Q3 2023 in Review: DDoS Attacks Report by StormWall

Welcome to the StormWall’s DDoS report that summarizes DDoS attacks against our clients for Q3 2023.

We handle various DDoS attacks on our network. With scrubbing centers deployed across all content, we filter up to 3500 Gbit/s at peak loads. This massive data volume, combined with our emphasis on threat intelligence, offers us a unique understanding of developing DDoS trends. 

DDoS attacks: overview of the global trends

We’ve observed that attacks have grown by 43% compared to Q3 2022. Over the past quarter, and according to the analysis conducted by our experts, there have been three main trends affecting the surge in DDoS attacks: 

5 main reasons contributing to the growing attack volumes and complexity:

  1. DDoS attack tactics evolved notably last quarter. A rising trend involves mixed botnets comprising various malware families. This blend complicates threat detection and mitigation for security tools. Meanwhile, DNS attacks spiked near the beginning of Q3 2023 — they now account for 3% of all DDoS incidents. These attacks specifically target DNS servers, making websites inaccessible without hitting the web servers directly.
  2. Decrease in some types of volumetric attacks. The drop is largely thanks to collective efforts to patch open amplifiers like NTP. Meanwhile, attackers are beginning to shift focus to application-level (L7) attacks, often leveraging socks proxies on rented VPS to spread the attack. This trend is one to watch out for in the upcoming quarter.
  3. The widening geographic reach of cyberattacks has resulted in a spike in incidents in the Middle East and Asia. Economic sanctions are pushing Russian companies out of EU and US markets and into these new regions. This move attracts two types of threat actors: those with political agendas and those focused on profit. These adversaries either engage in hacktivism against Russian companies or exploit underdeveloped digital infrastructure for financial gain.
  4. DDoS attacks by religious hacktivists intensified, which is particularly felt in India and Israel. These attacks primarily originate from countries like Pakistan, Bangladesh, and Palestine. The attackers believe their religious sentiments have been offended by the targeted nations.
  5. Key sectors such as airports, border control, and government agencies are being targeted. And they are ill-equipped to counter new attack methods that exploit their weaknesses. The trend of targeting critical infrastructure emerged earlier in 2023, as state sponsored threat actors intensified activity following the Russia-Ukraine conflict.

If you want to learn about the state of DDoS attacks during the whole 2023, read our 2023 Year in Review report.

In-depth explanation of current DDoS trends

The 43% spike in DDoS attacks since Q3 2022 is a significant uptick. Here are the main factors that contributed to this growth: 

The number of multi-vector attacks has increased

There’s been a significant spike in attacks that target multiple protocols or system components. Specifically, multi-vector attacks jumped by 83% in Q3 2023 compared to the same quarter in 2022.

There’s also been a significant uptick in DDoS attacks aimed at web applications. Global attacks on these applications saw a 48% increase in Q3 2023 compared to the same timeframe last year.

Additionally, we’ve noticed a rise in the deployment of mixed DDoS botnets, which utilize various types of malware in a single attack campaign. Each type of malware brings its own capabilities and attack vectors to the table, making the botnet both versatile and resilient.

There was an uptick of DNS attacks 

Over 3% of all DDoS attacks we recorded targeted the DNS. DNS, or Domain Name System, is the internet’s phone book that translates human-readable domain names into IP addresses, enabling devices to access websites.

A DNS DDoS attack floods these servers with so much traffic that they become unavailable, disrupting the target’s ability to resolve domain names to IP addresses. This effectively cuts off access to websites and online services for legitimate users. 

In DNS attacks, distinguishing between legitimate and illegitimate traffic poses a challenge because DNS queries are generally designed to appear as valid traffic. This complicates the task of filtering out malicious activity. Some variants of these attacks, like DNS amplification attacks, exploit the DNS system to turn a small query into a disproportionately large response, making mitigation even more challenging.

To defend against DNS DDoS attacks effectively, a comprehensive strategy is often necessary. This includes rate limiting to control incoming query volume, anomaly detection to identify abnormal traffic patterns, and upstream filtering to block malicious IP addresses. For small and medium-sized organizations lacking specialized DDoS protection solutions, executing such a multi-layered defense strategy can be prohibitively difficult.

Attack geography and targets become more diversified 

The shift in DDoS activity towards the Middle East and Asia is also noteworthy. Russian companies expanding into countries like the UAE, China, and India isn’t just an economic move — it changes the DDoS landscape. The developing infrastructure of these companies in new regions attracts DDoS actors for a variety of reasons — and they don’t just grab the attention of hacktivists. First, these newly relocated companies might not yet have robust cybersecurity defenses in place, making them easy targets. Second, by attacking companies that have recently moved, cybercriminals may be testing the waters to gauge the cybersecurity posture of a new region.

Critical sectors such as airports, border control, and government agencies face new threats due to the evolving strategies of DDoS attackers. The complexity and scale of DDoS attacks are increasing, rendering traditional mitigation methods less effective. Attackers now frequently switch vectors mid-attack or use a combination of different techniques. Government institutions spend relatively little on DDoS protectability. Given the critical nature of their operations, this makes them attractive targets for extortion.

Q3 2023 Industry Breakdown

Let’s break down what caused the attack surges in each of the sectors.

Government sector

In Q3 2023, the government sector made up 26% of all attacks we recorded. This marks a sharp 136% increase in attacks compared to the same period last year. To put it in context, just six months ago, the government sector rarely even made it into our top 10 most attacked industries.

Why are these attacks happening?

This growth is the result of Russia-Ukraine conflict, which has given rise to hacktivism from individuals or groups on both sides. The conflict provides a motive for heightened cyber activities, aimed often at making political or social statements or disrupting government infrastructure, rather than for financial gain.

These adversaries are highly coordinated, fueling what resembles a DDoS arms race. Attacks on government institutions have evolved to become multi-vector, combining techniques like DNS amplification, TCP direct-path, and application layer attacks.

Attacks on the government sector were not only advanced but also had some of the longest average durations across all industries, clocking in at around 4 hours. Recent targets include Canadian government servers, Swedish web portals, and Norwegian ministries.

In some instances, DDoS attacks serve as a smokescreen to distract security teams. While they’re busy mitigating the DDoS attack, other malicious activities like ransomware or spyware installation can occur.

Finance

The financial sector was hit by 21% of DDoS attacks and saw a 38% increase in incidents. While this rate might seem moderate, it’s crucial to understand that new sectors like government and transportation are now in the mix. Historically, the financial industry has always been a prime target.

The financial sector is increasingly vulnerable to attacks from hacktivists.

Killnet, REvil, and other hacking groups have announced that they joined forces to launch DDoS attacks against key financial institutions like European and U.S. banks, the U.S. Federal Reserve, and SWIFT. Successful DDoS attacks could take these financial services offline, preventing transactions and data exchange. While funds might not be directly stolen, the downtime alone could cost these institutions millions, erode customer trust, and trigger regulatory scrutiny.

The impact goes beyond just the targeted organizations. Considering the interconnected nature of today’s financial systems, a DDoS attack on the U.S. Federal Reserve or SWIFT could create a bottleneck effect. Transactions would stall, and other financial systems dependent on these networks could face delays or interruptions.

Entertainment

In Q3 2023, the entertainment industry faced a rapid surge in attacks, showing a 117% increase compared to the same period last year. This sector accounted for 17% of all targeted industries. Unlike other sectors, attacks here are primarily financially motivated.

Within this sector, the gaming industry was the most heavily targeted. One of the threats faced by companies in the gaming industry is a new botnet named Dark Frost. This botnet is a blend of various malware strains like Gafgyt, QBot, and Mirai. The botnet’s attack potential is estimated at 629.28 Gbps through a UDP flood attack.

The titles affected by DDoS attacks included Destiny 2, Diablo 4, Minecraft and numerous other smaller games.

For players, a DDoS attack usually manifests itself  in lag spikes, disconnections, and, in worst-case scenarios, inability to access the game for extended periods. For businesses, DDoS attacks trigger immediate operational costs and can drive long-term revenue loss through player churn.

Telecommunications

The telecommunications sector made up 14% of DDoS attacks and saw a 32% increase in incidents compared to the same period last year.

The telecommunications sector is a frequent target, largely because it’s critical for connectivity. When a telecom provider goes down, it cripples communication channels, disrupting both business operations and daily life. For this reason, the telecommunications sector is often chosen by hacktivists, who aim to maximize damage.

We observed that the attackers are using increasingly sophisticated methods, employing advanced tactics such as carpet-bombing and DNS water-torture attacks.

Transportation

The transportation sector made up 9% of all attacks in Q3 2023 and experienced an 86% increase in incidents.

Q3 2023 experienced significant cyberattacks on Canada and the EU’s transport sectors, including railways, aviation, and maritime. These attacks are linked to both state-sponsored and independent hacktivist groups, originating from the Ukraine-Russia conflict.

What are the repercussions of DDoS attacks on the transport sector?

A successful DDoS attack on a transport company, results in immediate service disruption. For example, online booking systems could go down, making it impossible for customers to purchase tickets or check schedules. 

Beyond customer-facing systems, a DDoS attack could also target internal operations. This might affect cargo tracking or logistical planning, leading to delays, inefficiencies, and increased operational costs. In the worst-case scenario, safety-critical systems like signaling or routing could be impacted, posing direct risks to human life.

Ecommerce

The e-commerce sector represented 6% of all DDoS attacks in Q3 2023, marking a 28% increase compared to the same period in 2022.

What characterizes the attacks that the e-commerce sector is facing?

Criminals and rival businesses are intensifying their attacks on e-commerce platforms. We expect this trend to continue and see a further  spike in attacks during high-traffic events such as Black Friday and the Christmas season.

Attacks on Ecommerce businesses generally have two objectives: either to disable competitors by overwhelming their resources or to extort money. 

The impact of a successful DDoS attack on a retail company is immediate. If websites go down, E-commerce companies will face significant losses, with some reports suggesting that every minute of downtime can cost up to $5,600.

Manufacturing

The manufacturing sector saw a 14% rise in DDoS attacks in Q3 2023 compared to Q3 2022, accounting for 4% of all such attacks.

DDoS attacks often aim for critical points like Industrial Control Systems (ICS) to disrupt manufacturing lines. They also target SCADA systems, which are essential for operational control, and enterprise Resource Planning (ERP) to disrupt internal  processes.

Disruption to these systems can halt production, leading to financial losses and delayed orders, throw off inventory tracking, order management.

Who’s behind attacks on the manufacturing sector? 

Attacks on the manufacturing sector are often tied to hacktivism. The aim is to disrupt the production of parts for various industries, including aerospace, automotive, and pharmaceuticals. 

Education

The education sector saw a 16% increase in attacks in Q3 2023 compared to Q3 2022, making up 2% of all attacks during this period.

Why do threat actors target educational institutions?

Most threat actors targeting educational institutions aren’t motivated by money. Instead, political reasons frequently drive these attacks, particularly to disrupt enrollment processes. Some attacks even originate from students aiming to interfere with exams. With DDoS tooling now easily accessible, even kids can launch these disruptive operations. 

DDoS attacks by country in Q3 2023

DDoS attacks are increasingly going global, breaking away from their historical concentration in China, India, and the US. The new trend shows a shift toward the EU and the Middle East.

What is causing the geographical expansion of DDoS attacks?

The uptick in cyberattacks within the EU is linked with international politics. Germany, France, and Poland are the primary targets. In Germany, financial institutions and regulatory bodies are most affected. Specifically, the German Federal Financial Supervisory Authority (BaFin) experienced an extended website outage.

France is battling DDoS attacks against its financial and transportation industries. Websites for the country’s customs and financial regulators went down temporarily. Meanwhile, Poland faces attacks on its financial organizations, exchanges, and state media outlets.

A state-sponsored hacking group from Russia, Noname057, is behind many of these incidents and has claimed responsibility.

At the same time, Russian companies expanding into the Middle East are attracting a rise in DDoS attacks. Notably, DDoS activity spiked 78% in the UAE in Q3 2023, compared to the same time last year. The surge stems from hacktivists aiming to thwart expansion of Russian businesses into new markets, as well as profit-focused criminals who see the growing business landscape in the region as promising ground for extortion.

Wrapping up

As we wrap up our analysis of DDoS attack trends for this quarter, three pivotal factors stand out:

  • Attack complexity is on the rise:DNS attacks now make up 3% of all incidents we’ve tracked. We’re also seeing a surge in the use of mixed botnets and multi-vector attacks.
  • Geopolitical Influence: The ongoing conflict between Russia and Ukraine continues to have a direct impact on the DDoS landscape, which is particularly felt in the European Union.
  • Vulnerable Critical Sectors: Hactivists heavily target transport systems, regulars, and government agencies.
  • Shift in Geographical Focus: The expansion of Russian companies to the Middle East has widened the scope of DDoS attacks, exposing new regions to cyber threats.
  • Religious hacktivism:Especially in India and Israel, organizations have experienced DDoS attacks from religiously opposed groups based in countries like Pakistan, Bangladesh, and Palestine.

Summing up, the 43% increase in DDoS attacks this quarter reveals two critical vulnerabilities. 

First, new sectors that are now being heavily targeted are among the least prepared to defend against these attacks. Second, the geographical shift in attacks to the Middle East and EU exposes regions that are not accustomed to this level of cyber aggression. 

This makes the immediate adoption of advanced DDoS protection not just advisable, but a necessity.

DDoS Protection for Websites

  • Activate protection in 10 minutes
  • 24/7 technical support