Adversaries pummeled North American industries with an onslaught of DDoS attacks following their declarations of support for other countries engaged in political and military conflict.
For instance, attackers increasingly targeted satellite telecommunications and cloud-hosting providers, likely because of international conflict. Because organizations in these industries provide services to other countries that are engaged in political and military conflict, they inadvertently make themselves a more lucrative target for opportunists, hacktivists, and nation-state sponsored adversaries.
At a high level, North America accounted for about 17 percent of global DDoS attacks in 1H 2022, with an average of 5,755 DDoS attacks per day when compared with the global average of 33,260 attacks per day. Despite this relatively minor increase in attack volume, it nevertheless reveals trends and anomalies that correspond to global events and attacker innovation.
Furthering the divide, adversaries doubled down on direct-patch, TCP-based DDoS attacks as their weapon of choice.
Cloud-related service providers saw a whopping 54 percent increase in DDoS attacks during the first half of the year.
Primary school students have apparently learned to launch DDoS attacks against their schools, in a move reminiscent of a modern-day Ferris Beuller.
NAMER Data was drawn from…
By The Numbers
Although there were some significant attacks and noteworthy events across the region, the daily dispersion of DDoS attacks was fairly consistent throughout the first half of the year, with a slight upward trend toward the end of Q2 (see below):
Beginning in the first half of 2021, NETSCOUT observed adversaries making a tectonic shift in preferred DDoS attack vectors and methods. That shift continued into 2022, with TCP SYN, ACK, and RST floods topping the charts and further reductions in DNS and CLDAP numbers. Security measures such as source-address validation (SAV) should result in additional decreases as attackers turn to direct-path, botnet-sourced TCP-based attacks.
An interesting twist in the trend of increasing global TCP-based attacks is a decrease in these types of attacks that occurred in June for the region. What’s even more intriguing is that as TCP attacks decreased, UDP attacks increased, and vice versa.
One theory (entirely conjecture) is that botnets can be expensive, take longer to establish, and are quicker to disappear as infrastructure is identified and taken offline. Furthermore, this could directly relate to botnets being redirected to attack targets outside North America, perhaps targeted at countries engaged in conflict. In late May, there appeared to be a critical mass in which TCP attacks reached a peak; however, we then witnessed a steady decline toward the end of Q2. It’s important to note that this observation isn’t shared across all regions or even globally.
From a global perspective, TCP-based attacks increased and appeared to plateau (without a decline) toward the end of Q2, while UDP attacks decreased after the start of the year. The following graph aggregates any TCP attack (TCP), ICMP attacks (ICMP), any DNS attacks (DNS), and all additional reflection/amplification attacks (UDP) into single entities to show prevalence. The chart highlights the decline at the tail end of the COVID-19 pandemic for attacks at large, as well as the consistency and increase of TCP-sourced attacks through Q2 2022.
NOTE: It should be noted that many attacks are multi-vector and will include both TCP and UDP or some other combination. The above graphic is intended to show proportionality of distinct vectors used in attacks.
WIRED TELECOMMUNICATIONS CARRIERS
As NETSCOUT revealed in 2H 2021, there was a significant decrease in attacks against wired telecommunications carriers—a trend that continued for the first six months of 2022, during which time an additional 14 percent decrease occurred in this sector. These attacks are targeted almost entirely against gamers in consumer wireline networks.
However, that reduction was largely offset by a 54 percent increase in attacks against data processing, hosting, and related services (think cloud). About half of that increase is attributable to TCP SYN, ACK, and RST floods, with UDP multivector attacks accounting for the remainder.
SATELLITE TELECOMMUNICATIONS CARRIERS
In addition to more attacks against the cloud, there was a notable uptick in attacks against satellite (18 percent increase) and wireless (12 percent increase) telecommunications providers. The increase in attacks against satellite providers likely was caused by politically motivated adversaries turning their attention to U.S.-based vendors that made their services available to areas engaged in international conflict. Also notable is the fact that most of the attacks against this sector were simple UDP floods—which accounted for two-thirds of the attacks—while TCP SYN made up the remainder. Although several hundred multivector attacks occurred, the overwhelming majority were single-vector UDP floods. Wireless providers, on the other hand, continue rolling out 5G networks in the region, and it stands to reason that we’ll continue to see increases in attacks with increased consumer and business adoption of 5G.
Another area of concern is an increase in attacks on elementary and secondary schools, which popped into the top 10 for the first time with a 95 percent increase. We know from past incidents that students will attack school systems, testing platforms, and even administrative systems to avoid going to school. However, that type of behavior generally has occurred at the collegiate or professional-school level.
In our last report, we explained that the barrier of entry into the DDoS attack business is virtually nonexistent: Anyone can purchase a DDoS attack—or in many cases obtain one for free—on the dark web. As such, it’s not surprising that attacks against primary schools largely took the form of UDP floods, DNS, and NTP, highlighting what appears to be a completely unique demographic of adversaries launching these attacks. A common denominator for all these vectors is that for every booter/stressor service NETSCOUT investigated, we likewise found a free attack tier (including these vectors) for anyone with a computer and access to the internet.
Seeing this trend move from professional schools and universities to primary schools is of concern, and schools should take steps to secure themselves against DDoS attacks. A study by the National Crime Agency’s National Cyber Crime Unit (NCCU) shows a 107 percent increase in reports to the police cyber prevention network concerning students as young as 9 years old deploying DDoS attacks from 2019 to 2020.
INTERNET PUBLISHING + BROADCASTING
One spot of good news is that we continued to see decreases in attacks that target industries such as internet publishing and broadcasting, as well as electronic shopping and mail-order houses. These industries were disproportionally targeted during the pandemic, when their use skyrocketed by keeping us sane (entertainment) and provisioned (online shopping).
Note: Industry data and attack counts are based on a sampling of our data and aligned to the North American Industry Code database, which often includes limited labeling in other regions.
Whether it’s changes in attack counts, vectors targeted, or types of attacks being used, defenders must be aware of every variation that takes place in their industry, against their organization, and on the global threat landscape. Doing so enables organizations to predict large-scale shifts in adversary behavior, strengthening the success of proactive adaptive DDoS defense measures and ensuring connectivity remains unaffected.