Microsoft says that it witnessed distributed denial-of-service attacks turn shorter in duration in 2022 while also becoming more effective and capable of greater impact.
As per Microsoft's DDoS trends report for 2022, the United States, India, and East Asia topped the targeted regions for DDoS attacks, among others, and internet of things devices remained the preferred choice for launching these attacks.
DDoS attacks in 2022 lasted less than an hour on average, and attacks lasting 1 or 2 minutes accounted for one-fourth of total attacks last year.
According to the tech giant, the attacks were shorter because bad actors required fewer resources to carry them out, and security teams are finding it difficult to defend against them using legacy DDoS controls. "Attackers frequently use multiple short attacks over the course of several hours to make the most impact while using the fewest resources," Microsoft says.
The daily average was 1,435 DDoS attacks, with the highest number being 2,215 on September 22. During the holiday season, the volume of DDoS attacks increased significantly until the last week of December.
In Azure Aloud, Microsoft documented a 3.25 terabyte-per-second attack as the "largest attack" in 2022. This is less than the previous largest known DDoS attack, which had an intensity of 3.47 TB per second at its peak.
TCP reflected amplification attacks are becoming more common and powerful, according to Microsoft, and more diverse types of reflectors and attack vectors are typically exploiting "improper TCK stack implementation in middleboxes, such as firewalls and deep packet inspection devices." Attackers impersonate the target's IP address to send a request to a reflector, such as an open server or middlebox, which response to the target, such as a virtual machine.
TCP reflected amplification attacks can now reach "infinite amplification" in some cases. A reflected amplified SYN+ACK attack on an Azure resource in Asia in April 2022 reached 30 million packets per second and lasted 15 seconds.
The attack throughput was not particularly high, but there were 900 reflectors involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure," according to the report.
Preferred Mode of Attack for IoT Devices
According to Microsoft, adversaries preferred IoT devices to launch DDoS attacks, a trend that has been growing in recent years. During the Russia-Ukraine war in 2022, the use of IoT devices increased.
Botnets used by nation-state actors and criminal enterprises, such as Mirai, have been adapted to infect a wide range of IoT devices and support new attack vectors. "While Mirai is still a major player in the field of botnets, the threat landscape in the field of IoT malware is evolving, with new botnets emerging such as Zerobot and MCCrash," Microsoft said.
TCP attacks were the most common type of DDoS attack in 2022, accounting for 63% of all DDoS attacks recorded, followed by UDP attacks at 22%.
Politically motivated DDoS attacks have risen to prominence, particularly in the year since Russia's invasion of Ukraine. KillNet, a Russian hacktivist group loyal to Moscow, actively recruited volunteers to launch DDoS attacks against Western nations.
KillNet has launched 86 attacks against pro-Ukraine countries since the war began in February, according to the CyberPeace Institute, which tracks publicly disclosed attacks related to the Russia-Ukraine war.