H1 2023 in Review: DDoS Attacks Report by StormWall
This report by StormWall, a worldwide DDoS protection service, presents a summary of DDoS attacks on its clients during the first half of 2023.
DDoS landscape in the first half of 2023: an overview
StormWall operates an extensive network of scrubbing centers situated strategically in all major regions of the world.
This broad coverage offers exposure to countless DDoS attacks against companies of various sizes. Using this anonymized data, StormWall is able to deliver insights into the landscape of DDoS attacks.
A Distributed Denial of Service (DDoS) attack functions by overwhelming a server with an excess of traffic until it can no longer cope. The ramifications can be severe, leading to long-lasting outages, financial losses, and damage to the company's reputation. Unfortunately, the frequency, sophistication, and destructive capabilities of these attacks are escalating continually.
DDoS attacks are up 38% YoY
The first half of 2023 was characterized by an increase of DDoS activity across the board — attacks have grown by 38% compared to the previous year.
Multivector attacks are on the rise
During the first half of 2023, there was a sharp 117% YoY increase in multi-vector attacks. These highly sophisticated attacks simultaneously target multiple layers and elements within an organization's infrastructure, making them particularly challenging to defend against.
For example, an attacker might simultaneously target the network layer to exhaust the bandwidth, the application layer to consume server resources, and the data layer to undermine database services.
Botnet usage hits all-time high
Almost all of the attacks recorded by StormWall utilized botnets. Historically, the penetration of botnets has never been this high. Botnets are networks of interconnected devices hijacked and operated by a single attacker. They can be very powerful, often destructive enough to overwhelm weakly protected infrastructures.
The emergence of botnets using Virtual Machines (VMs) and Virtual Private Servers (VPS) in the first half of 2023 marks a significant shift in the cyber threat landscape. Unlike traditional botnets that leverage compromised Internet of Things (IoT) devices, these VM and VPS-based botnets can draw upon the substantial processing power and resources of their host servers.
This increased capacity allows them to generate and direct a massive volume of traffic, enabling more powerful volumetric attacks that can overwhelm even well-protected systems. Furthermore, being hosted on VMs or VPS, these botnets can often evade detection and mitigation measures that are effective against traditional botnets.
Adversaries are incorporating DDoS attacks into wider malicious campaigns.
StormWall reports a higher than usual percentage of attacks that used DDoS as a distraction to cover data exfiltration attempts.
Use of one malicious technique to divert attention from another is called smokescreening — and such attacks rose by 26% YoY.
Finance, telecom and entertainment sectors were targeted the most
The main industries targeted by threat actors during this period were finance, telecom, and entertainment, with 23%, 19%, and 15% of the attacks, respectively. Also, the first half of 2023 saw a noticeable shift towards targeting essential services and infrastructures like logistics services, payment processing centers, banking systems, government organizations, healthcare systems, and transportation services.
Attack targets shifted as H1 wrapped up
In early 2023, DDoS attacks mainly targeted businesses, such as fintech SaaS services or entertainment apps. As the year unfolded, however, there was a significant shift, with more and more attacks focusing on sectors such as finance, entertainment, and telecom, as well as government, healthcare, and transportation systems.
Government sector attacks surged by 132%, while transportation and healthcare attacks went up by 118% and 107%, respectively. The sharp rise in government sector attacks can be attributed to hacktivism sparked by the Ukraine conflict, with prominent hacking groups such as REvil and Killa actively targeting western governments.
Recapping the DDoS trends in the first half of 2023
Here are the trends in DDoS usage that marked the first half of 2023:
- Botnet use increased: Threat actors relied more on botnets in H1 2023. New botnets, made up of Virtual Private Servers (VPS) instead of IoT devices, can launch high-volume attacks.
- Multi-vector attacks grew: The use of DDoS attacks as distractions for multi-vector attacks increased by 28% YoY. Multi-vector attacks increased by 117%.
- Changing targets: Infrastructure components like payment processors and logistic control centers were the main targets at the start of the year. However, attackers then shifted their focus to sectors like finance, entertainment, and telecom, as well as government, healthcare, and transportation systems.
- L7 layer attacks on the rise: 86% of attacks we recorded in H1 were carried out using the HTTP/HTTPS protocols. This trend goes hand in hand with increased adoption of botnets among cybercriminals.
First Half 2023 Industry Breakdown
The first half of 2023 saw a significant increase in DDoS attacks across various industries. The table below provides a year-over-year breakdown of the attack distribution and growth rates.
Attack share breakdown by industry
Figure 1. DDoS attack statistics by industry in H1 2023. Source: StormWall
Key points:
- The Finance sector had the highest share of attacks at 23%. It is followed by telecom at 19% and entertainment at 15%.
- New sectors were targeted heavily towards the end of H1 2023. Verticals such as government services, manufacturing and transportation are newcomers in the chart of top attacked industries. This indicates that adversaries are shifting targets.
Year-over-Year growth breakdown by industry
Figure 2. Year-over-year growth breakdown by industry in H1 2023. Source: StormWall
Key points:
- Attacks on government services experienced the highest growth spurt. Attacks on government institutions by hacking groups like REvil, Killa and IT Army of Ukraine intensified, contributing to the 132% YoY attack increase experienced by this sector.
- Attacks on transportation and healthcare infrastructure have intensified. Politically motivated attackers concentrated on critical infrastructure as they attempted to hit hard and maximize economic impact.
Breaking down top 5 most-attacked industries in H1 2023
1. Finance
During the first half of 2023, the finance sector continued to be a target for DDoS attacks, making up 23% of all reported incidents, which were mostly driven by criminals seeking to disrupt services and extract data for profit.
The industry saw a notable rise in attacks motivated by political reasons, such as the one on the European Investment Bank. Growing political conflicts seem to be triggering more hacktivism, indicating a possible shift in the type of threats being faced.
2. Telecommunications
Throughout the first half of 2023, the telecommunications industry consistently attracted attention from cybercriminals, becoming a target of 19% of attacks and seeing a 62% increase from the same period in the previous year. This made it the third most attacked industry.
3. Entertainment
In the first half of 2023, the entertainment industry, especially video streaming and online gaming services, faced constant cyberattacks, becoming the third most attacked sector with a 15% attack share.
The increased activity was likely motivated by extortion and the potential for financial gain, with significant incidents impacting major releases like Diablo 4 and popular games such as Call of Duty and Overwatch.
4. Government services
Government services were among the top five most attacked sectors in the first half of 2023. This sector was the target of 11% of attacks and saw a massive 132% increase from the same period last year, indicating a significant rise in cyber threats aimed at government institutions.
These attacks, mainly planned by politically motivated and state-sponsored threat actors, reached levels not seen in several months.
Government agencies in various countries, including Russia, Poland, Switzerland, Germany, and the US, became key targets.
5. Transportation
In the first half of 2023, the transportation industry, encompassing traffic control centers, airports, and transport companies, experienced a notable increase in DDoS attacks, even though its total number of attacks was relatively lower. This sector was the target of 9% of attacks in the first half of the year, showing a significant 118% increase from the same period last year.
DDoS Attacks in H1 2023 by country
In the first half of 2023, DDoS attacks were widespread around the globe. The United States, India, and China were the most frequently targeted countries in both quarters, although there were small changes in the percentage of attacks for each.
Figure 3. DDoS-attack statistics by country in H1 2023. Source: StormWall
The top 3 most attacked countries haven’t changed in the first half of the year:
- USA: 16.8% of DDoS attacks. The United States topped the list, enduring the highest proportion of attacks in the first half of the year.
- India: 13.6% of DDoS attacks. India was the second most targeted country, which is typical for this region.
- China: 11.2% of DDoS attacks. China remained the third-most attacked country.
Attack breakdown by protocol
Figure 4. DDoS-attack statistics by protocol in H1 2023. Source: StormWall
Of all attacks, 86% targeted the HTTP layer of the OSI model, 11% the TCP/UDP layer, and 2% DNS.
We observed an alarming growth of sophisticated HTTP attacks, specifically designed to sidestep mitigation systems.
These attacks attempt to emulate browser behavior to trick installed DDoS protection systems and employ techniques like user-agent randomization. All of this makes them a lot more difficult to defend against than the threats we absorbed just a year prior.
At the same time, there has been increased usage of botnets consisting of Virtual Machines (VMs) and Virtual Private Servers (VPS), which are capable of volumetric attacks. Both of these threats are more destructive than IoT botnets.
Protecting infrastructure against these types of threats requires a robust anti-DDoS solution that uses automation, machine learning and threat intelligence.
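The user-agent randomization described above leaves a trace in access logs: a single source presenting many distinct User-Agent strings within a short window. The sketch below is an added example, not StormWall's detection logic; the combined log format, the thresholds, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed input: combined log format
#   ip - - [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Return (ip, timestamp, user_agent), or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ua"]

def ua_churn_suspects(lines, window=timedelta(seconds=60),
                      min_requests=5, max_distinct=3):
    """Map each source IP to the highest number of distinct User-Agents it
    used inside any sliding window, if that exceeds max_distinct."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            per_ip[rec[0]].append((rec[1], rec[2]))
    suspects = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window's left edge forward
            uas = {ua for _, ua in events[start:end + 1]}
            if end - start + 1 >= min_requests and len(uas) > max_distinct:
                suspects[ip] = max(suspects.get(ip, 0), len(uas))
    return suspects

def _line(ip, second, ua):  # hypothetical helper that builds constructed log lines
    ts = datetime(2023, 6, 1, 12, 0, 0) + timedelta(seconds=second)
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} +0000] "GET / HTTP/1.1" 200 512 "-" "{ua}"'

UAS = [f"Mozilla/5.0 (constructed-{i})" for i in range(6)]
SAMPLE = (  # constructed sample, documentation-range addresses
    [_line("203.0.113.10", i, UAS[i]) for i in range(6)]         # new UA every request
    + [_line("198.51.100.7", i, UAS[0]) for i in range(6)]       # one steady UA
    + [_line("192.0.2.50", i * 200, UAS[i]) for i in range(4)]   # 4 UAs over 10 minutes
)

if __name__ == "__main__":
    print(ua_churn_suspects(SAMPLE))
```

Sources behind NAT or a corporate proxy legitimately carry many user agents, so a hit here is one signal to weigh alongside request rate and other indicators rather than a block decision on its own.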
Report conclusion
In the first half of 2023, the landscape of DDoS attacks has seen significant changes:
- There was a notable increase in DDoS attacks, with a 38% YoY increase in the first quarter and a continued upward trend in the second quarter.
- The use of botnets and multi-vector attacks has grown, indicating a shift towards more complex attack methods.
- The targets of these attacks have expanded to include not only traditional sectors like finance, telecom, and entertainment but also essential services and infrastructures.
- The average attack duration and capacity have increased, showing the growing sophistication of DDoS attacks.
In conclusion, the first half of 2023 has seen an escalation in both the frequency and complexity of DDoS attacks. The evolving nature of these threats, coupled with the growing reliance on digital infrastructure across all sectors, underscores the need for robust and adaptable cybersecurity measures.