Whether or not hackers have work deadlines is anyone's guess, but if so, they've certainly been hard at work launching DDoS attacks in Q3, according to a report by service provider Lumen Technologies.

Lumen's Q3 DDoS Report revealed that bad actors are launching distributed denial-of-service (DDoS) attacks with more frequency, at larger volumes and with increased complexity. In Q3, Lumen identified a 46% increase in the largest attack, going from 419 Gbit/s to 612 Gbit/s.

"Some of our largest attacks were using multiple reflection sources, so many types of protocols, not just one," says Mark Dehus, director of threat intelligence for Lumen. "There is a trend toward attacking voice providers and voice-based services which isn't very typical."

Dehus believes the increase in voice-based attacks could be because they are "low-hanging fruit" for bad actors, and a critical service for Lumen's customers.

The number of attacks Lumen mitigated increased by 35% in Q3 compared to Q2, and the largest bandwidth attack Lumen scrubbed in Q3 was 612 Gbit/s, which marks a 49% increase quarter-over-quarter. The largest packet rate-based attack Lumen addressed last quarter was 252 Mbit/s, which is a 91% increase over Q2's largest attack of 132 Mbit/s.

Figure 1: View a larger version of Lumen's Q3 DDoS Report infographic here.
(Source: Lumen Technologies)

While the longest DDoS attack period Lumen mitigated for an individual customer lasted two weeks, 46% of attacks against Lumen's On-Demand DDoS customers lasted less than ten minutes. About 44% of DDoS attacks that Lumen mitigated were multi-vector attacks; 25% were single-vector.

Telecom, software and technology, and retail were the top targeted verticals in Q3 in the 500 largest DDoS attacks.

Radware spots sophisticated, low-volume DDoS attacks

Radware also recently released its Q3 DDoS report, and Shai Haim, security product manager for Radware, says the vendor has noticed more DDoS events that are more sophisticated, but at "low" volume – less than 1 to 5 Gbit/s.

"The low total volume in Q3 compared to the other quarters in 2021 and the change in targeted applications, protocols and attack vectors illustrate a shift in DDoS attacker tactics from saturation-based floods to server resource-consuming, application-level attacks," according to Radware's report.

Low volume, or "phantom flood attacks" are difficult for service providers to see and mitigate on their large-scale networks, says Haim. "Those low-volume attacks can sneak under the radar ... the service provider is unable to see them, so they can't mitigate them. You can feel them, but you can't do anything about it." To better mitigate phantom flood attacks, Radware updated its DefensePro DDoS Protection service last month with a Quantiles DoS Protection capability. Haim says the new feature works similarly to a network slice, automatically dividing incoming traffic into segments or quantiles to improve visibility and mitigation of low-volume DDoS attacks.

Blocked DDoS events were up 75% in the first nine months of 2021 compared to 2020, and there were more DDoS attacks blocked in the first nine months of 2021 than all of 2020, according to Radware's report.

The banking and finance industries were the most targeted by DDoS attacks, followed by government, technology and retail, according to Radware.

Related posts:  

— Kelsey Kusterer Ziser, Senior Editor, Light Reading