DDoS Attacks report for Q1 2021

16 June 2021

StormWall analyzed the statistics of DDoS attacks conducted against its customers in Q1 2021.

StormWall, an international provider of solutions for protection against DDoS attacks, presents an analysis of the statistics of attacks recorded in Q1 2021. The statistics reflect the established attempts of DDoS attacks against StormWall customers from different countries of the world, representing various industries and sectors of the economy.

General situation

As our analysis showed, the intensity of DDoS attacks, in general, continues to grow. So, in Q1 2021, we recorded 25.4% more attacks on our customers than in the fourth quarter of 2020. The leaders in the number of attacks were e-commerce, construction, entertainment, telecommunications, as well as the financial sector.

We explain the increase in the number of attacks primarily by reducing the cost of conducting attacks and steadily reducing the cost of creating botnets, which in general leads to the increasing popularity of DDoS attacks among all kinds of attackers and unscrupulous competitors.

For comparison, the number of attacks in Q1 2021 increased by almost 40.9% compared to Q1 2020.

Statistics and dynamics of DDoS attacks by industry


Figure 1. DDoS attack statistics by industry in Q1 2021.
Source: StormWall

Q1 2021, the largest share of attacks (42.7%) occurred in the entertainment sector. Compared to Q4 2020, the number of attacks increased by 28%, while their share increased by 2%. At the same time, the growth of the share of such attacks for the same periods of 2019-2020 was 7%. The decline in dynamics can be explained by mitigation of quarantine measures in several countries and regions – this led to the fact that the main users of entertainment resources began to spend less time on them, switching to business and entertainment in an offline format. Nevertheless, the sector remains the most attacked since hackers can cause large losses in a very short time and quickly get money through blackmail.

The second-largest share was made by attacks on telecom: the number of attacks on this sector increased by 51.2% compared to Q4 2020 – their share increased to 35.3%. (It should be noted that more than 40% of the clients we consider to be in the telecom sector are hosting service providers and cloud services.) This strong growth is due to the sharp increase in the importance of telecommunications for business, government, and society: in the era of the pandemic, data networks have become the main channel of interaction – communication, training, shopping, commercial transactions, etc. The attackers could not help but notice this and therefore intensified DDoS attacks on the telecom sector with the aim of extortion and blackmail. In addition, the increase in demand for high-quality telecommunications caused an increase in competition, one of the tools in the hands of unscrupulous market players became DDoS attacks.

The third place was taken by the e-commerce sector – it recorded 9% of the total number of all DDoS attacks in Q1 2021. The number of attacks here increased by 19.1% compared to the previous quarter. The continued increase in the number of attacks is obviously due to the transfer of consumer purchases online – in online stores and on online platforms, which was the result of the ongoing mass quarantine measures in several countries and regions, as well as consumer habits that have changed during the quarantine. The attackers could not help but react to the growing popularity of e-commerce companies. Interestingly, online stores of finishing materials and furniture were most often attacked, which can be explained, on the one hand, by an increase in demand for these goods during a period of limited opportunities for vacation trips and, as a result, by the attackers ' interest in online furniture and DIY stores, and by the revenge of dissatisfied buyers.

In the construction sector (its share was 4.5%), the number of DDoS attacks increased by 18.2% compared to the previous quarter.

A small (up to 3.7%) increase in the share of DDoS attacks was observed in financial organizations. It is noteworthy that in Q1 2020, attacks were carried out mainly on banks, then a year later – on crypto services.

In the education sector (its share – 2.6%), the share of attacks decreased by 16.2% compared to Q4 2020. We attribute this dynamic primarily to a decrease in the share of distance learning. Nevertheless, their share is still several times higher compared to Q1 2020.

Statistics and dynamics of DDoS attacks by protocols


Figure 2. Dynamics of protocol attacks in Q1 2021.
Source: StormWall

The most frequent attacks were of the packet flood type (on the network and transport layer of the OSI model) — the share of such attacks was 83.5%. The second-largest share — 16.5% — came from attacks on sites at the application layer (HTTP/HTTPS).

This is explained, on the one hand, by the fact that a significant part of DDoS attacks occurred on online games and telecom: in the first case, the flood at the TCP/UDP level is aimed directly at disabling the service, and in the second, attackers use the flood with a large number of small or large packets to overload the processor on routers or overflow communication channels. On the other hand, batch flooding was often more effective and cheaper than HTTP flooding, even if the target of the attack was a website: at the beginning of the year, new botnets appeared in the Darknet that was quite affordable (from $250 per week), allowing you to organize attacks with a capacity of several hundred gigabits at the batch level.

It is noteworthy that just a year ago, the shares of batch flooding and application-layer attacks were almost equal — among StormWall clients, they accounted for 48% and 52% of cases, respectively. As we can see, the preferences of the organizers of a DDoS attack depend primarily on the combination of price/efficiency, and batch flooding often turned out to be more effective and cheaper, even if the target of the attack was a website or other service.

General trends and recommendations

The number of DDoS attacks, in general, continues to grow, and we have no reason to expect them to decrease. Of concern is the sharp increase in the number of attacks with a capacity of more than 100 Gbit/s. Attacks with a maximum capacity of about 1 Tbit/s are no longer uncommon. We explain this dynamic primarily by the reduction in the cost of powerful botnets: increasing their affordability makes them a popular tool for conducting attacks.

According to our forecasts, the power of DDoS attacks will also increase due to the development of 5G networks, which will make DDoS attacks with a capacity of more than 1 Gb/s quite accessible-it will be almost impossible to repel them without specialized means of protection.

In addition, we expect the emergence of new types of DDoS attacks, which are presumably aimed at the UDP protocol, since applications based on it (primarily online games) are significantly more vulnerable to DDoS attacks than those using the TCP protocol.

Given the serious financial and reputational damage caused by DDoS attacks, organizations should take care of long-term protection against them and purchase a reliable solution that can protect against DDoS attacks of various types, including so-called smart attacks.