DDoS attack statistics and facts

Of the many types of criminal activity that occur on the web, few are more puzzling and difficult to prevent than distributed denial-of-service (DDoS) attacks. These attacks can bring down even the largest websites by overloading servers with more requests than they can handle. Unable to meet the demand of junk requests, servers crash and often require hours to restore.

Norton, in fact, calls DDoS attacks “one of the most powerful weapons on the internet”, and with good reason. Denial-of-service attacks can come at any time, impact any part of a website’s operations or resources, and lead to massive amounts of service interruptions and huge financial losses. DDoS attacks were once a thing of mischief, but data shows they’re increasingly becoming a tool to earn income for cybercriminals or cause disruption for political purposes.

Cloudflare noted a staggering increase in DDoS attacks in Q4 2021, which is a change from Q4 2020, when, according to Kaspersky Lab, these cyber attacks became less common. The drop in DDoS attacks observed in Q4 2020 was likely due to an abnormally high number of attacks earlier in the year, as more of us began working from home, combined with a pivot to cryptomining.

Below, we’ve laid out some major stats and facts that highlight how DDoS attacks are transforming and impacting the web.

See also: How to stop a DDoS attack

2018-2022 DDoS stats and facts

Here’s a round-up of some of the most telling DDoS attack statistics:

1. DDoS attacks are still on the rise

DDoS attacks have been steadily increasing in frequency over the past few years. According to a report from Cloudflare, ransom DDoS attacks increased by almost a third between 2020 and 2021 and jumped by 75% in Q4 2021 compared to the previous three months.

When the coronavirus pandemic forced us all online in Q2 of 2020, we witnessed a huge and long-lasting spike in the number of attacks. With large numbers of us still working at home and remotely, it’s no surprise that we’re still seeing a net increase.

2. Various DDoS attack types on the rise

According to Cloudflare, in Q4:

  • Ransom DDoS attacks increased by 29% year-on-year and 175% quarter-on-quarter.
  • The manufacturing industry received the most application-layer DDoS attacks, recording a 641% increase quarter-on-quarter in the number of attacks.
  • In December 2021 alone, there were more network-layer DDoS attacks than all the attacks seen in Q1 and Q2 of 2021 separately. Attacks coming from Moldova quadrupled quarter-on-quarter, making it the country with the highest percentage of network-layer DDoS activity.

3. Other data shows regionally-specific increases

Data from Yandex and Qrator Labs corroborates research from Cloudflare showing regionally-specific spikes in DDoS attacks:

  • In Q3 2021, a wave of large-scale DDoS attacks swept across New Zealand.
  • Ransom DDoS attacks on VoIP providers in Q3 affected companies in Britain, Canada, and the US.
  • In early and mid-July, threat actors flooded the resources of the security agencies of Russia and Ukraine with junk traffic.
  • In mid-August, attackers tried to stop users from accessing the web resources of the Philippine human rights organization Karapatan.
  • At the end of August, the website of Germany’s Federal Returning Officer was briefly targeted in connection with the September 26 elections to the Bundestag.

4. 2021 was another break-out year for DDoS

The amount of DDoS activity in 2021 was higher than in previous years. However, we’ve seen an influx of ultra-short attacks, and in fact, the average DDoS lasts under four hours, according to Securelist. These findings are corroborated by Cloudflare, which found that most attacks remain under one hour in duration. This reiterates the need for automated always-on DDoS mitigation strategies. That said, there have been multiple reported attacks lasting ten days or more, and longer attacks look to be becoming the norm.

On the plus side, more people are becoming aware of the threats these attacks pose. Although searches for “ddos” and “denial-of-service attack” remained relatively stable, they spiked in June 2020. The reason for this is simple: that’s when Amazon announced that it had shrugged off the largest DDoS attack ever reported.

ddos attack Google trends

5. DDoS-for-hire sites shut down in 2018, which may have resulted in a decrease in DDoS activity that year

In late 2018, the FBI took down a dozen DDoS-for-hire marketplaces, and in April 2018, Europol shut down Webstresser, the world’s largest marketplace for buying DDoS attacks. At the time it was shut down, Webstresser had over 130,000 registered users.

This activity may have been part of the decline in DDoS attacks witnessed in 2018. However, current data shows that the number of DDoS-for-hire websites bounced back in 2019, which might also play a role in the large increase in DDoS activity in 2019.

6. The longest DDoS attack in history occurred in 2019

Back in 2018, a DDoS attack shattered existing records by flooding their target’s systems with data for 329 hours, or nearly 2 weeks. In Q2 of 2019, though, Kaspersky analyzed commands sent to DDoS networks and discovered an even longer attack, one that had lasted 509 hours.

7. Current data shows most DDoS attacks are decreasing in power

Research shows that the average DDoS attack in Q3 2021 used 4.31 Gbps of data, which is more than enough to scuttle most small-to-medium-sized websites. This number is very close to the average attack bandwidth for Q4 of 2020, which was 4.47 Gbps, but is significantly lower than the Q1 2021 metric of 9.15 Gbps.

8. Data also shows DDoS attackers shifting to repeated, short-lived attacks

Even so, DDoS attacks are becoming less about prolonged attacks and more about attack size and frequency. Nearly 98% of network-layer DDoS attacks in Q4 2021 lasted under an hour. However, Cloudflare warns that these short burst attacks are often used to test the victim’s defenses.

9. Attacks serving over 100 GB/s of data increased 967 percent between 2019 and 2020

Amazon revealed that in Q1 of 2020, it was forced to counter a 2.3 Tbps DDoS attack. This is important for several reasons; first, it’s the largest recorded attack in history, almost four times the throughput of the previous record-holder (587 GB/s).

Also noteworthy is the fact that attacks above 100 GB/s continue to rise, even after a stunning 967 percent growth in 2019 versus 2018. The same year, attacks between 50 GB/s and 100 GB/s also increased 567 percent.

DDoS attacks facts and stats 2019
Source: Neustar

10. DDoS attackers are now using multi-vector attacks more frequently

The methods used to create DDoS attacks are also changing. More than 20% of attackers are using multi-vector DDoS attacks, combining different DDoS attack methods into one, short attack, and then repeating again soon after. In fact, according to Link11, in 2020, one attack used 14 different vectors!

This was an outlier, but we’ve seen this shift play out for years now. Around 52 percent of all attacks in Q1 2019 used 2 or more vectors, with 47% of these using 3 vectors. For contrast, around 11 percent of attacks in 2018 used multi-vector methods, and just 8.9 percent in 2017.

This tactic continues to increase in frequency. In Q3 2021, 78% of DDoS attacks were multi-vector attacks combining several techniques. This is an increase from 62% in Q2 2021.

11. SYN attacks are now the most common form of DDoS attack

SYN attacks most common form of DDoS

UDP attacks were no longer the most common individual form of attack in 2020, having been nearly forgotten in favor of SYN attacks. Mixed-method attacks were the largest type of DDoS attack overall, however, and typically involved HTTPS floods and mixed attacks with HTTP elements. In Q3 2021, most DDoS attacks continue to take the form of SYN flooding.

12. Few attacks completely saturate a network’s uplinks

Additionally, a majority of DDoS attacks do not completely saturate uplinks. Corero found that only 0.6 percent of DDoS attacks reached “full pipe” uplink saturation, which is defined as more than 95 percent of usage in the uplink. Of those that reached saturation levels, most (around 95 percent) lasted less than 10 minutes.

13. Credential stuffing attacks are now on cybersecurity radars

Finally, not all DDoS attacks are designed to crash servers. A new type of attack, credential stuffing, is currently targeting many different sites, especially video game services. In this attack, hackers test a load of credentials against their database to verify stolen account information. Although not a DDoS attack strictly by definition, credential stuffing can increase traffic volume on a site and have a similar impact to a DDoS attack. (Source: Neustar)

See also: DoS vs DDoS attacks

14. Despite their distributed nature, DDoS attacks are geographically concentrated

DDoS attacks quite often utilize botnets to send massive amounts of traffic to a single server to overload it with requests. Over 12 million “DDoS weapons”, or infected IP addresses across the world, are currently being used as part of DDoS attacks. The Mirai malware and its many variants are currently the most popular malware used to create botnets for DDoS attacks, although others do exist as well.

15. China is a botnet hub

According to Spamhaus, the country with the most botnets is China, with over 820,000 bots. India is the second-worst, with a little over 800,000 bots, followed by Iran, which has around 400,000.

Some autonomous system number (ASN) operators—mostly ISPs—also have larger numbers of infected IP addresses due to extensive botnet malware. However, which ASN operators are most impacted is more difficult to determine. Spamhaus identifies the top 5 impacted ASN operators as:

  • China Telecom / ChinaNet (China)
  • Bharti Airtel Ltd. AS for GPRS Service (India)
  • China Unicorn (China)
  • Iran Telecommunication Company PJS (Iran)
  • Telecom Algeria (Algeria)

Meanwhile, A10 Networks writes that the top 5 ASNs with infected IP addresses are:

  • China Telecom
  • Charter Communications (US)
  • Korea Telecom
  • China Unicorn CN
  • Chungwha Telecom  (China)

DDoS attacks can be launched from anywhere, however, regardless of where the infected computers exist. As one might expect, most DDoS attacks also tend to originate primarily from a select few countries.

16. Hackers in China launch the most DDoS attacks, followed by those in the US and Russia

The majority of DDoS attacks are launched from:

  • China
  • The US
  • Korea
  • Russia
  • India
DDoS weapons by region
Source: A10 Networks DDoS Threat Intelligence Map

17. DDoS records were broken multiple times in the last four years

The security news world went into a frenzy in 2018 after the largest DDoS attack record was broken not just once, but twice in less than one week. The second-largest DDoS attack on record occurred in March 2018 against Github, with a registered 1.3 Terabytes per second (TB/s) of data sent toward GitHub’s servers. The site effectively mitigated the attack.

Amazon also reported suffering the largest DDoS attack on record in Q1 2020. The company successfully managed to mitigate more than 2 Tbps of data, a feat that would be all but impossible for almost any smaller business.

These large-scale attacks have continued since 2018. In 2021, Cloudflare said it blocked a DDoS attack that peaked at just under 2 Tbps, making it one of the largest ever recorded. Also occurring last year, in October, Microsoft successfully defended European Azure cloud users against a 2.4 Tbps DDoS attack, and then in November, it mitigated an attack with a throughput of 3.47 Tbps. The latter is believed to be the largest attack ever reported in history.

18. DDoS attacks are getting more expensive for victims

The costs associated with these attacks are mounting, as well. A Corero survey found DDoS attacks can cost enterprise organizations $50,000 in lost revenue from downtime and mitigation costs. Nearly 70 percent of surveyed organizations experience 20-50 DDoS attacks per month. Although most DDoS attacks don’t succeed, even a few successful attacks can result in hundreds of thousands of dollars in lost revenue per month.

Over 75 percent of businesses surveyed by Corero believe a loss of customer confidence is the worst result from DDoS attacks. That confidence loss can lead customers to flee to competitors, making the overall financial impact completely difficult to determine.

19. Resources in the United States were the most frequent target for DDoS attacks in Q1 2022

Kaspersky’s Securelist blog reports that the US suffered 44.34% of all reported DDoS attacks in Q1 2022. It was closely followed by China and Germany, which were hit by 9.96% and 4.85% of reported attacks in the same period.

Kaspersky geographic DDos stats Q1 2022
Source: Kaspersky

20. Kaspersky detected 91,052 DDoS attacks in Q1 2022

Kaspersky continued, stating its intelligence system picked up an average of 1,406 daily attacks in January and February 2022. The worst day of attacks was January 19th, 2022, when it identified 2,250 attacks.

Kaspersky Q1 2022 DDoS attack dynamics
Source: Kaspersky

21. The average attack duration in Q1 2022 is similar to Q4 2021

At just under two hours, the duration and type of attack remain unchanged in Q1 2022 versus Q4 2021, Kaspersky reports. However, it saw an increase in very short attacks (94.95%) and long attacks (those lasting over 140 hours) at 0.03%.

Kaspersky Q1 2022 DDoS attack duration
Source: Kaspersky

22. Ransom DDoS attacks decreased by 28% in Q1 2022

As explained earlier in this article, Cloudflare reported a 75% increase in ransom DDoS attacks in Q4 2021. That figure has now dropped from reports of one in five respondents receiving a ransom letter to one in ten. January 2022 has the most significant number of customers who received a ransom letter (17%).

Clouflare DDoS attack trends Q1 2022 ransom DDoS
Source: Cloudflare

23. Consumer electronics was the hardest-hit industry in Q1 2022

Cloudflare’s report continued, stating the consumer electronics industry suffered the highest number of application-level DDoS attacks with a 5,086% QoQ increase. The online media industry came second with a 2,131% QoQ increase in attacks.

Clouflare DDoS attack trends Q1 2022 by industry
Source: Cloudflare

Notable 2018-2022 DDoS attack examples and news

The number of websites impacted by DDoS attacks is on the rise. As “DDoS-for-hire” marketplaces proliferate, it’s now easier than ever for just about anyone to pay cybercriminals to disrupt a website’s operations.

January 2022

  • North Korea’s internet was downed by DDoS attacks, with the incident lasting for about six hours. At the height of the attack, all traffic to and from North Korea was taken down.

December 2021

November 2021

  • Microsoft mitigates a DDoS attack peaking at 3.47 Tbps, with a packet rate of 340 million packets per second (pps), targeting an Azure customer in Asia. This is believed to be the largest such attack ever reported.

May 2021

  • More than 200 Belgian organizations, including colleges, research centers, and the country’s parliament, are targeted by a massive DDoS attack. Allegedly, this was the largest-scale attack the country has seen, completely saturating the government-funded Belnet ISP’s network.

June 2020

  • It is revealed that Amazon has successfully mitigated the largest DDoS attack ever recorded, with an incredible 2.3 Tbps throughput.

July 2019

  • After launching his first major DDoS attack against video game servers back in 2013, 23-year-old Austin Thompson, also known as “DerpTrolling”, was sentenced to 27 months in prison. Thompson was initially arrested in 2014 after he was doxed. He later pleaded guilty to the Christmas-time DDoS attacks in 2018. (Source: US Department of Justice)
  • Security company Imperva announced the largest Layer 7 DDoS the company had ever witnessed come against one of its customers in the video streaming industry. The attack, which was launched primarily from Brazil, utilized a botnet comprised of 400,000 IoT device IPs in the attack, which lasted for nearly two weeks. (Source: Imperva)

June 2019

  • Telegram was hit by a large DDoS attack which the service’s founder, Pavel Durov, suggests was designed to target Telegram during massive protests in Hong Kong. Telegram did not say how large the attack was, but Durov described it as a “state-actor sized” attack, which he stated served 200-400 Gigabytes per second (Gb/s) of junk data. (Source: Security Boulevard)

January 2019

  • In January 2019, a Connecticut man was given a 10-year prison sentence for several DDoS attacks carried out against hospitals in 2014. He was also ordered to pay over $440,000 in restitution. (Source: Boston Globe)
  • Two men allegedly part of the hacker collective Apophis Squad were charged with instituting multiple DDoS attacks, including a weeklong attack on encrypted email service ProtonMail. (Source: Court House News)
  • A British hacker was jailed for three years in January 2019 after being charged with launching a DDoS attack against Liberian telecom Lonestar in 2015 and 2016. The hacker was hired by an employee from one of Lonestar’s competitors, Cellcom. The attacks were powerful enough to knock out internet access across the entire country and resulted in a loss of millions of dollars for Lonestar. (Source: CNN)

October 2018

  • In October 2018, the then 22-year-old co-author of the Mirai botnet malware was sentenced to six months home confined, 2,500 hours of community service, and ordered to pay $8.6 million in restitution after repeatedly targeting Rutgers University with DDoS attacks. (Source: Krebs on Security)
  • In October 2018, Ubisoft’s Uplay service experienced a DDoS attack that disrupted operations for several hours. (Source: Newsweek)

August 2018

  • The Bank of Spain was hit with a DDoS attack in August 2018 that took it offline for several hours. (Source: Bank Info Security)

May 2018

  • In May 2018, the cryptocurrency Verge experienced a DDoS attack that allowed the hacker to acquire $35 million XVG (a cryptocurrency), or $1.75 million based on exchange rates at that time. (Source: Bitcoin Magazine)

January 2018

  • The National Tax Office in the Netherlands was sent offline for 5-10 minutes in January 2018 after a DDoS attack of unspecified size. (Source: Reuters)

DDoS terminology

Digging through DDoS facts might require brushing up on a few key terms. Distributed denial-of-service attacks are highly technical, and you may encounter some unfamiliar terminology while reviewing the latest stats.

  • Denial-of-service attack: An attack on a website that sends an overload of traffic (requests) to a web server. A distributed denial of service attack (DDoS) uses multiple compromised computer systems to increase the number of requests that can be made to a server at one time, making server overloads easier to accomplish and more difficult to prevent.
  • Amplification: A term used to describe a DDoS attack where the number of requests made to a target’s server is multiplied beyond the original request. There are several ways attackers can do this, including DNS amplification, UDP amplification, and ICMP amplification (Smurf Attack).
  • Botnet: A network of computers infected and remotely controlled through a virus or malware program, that is used to make the requests to servers in a DDoS attack.
  • Memcached: A distributed memory caching system popularly used in DDoS attacks.
  • Mirai: Malware created to target Linux-based IoT devices, including home security cameras and routers. Mirai and its many variants are currently among the most-used malware to create DDoS botnets.
  • Gigabytes-per-second and Terabytes-per-second: A measurement of how much data is sent to servers in a DDoS attack, typically denotated as GB/s or TB/s.
  • Saturation: A term used for the amount of volume sent to a server during a DDoS attack. Supersaturation occurs when all of a system’s resources are filled with requests from the DDoS attack, completely shutting down the system, while sub-saturation refers to small DDoS attacks that can negatively impact system performance and resources but are not nearly large enough to shut down a server completely. Sub-saturating attacks are increasingly common, often go undetected, and are commonly used as a “smokescreen” for larger attacks.