{"id":137,"date":"2021-08-12T00:00:00","date_gmt":"2021-08-12T07:00:00","guid":{"rendered":"https:\/\/azure.microsoft.com\/blog\/azure-ddos-protection-2021-q1-and-q2-ddos-attack-trends"},"modified":"2025-06-25T03:49:32","modified_gmt":"2025-06-25T10:49:32","slug":"azure-ddos-protection-2021-q1-and-q2-ddos-attack-trends","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-ddos-protection-2021-q1-and-q2-ddos-attack-trends\/","title":{"rendered":"Azure DDoS Protection\u20142021 Q1 and Q2 DDoS attack trends"},"content":{"rendered":"\n

This blog post was co-authored by Amir Dahan, Senior Program Manager, Anupam Vij, Principal Program Manager, Skye Zhu, Data and Applied Scientist 2, and Syed Pasha, Principal Network Engineer, Azure Networking. <\/em><\/p>\n\n\n\n

In our 2020 retrospective<\/a>, we highlighted shifts in the active cyberthreat landscape. With the huge surge in internet activity, particularly with the onset of the COVID-19 pandemic, Distributed Denial-of-Service (DDoS) attacks have ramped up significantly in both volume and complexity.<\/p>\n\n\n\n

We continue to see such trends in the first half of the calendar year 2021. With the increased usage and supply of IoT devices as well as cryptocurrency like Bitcoin (which is hard to trace), we see a rise in ransomware and ransom DDoS attacks1<\/sup>, whose victims included Mexico\u2019s national lottery sites2<\/sup> as well as Bitcoin.org3<\/sup>, among others. The online gaming vertical continues to be a very attractive target of DDoS attacks, as experienced by Respawn Entertainment throughout the past few months who suffered significant disruptions to Titanfall\u2019s gameplay4<\/sup>. More industries are being targeted, particularly higher education5<\/sup>, healthcare6<\/sup>, telecoms7<\/sup>, and public sectors. In May, a DDoS attack on Belnet, the internet service provider (ISP) for Belgium\u2019s public sector, took down the websites of more than 200 organizations8<\/sup> that included the Belgian government, parliament, universities, and research institutes.<\/p>\n\n\n\n

At Microsoft, the Azure DDoS Protection<\/a> team protects every property in Microsoft and the entire Azure infrastructure. In this review, we share trends and insights into DDoS attacks we observed and mitigated throughout the first half of 2021.<\/p>\n\n\n\n

Number of attacks<\/h2>\n\n\n\n

During the first half of 2021, we witnessed a sharp increase in DDoS attacks per day. Compared to Q4 of 2020, the average daily number of attack mitigations in the first half of 2021 increased by 25 percent. We mitigated an average of 1,392 attacks per day, the maximum reaching 2,043 attacks on May 24, 2021. In total, we mitigated upwards of 251,944 unique attacks against our global infrastructure during the first half of 2021.<\/p>\n\n\n\n

\"Number<\/figure>\n\n\n\n

Attack bandwidth<\/h2>\n\n\n\n

In the first half of 2021, the largest attack bandwidth reported on Azure resources was 625 Gbps, down from 1 Tbps in Q3 of 2020. However, the average attack size increased by 30 percent, from 250 Gbps to 325 Gbps.<\/p>\n\n\n\n

Attack duration<\/h2>\n\n\n\n

As with 2020, we continue to see that most attacks are short-lived, with 74 percent being 30 minutes or less and 87 percent being one hour or less.<\/p>\n\n\n\n

\"Attack<\/figure>\n\n\n\n

The proportion of short-lived attacks remained largely consistent across the first half of 2021. Seventy-six percent of attacks in Q1 of 2021 were 30 minutes or less duration, compared to 73 percent of attacks in Q2.<\/p>\n\n\n\n

\"attack-duration-by-quarter\"<\/figure>\n\n\n\n

This year, we see more advanced techniques being employed by attackers, such as recycling IPs to launch short-burst attacks.<\/p>\n\n\n\n

Top attack vectors<\/h2>\n\n\n\n

Compared to 2020, we see a rise in volumetric transmission control protocol (TCP) flood attacks. The first half of 2021 was characterized by a shift towards attacks against web applications, whereby TCP attacks are at 54 percent of all attack vectors (mainly TCP, SYN, SYN-ACK, and ACK floods).<\/p>\n\n\n\n

User datagram protocol (UDP) attacks were the top vector in 2020 comprising more than 65 percent of all attacks. In the first half of 2021, they decreased to 39 percent of overall attack vectors, with amplification attacks accounting for 11 percent of total attacks.<\/p>\n\n\n\n

\"Attack<\/figure>\n\n\n\n

While UDP attacks comprised the majority of attack vectors in Q1 of 2021, TCP overtook UDP as the top vector in Q2. From Q1 to Q2, the proportion of UDP dropped from 44 percent to 33 percent, while the proportion of TCP increased from 48 percent to 60 percent.<\/p>\n\n\n\n

\"attack-vectors-by-quarter\"<\/figure>\n\n\n\n

Top attacked regions<\/h2>\n\n\n\n

Similar to 2020, the United States (59 percent), Europe (19 percent), and East Asia (6 percent) were the most attacked regions due to the concentration of financial services and gaming industries in these regions. As financial institutions tend to rely on TCP workloads, it makes sense that these regions have been harder hit in the first half of 2021, given the rise in TCP flood attacks.<\/p>\n\n\n\n

\"Attack<\/figure>\n\n\n\n

The United Arab Emirates has been increasingly hit by DDoS attacks on government, private, oil and gas, telecommunications, and healthcare sectors. The region was particularly hit hard in January, with 70 percent of its total attacks concentrated in that month.<\/p>\n\n\n\n

As with 2020, East Asia (Hong Kong) remains a popular target of DDoS attacks, with 41 percent of its total attacks occurring in May and June. In June, we saw a huge uptick in SYN, SYN-ACK, and ACK flood attacks in the region and we mitigated multiple VIPs totaling up to 225M PPS of traffic.<\/p>\n\n\n\n

\"Top<\/figure>\n\n\n\n

Top attack sources<\/h2>\n\n\n\n

The top source countries to generate DDoS attacks were the United States (29 percent), China (28 percent), Russia (3 percent), and followed by South Korea (3 percent). Unknown sources (7 percent) indicate that the autonomous system numbers (ASNs) were either garbage, spoofed, or private ASNs that we could not translate.<\/p>\n\n\n\n

\"sources-final\"<\/figure>\n\n\n\n

New attack types observed<\/h2>\n\n\n\n

New zero-day attack vectors that we observed and defended against:<\/p>\n\n\n\n

Microsoft Windows RDP abuse on UDP 3389<\/strong><\/p>\n\n\n\n

In January, Microsoft Windows servers with Remote Desktop Protocol (RDP) enabled on UDP\/3389 were being abused to launch UDP amplification attacks. These attacks had an amplification ratio of 85.9:1 and a peak at ~750 Gbps.<\/p>\n\n\n\n

Reflection and amplification DDoS attack mitigation<\/a>.<\/p>\n\n\n\n

D\/TLS exploit reflection attack<\/strong><\/p>\n\n\n\n

In February, we saw instances of the Datagram Transport Layer Security (D\/TLS) attack vector. Video streaming and gaming customers were getting hit by D\/TLS refection attacks which exploited UDP source port 443.<\/p>\n\n\n\n

~4,300 publicly reachable servers are posing a new DDoS hazard to the Internet\u2014Ars Technica<\/a>.<\/p>\n\n\n\n

Plex Media server abuse<\/strong><\/p>\n\n\n\n

In June, we saw an emerging reflection attack iteration for the Simple Service Delivery Protocol (SSDP). This protocol normally uses source port 1900, and the new mutation was either on source port 32414 or 32410, also known as Plex Media Simple Service Delivery Protocol (PMSSDP).<\/p>\n\n\n\n

Plex Media servers are being abused for DDoS attacks\u2014ZDNet<\/a>.<\/p>\n\n\n\n

Protect your workloads with Azure DDoS Protection Standard<\/h2>\n\n\n\n

The world continues to be heavily dependent on digital services. We see a growing reliance on cloud-computing services, across sectors from financial services to healthcare. Cyberthreats are pervasive and ever-evolving, and it is always crucial for businesses to develop a robust DDoS response strategy<\/a> and be proactive in protecting their public workloads.<\/p>\n\n\n\n

Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to protect all public IP addresses in virtual networks. Protection is simple to enable<\/a> on any new or existing virtual network and does not require any application or resource changes. Our recently released Azure built-in policies<\/a> allow for better management of network security compliance by providing great ease of onboarding across all your virtual network resources and configuration of logs.<\/p>\n\n\n\n

With the recent rise of web application DDoS attacks, it is best to use DDoS Protection Standard alongside Application Gateway web application firewall (WAF), or a third-party web application firewall deployed in a virtual network with a public IP, for comprehensive protection. This also works if you are using Azure Front Door alongside Application Gateway, or if your backend resources are in your on-premises environment<\/a>. Additionally, when Application Gateway with WAF is deployed in a DDoS protected virtual network, there are no additional charges for WAF\u2014you pay for the Application Gateway at the lower non-WAF rate<\/a>.<\/p>\n\n\n\n

\"ddos-on-prem\"<\/figure>\n\n\n\n

If you have a web application that receives traffic from the Internet and is deployed regionally, you can host your application behind Application Gateway, then protect it with a WAF against Layer 7 web attacks and enable DDoS Protection Standard on the virtual network which contains the Application Gateway and WAF. The backend origins of your application will be in your on-premises environment, which is connected over the virtual private network (VPN). DDoS Protection Standard will defend your application by mitigating bad traffic and routing the supposed clean traffic to your application.<\/p>\n\n\n\n

Azure DDoS Protection Standard offers the following key benefits:<\/p>\n\n\n\n