DDoS attack statistics and facts

Of the many types of criminal activity that occur on the web, few are more puzzling and difficult to prevent than distributed denial-of-service (DDoS) attacks. These attacks can bring down even the largest websites by overloading servers with more requests than they can handle. Unable to meet the load of junk requests, servers crash and often require hours to restore.

Norton, in fact, calls DDoS attacks “one of the most powerful weapons on the internet”, and with good reason. Denial-of-service attacks can come at any time, impact any part of a website’s operations or resources, and lead to massive amounts of service interruptions and huge financial losses.DDoS attacks were once a thing of mischief, but data shows they’re increasingly becoming a tool to earn income for cybercriminals or cause disruption for political purposes.

DDoS attacks may have become less common in Q4 2020, according to Kaspersky Lab, but this is likely due to an abnormally high number of attacks earlier in the year, as more of us began working from home, combined with a pivot to cryptomining.

Below, we’ve laid out some major stats and facts that highlight how DDoS attacks are transforming and impacting the web.

See also: How to stop a DDoS attack

2018-2021 DDoS stats and facts

Here’s a round-up of some of the most telling DDoS attack statistics:

1. DDoS attacks are still on the rise

DDoS attacks have been steadily increasing in frequency over the past few years, and Q4 of 2020 saw a roughly 10% increase over 2019. At first glance, this may appear to be a success, given the reduction from the previous quarter. However, when the coronavirus pandemic forced us all online in Q2 of 2020, we witnessed a huge and long-lasting spike in the number of attacks, so really, we’re still seeing a net increase.

2. Various DDoS attack types on the rise

According to F5’s 2020 DDoS Attack Trends report, infrastructure layer attacks accounted for 73% of all incidents, with 53% relying on a reflection-based attack. Meanwhile, protocol attacks and application-layer attacks accounted for 23% and 16%, respectively.

Note that these numbers add up to more than 100%; this is because most modern attacks use multiple vectors, as we’ll see later.

3. Other data shows mixed declines and regionally-specific increases

Securelist corroborates the news of a 10% increase in Q4 of 2020 vs 2019. This is notable because we were already on an upward trend, with almost twice as much DDoS activity in 2019 versus 2018.

Europeans continued to struggle with higher attack volumes too, with attacks of 50 Gbps becoming far more common. This has been a problem for many years; the average DDoS attack volume increased 192 percent in 2018 compared to 2017.

4. 2020 was another break-out year for DDoS

The amount of DDoS activity in 2020 is currently trending higher than in previous years. However, we’ve seen an influx of ultra-short attacks, and in fact, the average DDoS lasts under four hours. That said, there have been multiple reported attacks lasting ten days or more, and longer attacks look to be becoming the norm.

The number of DDoS attacks over 100 GB/s in volume increased 776 percent in Q1 2020.

On the plus side, more people are becoming aware of the threats these attacks pose. Although searches for “ddos” and “denial-of-service attack” remained relatively stable, they spiked in June 2020. The reason for this is simple: that’s when Amazon announced that it had shrugged off the largest DDoS attack ever reported.

ddos attack Google trends

5. DDoS-for-hire sites shut down in 2018, which may have resulted in a decrease in DDoS activity that year

In late 2018, the FBI took down a dozen DDoS-for-hire marketplaces, and in April 2018, Europol shut down Webstresser, the world’s largest marketplace for buying DDoS attacks. At the time it was shut down, Webstresser had over 130,000 registered users.

This activity may have been part of the decline in DDoS attacks witnessed in 2018. However, current data shows that the number of DDoS-for-hire websites bounced back in 2019, which might also play a role in the large increase in DDoS activity in 2019.

6. The longest DDoS attack in history occurred in 2019

Back in 2018, a DDoS attack shattered existing records by flooding their target’s systems with data for 329 hours, or nearly 2 weeks. In Q2 of 2019, though, Kaspersky analyzed commands sent to DDoS networks and discovered an even longer attack, one that had lasted 509 hours.

7. Current data shows most DDoS attacks are increasing in power

Research shows that the average DDoS attack in 2020 uses more than 1 Gbps of data, which is more than enough to scuttle most small-to-medium-sized websites. Further, we’ve seen a significant increase in the average length, with most attacks now lasting 30 minutes to an hour, instead of ten minutes or less as in previous years.

8. Data also shows DDoS attackers shifting to repeated, short-lived attacks

Even so, DDoS attacks are becoming less about prolonged attacks and more about attack size and frequency. Over 90 percent of DDoS attacks in Q1 2021 lasted less than four hours. However, Cloudflare warns that these short burst attacks are often used to test the victim’s defenses.

9. Attacks serving over 100 GB/s of data increased 967 percent between 2019 and 2020

Amazon revealed that in Q1 of 2020, it was forced to counter a 2.3 Tbps DDoS attack. This is important for several reasons; first, it’s the largest recorded attack in history, almost four times the throughput of the previous record-holder (587 GB/s).

Also noteworthy is the fact that attacks above 100 GB/s continue to rise, even after a stunning 967 percent growth in 2019 versus 2018. The same year, attacks between 50 GB/s and 100 GB/s also increased 567 percent.

DDoS attacks facts and stats 2019
Source: Neustar

10. DDoS attackers are now using multi-vector attacks more frequently

The methods used to create DDoS attacks are also changing. More than 20% of attackers are using multi-vector DDoS attacks, combining different DDoS attack methods into one, short attack, and then repeating again soon after. In fact, according to Link11, in 2020, one attack used 14 different vectors!

This was an outlier, but we’ve seen this shift play out for years now. Around 52 percent of all attacks in Q1 2019 used 2 or more vectors, with 47% of these using 3 vectors. For contrast, around 11 percent of attacks in 2018 used multi-vector methods, and just 8.9 percent in 2017.

11. SYN attacks are now the most common form of DDoS attack

SYN attacks most common form of DDoS

UDP attacks were no longer the most common individual form of attack in 2020, having been nearly forgotten in favor of SYN attacks. Mixed-method attacks were the largest type of DDoS attack overall, however, and typically involved HTTPS floods and mixed attacks with HTTP elements.

12. Few attacks completely saturate a network’s uplinks

Additionally, a majority of DDoS attacks do not completely saturate uplinks. Corero found that only 0.6 percent of DDoS attacks reached “full pipe” uplink saturation, which is defined as more than 95 percent of usage in the uplink. Of those that reached saturation levels, most (around 95 percent) lasted less than 10 minutes.

13. Credential stuffing attacks are now on cybersecurity radars

Finally, not all DDoS attacks are designed to crash servers. A new type of attack, credential stuffing, is currently targeting many different sites, especially video game services. In this attack, hackers test a load of credentials against their database to verify stolen account information. Although not a DDoS attack strictly by definition, credential stuffing can increase traffic volume on a site and have a similar impact to a DDoS attack. (Source: Neustar)

See also: DoS vs DDoS attacks

14. Despite their distributed nature, DDoS attacks are geographically concentrated

DDoS attacks quite often utilize botnets to send massive amounts of traffic to a single server to overload it with requests. Over 12 million “DDoS weapons”, or infected IP addresses across the world, are currently being used as part of DDoS attacks. The Mirai malware and its many variants are currently the most popular malware used to create botnets for DDoS attacks, although others do exist as well.

15. China and the US are botnet hubs

According to Spamhaus, the country with the most botnets is China, with over 820,000 bots. India is the second-worst, with a little over 800,000 bots, followed by Iran, which has around 400,000.

Some autonomous system number (ASN) operators—mostly ISPs—also have larger numbers of infected IP addresses due to extensive botnet malware. However, which ASN operators are most impacted is more difficult to determine. Spamhaus identifies the top 5 impacted ASN operators as:

  • China Telecom / ChinaNet (China)
  • Bharti Airtel Ltd. AS for GPRS Service (India)
  • China Unicorn (China)
  • Iran Telecommunication Company PJS (Iran)
  • Telecom Algeria (Algeria)

Meanwhile, A10 Networks writes that the top 5 ASNs with infected IP addresses are:

  • China Telecom
  • Charter Communications (US)
  • Korea Telecom
  • China Unicorn CN
  • Chungwha Telecom  (China)

DDoS attacks can be launched from anywhere, however, regardless of where the infected computers exist. As one might expect, most DDoS attacks also tend to originate primarily from a select few countries.

16. Hackers in China launch the most DDoS attacks, followed by those in the US and Russia

The majority of DDoS attacks are launched from:

  • China
  • The US
  • Korea
  • Russia
  • India
DDoS weapons by region
Source: A10 Networks DDoS Threat Intelligence Map

17. DDoS records were broken multiple times in the last three years

The security news world went into a frenzy in 2018 after the largest DDoS attack record was broken not just once, but twice in less than one week. The second-largest DDoS attack on record occurred in March 2018 against Github, with a registered 1.3 Terabytes per second (TB/s) of data sent toward GitHub’s servers. The site effectively mitigated the attack.

Amazon also reported suffering the largest DDoS attack on record. The company successfully managed to mitigate more than 2 Tbps of data, a feat that would be all but impossible for almost any smaller business.

18. DDoS attacks are getting more expensive for victims

The costs associated with these attacks are mounting, as well. A Corero survey found DDoS attacks can cost enterprise organizations $50,000 in lost revenue from downtime and mitigation costs. Nearly 70 percent of surveyed organizations experience 20-50 DDoS attacks per month. Although most DDoS attacks don’t succeed, even a few successful attacks can result in hundreds of thousands of dollars in lost revenue per month.

Over 75 percent of businesses surveyed by Corero believe a loss of customer confidence is the worst result from DDoS attacks. That confidence loss can lead customers to flee to competitors, making the overall financial impact completely difficult to determine.

Notable 2018-2021 DDoS attack examples and news

The number of websites impacted by DDoS attacks is on the rise. As “DDoS-for-hire” marketplaces proliferate, it’s now easier than ever for just about anyone to pay cybercriminals to disrupt a website’s operations.

May 2021

  • More than 200 Belgian organizations, including colleges, research centers, and the country’s parliament, are targeted by a massive DDoS attack. Allegedly, this was the largest-scale attack the country has seen, completely saturating the government-funded Belnet ISP’s network.

June 2020

  • It is revealed that Amazon has successfully mitigated the largest DDoS attack ever recorded, with an incredible 2.3 Tbps throughput.

July 2019

  • After launching his first major DDoS attack against video game servers back in 2013, 23-year-old Austin Thompson, also known as “DerpTrolling”, was sentenced to 27 months in prison. Thompson was initially arrested in 2014 after he was doxed. He later pleaded guilty to the Christmas-time DDoS attacks in 2018. (Source: US Department of Justice)
  • Security company Imperva announced the largest Layer 7 DDoS the company had ever witnessed come against one of its customers in the video streaming industry. The attack, which was launched primarily from Brazil, utilized a botnet comprised of 400,000 IoT device IPs in the attack which lasted for nearly two weeks. (Source: Imperva)

June 2019

  • Telegram was hit by a large DDoS attack which the service’s founder, Pavel Durov, suggests was designed to target Telegram during massive protests in Hong Kong. Telegram did not say how large the attack was, but Durov described it as a “state-actor sized” attack, which he stated served 200-400 Gigabytes per second (Gb/s) or junk data. (Source: Security Boulevard)

January 2019

  • In January 2019, a Connecticut man was given a 10-year prison sentence for several DDoS attacks carried out against hospitals in 2014. He was also ordered to pay over $440,000 in restitution. (Source: Boston Globe)
  • Two men allegedly part of the hacker collective Apophis Squad were charged with instituting multiple DDoS attacks, including a weeklong attack on encrypted email service, ProtonMail. (Source: Court House News)
  • A British hacker was jailed for three years in January 2019 after being charged with launching a DDoS attack against Liberian telecom Lonestar in 2015 and 2016. The hacker was hired by an employee from one of Lonestar’s competitors, Cellcom. The attacks were powerful enough to knock out internet access across the entire country and resulted in a loss of millions of dollars for Lonestar. (Source: CNN)

October 2018

  • In October 2018, the then 22-year-old co-author of the Mirai botnet malware was sentenced to six months home confined, 2,500 hours of community service, and ordered to pay $8.6 million in restitution after repeatedly targeting Rutgers University with DDoS attacks. (Source: Krebs on Security)
  • In October 2018, Ubisoft’s Uplay service experienced a DDoS attack that disrupted operations for several hours. (Source: Newsweek)

August 2018

  • The Bank of Spain was hit with a DDoS attack in August 2018 that took it offline for several hours. (Source: Bank Info Security)

May 2018

  • In May 2018, the cryptocurrency Verge experienced a DDoS attack that allowed the hacker to acquire $35 million XVG (a cryptocurrency), or $1.75 million based on exchange rates at that time. (Source: Bitcoin Magazine)

January 2018

  • The National Tax Office in the Netherlands was sent offline for 5-10 minutes in January 2018 after a DDoS attack of unspecified size. (Source: Reuters)

DDoS terminology

Digging through DDoS facts might require brushing up on a few key terms. Distributed denial-of-service attacks are highly technical, and you may encounter some unfamiliar terminology while reviewing the latest stats.

  • Denial-of-service attack: An attack on a website that sends an overload of traffic (requests) to a web server. A distributed denial of service attack (DDoS) uses multiple compromised computer systems to increase the number of requests that can be made to a server at one time, making server overloads easier to accomplish and more difficult to prevent.
  • Amplification: A term used to describe a DDoS attack where the number of requests made to a target’s server is multiplied beyond the original request. There are several ways attackers can do this, including DNS amplification, UDP amplification, and ICMP amplification (Smurf Attack).
  • Botnet: A network of computers, typically infected with and controlled maliciously through a virus or malware program, that is used to make the requests to servers in a DDoS attack.
  • Memcached: A distributed memory caching system popularly used in DDoS attacks.
  • Mirai: Malware created to target Linux-based IoT devices, including home security cameras and routers. Mirai and its many variants are currently among the most-used malware to create DDoS botnets.
  • Gigabytes-per-second and Terabytes-per-second: A measurement of how much data is sent to servers in a DDoS attack, typically denotated as GB/s or TB/s.
  • Saturation: A term used for the amount of volume sent to a server during a DDoS attack. Supersaturation occurs when all of a system’s resources are filled with requests from the DDoS attack, completely shutting down the system, while sub-saturation refers to small DDoS attacks that can negatively impact system performance and resources but are not nearly large enough to shut down a server completely. Sub-saturating attacks are increasingly common, often go undetected, and are commonly used as a “smokescreen” for larger attacks.