Q1 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware, which attacks Linux devices. Cybercriminals exploited several critical vulnerabilities in programs installed on victim devices, including the newly discovered CVE-2021-3007. Botnet operators use infected devices to carry out DDoS attacks or mine cryptocurrency.
Another active bot focused on Android devices with the ADB (Android Debug Bridge) debug interface. The botnet was dubbed Matryosh (from the Russian word matryoshka — nesting doll) due to the multi-step process for obtaining the C&C address. It is not the first bot to attack mobile devices through a debug interface. This loophole was previously exploited by ADB.Miner, Ares, IPStorm, Fbot, Trinity, and other malware.
Q1 was not without yet another iteration of Mirai. Cybercriminals infected network devices, exploiting relatively recently discovered vulnerabilities, plus several unknown bugs. According to the researchers who identified the attack, it might have affected several thousand devices.
In Q1 2021, cybercriminals also found a host of new tools for amplifying DDoS attacks. One of them was Plex Media Server for setting up a media server on Windows, macOS, or Linux computers, network-attached storages (NAS), digital media players, and the like. Around 37,000 devices with Plex Media Server installed, accessible online directly or receiving packets redirected from specific UDP ports, turned out to be vulnerable. Junk traffic generated by Plex Media Server is made up of Plex Media Service Discovery Protocol (PMSSDP) requests and amplifies the attack by a factor of approximately 4.68.
A major amplification vector was the RDP service for remote connection to Windows devices. RDP servers listening on UDP port 3389 were used to amplify DDoS attacks. At the time of publishing the information about the misuse of the remote access service, 33,000 vulnerable devices had been found. The amplification factor was significantly higher than in the case of Plex Media Server: 85.9. To prevent attacks via RDP, it is recommended to hide RDP servers behind a VPN or disable UDP port 3389.
That said, a VPN is no panacea if it too is vulnerable to amplification attacks. In Q1 2021, for instance, attackers went after Powerhouse VPN servers. The culprit turned out to be the Chameleon protocol, which guards against VPN blocking and listens on UDP port 20811. The server response to requests on this port was 40 times larger than the original request. The vendor released a patch when they learned about the problem.
Alas, not all users of vulnerable programs and devices install updates promptly. For instance, as of mid-March, there were around 4,300 web-based servers for DDoS amplification through the DTLS protocol — this method was covered in our previous report. Vulnerable devices were either misconfigured or missing the latest firmware version with the required settings. Cybercriminals have wasted no time in adding this amplification method (as well as most others discovered just this past quarter) to their arsenal of DDoS-for-hire platforms.
Non-standard protocols are of interest to cybercriminals not only as a means of amplification, but as a tool for carrying out DDoS attacks. In Q1, a new attack vector appeared in the form of DCCP (Datagram Congestion Control Protocol), a transport protocol for regulating the network load when transmitting data in real time, for example, video streaming. The built-in mechanisms to protect against channel congestion did not prevent attackers using this protocol to flood victims with multiple connection requests. What’s more, on the side of the junk packet recipients, there were no online-accessible DCCP applications. Most likely, the attackers were randomly looking for a way to bypass standard DDoS protection.
Another unusual DDoS vector was the subject of an FBI warning about the rise in attacks on emergency dispatch centers. TDoS (telephony denial-of-service) attacks aim to keep the victim’s phone number permanently busy, flooding it with junk calls. There are two main TDoS methods: via flash mobs on social networks or forums, and automated attacks using VoIP software. Neither is new, but TDoS against critical first-responder facilities poses a very serious threat. “The public can protect themselves in the event that 911 [the emergency number across North America] is unavailable by identifying in advance non-emergency phone numbers and alternate ways to request emergency services in their area,” the FBI advised.
On the whole, the quarter was rich in media-reported DDoS attacks. In particular, DDoS ransomware continued to attack organizations worldwide at the start of the year. In some cases, they demonstrated impressive capabilities. For example, a European gambling company was bombarded with junk traffic, peaking at 800 GB per second. Maltese Internet service provider Melita was also hit by ransomware: a showcase DDoS attack disrupted services. At the same time, ransomware operators, having already started to steal victims’ data before encryption, also turned their eyes on DDoS as an extortion tool. The first attack on the website of a victim unwilling to negotiate occurred late last year. In January, Avaddon’s operators jumped on the bandwagon, followed in March by the group behind the Sodinokibi (REvil) ransomware.
Ransomwarers were likely spurred on by the upward movement of cryptocurrency prices, which continued in Q1 2021. In early February, Tesla announced a massive investment in Bitcoin, which led to even more hype around digital money. Several cryptocurrency exchanges could not cope with the resulting influx of sign-ups and suffered downtime. There was no avoiding DDoS either: British exchange EXMO reported an attack on its systems. Company representatives admitted that not only the site was affected, but the entire network infrastructure.
As many users were still working (and playing) from home in Q1 2021, cybercriminals made sure to target the most in-demand resources. In addition to the aforementioned Melita, Austrian provider A1 Telekom (article in German), as well as Belgian telecommunications firm Scarlet, suffered DDoS attacks (albeit without the ransomware component). In both instances, customers faced communication disruptions, and in the case of A1 Telekom, users all across the country experienced problems.
Online entertainment was likewise targeted by cybercriminals throughout the quarter. For example, Blizzard reported a DDoS attack in early January. The barrage of junk traffic caused players, especially those trying to connect to World of Warcraft servers, to experience delays. There were also cases of players getting kicked off the server. Towards the end of the month, cybercriminals attacked League of Legends. Players attempting to enter tournaments in Clash mode experienced login issues and intermittent connection failures. In February, a DDoS attack temporarily disabled the television service of Icelandic provider Siminn. And in March, LittleBigPlanet servers were unavailable for several days. Players blamed a disgruntled fan for the attack.
By early 2021, many schools had switched to on-campus or hybrid mode, but that did not stop the DDoS attacks. Only now, instead of flooding online platforms with junk traffic, cybercriminals sought to deprive educational institutions of internet access. For instance, in February, US schools in Winthrop, Massachusetts, and Manchester Township, New Jersey, were hit by DDoSers. In the second case, the attack forced the institutions to temporarily return to remote schooling. In March, CSG Comenius Mariënburg, a school in Leeuwarden, Netherlands, also fell victim to a DDoS attack. The attack was organized by students themselves. Two of them were quickly identified, but school officials suspect that there were other accomplices.
The most significant event in Q1 was COVID-19 vaccination. As new segments of the population became eligible for vaccination programs, related websites suffered interruptions. At the end of January, for example, a vaccine registration website in the US state of Minnesota crashed under the load.The incident coincided with the opening of appointments to seniors, teachers and childcare workers.In February, a similar glitch occurred on a vaccine appointment portal in Massachusetts as retirees, people with chronic illnesses and staff of affordable senior housing tried to sign up for a shot. In both cases, it is not known for certain whether it was a DDoS attack or an influx of legitimate traffic; all the same, cybersecurity company Imperva recorded a spike in bot activity on healthcare resources.
Nor was Q1 without political DDoS attacks. In February, cybercriminals flooded the websites of Dutch politician Kati Piri and the Labor Party, of which she is a member, with junk traffic. The Turkish group Anka Nefeler Tim claimed responsibility. In late March, a DDoS hit the website of the Inter-Parliamentary Alliance on China (IPAC). Representatives of the organization note that this is not the first such attack in living memory. On top of that, several government agencies in Russia and Ukraine reported DDoS attacks in early 2021. The victims included the websites of the Russian Federal Penitentiary Service and the National Guard, the Kiev City State Administration, the Security Service of Ukraine, the National Security and Defense Council, as well as other Ukrainian security and defense institutions.
Since the start of 2021, a number of media outlets in Russia and abroad have been targeted by DDoS attacks. In January, attackers downed the websites of Kazakh newspaper Vlast and Brazilian nonprofit media organization Repórter Brasil. In the second case, the attacks continued for six days. The Ulpressa portal, based in the Russian city of Ulyanovsk, came under a much longer attack lasting several weeks. The website was attacked daily during peak hours. The KazanFirst news portal initially managed to repel the stream of junk traffic, but the attackers changed tactics and ultimately took the site offline. A similar scenario played out in the case of Mexican magazine Espejo: the administrators deflected the first attempts to down the site, but these were followed by a more powerful DDoS wave.
But it was not only legitimate organizations that suffered from DDoS in Q1 2021. In January, many resources on the anonymous Tor network, which is popular with cybercriminals, were disrupted. The Tor network may have been overloaded due to DDoS attacks against specific sites on the dark web. A February target was the major underground forum Dread, used, among other things, to discuss deals on the black market. The forum administration was forced to connect additional servers to defend against the attack.
But this quarter was not all doom and gloom: some DDoS organizers did get exposed. For example, a pair of high-ranked Apex Legends players who DDoSed anyone who beat them finally got banned. A slightly more severe punishment was dished out to a teenager who late last year tried to disrupt Miami-Dade County Public Schools’ online learning system. He escaped jail, but was sentenced to 30 hours’ community service and placed on probation.
In Q1 2021, DDoS market growth against the previous reporting period outstripped our prediction of around 30%, nudging over the 40% mark. Unusually, and hence interestingly, 43% of attacks occurred in the normally relatively calm month of January.
Comparative number of DDoS attacks, Q1 2021, Q1 2020, and Q4 2020. Data for Q1 2020 is taken as 100% (download)
The unexpected surge in DDoS activity can be attributed to the price of cryptocurrencies in general, and Bitcoin in particular, which began to fall in January 2021. The practice of previous years shows that rapid cryptocurrency growth is followed by a similarly rapid decline. It seems that the nimblest botnet owners expected similar behavior this year, and reverted back to DDoS at the first hint of a price drop. However, the Bitcoin price sometimes has a mind of its own: it rose again in February, plateaued in March and remains high at the time of posting. Accordingly, the DDoS market sagged in February and March.
Note that these two months were entirely in line with our forecast: the DDoS market showed slight growth relative to Q4, but no more than 30%. Another curiosity is that this year’s February and March indicators are very similar (within a few percent) to those of January 2020, which was a typically calm January. The same picture (abnormal January followed by standard February and March) was seen in 2019.
Comparative number of DDoS attacks, 2019–2021. Data for 2019 is taken as 100% (download)
Q1 2019 was fairly stable, almost benchmark standard, so it can be used to demonstrate deviations. Last year saw an explosive increase in DDoS activity in February and March, which we attributed, and continue to attribute, to the coronavirus outbreak, the switch to remote working, and the emergence of many new DDoS-vulnerable targets. This year’s January outlier is equally stark when compared with the 2019 data.
Note the significant lag in the Q1 figures overall against the same period of last year. This gap can be explained by the above-mentioned abnormally high numbers in 2020. Over the past year, the situation has changed: organizations have strengthened and learned how to protect remote infrastructure, so Q1 this year was simply ordinary, with no distortions. The slump in the numbers was caused specifically by the abnormal previous year, not the decline in the current one.
At the same time, the share of smart attacks in Q1 increased relative to both the end of 2020 (from 44.29% to 44.60%) and its start. This also indirectly confirms the theory that capacities are being redirected away from DDoS, which comes at the expense of attacks that are easy to organize and defend, since they have become unprofitable for botnet operators.
Share of smart attacks, Q1 2021, Q1 2020, and Q4 2020 (download)
In our Q4 2020 report, we noted a downward trend in the duration of short attacks and an upward one in the duration of long attacks. This trend continued this quarter as well, which is clearly seen from the duration data compared to Q4 of the previous year. We cautiously assume that this trend will continue in the future.
DDoS attack duration, Q1 2021, Q1 2020, and Q4 2020. Data for Q1 2020 is taken as 100% (download)
Kaspersky has a long history of combating cyberthreats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.
The DDoS Intelligence system is part of the Kaspersky DDoS Protection solution, and intercepts and analyzes commands sent to bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user device to get infected or a command to be executed.
This report contains DDoS Intelligence statistics for Q1 2021.
In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.
The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.
DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.
Note that, starting Q4 2020, the number of botnets whose activity is included in the DDoS Intelligence statistics has increased. This may be reflected in the data presented in this report.
In Q1 2021:
- The US displaced China from top spot by both number of DDoS attacks and number of unique targets.
- We saw a spike in DDoS activity in January, peaking at over 1,800 attacks per day: 1,833 on the 10th and 1,820 on the 11th. On several other days in January, the daily number of attacks exceeded 1,500.
- The distribution of attacks by day of the week was fairly even: just 2.32 p.p. separated the most and the least active days.
- The number of short (less than 4 hours) DDoS attacks increased significantly.
- The most widespread this time was UDP flooding (41.87%), while SYN flooding dropped to third place (26.36%).
- Linux botnets continued to account for almost all DDoS traffic (99.90%).
In Q1 2021, the perennial leaders by number of DDoS attacks swapped places: the US (37.82%) added 16.84 p.p. to top the leaderboard, nudging aside China (16.64%), which lost 42.31 p.p. against the previous reporting period. The Hong Kong Special Administrative Region (2.67%), which had long occupied third position, this time dropped to ninth, with Canada (4.94%) moving into the Top 3.
The UK (4.12%) also lost ground, falling from fourth to sixth place, despite its share increasing by 2.13 p.p., behind the Netherlands (4.48%) and France (4.43%). South Africa, which finished fifth last quarter, dropped out of the Top 10 altogether.
Germany (3.78%) moved up to seventh place, displacing Australia (2.31%), which rounds out the ranking this quarter. Eighth place was taken by Brazil (3.36%), having rarely climbed higher than eleventh before.
Distribution of DDoS attacks by country, Q4 2020 and Q1 2021 (download)
The Top 10 countries by number of DDoS targets traditionally corresponds closely to the ranking by number of attacks. The Q1 leader was the US (41.98%), whose share increased by 18.41 p.p. By contrast, China’s share fell by more than four times — from 44.49% to 10.77%, pushing it into second place. However, there are some minor differences in the two rankings. Hong Kong, for instance, dropped out of the Top 10 countries by number of targets, and the Netherlands moved up to third place (4.90%). The UK (4.62%) consolidated its position in fourth spot, while Canada (4.05%) dropped from sixth to seventh, just a fraction of a percentage point behind Germany (4.10%) and France (4.08%).
Brazil (3.31%), as in the ranking by number of DDoS attacks, moved up to eighth place, while Australia (2.83%) climbed tenth to ninth place, allowing Poland (2.50%) to sneak in at the foot of the table. Like Brazil, Poland is an infrequent guest in the Top 10.
Distribution of unique DDoS-attack targets by country, Q4 2020 and Q1 2021 (download)
DDoS attack dynamics
Q1 2021 got off to a dynamic start. DDoS activity peaked on January 10 and 11, when the number of attacks exceeded 1,800 per day. January posted several more days on which our systems recorded more than 1,500 attacks. As mentioned above, this surge in activity is most likely due to the brief drop in the Bitcoin price.
After a stormy start, there followed a relatively calm February, when for several days in a row — from the 13th to the 17th — the daily rate of DDoS attacks remained under 500. The quietest day was February 13, when we recorded just 346 attacks. Early March saw another peak, more modest than the January one: 1,311 attacks on the 3rd and 1,290 on the 4th. Note that, as before, this was preceded by a fall in the Bitcoin price.
Dynamics of the number of DDoS attacks, Q1 2021 (download)
In Q1 2021, DDoS attacks by day of the week were far more evenly spread than in the previous reporting period. The difference between the stormiest and the quietest days was 2.32 p.p. (versus 6.48 p.p. in Q4 2020). Saturday (15.44%) took the lion’s share of DDoS attacks, while Thursday (13.12%), last quarter’s leader, was this time the most inactive day. Overall, the share of days from Friday to Monday increased in the first three months of 2021, while midweek dipped slightly.
Distribution of DDoS attacks by day of the week, Q4 2020 and Q1 2021 (download)
Duration and types of DDoS attacks
The average DDoS attack duration in Q1 more than halved compared to Q4 2020. The proportion of very short attacks lasting less than four hours rose markedly (91.37% against 71.63% in the previous reporting period). In contrast, the share of longer attacks declined. Attacks lasting 5–9 hours lost 7.64 p.p., accounting for 4.14% of all attacks; only 2.07% of incidents lasted 10–19 hours, and 1.63% 20–49 hours. Attacks lasting 50–99 hours in Q1 made up less than 1% of the total. The shares of long (0.07%) and ultra-long (0.13%) attacks also fell slightly.
Distribution of DDoS attacks by duration, Q4 2020 and Q1 2021 (download)
The distribution of attacks by type continued to change. In Q1 2021, the seemingly unassailable leader, SYN flooding (26.36%), lost its grip on the ranking. This DDoS type shed 51.92 p.p. and finished third. Meanwhile, UDP (41.87%) and TCP flooding (29.23%) gained in popularity among attackers. GRE (1.43%) and HTTP flooding (1.10%), which round out the ranking, also posted modest growth.
Distribution of DDoS attacks by type, Q1 2021 (download)
In terms of botnet types, Linux-based bots were again responsible for the vast majority of attacks this quarter. Moreover, their share even rose slightly against the previous reporting period: from 99.80% to 99.90%.
Ratio of Windows/Linux botnet attacks, Q4 2020 and Q1 2021 (download)
Botnet distribution geography
The traditional leader in terms of C&C server hosting is the US (41.31%), and Q1 was no exception. Its share increased by 5.01 p.p. against Q4 2020. Silver and bronze again went to Germany (15.32%) and the Netherlands (14.91%), only this time they changed places: the share of the Netherlands fell, while Germany’s almost doubled.
Romania dropped from fourth to seventh place (2.46%), behind France (3.97%), the UK (3.01%), and Russia (2.60%). Canada held on to eighth position (1.92%), while Singapore and the Seychelles closed out the ranking, both posting 1.37% in Q1.
Distribution of botnet C&C servers by country, Q1 2021 (download)
The first quarter began with a surge in DDoS activity amid falling cryptocurrency prices, but on the whole it was relatively calm. At the same time, we observed several unexpected reshuffles. In particular, the US knocked China out of first place by both number of DDoS attacks and number of targets. SYN flooding, long the most common type of attack, gave way to UDP and TCP this time around.
As for Q2 forecasts, no significant shifts in the DDoS market are in sight at present. As is customary, much will depend on cryptocurrency prices, which are currently rising an all-time high. Besides, the experience of previous years shows that the second quarter is usually rather calmer than the first; so, barring any shocks, we can expect little change, perhaps a slight decline, in the DDoS market. That said, if the cryptocurrency market falls sharply, we forecast a rise in DDoS activity, driven largely by simple, short-lasting attacks.