defended against three zero-day attack methods:
Electrum DDoS malware
We discovered that Azure virtual machines (VMs) in Europe had been exploited by this malware, which runs on TCP port 50002, and were the target of DDoS attacks.
Reference: Trojan.ElectrumDoSMiner, Malwarebytes Labs detections
DVR exploit reflection attack
This exploit specifically targeted Azure gaming customers on UDP port 37810. The amplification factor of this attack was 30 times: for every 1 byte of incoming traffic, 30 bytes were sent in response.
Reference: AMP-Research / Port 37810 – Dahua DVR IP camera (refined payload), Phenomite / AMP-Research on GitHub
macOS vulnerability reflection attack using WSD
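The amplification factor quoted for the DVR reflection attack above (30 bytes out per byte in) is something a defender can measure directly from flow data. The following is an added example, not code from the Azure DDoS Protection team: it aggregates constructed flow records per service port and flags UDP ports whose response-to-request byte ratio exceeds a threshold; the record layout and the `min_ratio` threshold are assumptions for this example, not the Azure flow-log schema.

```python
"""Estimate UDP reflection amplification from flow records (added example)."""
from collections import defaultdict

# Constructed sample records: (proto, service_port, bytes_to_service, bytes_from_service)
# as seen at a set of reflectors. Values are chosen to reproduce the 30x ratio
# described for UDP/37810 next to an ordinary DNS exchange and a TCP session.
SAMPLE_FLOWS = [
    ("udp", 37810, 40, 1200),   # Dahua DVR reflection: 1200 / 40 = 30x
    ("udp", 37810, 40, 1200),
    ("udp", 37810, 40, 1200),
    ("udp", 53, 60, 120),       # normal DNS lookup: 2x
    ("udp", 53, 60, 120),
    ("tcp", 443, 5000, 6000),   # TCP session, not a reflection candidate
]


def amplification_by_port(flows):
    """Return {(proto, port): (request_bytes, response_bytes, ratio)} summed per port."""
    totals = defaultdict(lambda: [0, 0])
    for proto, port, bytes_in, bytes_out in flows:
        totals[(proto, port)][0] += bytes_in
        totals[(proto, port)][1] += bytes_out
    return {
        key: (req, resp, resp / req if req else float("inf"))
        for key, (req, resp) in totals.items()
    }


def reflection_candidates(flows, min_ratio=10.0):
    """UDP service ports whose aggregate response/request ratio is >= min_ratio.

    min_ratio is an assumed threshold for this example; tune it against the
    baseline ratio you observe for the same ports in normal traffic.
    """
    return sorted(
        (port, round(ratio, 1))
        for (proto, port), (_, _, ratio) in amplification_by_port(flows).items()
        if proto == "udp" and ratio >= min_ratio
    )


if __name__ == "__main__":
    for (proto, port), (req, resp, ratio) in amplification_by_port(SAMPLE_FLOWS).items():
        print(f"{proto}/{port}: {req} B in, {resp} B out, amplification {ratio:.1f}x")
    print("reflection candidates:", reflection_candidates(SAMPLE_FLOWS))
```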
Low barriers to entry for DDoS attacks
The barriers to entry for DDoS attacks are falling, and the easy availability of DDoS-for-hire services makes it far easier and cheaper to launch targeted DDoS attacks. Our research team at Microsoft found that in 2020 the average price for a one-hour DDoS attack was $48, a one-day attack was $134, and a month-long attack was $1,000.
Figure: Trends and approximate average prices for DDoS attack services offered to cyber criminals
Unfortunately, it remains easy for cyber criminals to evade law enforcement. The World Economic Forum Global Risks Report 2020 shows that in the US, the chances of catching and prosecuting a cybercrime actor are close to zero (0.05 percent).
No DDoS protection means devastating consequences
DDoS attacks can cause significant financial damage. Most directly, companies suffer production and operational disruption from downtime and absorb significant recovery costs. According to Gartner research, the average cost of downtime for a small to medium-sized business is $5,600 per minute. This translates into a large loss of revenue and business opportunity, especially when intellectual property is stolen.
The intangible cost of reputational damage is particularly devastating: such attacks can lead to breaches and a failure to protect sensitive customer data, which drives customers to competitors.
What’s next for 2021?
As the new year begins, the risk of cyber attacks will continue to increase. We have found that DDoS attacks are widely used as a smokescreen to cover major network intrusions that can cause immense damage to both businesses and users. There is also a new national security threat: as health organizations struggle to cope with the growing demands of COVID-19, they have become a prime target for cyber attacks.
As the COVID-19 pandemic continues, the world will keep depending heavily on digital services, and the availability and performance of those services will matter more than ever. With cyber risks evolving, it is even more important for businesses and users to develop a robust DDoS response strategy and be proactive in protecting their resources.
Azure DDoS Protection Standard
Azure DDoS Protection Standard offers advanced DDoS protection functions to protect against DDoS attacks. It is automatically optimized to protect all public IP addresses in virtual networks. Protection is easy to activate in a new or existing virtual network and does not require any application or resource changes. You can even leverage the size, capacity and efficiency of Azure DDoS Protection Standard to protect your on-premises resources by hosting a public IP address on Azure and redirecting traffic to the backend origin in your on-premises environment.
The main benefits of Azure DDoS Protection Standard are as follows:
- Backed by the global Microsoft network: We offer tremendous DDoS mitigation capacity in every Azure region and scrub traffic at the Azure network edge before it can affect the availability of your services. If we determine that the attack volume is significant, we use Azure's global scale to defend against the attack close to its origin.
- Cost protection: DDoS attacks often trigger automatic scale-out of the service running in Azure. This can lead to a significant increase in network bandwidth, in the number of virtual machines, or both. In the event of an attack, you receive Azure credits for every resource you scale, so you do not have to worry about configuring your application to autoscale or about paying the additional cost of outbound data transfer.
- DDoS Rapid Response: During or after an active attack, you can contact the DDoS Protection Rapid Response team for help investigating the attack and for specialized support. The DDoS Protection Rapid Response team follows the Azure Rapid Response support model.
- Comprehensive attack analysis: DDoS attack analytics gives you access to detailed reports in five-minute increments during an attack and a full summary once the attack is over. You can also stream DDoS mitigation flow logs to an online or offline security information and event management (SIEM) system for near-real-time monitoring during an attack. See the Azure DDoS Protection Standard reports and flow logs documentation to learn more. You can also connect the logs to Azure Sentinel, view and analyze your data in workbooks, create custom alerts, and integrate them into your investigation processes. For information about how to connect to Azure Sentinel, see the Connect to Azure Sentinel documentation.