DDoS statistics and facts

Of the many types of criminal activity that occur on the web, few are more puzzling and difficult to prevent than distributed denial-of-service (DDoS) attacks. These attacks can bring down even the largest websites by overloading servers with more requests than they can handle. Unable to meet the load of junk requests, servers crash and often require hours to restore.

Norton, in fact, calls DDoS attacks “one of the most powerful weapons on the internet”, and with good reason. Denial-of-service attacks can come at any time, impact any part of a website’s operations or resources, and lead to massive amounts of service interruptions and huge financial losses.

DDoS attacks were once a thing of mischief, but data shows they’re increasingly becoming a tool to earn income for cybercriminals or cause disruption for political purposes. DDoS attacks are also on the rise, according to a Q1 2019 report from Kaspersky Lab, and they’re getting more complex.

Below, we’ve laid out some major stats and facts that highlight how DDoS attacks are transforming and impacting the web.

2018-2020 DDoS stats and facts

Here’s a round-up of some of the most telling DDoS attack statistics:

1. DDoS attacks are on the rise

DDoS attacks have been steadily increasing in frequency over the past few years. For example, the number of DDoS attacks in summer 2018 was 16 percent higher than in 2017. However, with the COVID-19 pandemic forcing our school, work, and social lives online, they’ve grown more significantly than normal. In fact, there were almost twice as many DDoS attacks in Q1 2020 as there were in Q1 2019.

2. Various DDoS attack types on the rise

According to Akamai, infrastructure layer attacks increased 16 percent, reflection-based attacks increased 4 percent, and application-layer attacks increased 38 percent.

3. Other data shows mixed declines and regionally-specific increases

There was 13 percent less DDoS activity in 2018 versus 2017. And in Europe, the average DDoS attack volume increased 192 percent in 2018 compared to 2017. Average attack volumes on the continent increased from 1.7 GB/s to 4.9 GB/s, and the proportion of multi-vector attacks in Europe rose from 34 percent to 59 percent in 2018.

4. 2020 is another break-out year for DDoS

The amount of DDoS activity in 2020 is currently trending higher than in previous years. Further, the average attack now lasts 24% longer, and the maximum attack length has jumped by 264%. The number of DDoS attacks over 100 GB/s in volume increased 776 percent in Q1 2020.

On the plus side, more people are becoming aware of the threats these attacks pose. In fact, in the first six months of 2019, the number of searchable web pages covering “denial of service attacks” surpassed the total number of results in all of 2018.

[Figure: DDoS attack stats and facts. Source: Bing]

5. DDoS-for-hire sites shut down in 2018, which may have resulted in a decrease in DDoS activity that year

In late 2018, the FBI took down a dozen DDoS-for-hire marketplaces, and in April 2018, Europol shut down Webstresser, the world’s largest marketplace for buying DDoS attacks. At the time it was shut down, Webstresser had over 130,000 registered users.

This activity may have been part of the decline in DDoS attacks witnessed in 2018. However, current data shows that the number of DDoS-for-hire websites bounced back in 2019, which might also play a role in the large increase in DDoS activity in 2019.

See also: How to stop a DDoS attack

6. The longest DDoS attack in history occurred in 2019

Back in 2018, a DDoS attack shattered existing records by flooding its target’s systems with data for 329 hours, or nearly 2 weeks. In Q2 of 2019, though, Kaspersky analyzed commands sent to DDoS networks and discovered an even longer attack, one that had lasted 509 hours.

7. Current data shows most DDoS attacks are increasing in power

Research shows that the average DDoS attack in 2020 uses more than 1 Gbps of data, which is more than enough to scuttle most small-to-medium-sized websites. Further, we’ve seen a significant increase in the average length, with most attacks now lasting 30 minutes to an hour, instead of ten minutes or less as in previous years.

8. Data also shows DDoS attackers shifting to repeated, short-lived attacks

Even so, DDoS attacks are becoming less about prolonged attacks and more about attack size and frequency. Over 80 percent of DDoS attacks in 2018 lasted less than 10 minutes, but 20 percent of DDoS victims are attacked again within 24 hours. As well, the size of DDoS attacks increased 73 percent in Q1 2019 versus Q1 2018.

[Figure: DDoS attacks facts and stats 2019. Source: Neustar]

9. Attacks serving over 100 GB/s of data increased 967 percent between 2019 and 2020

Amazon revealed that in Q1 of 2020, it was forced to counter a 2.3 Tbps DDoS attack. This is important for several reasons; first, it’s the largest recorded attack in history, almost four times the throughput of the previous record-holder (587 GB/s).

Also noteworthy is the fact that attacks above 100 GB/s continue to rise, even after a stunning 967 percent growth in 2019 versus 2018. The same year, attacks between 50 GB/s and 100 GB/s also increased 567 percent.

[Figure: DDoS attacks facts and stats 2019. Source: Neustar]

10. DDoS attackers are now using multi-vector attacks more frequently

The methods used to create DDoS attacks are also changing. A growing number of attackers are using multi-vector DDoS attacks, combining different DDoS attack methods into one short attack and then repeating it soon after. Around 77 percent of all attacks in Q1 2019 used 2 or more vectors, with 44 percent using 3 vectors, while around 11 percent of attacks in 2018 used multi-vector methods, versus 8.9 percent in 2017.

11. SYN attacks are now the most common form of DDoS attack

UDP attacks were no longer the most common individual form of attack in 2020, having been nearly forgotten in favor of SYN attacks. Mixed-method attacks were the largest type of DDoS attack overall, however, and typically involved HTTPS floods and mixed attacks with HTTP elements.

12. Few attacks completely saturate a network’s uplinks

Additionally, a majority of DDoS attacks do not completely saturate uplinks. Corero found that only 0.6 percent of DDoS attacks reached “full pipe” uplink saturation, which is defined as more than 95 percent of usage in the uplink. Of those that reached saturation levels, most (around 95 percent) lasted less than 10 minutes.
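To make the “full pipe” definition above and the short, repeated attacks from item 8 concrete, here is an added example (not code from Corero, Neustar, or this article) that groups one-minute uplink utilization samples into saturation episodes and flags short and repeat episodes. The 95 percent, 10 minute, and 24 hour figures come from the page; the sample data, the function names, and the `gap` tolerance are assumptions made for illustration.

```python
from dataclasses import dataclass

FULL_PIPE = 0.95         # page: "full pipe" is more than 95 percent of uplink usage
SHORT_MINUTES = 10       # page: most saturating attacks last less than 10 minutes
REPEAT_WINDOW = 24 * 60  # page: repeat attacks within 24 hours, in minutes

@dataclass
class Episode:
    start: int            # minute of the first saturated sample
    minutes: int          # length of the episode, bridged dips included
    peak: float           # highest utilization seen in the episode
    repeat: bool = False  # began within 24 hours of the previous episode

def full_pipe_episodes(samples, gap=2):
    """Group one-minute (minute, utilization) samples into saturation episodes."""
    # `gap` (assumed): below-threshold minutes that may be bridged in one episode.
    episodes = []
    for minute, util in sorted(samples):
        if util <= FULL_PIPE:  # exactly 95 percent is not "more than"
            continue
        last = episodes[-1] if episodes else None
        last_end = last.start + last.minutes - 1 if last else None
        if last and minute - last_end <= gap + 1:
            last.minutes = minute - last.start + 1
            last.peak = max(last.peak, util)
        else:
            repeat = last is not None and minute - last_end < REPEAT_WINDOW
            episodes.append(Episode(minute, 1, util, repeat))
    return episodes

def summarize(episodes):
    return {
        "episodes": len(episodes),
        "under_10_min": sum(e.minutes < SHORT_MINUTES for e in episodes),
        "repeats_within_24h": sum(e.repeat for e in episodes),
        "longest_minutes": max((e.minutes for e in episodes), default=0),
    }

def constructed_samples():
    """Constructed utilization data (fraction of uplink capacity per minute)."""
    data = {m: 0.40 for m in range(600)}             # quiet baseline
    data.update({m: 0.97 for m in range(100, 104)})  # burst, minutes 100-103
    data.update({m: 0.99 for m in (105, 106)})       # resumes after a dip at 104
    data.update({m: 0.96 for m in range(400, 415)})  # second burst, 15 minutes
    data[500] = 0.95                                 # at the threshold, not above it
    return list(data.items())

if __name__ == "__main__":
    print(summarize(full_pipe_episodes(constructed_samples())))
```
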

13. Credential stuffing attacks are now on cybersecurity radars

Finally, not all DDoS attacks are designed to crash servers. A new type of attack, credential stuffing, is currently targeting many different sites, especially video game services. In this attack, hackers test a load of credentials against their database to verify stolen account information. Although not a DDoS attack strictly by definition, credential stuffing can increase traffic volume on a site and have a similar impact to a DDoS attack. (Source: Neustar)

See also: DoS vs DDoS attacks

14. Despite their distributed nature, DDoS attacks are geographically concentrated

DDoS attacks quite often utilize botnets to send massive amounts of traffic to a single server to overload it with requests. Over 20 million “DDoS weapons”, or infected IP addresses across the world, are currently being used as part of DDoS attacks. The Mirai malware and its many variants are currently the most popular malware used to create botnets for DDoS attacks, although others do exist as well.

15. India and China are botnet hubs

According to Spamhaus, the country with the most botnets is India, with over 2,345,000 bots. China is the second-worst with over 1.4 million bots. Some autonomous system number (ASN) operators—mostly ISPs—also have larger numbers of infected IP addresses due to extensive botnet malware. However, which ASN operators are most impacted is more difficult to determine. Spamhaus identifies the top 5 impacted ASN operators as:

  • No.31/Jin-rong Street (China)
  • National Internet Backbone (India)
  • Bharti Airtel Ltd. AS for GPRS Service (India)
  • TE-AS (Egypt)
  • VNPT Corp (Vietnam)

Meanwhile, A10 Networks writes that the top 5 ASNs with infected IP addresses are:

  • China Unicom
  • China Telecom
  • TIM Celular S.A. (Brazil)
  • Rostelecom (Russia)
  • Korea Telecom (South Korea)

DDoS attacks can be launched from anywhere, however, regardless of where the infected computers exist. As one might expect, most DDoS attacks also tend to originate primarily from a select few countries.

16. Hackers in China launch the most DDoS attacks, followed by those in the US and Russia

The majority of DDoS attacks are launched from:

  • China (over 4.5 million in 2018)
  • USA (2.7 million)
  • Russia (1.5 million)
  • Italy (940,000)
  • South Korea (840,000)
  • India (500,000)
  • Germany (370,000)


17. DDoS records were broken multiple times in the last three years

The security news world went into a frenzy in 2018 after the largest DDoS attack record was broken not just once, but twice in less than one week. The second-largest DDoS attack on record occurred in March 2018 against GitHub, with a registered 1.3 Terabytes per second (TB/s) of data sent toward GitHub’s servers. The site effectively mitigated the attack.

Amazon also reported suffering the largest DDoS attack on record. The company successfully managed to mitigate more than 2 Tbps of data, a feat that would be all but impossible for almost any smaller business.

18. DDoS attacks are getting more expensive for victims

The costs associated with these attacks are mounting, as well. A Corero survey found DDoS attacks can cost enterprise organizations $50,000 in lost revenue from downtime and mitigation costs. Nearly 70 percent of surveyed organizations experience 20-50 DDoS attacks per month. Although most DDoS attacks don’t succeed, even a few successful attacks can result in hundreds of thousands of dollars in lost revenue per month.

Over 75 percent of businesses surveyed by Corero believe a loss of customer confidence is the worst result from DDoS attacks. That confidence loss can lead customers to flee to competitors, making the overall financial impact difficult to determine.

Notable 2018-2020 DDoS attacks and news

The number of websites impacted by DDoS attacks is on the rise. As “DDoS-for-hire” marketplaces proliferate, it’s now easier than ever for just about anyone to pay cybercriminals to disrupt a website’s operations.

June 2020

  • It is revealed that Amazon has successfully mitigated the largest DDoS attack ever recorded, with an incredible 2.3 Tbps throughput.

July 2019

  • After launching his first major DDoS attack against video game servers back in 2013, 23-year-old Austin Thompson, also known as “DerpTrolling”, was sentenced to 27 months in prison. Thompson was initially arrested in 2014 after he was doxed. He later pleaded guilty to the Christmas-time DDoS attacks in 2018. (Source: US Department of Justice)
  • Security company Imperva announced the largest Layer 7 DDoS attack the company had ever witnessed against one of its customers in the video streaming industry. The attack, which was launched primarily from Brazil, used a botnet of 400,000 IoT device IPs and lasted for nearly two weeks. (Source: Imperva)

June 2019

  • Telegram was hit by a large DDoS attack which the service’s founder, Pavel Durov, suggests was designed to target Telegram during massive protests in Hong Kong. Telegram did not say how large the attack was, but Durov described it as a “state-actor sized” attack, which he stated served 200-400 Gigabytes per second (Gb/s) of junk data. (Source: TheVerge)

January 2019

  • In January 2019, a Connecticut man was given a 10-year prison sentence for several DDoS attacks carried out against hospitals in 2014. He was also ordered to pay over $440,000 in restitution. (Source: Boston Globe)
  • Two men allegedly part of the hacker collective Apophis Squad were charged with instituting multiple DDoS attacks, including a weeklong attack on encrypted email service, ProtonMail. (Source: Court House News)
  • A British hacker was jailed for three years in January 2019 after being charged with launching a DDoS attack against Liberian telecom Lonestar in 2015 and 2016. The hacker was hired by an employee from one of Lonestar’s competitors, Cellcom. The attacks were powerful enough to knock out internet access across the entire country and resulted in a loss of millions of dollars for Lonestar. (Source: CNN)

October 2018

  • In October 2018, the then 22-year-old co-author of the Mirai botnet malware was sentenced to six months of home confinement and 2,500 hours of community service, and ordered to pay $8.6 million in restitution after repeatedly targeting Rutgers University with DDoS attacks. (Source: Krebs on Security)
  • In October 2018, Ubisoft’s Uplay service experienced a DDoS attack that disrupted operations for several hours. (Source: Newsweek)

August 2018

  • The Bank of Spain was hit with a DDoS attack in August 2018 that took it offline for several hours. (Source: Bank Info Security)

May 2018

  • In May 2018, the cryptocurrency Verge experienced a DDoS attack that allowed the hacker to acquire $35 million XVG (a cryptocurrency), or $1.75 million based on exchange rates at that time. (Source: Bitcoin Magazine)

January 2018

  • The National Tax Office in the Netherlands was sent offline for 5-10 minutes in January 2018 after a DDoS attack of unspecified size. (Source: Reuters)

DDoS terminology

Digging through DDoS facts might require brushing up on a few key terms. Distributed denial-of-service attacks are highly technical, and you may encounter some unfamiliar terminology while reviewing the latest stats.

  • Denial-of-service attack: An attack on a website that sends an overload of traffic (requests) to a web server. A distributed denial of service attack (DDoS) uses multiple compromised computer systems to increase the number of requests that can be made to a server at one time, making server overloads easier to accomplish and more difficult to prevent.
  • Amplification: A term used to describe a DDoS attack where the number of requests made to a target’s server is multiplied beyond the original request. There are several ways attackers can do this, including DNS amplification, UDP amplification, and ICMP amplification (Smurf Attack).
  • Botnet: A network of computers, typically infected with and controlled maliciously through a virus or malware program, that is used to make the requests to servers in a DDoS attack.
  • Memcached: A distributed memory caching system popularly used in DDoS attacks.
  • Mirai: Malware created to target Linux-based IoT devices, including home security cameras and routers. Mirai and its many variants are currently among the most-used malware to create DDoS botnets.
  • Gigabytes-per-second and Terabytes-per-second: A measurement of how much data is sent to servers in a DDoS attack, typically denoted as GB/s or TB/s.
  • Saturation: A term used for the amount of volume sent to a server during a DDoS attack. Supersaturation occurs when all of a system’s resources are filled with requests from the DDoS attack, completely shutting down the system, while sub-saturation refers to small DDoS attacks that can negatively impact system performance and resources but are not nearly large enough to shut down a server completely. Sub-saturating attacks are increasingly common, often go undetected, and are commonly used as a “smokescreen” for larger attacks.