DDoS has evolved in 2023: longer, more frequent, and more sophisticated


Cybercriminals have brought a twist to the DDoS attack narrative. Novel approaches allow them to bypass geoblocking defenses, flooding servers more frequently and for longer.

The third quarter of 2023 saw a persistent rise in UDP flood attacks, which have become the favored method for cybercriminals.

UDP flood is a type of DDoS (distributed denial of service) attack in which attackers overwhelm a server or network by sending an enormous quantity of useless data packets over the User Datagram Protocol (UDP), a protocol commonly used for streaming. UDP is connectionless: the packets travel one way and require no handshake with the server, so there is no session state the target can use to reject them, which makes the attack hard to stop. Even firewalls meant to filter out bad traffic can become exhausted.
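The mechanism described above suggests a straightforward detection signal on the defender's side: because the packets are one-way and need no connection, a flood shows up as a sharp jump in UDP packets per second toward one destination, typically from many sources at once. The following is an added example, not code from the report or from Qrator Labs. It assumes NetFlow-style records have already been collected into a simple in-memory structure (the `Flow` record, the sample flows and the thresholds are all constructed for illustration; real thresholds must be derived from a baseline of the protected network).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (constructed shape, NetFlow-like)."""
    ts: float       # start time, seconds since epoch (constructed)
    proto: str      # "udp" or "tcp"
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    packets: int    # packets seen in this flow


def build_sample_flows() -> List[Flow]:
    """Constructed sample: 60 s of normal DNS traffic, then a 10 s UDP flood
    from 200 distinct sources against 203.0.113.10 (documentation ranges)."""
    flows: List[Flow] = []
    # Normal traffic: 20 small DNS flows spread over 0..57 s from four clients.
    for i in range(20):
        flows.append(Flow(ts=i * 3.0, proto="udp", src=f"198.51.100.{i % 4 + 1}",
                          dst="203.0.113.10", dport=53, packets=2))
    # Flood: 200 sources, 400 packets each, all inside the 60..70 s window.
    for i in range(200):
        flows.append(Flow(ts=60.0 + i * 0.05, proto="udp", src=f"192.0.2.{i + 1}",
                          dst="203.0.113.10", dport=53, packets=400))
    return flows


def udp_buckets(flows: List[Flow], window_s: int) -> Dict[Tuple[str, int], dict]:
    """Aggregate UDP packets and distinct sources per (destination, time window)."""
    buckets: Dict[Tuple[str, int], dict] = defaultdict(lambda: {"packets": 0, "srcs": set()})
    for f in flows:
        if f.proto != "udp":
            continue
        key = (f.dst, int(f.ts // window_s))
        buckets[key]["packets"] += f.packets
        buckets[key]["srcs"].add(f.src)
    return buckets


def detect_udp_flood(flows: List[Flow], window_s: int = 10,
                     pps_threshold: float = 5000.0, min_sources: int = 50) -> List[dict]:
    """Flag every (destination, window) whose UDP rate exceeds pps_threshold.

    'distributed' marks windows where the packets come from at least
    min_sources distinct addresses, i.e. a botnet-style flood rather than a
    single noisy host. Thresholds are illustrative assumptions.
    """
    alerts = []
    for (dst, w), b in sorted(udp_buckets(flows, window_s).items()):
        pps = b["packets"] / window_s
        if pps >= pps_threshold:
            alerts.append({
                "dst": dst,
                "window_start": w * window_s,
                "pps": pps,
                "sources": len(b["srcs"]),
                "distributed": len(b["srcs"]) >= min_sources,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_udp_flood(build_sample_flows()):
        print(alert)
```

On the constructed sample the six normal windows stay far below the threshold (40 packets per minute in total), while the flood window is reported at 8000 packets per second from 200 sources and marked as distributed. Counting distinct sources matters for the geo-blocking point made later in the article: when the sources are inside the target's own country, a per-country block does nothing, but the per-destination rate and source-count signals still fire.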

The share of UDP attacks rose to 67% in the last quarter. Compared with a year earlier, the number of UDP attacks increased by 15%, according to a report by Qrator Labs, a company specializing in continuous network availability and DDoS attack mitigation. SYN flood DDoS attacks were the second-largest category, with a 9% share.

A single UDP flood attack lasts, on average, 71.58 hours, the longest of any DDoS attack type.

“Cyber adversaries are now outmaneuvering geo IP blockades by cleverly sourcing traffic within the same country as their target,” the report reads.

Sourcing traffic from inside the target's own country makes geo IP blocking ineffective, since the attack traffic is indistinguishable by origin from legitimate local users. It has led to an alarming spike in blocked IP addresses: a 116.42% increase since the second quarter, bringing the total to 40.15 million blocked IP addresses.

“Instead of brute force, attackers are now focusing on efficiency. The sophistication of attacks is expected to grow, with yesterday's mitigation methods likely to fail tomorrow,” warns Victor Zyamzin, global head of business development at Qrator Labs.

The financial sector was the main target for DDoS attackers, with a disproportionately high number of incidents, reaching a 42.06% share. E-commerce (29.80%) and IT and telecom (6.05%) were also significantly affected. In the first nine months of 2023, banks, electronic bulletin boards, and online education platforms were among the most targeted, according to the report.

Autumn saw a 13.46% seasonal drop in the total number of DDoS attacks. Researchers noted that in the third quarter, the largest identified botnet shrank by nearly half from the previous quarter, to 85,298 devices across 20 countries, down from 136,590.

Cyber attackers are increasingly exploiting the HTTP/2 protocol to launch stealthier assaults, often against companies renting servers in the cloud. Because the requests look like ordinary application traffic, these attacks force the victim's resources to scale out horizontally, significantly increasing the bill for cloud resources even when the service stays up.

“Now, we expect a new stage in the competition between the armor and the projectile. Instead of mass, the attackers are tasked with achieving efficiency. The sophistication of attacks will grow, and methods of neutralizing them, which were effective yesterday, will most likely not work tomorrow. In 2023, we expect Application Layer attacks, with their traffic mimicking the behavior of ordinary users, to become more widespread. Such attacks are challenging to detect and neutralize,” Zyamzin concluded.