Expert Eye: COVID-19 and the tempting threat landscape


Maria Sirbu, VP of Business Development at Voxility, provides insight into cyberattack activity during the coronavirus pandemic to date

Written by: Maria Sirbu, VP of Business Development, Voxility


The rise in network activity caused by the advent of COVID-19 may be the most tempting and enduring period of vulnerability that DDoS attackers around the world have ever seen. Notwithstanding that their own activities have been curtailed by the crisis, they have not hesitated to exploit it.

Unfortunately, contrasting reports about post-outbreak DDoS activity from the major industry players could mean that it will be some time before we can put the attacks of 2020 into an informative context that fits consistently with the statistical trends of recent years.

From a network operator perspective, at Voxility, we have observed a near-doubling in the total number of network-centered DDoS attacks during a typical day at 43,940 daily incidents globally — a staggering increase, even considering the year-on-year rise in incidents.

Reports vary across other, more consumer-facing providers. Web security companies contend that a small raft of ambitious, high-volume attacks in Q1 and Q2 is set against a background of more frequent, but lower-intensity attacks, compared to previous years.

Some of the largest attacks registered during the first six months of 2020 were a 550 Gbps (gigabits per second) assault reported by Cloudflare, and a sustained 734.9 Gbps incursion mitigated by Voxility in May, almost equaling our 2019 record incident – a 20-day siege that peaked at 770 Gbps.

Kaspersky, meanwhile, similarly observes that DDoS attacks doubled in the first three months of 2020 compared to the previous quarter, and were 80 percent higher than the same period in the preceding year. 

Attack duration on the rise?
Voxility activity shows that the average attack duration has dropped slightly under COVID-19, to about 16 minutes.

Cloudflare also maintains that this year's average duration is 30-60 minutes, down notably from the three to four hours of 2019. Alternatively, Kaspersky maintains that the duration of a typical DDoS attack has risen by 25 percent in 2020, compared to the previous year.

Other industry intelligence, while fragmented, can help us build up a more comprehensive picture. Between February and early April 2020, Nokia observed a 40 percent rise in larger-scale DDoS traffic, while Link11 mitigated 2,860 hours of attack, a 30 percent increase on the same period in 2019. 

The what and where of cyberattacks in 2020
At Voxility we have observed a notable shift in the types of institutions and systems coming under DDoS attack during the pandemic. In 2019 the locus of attention was on telcos and ISPs, whereas current attention has moved to cloud applications and online services.

Though fewer in number than in 2019, several sustained attacks seem to have occurred against the backdrop of COVID-19. Gaming service Eve Online endured a nine-day attack, while the Wargaming server was bombarded for over a week, an assault that some think is related to the political ambitions of company founder Vyacheslav Makarov.

However, the gaming industry was also the sector most affected by DDoS incursions in 2019, and the motivations behind these attacks are generally more juvenile than political.

This is not the case for many of the notable attacks in 2020 so far, which are characterised by assaults against government departments; online educational facilities; hospitals already overwhelmed under COVID-19; food delivery services; informational health services; and general aggression against network infrastructures whose importance has been elevated in the context of the health crisis.

Regarding the provenance and destination of DDoS activity in 2020, Voxility observes that the US is the greatest source of attacks, followed respectively by China and the UK. The US was also in first place in 2019, but with Hong Kong and Canada trailing.

In terms of damage inflicted, we observe that the countries most affected by DDoS attacks have shifted in 2020. The UK now occupies the top spot in that category – moving from second place in 2019 – while the Netherlands drops from first to third position, and France enters in second place.

According to Kaspersky, Brazil achieved the highest bot-driven DDoS origin footprint in the first quarter of 2020, with 12.25 percent of unique IP addresses, while 39.93 percent of Command and Control servers remained registered in the US, in line with previous years. China is reportedly close behind as an aggressor at 11.51 percent, with Egypt a relatively distant third, at 7.87 percent. 

These figures indicate that this is a radical shift from the preceding quarter, where China held an overwhelming 53.07 percent lead in DDoS instigation, followed by the US (22.01 percent) and Japan (6.14 percent). 

In terms of attack destinations, Voxility observes that the United States has surpassed China in 2020 as the primary target for DDoS attacks. China has moved to second place, trailed respectively by the UK, Germany and Russia.

Again, claims on this vary among providers. However, since March seems to have been a defining time for DDoS activity in 2020, a report on that month from Network Box Corporation may give some other useful indications for the year: the United States was the most attacked country in the world as the pandemic emerged, with 175,000 DDoS attacks, leaving South Korea a distant second at 74,000 attacks, and Brazil third at 51,000. 

Time will tell
Besides a general increase in the net volume of attacks since COVID-19 struck, Voxility has also observed that volumetric DDoS incursions have increased from 15 percent to 41 percent of all attacks in Q1 of 2019 and 2020, respectively.

Consequently, HTTP Flood has fallen from 40 percent of all attack types to 28 percent under COVID-19, while UDP Flood incidents have doubled from 15 percent to 30 percent of attacks over the same period.

The incidence of DNS Amplification attacks, meanwhile, has increased very little for our customers. 

COVID-19 has elevated our dependence on network infrastructure to a critical level, with DDoS mitigation now an essential national and global line of defence for our most important services and institutions. 

Unfortunately, contrasting intelligence about post-outbreak DDoS activity from the major industry players could mean that it will be some time before we can put the attacks of 2020 into an informative context that fits consistently with the statistical trends of recent years.

About the Expert
Maria Sirbu is the VP of Business Development at Voxility. In her role, Sirbu is responsible for establishing and developing strategic partnerships to improve the company’s overall profitability. She also handles all matters related to the company’s corporate communications, media relations and press inquiries, serving as Voxility’s spokesperson.