Effective URL: https://blog.malwarebytes.com/reports/2021/04/huge-upsurge-in-ddos-attacks-during-pandemic/?_hsmi=88974744&_hsenc=p2ANqtz--Qzn...
Reports


“HUGE UPSURGE” IN DDOS ATTACKS DURING PANDEMIC

Posted: April 15, 2021 by Pieter Arntz

A new report by Netscout sets out yet another way in which 2020 was a
record-breaking year, for all the wrong reasons.

Researchers at Netscout have released a report analyzing the malicious internet
traffic of 2020 and comparing it to the years before. Some of the results were
as expected: credential brute-forcing and increased targeting of
internet-connected devices were foreseeable and have been discussed at length.
Even a record-breaking year in Distributed Denial of Service (DDoS) attacks
might have been expected, as it follows the upward trend of recent years. But the
sheer number of attacks, their size, and a new big player in the field of DDoS
extortion may raise some surprised eyebrows.


THE RECORDS

The report identifies a “huge upsurge” in DDoS traffic during 2020, with a
number of records broken:

 * The most DDoS attacks launched in a single month (929,000).
 * The most DDoS attacks in a single year (more than 10 million).
 * Monthly DDoS attack numbers that regularly exceed the 2019 averages by
   100,000-150,000 attacks.

As you can see, the records are all in the number of attacks. The attack
frequency spiked by 20 percent year over year, and by 22 percent in the last six
months of 2020.


NEW METHODS

A DDoS attack stops people from using a computer system by keeping it so busy
with traffic from multiple locations that it is overloaded and either crashes or
is permanently busy. Because they work by delivering more traffic than the
system or network under attack can handle, they hinge on an attacker's ability
to deliver significant volumes of traffic.

To increase the amount of data they can deliver, attackers look for methods that
amplify the amount of traffic they can create. Typically an attacker will look
for a service that will return a lot of data in response to a simple request
(often hundreds of times more data). They will then make as many requests to
that service as possible, but spoof their address so that it looks like the
requests are coming from the victim. Because of the spoofed address the
responses are reflected: sent to the victim instead of back to the attacker.

According to Netscout, threat actors exploited and weaponized at least four new
reflection/amplification DDoS attack vectors in 2020. The report specifically
mentions that abusable applications and services based on the UDP protocol
remained a valuable asset for attackers. These applications and services were
analysed and abused to provide new reflection/amplification vectors for DDoS
attacks and helped provide the power required for the new wave of attacks.
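The defining trait of the reflected traffic described above is that the victim receives large UDP "responses" from service ports it never queried. The check below, an added example that is not from the post or the Netscout report, flags such unsolicited responses in flow records; the flow records, the network addresses and the list of reflector ports are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed NetFlow-style records: direction relative to our network edge,
# protocol, source/destination address and port, and byte count.
@dataclass(frozen=True)
class Flow:
    direction: str   # "in" or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int

# UDP services commonly abused as reflectors (assumed list). A legitimate reply
# from one of them should be preceded by our own outbound query to that host.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 389: "CLDAP",
                   1900: "SSDP", 11211: "memcached"}

SAMPLE_FLOWS = [
    # Normal: our resolver 10.0.0.5 queries 198.51.100.7 and gets a small answer.
    Flow("out", "udp", "10.0.0.5", 40000, "198.51.100.7", 53, 80),
    Flow("in",  "udp", "198.51.100.7", 53, "10.0.0.5", 40000, 512),
    # Reflected: DNS/NTP "answers" arrive at 10.0.0.9, which never asked.
    Flow("in",  "udp", "203.0.113.10", 53, "10.0.0.9", 443, 4_000),
    Flow("in",  "udp", "203.0.113.11", 53, "10.0.0.9", 443, 4_100),
    Flow("in",  "udp", "203.0.113.20", 123, "10.0.0.9", 443, 48_000),
    # TCP traffic is outside the scope of this check and is ignored.
    Flow("in",  "tcp", "192.0.2.5", 443, "10.0.0.9", 55555, 9_000),
]

def unsolicited_reflections(flows):
    """Return {victim: {"bytes": n, "reflectors": k}} for inbound UDP flows from
    reflector service ports with no matching outbound request from the
    destination host to that same reflector address and service port."""
    requested = {(f.src, f.dst, f.dport) for f in flows
                 if f.direction == "out" and f.proto == "udp"}
    suspects = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    for f in flows:
        if f.direction != "in" or f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        if (f.dst, f.src, f.sport) in requested:
            continue  # solicited reply to a query we sent ourselves
        suspects[f.dst]["bytes"] += f.nbytes
        suspects[f.dst]["reflectors"].add((f.src, REFLECTOR_PORTS[f.sport]))
    return {v: {"bytes": d["bytes"], "reflectors": len(d["reflectors"])}
            for v, d in suspects.items()}
```

A sudden rise in both the byte count and the number of distinct reflectors for one internal address is the pattern a network team would alert on and hand to its mitigation provider.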


OLD METHODS

According to the report, UDP-based reflection/amplification attacks continued to
dominate the list of most popular attack vectors, with TCP ACK flood attacks
coming in a close second. This represents a changing of the guard, given that
TCP SYN floods were dominant in previous years. However, Domain Name System
(DNS) reflection/amplification attack frequency rose steadily over approximately
the past 18 months and became the top vector of choice in 2020.

Recommended background reading: SYN/ACK in the TCP Protocol


LAZARUS BEAR ARMADA

The Netscout report also reveals that in August of 2020 a new threat actor in
the field of DDoS extortion emerged and quickly started to make waves. In a DDoS
extortion attack an attacker demands a ransom in exchange for halting a DDoS
attack that is stopping the victim or its customers from using systems they
need. The new group named themselves Lazarus Bear Armada (LBA), very likely to
imply that they are affiliated with well-known APT groups like the Lazarus
Group, Fancy Bear, and the Armada Collective, affiliations that they like to
emphasize when threatening victims.

Their extortion attacks were primarily directed towards companies in the
financial and travel-industry sectors, and sometimes included their upstream
internet transit providers too. ISPs, healthcare providers, insurance providers,
personal care product manufacturers, regional energy providers, and IT-related
vendors were also targeted, according to Netscout.


EXTORTION AND ATTACKS

The LBA attacks are characterized by the attacker initiating a demonstration
DDoS attack against parts of the target's online infrastructure, followed
shortly after by an email demand for a substantial payment in Bitcoin. The
extortion demands typically stated that the attacker had up to 2 Tbps of DDoS
attack capacity at the ready, which could be directed at the victim's systems if
the demands were not met. And they did not shy away from actual DDoS attacks
against those unwilling to pay, not even when it concerned organizations that
played a crucial role in fighting the pandemic.


DDOS ATTACK CAPACITY

Even though there are no agreed-upon international standards for measuring DDoS
attack capacity, the attack volumes observed over the course of the LBA's
campaign maxed out at 300 Gbps, which is significant.


DEFENDING AGAINST A DDOS ATTACK

As in most areas of security, searching for a solution at the moment you find
out that you are the target of a DDoS attack is not the best strategy,
especially if your organization depends on Internet-facing servers. DDoS
mitigation is a complex subject, but we suggest that your chosen solution should
offer you one or more of these options:

 * Allow users to use your systems normally as much as possible, even during an
   attack.
 * Protect your network from breaches during an attack.
 * Establish an alternative system to work with.

Broadly speaking, organizations either need to be able to operate in spite of
systems being unavailable, with ways to keep the work going and the revenue
flowing, or they need a way to absorb, re-route or drop DDoS traffic so they can
continue to operate as close to normally as possible. Defending against
massive-scale DDoS attacks requires access to enormous network resources, which
may only be accessible via a third party offering DDoS mitigation services.
Whatever form your protection takes, make sure you have a plan or protocols in
place before an attack occurs.

You can read more on the subject in our article DDoS attacks are growing: What
can businesses do?

ABOUT THE AUTHOR

Pieter Arntz
Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four
languages. Smells of rich mahogany and leather-bound books.
