{"id":7817,"date":"2022-01-25T00:00:00","date_gmt":"2022-01-25T08:00:00","guid":{"rendered":"https:\/\/azure.microsoft.com\/blog\/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends"},"modified":"2025-06-18T05:14:33","modified_gmt":"2025-06-18T12:14:33","slug":"azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends","status":"publish","type":"post","link":"https:\/\/azure.microsoft.com\/en-us\/blog\/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends\/","title":{"rendered":"Azure DDoS Protection\u20142021 Q3 and Q4 DDoS attack trends"},"content":{"rendered":"\n

This blog post was co-authored by Anupam Vij, Principal PM Manager, and Syed Pasha, Principal Network Engineer, Azure Networking<\/em><\/p>\n\n\n\n

In the second half of 2021, the world experienced an unprecedented level of Distributed Denial-of-Service (DDoS) activity in both complexity and frequency. The gaming industry was perhaps the hardest hit, with DDoS attacks disrupting gameplay of Blizzard games1<\/sup>, Titanfall2<\/sup>, Escape from Tarkov3<\/sup>, Dead by Daylight4<\/sup>, and Final Fantasy 145<\/sup> among many others. Voice over IP (VoIP) service providers such as Bandwidth.com6<\/sup>, VoIP Unlimited7<\/sup>, and VoIP.ms8<\/sup> suffered outages following ransom DDoS attacks. In India, we saw a 30-fold increase of DDoS attacks during the nation\u2019s festive season in October9<\/sup> with multiple broadband providers targeted, which shows that the holidays are indeed an attractive time for cybercriminals. As we highlighted in the 2021 Microsoft Digital Defense Report<\/a>, the availability of DDoS for-hire services as well as the cheap costs\u2014at only approximately $300 USD per month\u2014make it extremely easy for anyone to conduct targeted DDoS attacks.<\/p>\n\n\n\n

At Microsoft, despite the evolving challenges in the cyber landscape, the Azure DDoS Protection<\/a> team was able to successfully mitigate some of the largest DDoS attacks ever, both in Azure and in the course of history. In this review, we share trends and insights into DDoS attacks we observed and mitigated throughout the second half of 2021.<\/p>\n\n\n\n

August recorded the highest number of attacks<\/h2>\n\n\n\n

Microsoft mitigated an average of 1,955 attacks per day, a 40 percent increase from the first half of 2021<\/a>. The maximum number of attacks in a day recorded was 4,296 attacks on August 10, 2021. In total, we mitigated upwards of 359,713 unique attacks against our global infrastructure during the second half of 2021, a 43 percent increase from the first half of 2021.<\/p>\n\n\n\n

Interestingly, there was not as much of a concentration of attacks during the end-of-year holiday season compared to previous years. We saw more attacks in Q3 than in Q4, with the most occurring in August, which may indicate a shift towards attackers acting all year round\u2014no longer is holiday season the proverbial DDoS season<\/a>! This highlights the importance of DDoS protection all year round, and not just during peak traffic seasons.<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n

Microsoft mitigated a 3.47 Tbps attack, and two more attacks above 2.5 Tbps<\/h2>\n\n\n\n

Last October, Microsoft reported on a 2.4 terabit per second (Tbps) DDoS attack<\/a> in Azure that we successfully mitigated. Since then, we have mitigated three larger attacks.<\/p>\n\n\n\n

In November, Microsoft mitigated a DDoS attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), targeting an Azure customer in Asia. We believe this to be the largest attack ever reported in history.<\/p>\n\n\n\n

This was a distributed attack originating from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan. Attack vectors were UDP reflection on port 80 using Simple Service Discovery Protocol (SSDP), Connection-less Lightweight Directory Access Protocol (CLDAP), Domain Name System (DNS), and Network Time Protocol (NTP) comprising one single peak, and the overall attack lasted approximately 15 minutes.<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n

In December, we mitigated two more attacks that surpassed 2.5 Tbps, both of which were again in Asia. One was a 3.25 Tbps UDP attack in Asia on ports 80 and 443, spanning more than 15 minutes with four main peaks, the first at 3.25 Tbps, the second at 2.54 Tbps, the third at 0.59 Tbps, and the fourth at 1.25 Tbps. The other attack was a 2.55 Tbps UDP flood on port 443 with one single peak, and the overall attack lasted just a bit over five minutes.<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n
\"A<\/figure>\n\n\n\n

In these cases, our customers do not have to worry about how to protect their workloads in Azure, as opposed to running them on-premises. Azure\u2019s DDoS protection platform, built on distributed DDoS detection and mitigation pipelines, can scale enormously to absorb the highest volume of DDoS attacks, providing our customers the level of protection they need. The service employs fast detection and mitigation of large attacks by continuously monitoring our infrastructure at many points across the Microsoft global network. Traffic is scrubbed at the Azure network edge before it can impact the availability of services. If we identify that the attack volume is significant, we leverage the global scale of Azure to defend the attack from where it is originating.<\/p>\n\n\n\n

Short burst and multi-vector attacks remain prevalent, although more attacks are lasting longer<\/h2>\n\n\n\n

As with the first half of 2021, most attacks were short-lived, although, in the second half of 2021, the proportion of attacks that were 30 minutes or less dropped from 74 percent to 57 percent. We saw a rise in attacks that lasted longer than an hour, with the composition more than doubling from 13 percent to 27 percent. Multi-vector attacks continue to remain prevalent.<\/p>\n\n\n\n

It\u2019s important to note that for longer attacks, each attack is typically experienced by customers as a sequence of multiple short, repeated burst attacks. One such example would be the 3.25 Tbps attack mitigated, which was the aggregation of four consecutive short-lived bursts that each ramped up in seconds to terabit volumes.<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n

UDP spoof floods dominated, targeting the gaming industry<\/h2>\n\n\n\n

UDP attacks rose to the top vector in the second half of 2021, comprising 55 percent of all attacks, a 16 percent increase from the first half of 2021. Meanwhile, TCP attacks decreased from 54 percent to just 19 percent. UDP spoof floods was the most common attack type (55 percent), followed by TCP ACK floods (14 percent) and DNS amplification (6 percent).<\/p>\n\n\n\n

\"A<\/figure>\n\n\n\n

Gaming continues to be the hardest hit industry. The gaming industry has always been rife with DDoS attacks because players often go to great lengths to win. Nevertheless, we see that a wider range of industries are just as susceptible, as we have observed an increase in attacks in other industries such as financial institutions, media, internet service providers (ISPs), retail, and supply chain. Particularly during the holidays, ISPs provide critical services that power internet phone services, online gaming, and media streaming, which make them an attractive target for attackers.<\/p>\n\n\n\n

UDP is commonly used in gaming and streaming applications. The majority of attacks on the gaming industry have been mutations of the Mirai botnet and low-volume UDP protocol attacks. An overwhelming majority were UDP spoof floods, while a small portion were UDP reflection and amplification attacks, mostly SSDP, Memcached, and NTP.<\/p>\n\n\n\n

Workloads that are highly sensitive to latency, such as multiplayer game servers, cannot tolerate such short burst UDP attacks. Outages of just a couple seconds can impact competitive matches, and outages lasting more than 10 seconds typically will end a match. For this scenario, Azure recently released the preview of inline DDoS protection<\/a>, offered through partner network virtual appliances (NVAs) that are deployed with Azure Gateway Load Balancer. This solution can be tuned to the specific shape of the traffic and can mitigate attacks instantaneously without impacting the availability or performance of highly latency-sensitive applications.<\/p>\n\n\n\n