urlscan.io public scan of www.microsoft.com (2a02:26f0:480:b8a::356e)

Submitted URL: http://ow.ly/mAM8104vGRM
Effective URL: https://www.microsoft.com/en-us/security/blog/2023/02/21/2022-in-review-ddos-attack-trends-and-insights/?WT.mc_id=AZ-MVP-5...
Submission: On January 26 via manual from US — Scanned from DE


2022 IN REVIEW: DDOS ATTACK TRENDS AND INSIGHTS

 * By Azure Network Security Team

February 21, 2023

 * Threat actors
 * Azure

As organizations strengthen their defenses and take a more proactive approach to
protection, attackers are adapting their techniques and increasing the
sophistication of their operations. Cybercrime continues to rise as the
industrialization of the cybercrime economy gives cybercriminals greater access
to tools and infrastructure.

In the first half of 2022, the cyberthreat landscape centered on the war in
Ukraine and the rise of nation-state attacks and hacktivism across the world.
In February, Ukraine was hit with the largest distributed denial of service
(DDoS) attack in the country's history, impacting government websites and
banking web services. As the conflict continued, there was a ripple effect to
western countries, including the UK, US, and Germany. UK financial services
firms experienced a significant increase in DDoS attacks as they were heavily
targeted by nation-state attackers and hacktivists looking to disrupt Ukraine's
allies.

Hacktivism continued to be rampant throughout the year, including Taiwanese
websites experiencing outages in August 2022 due to DDoS attacks ahead of House
Speaker Nancy Pelosi’s arrival in Taiwan. Beyond attacks with political motives,
DDoS attacks also impacted a wide range of industries. In particular, the gaming
industry continued to be highly targeted. In March 2022, a DDoS attack brought
down the game servers of Among Us, preventing players from accessing the popular
multiplayer game for a few days. A new version of RapperBot (heavily inspired by
the Mirai botnet) was used in the second half of 2022 to target game servers
running Grand Theft Auto: San Andreas.

In this blog, we share trends and insights into DDoS attacks we observed and
mitigated throughout 2022.


2022 DDOS ATTACK TRENDS


LARGE VOLUME OF ATTACKS DURING THE HOLIDAY SEASON

In 2022, Microsoft mitigated an average of 1,435 attacks per day. The maximum
number of attacks in a day recorded was 2,215 attacks on September 22, 2022. The
minimum number of attacks in a day was 680 on August 22, 2022. In total, we
mitigated upwards of 520,000 unique attacks against our global infrastructure
during 2022.

Figure 1. Attack volume

This year, we saw a lower volume of attacks in June through August and a high
volume of attacks during the holiday season until the last week of December.
This is in line with attack trends we have seen in the last few years, except
for 2021, when there were fewer attacks during the holiday season. In May, we
mitigated a 3.25 terabits per second (Tbps) attack in Azure, the largest attack
in 2022.

DDoS protection tip: Make sure to avoid having a single virtual machine backend
so it is less likely to get overwhelmed. Azure DDoS Protection covers scaled out
costs incurred for all resources during an attack, so configure autoscaling to
absorb the initial burst of attack traffic while mitigation kicks in.


TCP ATTACKS REMAIN THE MOST COMMON ATTACK VECTOR

TCP attacks were the most frequent form of DDoS attack encountered in 2022,
comprising 63% of all attack traffic. This figure includes all TCP attack
vectors: TCP SYN, TCP ACK, TCP floods, and so on. Since TCP remains the most
common networking protocol, we expect TCP-based attacks to continue to make up
most DDoS attacks. UDP attacks were significant as well at 22% of all attacks
(combined for UDP flood and UDP amplification attacks), while packet anomaly
attacks made up 15% of attacks.

Figure 2. Attack type

Out of UDP flood attacks, spoofed floods consumed most of the attack volume with
53%. The remaining attack vectors were reflected amplification attacks, with the
main types being CLDAP, NTP, and DNS.

We observed TCP reflected amplification attacks becoming more prevalent, with
attacks on Azure resources using diverse types of reflectors and attack vectors.
This attack vector takes advantage of non-compliant TCP stack implementations
in middleboxes, such as firewalls and deep packet inspection devices, to elicit
amplified responses that can reach infinite amplification in some cases. As an
example, in April 2022, we monitored a reflected amplified SYN+ACK attack on an
Azure resource in Asia. The attack reached 30 million packets per second (pps)
and lasted 15 seconds. Attack throughput was not very high; however, 900
reflectors were involved, each retransmitting, which resulted in a high pps
rate that can bring down the host and other network infrastructure.
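As an added illustration of the reflected SYN+ACK pattern described above (example code written for this page, not Microsoft's code or the detection logic of Azure DDoS Protection), the following Python script inspects constructed TCP flow records and flags a time window in which SYN+ACK packets arrive from many sources the protected host never sent a SYN to. The record format, the victim and reflector addresses (taken from documentation ranges), and the thresholds of 10,000 pps and 50 distinct reflectors are all assumptions of the example; it also shows why a single noisy peer retransmitting SYN+ACK should not trip the same alert.

```python
"""Detect a reflected SYN+ACK flood in TCP flow records.

Added illustration, not Microsoft's code or the logic of Azure DDoS
Protection. The record format, the thresholds and the sample data are
all constructed for this example.

Idea: a host should only receive SYN+ACK from peers it sent a SYN to.
SYN+ACK packets from many peers the host never contacted, arriving at a
high aggregate packet rate, match the reflected amplification pattern
described above (middleboxes answering spoofed SYNs with SYN+ACK, with
retransmissions multiplying the packet count).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    flags: str     # TCP flags as letters: "S" = SYN, "SA" = SYN+ACK, "A" = ACK
    packets: int   # packets in this record (retransmissions included)


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: '<ts> <src> <dst> <flags> <packets>'."""
    ts, src, dst, flags, packets = line.split()
    return Flow(float(ts), src, dst, flags, int(packets))


def detect_synack_reflection(lines: Iterable[str], victim: str,
                             pps_threshold: float = 10_000,
                             min_reflectors: int = 50,
                             window: float = 1.0) -> Optional[dict]:
    """Return the worst window of unsolicited SYN+ACK traffic, or None.

    A window is reported when the unsolicited SYN+ACK rate reaches
    pps_threshold AND the packets come from at least min_reflectors distinct
    sources; a single chatty peer therefore does not trigger an alert.
    """
    flows = [parse_flow(line) for line in lines if line.strip()]
    # Peers the victim itself opened connections to: SYN+ACK from them is expected.
    solicited = {f.dst for f in flows if f.src == victim and f.flags == "S"}
    unsolicited = [f for f in flows
                   if f.dst == victim and f.flags == "SA" and f.src not in solicited]

    # Bucket unsolicited SYN+ACK packets per time window, tracking distinct sources.
    buckets = defaultdict(lambda: [0, set()])
    for f in unsolicited:
        bucket = buckets[int(f.ts // window)]
        bucket[0] += f.packets
        bucket[1].add(f.src)

    worst = None
    for index, (pkts, srcs) in buckets.items():
        pps = pkts / window
        if pps >= pps_threshold and len(srcs) >= min_reflectors:
            if worst is None or pps > worst["pps"]:
                worst = {"window_start": index * window, "pps": pps,
                         "reflectors": len(srcs)}
    return worst


def sample_records() -> list:
    """Constructed capture: normal traffic plus a one-second reflected burst."""
    victim = "203.0.113.10"
    lines = [
        # Victim opens a connection to a real server; its SYN+ACK is legitimate.
        f"1.000 {victim} 198.51.100.5 S 1",
        f"1.020 198.51.100.5 {victim} SA 1",
        f"1.021 {victim} 198.51.100.5 A 1",
        # One misconfigured peer retransmits SYN+ACK we never asked for: noisy, not a flood.
        f"5.000 198.51.100.77 {victim} SA 6",
    ]
    # 120 reflectors each deliver 100 SYN+ACK packets (retransmissions included)
    # within the same second, giving 12,000 unsolicited SYN+ACK packets per second.
    for i in range(1, 121):
        lines.append(f"{10.0 + i * 0.004:.3f} 192.0.2.{i} {victim} SA 100")
    return lines


if __name__ == "__main__":
    finding = detect_synack_reflection(sample_records(), "203.0.113.10")
    print(finding)  # {'window_start': 10.0, 'pps': 12000.0, 'reflectors': 120}
```

The two-part condition (rate and distinct-source count) is the point: the page's April 2022 case was notable not for its throughput but for 900 reflectors each retransmitting, so a detector keyed on bytes per second alone would have missed it, while one keyed on rate alone would also fire on a single misbehaving peer.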

DDoS protection tip: To protect against UDP and TCP attacks, we recommend using
Azure DDoS Protection. For gaming customers, consider using A10 virtual
appliances and Azure Gateway Load Balancers to help with volume-based attacks.


SHORTER ATTACKS CONTINUE TO BE POPULAR

Figure 3. Attack duration

Shorter duration attacks were more commonly observed this past year, with 89% of
attacks lasting less than one hour. Attacks spanning one to two minutes made up
26% of the attacks seen this year. This is not a new trend, as attacks that are
shorter require fewer resources and are more challenging to mitigate for legacy
DDoS defenses. Attackers often use multiple short attacks over the span of
several hours to make the most impact while using the fewest resources.

Short attacks take advantage of the time it takes systems to detect an attack
and for mitigation to kick in. While time to mitigation may be only one or two
minutes, traffic from those short attacks can reach the backend of services,
impacting legitimate usage. If a short attack causes the systems to reboot, this
can in turn trigger further internal load surges as every legitimate user tries
to reconnect at the same time.

DDoS protection tip: Use Azure Web Application Firewall to protect web
applications.


US, INDIA, AND EAST ASIA TOP REGIONS TARGETED BY ATTACKS

Figure 4. Attack destinations

As with previous years, most attacks were launched against US-based resources,
with India, East Asia, and Europe making up a large portion of remaining
attacks. The rising adoption of smartphones and popularity of online gaming in
Asia will likely contribute to increased exposure to DDoS attacks. This also
applies to countries accelerating digital transformation and cloud adoption.

DDoS protection tip: Frequent and regular DDoS simulation testing through any of
our testing partners helps ensure consistent protection for services.


HACKTIVISM IS BACK

We saw politically motivated DDoS attacks ramping up on a large scale in 2022.
Notably, a hacking group named Killnet targeted western government, healthcare,
education, and financial firms. Killnet has been a vocal supporter of Russia's
war in Ukraine, using DDoS attacks as its primary weapon to create chaos in
western countries. The Cybersecurity & Infrastructure Security Agency (CISA),
Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and
Analysis Center (MS-ISAC) published a guide to help governments and
organizations respond effectively to DDoS attacks, especially those launched by
hacker groups like Killnet.


IOT DEVICES INCREASINGLY USED TO LAUNCH DDOS ATTACKS

In 2022, Internet of Things (IoT) devices were consistently used in DDoS
attacks, which expanded into use in cyber warfare, such as in Ukraine. A growing
number of attacks repurposed existing malware or leveraged the modular nature of
botnets to carry out these attacks. Threat actors have also turned to a growing
criminal black market to purchase malware and solutions to grow their malicious
toolkit.

Well-known botnets, such as Mirai, have also been observed in use by
nation-state threat actors and growing criminal enterprises. The persistence of
malware like Mirai from year to year has highlighted its adaptability and its
potential to infect a wide range of IoT devices and compromise new attack
vectors. While Mirai is still a major player in the field of botnets, the threat
landscape in the field of IoT malware is evolving, with new botnets emerging
such as Zerobot and MCCrash.


WHAT’S AHEAD FOR 2023?

In 2023, cybercrime will likely continue to rise as new threats and attack
techniques emerge. We increasingly see DDoS attacks being used as distractions
to hide more sophisticated attacks happening at the same time, such as extortion
and data theft. New IoT DDoS botnets will emerge, and attacks from them will
continue to be prevalent and cause significant disruption. We are also observing
a rise in DDoS attacks originating from account takeovers, where malicious actors
gain unauthorized access to resources and use them to launch DDoS attacks. As
geopolitical tensions continue to emerge globally, we will likely continue to see
DDoS used as a primary tool for cyberattacks by hacktivists.

With DDoS attacks becoming more frequent, sophisticated, and inexpensive to
launch, it’s important for organizations of all sizes to be proactive, stay
protected all year round, and develop a DDoS response strategy.


CLOUD-NATIVE DDOS PROTECTION AT ANY SCALE

Azure provides comprehensive solutions to protect your valuable data and
resources from the most sophisticated DDoS attacks at any scale. Azure DDoS
Protection provides always-on traffic monitoring to automatically mitigate an
attack when detected, adaptive real-time tuning that compares your actual
traffic against predefined thresholds, and full visibility into DDoS attacks
with real-time telemetry, monitoring, and alerts. Customers using Azure DDoS
Protection have access to the DDoS Rapid Response (DRR) support team to engage
experts for help during an active attack. Protection is simple to enable and
designed to meet the needs of all organizations, including a cost-effective SKU
for small and medium businesses (SMBs).

For more insights on the latest threat intelligence, visit Security Insider.


REFERENCES

 * https://venturebeat.com/security/ddos-attack-was-largest-ever-in-ukraine-russia-suspected/
 * https://www.finextra.com/newsarticle/40955/uk-finance-suffers-surge-in-ddos-attacks
 * https://www.nbcnews.com/tech/security/taiwanese-websites-hit-ddos-attacks-pelosi-begins-visit-rcna41144
 * https://www.pcmag.com/news/ddos-attack-takes-among-us-servers-offline-for-entire-weekend
 * https://thehackernews.com/2022/11/warning-new-rapperbot-campaign-aims-to.html

