News overview

Q1 2021 saw the appearance of two new botnets. News broke in January of the FreakOut malware, which attacks Linux machines. Cybercriminals exploited several critical vulnerabilities in programs installed on victim machines, including the newly discovered CVE-2021-3007. Botnet operators use infected machines to carry out DDoS attacks or mine cryptocurrency.

Another active bot targeted Android devices with the ADB (Android Debug Bridge) debug interface. The botnet was dubbed Matryosh (from the Russian word matryoshka, nesting doll) due to the multi-step process for obtaining the C&C address. It is not the first bot to attack mobile devices through a debug interface. This loophole was previously exploited by ADB.Miner, Ares, IPStorm, Fbot, Trinity, and other malware.

Q1 was not without yet another iteration of Mirai. Cybercriminals infected network devices, exploiting relatively recently discovered vulnerabilities, plus several unknown bugs. According to the researchers who identified the attack, it might have affected several thousand devices.

In Q1 2021, cybercriminals also discovered a host of new tools for amplifying DDoS attacks. One of them was Plex Media Server for setting up a media server on Windows, macOS, or Linux computers, network-attached storage (NAS) devices, digital media players, and the like. Around 37,000 devices with Plex Media Server installed, accessible online directly or receiving packets redirected from specific UDP ports, proved to be vulnerable. Junk traffic generated by Plex Media Server is made up of Plex Media Service Discovery Protocol (PMSSDP) requests and amplifies the attack by a factor of approximately 4.68.

A major amplification vector was the RDP service for remote connection to Windows devices. RDP servers listening on UDP port 3389 were used to amplify DDoS attacks. At the time of publishing the information about the misuse of the remote access service, 33,000 vulnerable devices had been discovered. The amplification factor was significantly higher than in the case of Plex Media Server: 85.9. To prevent attacks via RDP, it is recommended to hide RDP servers behind a VPN or disable UDP port 3389.

That said, a VPN is no panacea if it too is vulnerable to amplification attacks. In Q1 2021, for instance, attackers went after Powerhouse VPN servers. The culprit turned out to be the Chameleon protocol, which guards against VPN blocking and listens on UDP port 20811. The server response to requests on this port was 40 times larger than the original request. The vendor released a patch when they learned about the problem.

Alas, not all users of vulnerable programs and devices install updates promptly. For instance, as of mid-March, there were around 4,300 web-based servers for DDoS amplification through the DTLS protocol; this method was covered in our previous report. Vulnerable devices were either misconfigured or missing the latest firmware version with the required settings. Cybercriminals have wasted no time in adding this amplification method (as well as most others discovered only this past quarter) to their arsenal of DDoS-for-hire platforms.
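A victim-side check for the two reflection vectors for which the report gives a UDP port (3389 and 20811), written as an added example and not taken from the report. The flow-record column layout, the thresholds and the sample addresses are assumptions; the ports and amplification factors are the ones quoted above.

```python
import csv
import io
from collections import defaultdict

# UDP source ports and amplification factors as stated in the report above.
REFLECTOR_PORTS = {
    3389: ("RDP over UDP", 85.9),
    20811: ("Powerhouse VPN Chameleon", 40.0),
}

# Constructed flow records (documentation address ranges), not real traffic.
# Assumed columns: proto, src_ip, src_port, dst_ip, dst_port, bytes
SAMPLE_FLOWS = """\
udp,198.51.100.10,3389,203.0.113.5,41022,120000
udp,198.51.100.11,3389,203.0.113.5,41022,95000
udp,198.51.100.12,3389,203.0.113.5,50311,110000
udp,198.51.100.40,20811,203.0.113.5,50311,64000
udp,198.51.100.77,53,203.0.113.5,33000,300
tcp,198.51.100.10,3389,203.0.113.9,51000,900000
udp,198.51.100.10,3389,203.0.113.9,51000,1500
"""


def find_reflection(flow_csv, min_sources=3, min_bytes=100_000):
    """Flag (victim, reflector port) pairs that look like a reflected UDP flood.

    A pair is flagged when at least `min_sources` distinct hosts sent at least
    `min_bytes` in total from one of REFLECTOR_PORTS to the same destination.
    """
    stats = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        proto, src_ip, src_port, dst_ip, _dst_port, nbytes = (f.strip() for f in row)
        try:
            port, size = int(src_port), int(nbytes)
        except ValueError:
            continue
        # Only UDP counts: TCP 3389 is ordinary RDP, not the reflection vector.
        if proto.lower() != "udp" or port not in REFLECTOR_PORTS:
            continue
        entry = stats[(dst_ip, port)]
        entry["bytes"] += size
        entry["sources"].add(src_ip)

    findings = []
    for (victim, port), entry in sorted(stats.items()):
        if len(entry["sources"]) < min_sources or entry["bytes"] < min_bytes:
            continue
        name, factor = REFLECTOR_PORTS[port]
        findings.append({
            "victim": victim, "vector": name, "port": port,
            "reflectors": len(entry["sources"]), "bytes": entry["bytes"],
            # Reflected bytes divided by the reported factor approximates the
            # request volume the reflectors received.
            "est_request_bytes": round(entry["bytes"] / factor),
        })
    return findings


if __name__ == "__main__":
    for finding in find_reflection(SAMPLE_FLOWS):
        print(finding)
```

Many distinct sources answering from the same service port toward one destination is the signature worth alerting on; a single host sending from UDP 3389 is more likely a legitimate RDP session.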

Non-standard protocols are of interest to cybercriminals not merely as a means of amplification, but as a tool for carrying out DDoS attacks. In Q1, a new attack vector appeared in the form of DCCP (Datagram Congestion Control Protocol), a transport protocol for regulating the network load when transmitting data in real time, for example, video streaming. The built-in mechanisms to protect against channel congestion did not prevent attackers from using this protocol to flood victims with multiple connection requests. What's more, on the side of the junk packet recipients, there were no online-accessible DCCP applications. Most likely, the attackers were randomly looking for a way to bypass standard DDoS protection.

Another unusual DDoS vector was the subject of an FBI warning about the increase in attacks on emergency dispatch centers. TDoS (telephony denial-of-service) attacks aim to keep the victim's phone number permanently busy, flooding it with junk calls. There are two main TDoS techniques: via flash mobs on social networks or forums, and automated attacks using VoIP software. Neither is new, but TDoS against critical first-responder facilities poses a very serious threat. "The populace can protect themselves in the event that 911 [the emergency number across North America] is unavailable by identifying in advance non-emergency phone numbers and alternate ways to request emergency services in their area," the FBI advised.

On the whole, the quarter was rich in media-reported DDoS attacks. In particular, DDoS extortionists continued to attack organizations worldwide at the start of the year. In some cases, they demonstrated impressive capabilities. For example, a European lottery corporation was bombarded with junk traffic, peaking at 800 GB per second. Maltese Internet service provider Melita was also hit by extortionists: a showcase DDoS attack disrupted services. At the same time, ransomware operators, having already started to steal victims' data before encryption, also turned their eyes on DDoS as an extortion tool. The first attack on the website of a victim unwilling to negotiate took place late last year. In January, Avaddon's operators jumped on the bandwagon, followed in March by the group behind the Sodinokibi (REvil) ransomware.

Extortionists were likely spurred on by the upward movement of cryptocurrency prices, which continued in Q1 2021. In early February, Tesla announced a massive investment in Bitcoin, which led to even more hype around digital money. Several cryptocurrency exchanges could not cope with the resulting influx of sign-ups and suffered downtime. There was no avoiding DDoS either: British exchange EXMO reported an attack on its systems. Company representatives admitted that not only the website was affected, but the entire network infrastructure.

As many users were still working (and playing) from home in Q1 2021, cybercriminals made sure to target the most in-demand resources. In addition to the aforementioned Melita, Austrian provider A1 Telekom, as well as Belgian telecommunications firm Scarlet, suffered DDoS attacks (albeit without the ransom component). In both instances, clients faced communication disruptions, and in the case of A1 Telekom, users all across the country experienced problems.

Online entertainment was likewise targeted by cybercriminals throughout the quarter. For instance, Blizzard reported a DDoS attack in early January. The flood of junk traffic caused players, especially those trying to connect to World of Warcraft servers, to experience delays. There were also cases of players getting kicked off the server. Towards the end of the month, cybercriminals attacked League of Legends. Players attempting to enter tournaments in Clash mode experienced login issues and intermittent connection failures. In February, a DDoS attack temporarily disabled the television service of Icelandic provider Siminn. And in March, LittleBigPlanet servers were unavailable for several days. Players blamed a disgruntled fan for the attack.

By early 2021, many schools had switched to on-campus or hybrid mode, but that did not stop the DDoS attacks. Only now, instead of flooding online platforms with junk traffic, cybercriminals tried to deprive educational institutions of internet access. For instance, in February, US schools in Winthrop, Massachusetts, and Manchester Township, New Jersey, were hit by DDoSers. In the second case, the attack forced the relevant institutions to temporarily return to remote schooling. In March, CSG Comenius Marienburg, a local school in Leeuwarden, Netherlands, likewise fell victim to a DDoS attack. The attack was organized by students themselves. Two of them were quickly identified, but school officials suspect that there were other accomplices.

The most significant event in Q1 was COVID-19 vaccination. As new segments of the population became eligible for vaccination programs, related websites suffered interruptions. At the end of January, for example, a vaccine registration website in the US state of Minnesota crashed under the load. The incident coincided with the opening of appointments to seniors, teachers and childcare workers. In February, a similar glitch occurred on a vaccine appointment portal in Massachusetts as retirees, people with chronic illnesses and staff of affordable senior housing tried to sign up for a shot. In both cases, it is not known for certain whether it was a DDoS attack or an influx of legitimate traffic; all the same, cybersecurity company Imperva recorded a spike in bot activity on healthcare resources.

Nor was Q1 without political DDoS attacks. In February, cybercriminals flooded the websites of Dutch politician Kati Piri and the Labor Party, of which she is a member, with junk traffic. The Turkish group Anka Nefeler Tim claimed responsibility. In late March, a DDoS hit the website of the Inter-Parliamentary Alliance on China (IPAC). Representatives of the organization note that this is not the first such attack in recent memory. On top of that, several government agencies in Russia and Ukraine reported DDoS attacks in early 2021. The victims included the websites of the Russian Federal Penitentiary Service and the National Guard, the Kiev City State Administration, the Security Service of Ukraine, the National Security and Defense Council, as well as other Ukrainian security and defense institutions.

Since the beginning of 2021, a number of media outlets in Russia and abroad have been targeted by DDoS attacks. In January, attackers downed the websites of Kazakh newspaper Vlast and Brazilian nonprofit media organisation Reporter Brasil. In the second case, the attacks continued for six days. The Ulpressa portal, based in the Russian city of Ulyanovsk, came under a much longer attack lasting several weeks. The website was attacked daily during peak hours. The KazanFirst news portal initially managed to repel the stream of junk traffic, but the attackers changed tactics and ultimately took the website offline. A similar scenario played out in the case of Mexican magazine Espejo: the administrators deflected the first attempts to down the website, but these were followed by a more powerful DDoS wave.

But it was not only legitimate organizations that suffered from DDoS in Q1 2021. In January, many resources on the anonymous Tor network, which is popular with cybercriminals, were disrupted. The Tor network may have been overloaded due to DDoS attacks against specific sites on the dark web. A February target was the major underground forum Dread, used, among other things, to discuss deals on the black market. The forum administration was forced to connect additional servers to defend against the attack.

But this quarter was not all doom and gloom: some DDoS organizers did get exposed. For example, a pair of high-ranked Apex Legends players who DDoSed anyone who beat them finally got banned. A slightly more severe punishment was dished out to a teenager who late last year tried to disrupt Miami-Dade County Public Schools' online study system. He escaped jail, but was sentenced to 30 hours' community service and is on probation.

Quarter trends

In Q1 2021, DDoS market growth against the previous reporting period outperformed our prediction of around 30%, nudging over the 40% mark. Unusually, and hence interestingly, 43% of attacks occurred in the normally relatively calm month of January.

Comparative number of DDoS attacks, Q1 2021, Q1 2020, and Q4 2020. Data for Q1 2020 is taken as 100%

The unexpected surge in DDoS activity can be attributed to the price of cryptocurrencies in general, and Bitcoin in particular, which began to fall in January 2021. The practice of previous years shows that rapid cryptocurrency growth is followed by a similarly rapid decline. It would seem that the nimblest botnet owners expected similar behavior this year, and reverted to DDoS at the first hint of a price drop. However, the Bitcoin price sometimes has a mind of its own: it rose again in February, plateaued in March and remains high at the time of posting. Accordingly, the DDoS market sagged in February and March.

Note that these two months were entirely in line with our forecast: the DDoS market showed slight growth relative to Q4, but no more than 30%. Another curiosity is that this year's February and March indicators are very similar (within a few percent) to those of January 2020, which was a typically calm January. The same picture (abnormal January followed by standard February and March) was seen in 2019.

Comparative number of DDoS attacks, 2019-2021. Data for 2019 is taken as 100%

Q1 2019 was fairly stable, virtually a benchmark, so it can be used to demonstrate discrepancies. Last year saw an explosive increase in DDoS activity in February and March, which we attributed, and continue to attribute, to the coronavirus outbreak, the switch to remote working, and the emergence of many new DDoS-vulnerable targets. This year's January outlier is equally stark when compared with the 2019 data.

Note the significant lag in the Q1 figures overall against the same period of last year. This gap can be explained by the above-mentioned abnormally high numbers in 2020. During the past year, the situation has changed: organisations have strengthened and learned how to protect remote infrastructure, so Q1 this year was simply ordinary, with no twists. The slump in the numbers was caused specifically by the abnormal previous year, not the decline in the current one. At the same time, the share of smart attacks in Q1 increased relative to both the end of 2020 (from 44.29% to 44.60%) and its start. This also indirectly supports the assumption that capacities are being redirected away from DDoS, which comes at the expense of attacks that are easy to organize and defend against, since they have become unprofitable for botnet operators.

Share of smart attacks, Q1 2021, Q1 2020, and Q4 2020

In our Q4 2020 report, we noted a downward trend in the duration of short attacks and an upward one in the duration of long attacks. This tendency continued this quarter as well, which is clearly seen from the duration data compared to Q4 of the previous year. We cautiously assume that this trend will continue in the future.

DDoS attack duration, Q1 2021, Q1 2020, and Q4 2020. Data for Q1 2020 is taken as 100%

Statistics Methodology

Kaspersky has a long history of combating cyberthreats, including DDoS attacks of all types and complexity. Company experts monitor botnets using the Kaspersky DDoS Intelligence system.

The DDoS Intelligence system is part of the Kaspersky DDoS Protection solution, and intercepts and analyzes commands sent to bots from C&C servers. The system is proactive, not reactive, meaning that it does not wait for a user machine to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q1 2021.

In the context of this report, it is assumed that an incident is a separate (single) DDoS attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Bot requests originating from different botnets but aimed at one resource likewise count as separate attacks.

The geographical locations of DDoS attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.
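The counting rules from the two paragraphs above (the 24-hour gap, separate attacks per botnet, unique targets by IP address), worked through as an added example that is not Kaspersky's code. The record layout, botnet labels and sample data are constructed; a gap of exactly 24 hours is treated as a new attack, following the "24 hours or more" wording, which is an assumption about the boundary case.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

GAP = timedelta(hours=24)  # threshold stated in the methodology


class Attack(NamedTuple):
    botnet: str
    target: str
    start: datetime
    end: datetime


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed activity periods: (botnet, target_ip, start, end).
SAMPLE_PERIODS = [
    ("botnet-A", "203.0.113.5", ts("2021-01-10 08:00"), ts("2021-01-10 09:00")),
    # 11 hours after the previous period ended: same attack.
    ("botnet-A", "203.0.113.5", ts("2021-01-10 20:00"), ts("2021-01-10 21:30")),
    # Exactly 24 hours after the previous period ended: counted as a new attack.
    ("botnet-A", "203.0.113.5", ts("2021-01-11 21:30"), ts("2021-01-11 22:00")),
    # Same target and time window, different botnet: separate attack.
    ("botnet-B", "203.0.113.5", ts("2021-01-10 08:30"), ts("2021-01-10 08:45")),
    ("botnet-A", "198.51.100.7", ts("2021-02-13 01:00"), ts("2021-02-13 02:00")),
]


def group_attacks(periods, gap=GAP):
    """Merge activity periods into attacks per (botnet, target) pair."""
    by_pair = defaultdict(list)
    for botnet, target, start, end in periods:
        if end < start:
            raise ValueError(f"period ends before it starts: {botnet} {target}")
        by_pair[(botnet, target)].append((start, end))

    attacks = []
    for (botnet, target), spans in sorted(by_pair.items()):
        spans.sort()
        cur_start, cur_end = spans[0]
        for start, end in spans[1:]:
            if start - cur_end < gap:
                # Overlapping or close periods extend the current attack.
                cur_end = max(cur_end, end)
            else:
                attacks.append(Attack(botnet, target, cur_start, cur_end))
                cur_start, cur_end = start, end
        attacks.append(Attack(botnet, target, cur_start, cur_end))
    return attacks


def unique_targets(attacks):
    """Unique targets are counted by distinct IP address."""
    return {a.target for a in attacks}


if __name__ == "__main__":
    result = group_attacks(SAMPLE_PERIODS)
    for attack in result:
        print(attack)
    print(len(result), "attacks,", len(unique_targets(result)), "unique targets")
```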

DDoS Intelligence statistics apply only to botnets detected and analyzed by Kaspersky. Note that botnets are just one of the tools used for DDoS attacks, and that this section does not cover every single DDoS attack that occurred during the review period.

Note that, starting Q4 2020, the number of botnets whose activity is included in the DDoS Intelligence statistics has increased. This may be reflected in the data presented in this report.

Quarter summary

In Q1 2021:

The US displaced China from top spot by both number of DDoS attacks and number of unique targets.

We saw a spike in DDoS activity in January, peaking at over 1,800 attacks per day: 1,833 on the 10th and 1,820 on the 11th. On several other days in January, the daily number of attacks surpassed 1,500.

The distribution of attacks by day of the week was fairly even: only 2.32 p.p. separated the most and the least active days.

The number of short (less than 4 hours) DDoS attacks increased significantly.

The most widespread this time was UDP flooding (41.87%), while SYN flooding dropped to third place (26.36%).

Linux botnets continued to account for almost all DDoS traffic (99.90%).

Attack geography

In Q1 2021, the perennial leaders by number of DDoS attacks swapped places: the US (37.82%) added 16.84 p.p. to top the leaderboard, nudging aside China (16.64%), which lost 42.31 p.p. against the previous reporting period. Hong Kong (2.67%), which had long occupied third position, this time dropped to ninth, with Canada (4.94%) moving into the Top 3.

The UK (4.12%) also lost ground, falling from fourth to sixth place, despite its share increasing by 2.13 p.p., behind the Netherlands (4.48%) and France (4.43%). South Africa, which finished fifth last quarter, dropped out of the Top 10 altogether. Germany (3.78%) moved up to seventh place, displacing Australia (2.31%), which rounds out the ranking this quarter. Eighth place was taken by Brazil (3.36%), having rarely climbed higher than eleventh before.

Distribution of DDoS attacks by country, Q4 2020 and Q1 2021

The Top 10 countries by number of DDoS targets traditionally corresponds closely to the ranking by number of attacks. The Q1 leader was the US (41.98%), whose share increased by 18.41 p.p. By contrast, China's share fell by more than four times, from 44.49% to 10.77%, pushing it into second place. However, there are some minor differences in the two rankings. Hong Kong, for instance, fell out of the Top 10 countries by number of targets, and the Netherlands moved up to third place (4.90%). The UK (4.62%) consolidated its position in fourth spot, while Canada (4.05%) fell from sixth to seventh, only a fraction of a percentage point behind Germany (4.10%) and France (4.08%).

Brazil (3.31%), as in the ranking by number of DDoS attacks, moved up to eighth place, while Australia (2.83%) climbed from tenth to ninth place, letting Poland (2.50%) sneak in at the foot of the table. Like Brazil, Poland is an infrequent guest in the Top 10.

Distribution of unique DDoS-attack targets by country, Q4 2020 and Q1 2021

DDoS attack dynamics

Q1 2021 got off to a dynamic start. DDoS activity peaked on January 10 and 11, when the number of attacks surpassed 1,800 per day. January posted several more days on which our systems recorded more than 1,500 attacks. As already mentioned, this surge in activity is most likely due to the brief drop in the Bitcoin price. After a stormy start, there followed a relatively calm February, when for several days in a row (from the 13th to the 17th) the daily rate of DDoS attacks remained under 500. The quietest day was February 13, when we recorded just 346 attacks. Early March saw another peak, more modest than the January one: 1,311 attacks on the 3rd and 1,290 on the 4th. Note that, as before, this was preceded by a fall in the Bitcoin price.

Dynamics of the number of DDoS attacks, Q1 2021

In Q1 2021, DDoS attacks by day of the week were far more evenly spread than in the previous reporting period. The difference between the stormiest and the quietest days was 2.32 p.p. (versus 6.48 p.p. in Q4 2020). Saturday (15.44%) took the lion's share of DDoS attacks, while Thursday (13.12%), last quarter's leader, was this time the least active day. Overall, the share of days from Friday to Monday increased in the first three months of 2021, while midweek dipped slightly.

Distribution of DDoS attacks by days of the week, Q4 2020 and Q1 2021

Duration and types of DDoS attacks

The average DDoS attack duration in Q1 more than halved compared to Q4 2020. The proportion of very short attacks lasting less than four hours rose markedly (91.37% against 71.63% in the previous reporting period). In contrast, the share of longer attacks declined. Attacks lasting 5-9 hours lost 7.64 p.p., accounting for 4.14% of all attacks; just 2.07% of incidents lasted 10-19 hours, and 1.63% lasted 20-49 hours. Attacks lasting 50-99 hours in Q1 made up less than 1% of the total. The shares of long (0.07%) and ultra-long (0.13%) attacks also fell slightly.

Distribution of DDoS attacks by duration, Q4 2020 and Q1 2021

The distribution of attacks by type continued to change. In Q1 2021, the seemingly unassailable leader, SYN flooding (26.36%), lost its grip on the ranking. This DDoS type shed 51.92 p.p. and finished third. Meanwhile, UDP (41.87%) and TCP flooding (29.23%) gained in popularity among attackers. GRE (1.43%) and HTTP flooding (1.10%), which round out the ranking, likewise posted modest growth.

Distribution of DDoS attacks by type, Q1 2021

In terms of botnet types, Linux-based bots were again responsible for the vast majority of attacks this quarter. Moreover, their share even rose slightly against the previous reporting period: from 99.80% to 99.90%.

Ratio of Windows/Linux botnet attacks, Q4 2020 and Q1 2021

Botnet distribution geography

The traditional leader in terms of C&C server hosting is the US (41.31%), and Q1 was no exception. Its share increased by 5.01 p.p. against Q4 2020. Silver and bronze again went to Germany (15.32%) and the Netherlands (14.91%), only this time they changed places: the share of the Netherlands fell, while Germany's almost doubled. Romania plummeted from fourth to seventh place (2.46%), behind France (3.97%), the UK (3.01%), and Russia (2.60%). Canada held on to eighth position (1.92%), while Singapore and the Seychelles closed out the ranking, both posting 1.37% in Q1.

Distribution of botnet C&C servers by country, Q1 2021

Conclusion

The first quarter began with a rise in DDoS activity amid falling cryptocurrency prices, but on the whole it was relatively calm. At the same time, we observed several unexpected reshuffles. In particular, the US knocked China out of first place by both number of DDoS attacks and number of targets. SYN flooding, long the most common type of attack, gave way to UDP and TCP this time around.

As for Q2 forecasts, no significant changes in the DDoS market are in sight at present. As is customary, much will depend on cryptocurrency prices, which are currently rising to an all-time high. Besides, the experience of previous years shows that the second quarter is usually rather calmer than the first; so, barring any shocks, we expect little change, perhaps a slight decline, in the DDoS market. That said, if the cryptocurrency market falls sharply, we forecast a rise in DDoS activity, driven largely by simple, short-lasting attacks.

Read more: securelist.com