DDoS – Tech | Business | Economy
https://techeconomy.ng

Nigeria, Mali Lead West Africa in DDoS Attacks for Late 2024, Says NETSCOUT
https://techeconomy.ng/nigeria-mali-lead-west-africa-in-ddos-attacks-for-late-2024-says-netscout/
Tue, 27 May 2025 10:44:45 +0000

West Africa’s distributed denial of service (DDoS) threat landscape was led by Nigeria and Mali, as revealed in NETSCOUT’s recently released Threat Intelligence Report for July to December 2024, which delves into trends and methodologies used in attacks globally.

Nigeria was exposed to 1,716 strikes, a significant drop from the 2,721 incidents seen in the first half of 2024.

In contrast, Mali experienced a more than ten-fold increase in 2H 2024 – up from just 115 seen previously between January and June 2024 to 1,637 in the second half of the year.

“Web search portals and all other information services bore the brunt of attacks in Mali, with an astounding average duration of 1,197 minutes per incident,” says Bryan Hamman, regional director for Africa at NETSCOUT. “This was followed by wired telecommunications carriers, which was also the most targeted industry at a global level during the same period, with more than 2.1 million incidents.

“In Nigeria, the most frequently targeted sectors included telecommunications resellers and computing infrastructure providers. Beauty salons also featured on the country’s top ten list, alongside wired telecommunications carriers, then commercial banking, used merchandise retailers, tyre dealers, and household electronics wholesalers. This shows once again how threat actors adapt their strategies accordingly within different countries to target those industries that are strong in individual sovereign territories.”

Once again, Nigeria experienced some of the region’s most complex DDoS campaigns, peaking at 22 distinct vectors used in a single attack, primarily TCP, Domain Name System (DNS) amplification and Internet Control Message Protocol (ICMP) flood DDoS attacks, also known as Ping flood attacks.

Liberia emerged as the next most affected country, recording 1,189 DDoS attacks, down slightly from 1,515 incidents in the first half of the year.

Here, computer systems design services businesses were heavily targeted, suffering 360 attacks over the six-month period. The most frequently used attack vector was DNS amplification, with STUN amplification not far behind.

“In Ghana, DDoS activity dropped significantly in the second half of the year, falling to only 917 attacks versus 4,753 earlier in the year. Three of the top four types of businesses under fire this time were ICT-related, namely web search portals and information services (317), wired telecommunications carriers (43) and computing infrastructure providers (4). Interestingly, footwear manufacturers ranked third, with 14 attacks over the second half of 2024.”

The Democratic Republic of the Congo made its debut in NETSCOUT’s regional rankings, landing in fifth place with 879 reported attacks, comments Hamman. 

“While the most significant attack peaked at a modest 0.74 Gbps, the complexity was notable – with up to 15 vectors used in a single attack. Computing infrastructure providers were primarily affected, but a single incident aimed at a satellite telecommunications organisation lasted for a gruelling 689 minutes.

“By the same token, Cameroon may not have been the most targeted country, with 811 incidents, nor experienced the most sophisticated attacks, but statistics gathered show that the maximum bandwidth of its largest DDoS attack measured 200.43 Gbps – surpassing even Nigeria’s 148.77 Gbps.”

Meanwhile, Côte d’Ivoire, Guinea and the Republic of the Congo all experienced lower attack frequencies, at 495, 341 and 329 incidents respectively. Of these three countries, Côte d’Ivoire faced the largest attack, at a bandwidth of 8.66 Gbps, with the primary target being – once again – wired telecommunications carriers.

Following the ICT trend, Guinea’s wireless telecommunications carriers faced the most pressure, while in the Republic of the Congo, telecommunications resellers were hardest hit.

“This latest data from NETSCOUT reinforces a critical truth for West Africa: DDoS attacks aren’t just increasing in frequency, but also in intensity and sophistication,” adds Hamman. “While nations like Nigeria and Mali face a high volume of incidents, others are experiencing powerful, high-bandwidth attacks that can cripple essential services.

“As noted previously, the ICT sector remains firmly in the crosshairs across the continent in its entirety, making it vital for organisations across the region to prioritise proactive defence strategies, invest in continuous risk assessments and engage in broader cybersecurity collaboration to stay ahead of evolving threats,” he concludes.

Is AI a Game-Changer for Cyberthreats in Africa?
https://techeconomy.ng/is-ai-a-game-changer-for-cyberthreats-in-africa/
Tue, 18 Feb 2025 23:02:49 +0000

As the African continent continues its digital transformation, cybercriminals are becoming increasingly sophisticated, with AI emerging as a tool for more strategic and effective attacks – including distributed denial-of-service (DDoS) strikes.

Bryan Hamman, regional director for Africa at NETSCOUT, explains:

“We’re witnessing AI not just as a defence mechanism but also as a potential threat amplifier. The adoption of machine learning allows adversaries to automate reconnaissance and tailor attacks at extraordinary scale.”

In many African countries, digital adoption is outpacing cybersecurity measures, placing businesses, governments and individuals in a precarious position.

According to Hamman, without the right proactive measures in place, local organisations risk falling victim to AI-powered threat scenarios, where malware can evade traditional defences, phishing attacks become hyper-personalised and response times shrink dangerously.

“AI can be a double-edged sword, and African businesses must ensure they leverage its benefits for better protection, while steering clear of the darker side of AI by staying a step ahead of attackers,” he advises.

Generative AI (GenAI) can take many facets of cyberthreats to new levels. These could include:

  • Enhancements to social engineering, such as:
    • Crafting more convincing and unique phishing emails.
    • Mimicking voices in audio messages.
  • Image or video generation:
    • Deepfake images have been shown to trick biometric facial recognition if executed correctly.
  • Attack scale:
    • Scaling an attack to be bigger and better is easier than ever due to the automation AI can enable.
    • Automating rudimentary processes, such as sending phishing emails, can allow cybercriminals to target more individuals within an organisation to increase their chances of gaining access.

Furthermore, the integration of AI into distributed denial-of-service (DDoS) attacks is becoming a reality, allowing threat actors to optimise botnet behaviour and target selection, making these disruptions more destructive and difficult to mitigate.

NETSCOUT urges organisations to stay vigilant by investing in AI-driven security solutions and fostering a culture of cybersecurity awareness through consistent training. “The key lies in not just reacting to threats, but pre-empting them,” Hamman concludes. “As African markets grow, robust, AI-driven cybersecurity strategies will become increasingly crucial to ensuring that digital innovation is secure and sustainable.”

NETSCOUT’s Arbor DDoS protection assures the world’s largest networks and service providers against DDoS attacks of all shapes and sizes.

From DDoS to Ransomware – Nine Most Common Cyberattacks
https://techeconomy.ng/ddos-nine-most-common-cyberattacks/
Sat, 08 Feb 2025 08:21:22 +0000

Successful cyberattacks can have multiple impacts on a business, and the repercussions can be both far-reaching and long-lasting.

Robust cybersecurity measures are therefore essential in mitigating these risks, including against Distributed Denial of Service (DDoS) attacks, which are designed to force a server, website or online service offline.

As outlined by NETSCOUT, which provides visibility, security and performance solutions for organisations across the globe, cyberthreats are all around us, lurking in unexpected areas of the internet, networks and even individual devices.

Uncovering the identification, prevention and evolution of the most common cyberthreats is a significant step in an organisation’s cyber defences.

Unpacking Common Types of Cyberattacks

NETSCOUT confirms that some of the most common types of cyberattacks include the following:

  1. Distributed denial-of-service (DDoS) attacks: These cyberattacks flood servers, applications or other network areas to render them unavailable and disrupt the availability of services, leading to potential revenue loss and reputational damage.
  2. Malware: This malicious software that is installed on targeted devices or networks has a variety of negative effects, including deleting or encrypting files, hindering performance, and gaining access to accounts. Malware is spread by downloading infected files, clicking on malicious links, or visiting hacked web pages.
  3. Social engineering (including phishing): This threat targets individuals, trying to trick them into taking actions that allow threat actors to gain covert access or spread malicious software.
  4. Man-in-the-middle (MITM) attacks: Here, an adversary intercepts or eavesdrops on communication between two parties. The goal is to steal login credentials, encryption keys and other private information.
  5. SQL injection: In this code-injection technique, malicious SQL statements are inserted into the queries an application sends to its database. Threat actors inject commands to the effect of ‘Dump the entire database to X location’ to export the contents of a database for their own purposes.
  6. Zero-day exploits: Adversaries make use of unknown or unaddressed security flaws to place malware in a system. Threat actors can already use these weaknesses to access systems, so vendors have zero days to remedy the issues.
  7. Advanced persistent threats (APTs): These threat actors pursue their victims repeatedly over an extended period of time and adapt to defensive measures.
  8. Ransomware: This is malware that encrypts files and blocks access. Threat actors then demand payment to unlock the files and restore access.
  9. Credential reuse: This type of attack – also known as ‘credential stuffing’ – uses lists of compromised user credentials to log into a system and gain network access.

Know Your Enemy: Taking Action Against DDoS Attacks

The impacts of data breaches and outages can include operational disruptions, which cause delays in critical business processes and negatively affect the supply chain; financial loss due to the costs of remedying an attack, such as removing malware and paying regulatory penalties; and damage to the brand’s reputation, further eroding customer trust and resulting in a loss of future revenue.

DDoS attacks are arguably one of the most devastating types of cyberattack an organisation can experience, and NETSCOUT excels in monitoring, understanding and protecting against such attacks, for customers worldwide, against a DDoS landscape that is constantly changing.

As part of its offering to global organisations, NETSCOUT releases a bi-annual report outlining the latest information on DDoS activities around the globe, as well as presenting regular information updates across various platforms. Remarking on the 13th and most recent issue of its global DDoS Threat Intelligence Report, the 1H2024 edition, the company stated that:

“In the first half of 2024, large surges in attack frequency were noted, notably in geopolitical conflicts, driving never-before-seen stresses on networks worldwide and leading to more sophisticated attacks than ever before.

“DDoS-capable botnets are evolving and growing, with a notable increase in bot-infected devices. Critical infrastructure, such as banking, financial services, and public utilities, are prime targets, seeing a massive wave of attacks targeting them.

“We first determined the global aggregated DDoS attack impact via large-scale analysis of concurrent DDoS attacks,” the report says. “During the first half of 2024, this averaged out to 1,900 attacks, with a total volume of approximately 3.2Tbps and 595.6Mpps, at any given point in time.”

Local investigations of the aggregated attack impact per network type revealed that networks with typically lower traffic loads (such as government or nonprofit organisations) report peak attack volumes on the same scale as those experienced by high-traffic networks (such as content and service providers).

This indicates that the relative surge in traffic during attacks is significantly higher for lower-traffic networks (≥4 orders of magnitude) compared with high-traffic networks (3 orders of magnitude).

“These attack dynamics clearly demonstrate that all network types require substantial mitigation capacities to ensure robust protection,” says Hamman.

“Protection against DDoS – and other – cyberattacks is therefore of critical importance in safeguarding the excellent progress that has been made to date, and to allow it to continue into the future,” he concludes.

The full DDoS Threat Intelligence Report is here: NETSCOUT Cyber Threat Horizon.

Kenya Protest: Country on High Alert as Hacktivist Group Sends Warnings
https://techeconomy.ng/kenya-protest-country-on-high-alert-as-hacktivist-group-sends-warnings/
Tue, 25 Jun 2024 17:42:08 +0000

Kenyan businesses and institutions are on tenterhooks as global hacktivist group Anonymous* sent warning salvos to the country’s government to allow its citizens to protest freely against the #RejectFinanceBill2024.

The bill proposed by the Kenyan Government in the 2024/25 tax year is planned to raise $2.7 billion in additional taxes to reduce the budget deficit and state borrowing. This has met with nationwide citizen protests.

The threat is a stark reminder of the massive Distributed Denial of Service (DDoS) attack on Kenya’s government websites launched in August 2023.

These attacks, attributed to Anonymous Sudan, were executed under the pretext of defending citizens’ rights.

Last year’s attack targeted the country’s eCitizen portal, which provides access to over 5,000 government services, and disrupted critical online services, highlighting vulnerabilities in the nation’s cybersecurity infrastructure.

“Anonymous Sudan has a history of targeting government websites and technology firms in various countries, including Sweden, Israel, and now Kenya. The group’s latest threats to the Kenyan government underscore the urgent need for enhanced cybersecurity measures across the region,” says John Paul Onyango, Country Manager: East Africa of Check Point® Software Technologies Ltd., a leading AI-powered, cloud-delivered cyber security platform provider protecting over 100,000 organisations worldwide.

While the 2023 attacks have galvanised Kenyan businesses and Government institutions to revisit their cybersecurity defences and implement broad citizen awareness programmes of cyber-attacks and how to mitigate them, Onyango argues that closer attention needs to be paid to end-to-end cybersecurity practices.

According to recent threat intelligence reports from Check Point, organisations in Kenya are attacked on average 3,517 times per week, significantly higher than the African average of 2,462 attacks per organisation.

Kenya was ranked in the top 20 most attacked countries globally during May 2024 in Check Point’s Top Malware threat report.

The leading malware threats in Kenya in the last month include FakeUpdates, Botnets, and various backdoors like Expiro and Floxif. Notably, 97% of malicious files in Kenya were delivered via email in the last 30 days. The most common vulnerability exploit type in Kenya is Information Disclosure, impacting 81% of organisations.

According to a recent article in Innovation Village, in light of cyber attacks in the last year, Kenya is poised to receive assistance in bolstering its cybersecurity defenses, thanks to pledges from major technology corporations.

In May 2024, industry leaders such as Google and Microsoft announced their intentions to make significant digital investments in Kenya.

These investments are not limited to financial contributions but also include collaborative efforts to enhance the country’s cybersecurity infrastructure.

The commitments from these tech giants are expected to provide a substantial boost to Kenya’s capabilities in defending against cyber threats.

The support will likely encompass a range of cybersecurity measures, from advanced threat detection to improved security protocols, and may also involve training for Kenyan personnel to better manage and respond to cyber incidents.

Fintech vulnerabilities

While Kenya’s fintech sector is a driving force in the country’s economic transformation, it faces growing challenges in securing its data centres and trading platforms, as well as migrating securely to the cloud. Solutions to address these problems should include ultra-scalable protection and compliance.

The prevalent mobile-first culture in Kenya has also led to the rapid development of income-generating applications. However, this focus on speed-to-market often comes at the expense of robust cybersecurity measures.

“As banking applications and APIs continue to grow and evolve, so does the attack surface for cybercriminals. The automated detection and prevention of attacks on web applications and APIs is critical for protection,” Onyango says.

With the rise of remote work, securing all devices and connections is more crucial than ever. The protection of SD-WAN connectivity for branches is essential in mitigating risks associated with connecting directly to the cloud. IoT devices are a growing target for cyberattacks, and banks must be equipped to protect their networks too.

Proactive Measures and Strategies:

  1. Enhanced Email Security: Given that 97% of malicious files are delivered via email, robust email security solutions are critical.
  2. Advanced Threat Detection: Implementing AI-driven threat detection systems to identify and mitigate potential threats proactively.
  3. Security Awareness Programs: Regular training for employees to recognise and respond to cyber threats effectively.
  4. Collaboration and Cyber Academies: Partnerships with universities and the launch of cyber academies, such as the Check Point SecureAcademy, are essential in creating a pipeline of skilled cybersecurity professionals.

Onyango concludes,

“As Kenya and the broader African region continue to develop their digital infrastructure, the cybersecurity challenges posed by groups like Anonymous Sudan cannot be ignored.

“By investing in advanced security technologies, fostering a culture of security awareness, and adhering to regulatory compliance, organisations can better safeguard their data and maintain operational resilience amidst the evolving threat landscape,” he concludes.

AfriTECH 3.0: Digital Encode Hints How Emerging Techs Drive Cyber Trends
https://techeconomy.ng/afritech-3-0-digital-encode-hints-how-emerging-techs-drive-cyber-trends/
Tue, 21 Nov 2023 07:28:35 +0000

Digital Encode Limited, a prominent consulting and integration firm, has stated that in its 20 years of existence, it has certified numerous organizations with various certifications.

These span from ISO certifications to conducting Payment Card Industry Data Security Standards (PCI-DSS) for both Nigerian and international companies.

Digital Encode, which prides itself as the number one information technology assurance company in Africa, specializes in the design, management and security of business-critical networks, telecommunications environments and other information technology infrastructures.

Speaking during a fireside chat with Joan Aimuengheuwa, a senior content writer with Techeconomy, at the Africa Tech Alliance (AfriTECH 3.0) Forum held at The Providence Hotel, Ikeja GRA, Olaifa Opeyemi, a Cybersecurity Consultant at Digital Encode Limited, said the company, known for solving multifaceted, complex enterprise network security and audit problems, will keep working tirelessly to remain ready in the ever-evolving digital space.

Responding to a question on cybersecurity threats in Africa, Opeyemi highlighted a noticeable surge due to ongoing advancements in the digital landscape, emerging technologies, and the proliferation of smart devices.

“There was a time of web applications; now, it’s all about mobile applications. The more technology we introduce, the greater the threats. There’s a corresponding increase in malicious attempts to exploit these technologies,” Opeyemi explained. “We’ve witnessed a rise in cybersecurity threats, from ransomware and malware to business logic attacks. Social engineering, especially phishing, has become rampant. Additionally, there’s a surge in cryptocurrency attacks, notably cryptojacking.”

She explained cryptojacking as a technique in which attackers infiltrate a user’s device with malware, covertly using its computational power and resources to mine cryptocurrencies for the attackers’ benefit without the user’s knowledge or consent.

Discussing positive developments, Opeyemi noted increased data protection efforts in Nigeria post the enforcement of the data protection bill by President Bola Tinubu.

She highlighted similar efforts in South Africa and Egypt through the implementation of POPIA (Protection of Personal Information Act), emphasizing the continent’s push towards data protection.

Opeyemi stressed that cybersecurity extends beyond technology to encompass organizational staff. “Even with top-tier technology and security-conscious staff, having processes like password policies is vital,” she emphasized.

“Cybersecurity aims at ensuring information confidentiality, integrity, and availability,” Opeyemi explained. “Confidentiality prevents unauthorized access, integrity safeguards against unauthorized modifications, and availability ensures uninterrupted access.”

Regarding safeguarding data against DDoS attacks, Opeyemi recommended employing traffic analysis solutions capable of filtering suspicious traffic to prevent service unavailability.

Lastly, she urged the government to intensify cybersecurity awareness efforts, advocating for its inclusion in educational curricula to foster a cybercrime-free nation from an early age.

Top 5 SMB Threats to Watch out for in 2023
https://techeconomy.ng/top-5-smb-threats-to-watch-out-for-in-2023/
Tue, 21 Feb 2023 07:06:14 +0000

Small and medium-sized companies are great contributors to the global economy: according to the World Trade Organization, SMBs represent more than 90% of all businesses worldwide.

Due to cyberattacks, businesses may lose confidential information, finances, valuable market share – and there are plenty of ways criminals are trying to reach their goals. Small enterprises consider a cybersecurity incident as one of the most challenging types of crises.

Kaspersky experts analysed the vulnerable points SMBs might have and outlined some major cyberthreats that entrepreneurs must be aware of in 2023.

1. Data leaks caused by employees

There are different ways a company’s data may be leaked – and, in certain cases, it might happen involuntarily. During the pandemic, many remote workers used corporate computers for entertainment purposes, such as playing online games, watching movies, or using e-learning platforms – something that continues to pose financial threats to organisations.

This trend is here to stay, and while during 2020, 46% of employees had never worked remotely before, now two-thirds of them state they wouldn’t go back to the office, with the rest claiming to have a shorter office work week.

The level of cybersecurity after the pandemic and initial adoption of remote work by organisations en masse has improved. Nevertheless, corporate computers used for entertainment purposes remain one of the most important ways to get initial access to a company’s network.

Looking for alternative sources to download an episode of a show or a newly released film, users encounter various types of malware, including Trojans, spyware and backdoors, as well as adware. According to Kaspersky statistics, 35% of users who faced threats under the guise of streaming platforms were affected by Trojans.

If such malware ends up on a corporate computer, attackers could even penetrate the corporate network and search for and steal sensitive information, including both business development secrets and employees’ personal data.

Also, there’s a tendency to blame ex-workers for possible data leaks. However, only half of recently surveyed organisations’ leaders are confident that ex-employees don’t have access to company data stored in cloud services or can’t use corporate accounts. An ex-colleague may not even remember they had access to such-and-such resource.

But a routine check by those same regulators might reveal that unauthorised persons do in fact have access to confidential information, which would still result in a fine.

2. DDoS attacks

Distributed Network Attacks are often referred to as Distributed Denial of Service (DDoS) attacks. This type of attack takes advantage of the specific capacity limits that apply to any network resources – such as the infrastructure that enables a company’s website.

The DDoS attack will send multiple requests to the attacked web resource – with the aim of exceeding the website’s capacity to handle multiple requests and prevent the website from functioning correctly.

Attackers draw on different sources to launch attacks on organisations such as banks, media assets, or retailers – all frequently affected by DDoS attacks.

Recently, cybercriminals targeted the German food delivery service, Takeaway.com (Lieferando.de), demanding two bitcoins (approximately $11,000) to stop the flood of traffic. Moreover, DDoS attacks on online retailers tend to spike during holiday seasons, when their customers are most active.

There’s also a growing trend towards gaming companies gaining scale. The North American data centers of Final Fantasy 14 were attacked in early August. Players experienced connection, login, and data-sharing issues. Blizzard’s multiplayer games – Call of Duty, World of Warcraft, Overwatch, Hearthstone, and Diablo: Immortal – were also DDoSed yet again.

Many DDoS attacks go unreported, because the payout amounts are often not terribly big.

3. Supply chain

Being attacked through a supply chain typically means a service or program that an organisation has been using for some time has become malicious. These are attacks delivered through the company’s vendors or suppliers – examples can include financial institutions, logistics partners, or even a food delivery service. And such actions may vary in their complexity or destructiveness.

For example, attackers used ExPetr (aka NotPetya) to compromise the automatic update system of accounting software called M.E.Doc, forcing it to deliver the ransomware to all customers. As a result, ExPetr caused millions in losses, infecting both large companies and small businesses.

Another example is CCleaner, one of the most famous programs for system registry cleaning. It is widely used by both home users and system administrators.

At some point, attackers compromised the program developer’s compilation environment, equipping several versions with a backdoor. For a month these compromised versions were distributed from the company’s official websites, and downloaded 2.27 million times, and at least 1.65 million copies of the malware attempted to communicate with the criminals’ servers.

The recent examples that drew our attention are the DiceyF incidents, which were carried out in South East Asia. The prime targets were an online casino developer and operator and a customer support platform, which were attacked in Ocean’s 11 style.

4. Malware

If one downloads illegitimate files, they have to make sure these files do no harm. The main emerging threats are the encryptors that chase a company’s data, money, or even the personal information of its owners. In support of this, it is worth mentioning that more than a quarter of small and medium-sized businesses opt for pirated or unlicensed software to cut costs. Such software may include malicious or unwanted files that may exploit corporate computers and networks.

Additionally, business owners must be aware of access brokers, as such groups will cause SMBs harm in a variety of ways in 2023.

Their illegal-access customers include cryptojacking clients, banking password stealers, ransomware, cookie stealers, and other problematic malware. One of the examples is Emotet, malware that steals banking credentials and targets organisations around the world. Another group that targets small and medium-size businesses is DeathStalker, best known for its attacks on legal, financial and travel entities. The group’s main goals rely on looting confidential information regarding legal disputes involving VIPs and large financial assets, competitive business intelligence as well as insights into mergers and acquisitions.

5. Social engineering

Since the onset of the COVID-19 pandemic, many companies have moved much of their workflows online and learned to use new collaboration tools. In particular, Microsoft’s Office 365 suite has seen a lot more use — and, to no one’s surprise, phishing now increasingly targets those user accounts.

Scammers have been resorting to all sorts of tricks to get business users to enter their passwords on a website made to look like Microsoft’s sign-in page.

Kaspersky has uncovered many new ways in which phishing scammers are trying to fool business owners, some of which turn out to be quite elaborate. Some mimic loan or delivery services – by sharing false websites or sending emails with fake accounting documents.

Some attackers masquerade as legitimate online platforms to profit from their victims, including quite popular money transfer services such as Wise Transfer.

Another red flag discovered by Kaspersky experts is a link to a page translated using Google Translate. Attackers use Google Translate to bypass cybersecurity mechanisms.

The senders of the email allege that the attachment is some kind of payment document available exclusively to the recipient, which must be studied for a “contract meeting presentation and subsequent payments”. The Open button link points to a site translated by Google Translate. However, the link leads to a fake site launched by attackers in order to steal money from their victims.

Cybercriminals will try to reach their victims in every way possible: through unlicensed software, phishing websites or emails, breaches in the business’s security network, or even massive DDoS attacks. However, a recent survey by Kaspersky showed that 41% of SMBs have a crisis prevention plan, which suggests they care about cybersecurity and understand how challenging IT security incident remediation can be. This is a good tendency that will hopefully result in reliable protective measures being implemented within these organisations.

Crypto-collapse and Rising Smart Attacks: Kaspersky Reports on DDoS in Q2

https://techeconomy.ng/crypto-collapse-and-rising-smart-attacks-kaspersky-reports-on-ddos-in-q2/
Thu, 04 Aug 2022 10:38:24 +0000

During Q2 2022, Distributed Denial of Service (DDoS) attacks reached a new level as the share of smart attacks and average duration saw steep increases. Compared to the previous year, the average duration of a DDoS attack rose 100 times, reaching 3,000 minutes.

The share of smart attacks almost broke the four-year record, accounting for nearly 50% of the total.

Experts also expect an increase in overall DDoS activity, especially with the recent collapse of cryptocurrency. These and other findings are part of a quarterly DDoS report issued by Kaspersky.

A Distributed Denial of Service (DDoS) attack is designed to hinder the normal functioning of a website or crash it completely.

During an attack (which usually targets government institutions, retail or financial companies, media or other organisations) the victim loses customers due to the unavailability of their website and their reputation suffers.

From quantity to quality

Compared to figures from Q2 2021, Kaspersky’s solutions defended its users against approximately 2.5 times more DDoS attacks. At the same time, in contrast to the beginning of the year with its dramatic surge in attacks due to hacktivist activity, absolute numbers decreased in Q2 2022. However, this does not mean that the DDoS market has cooled down; instead, attacks have changed in quality, becoming longer and more complicated.

[Figure: A comparative number of DDoS attacks: Q2 2022 and Q2 2021 as well as Q1 2022. Data for Q2 2021 is taken as 100%]

Average DDoS session lasted 100 times longer

The average duration of an attack in Q2 2022 was 3,000 minutes, or two days. It’s 100 times longer than in Q2 2021, when an attack lasted just for 30 minutes on average. Compared to Q1 2022, which was marked with unprecedented durations for DDoS sessions as the result of hacktivist activity, the Q2 figure also shows an increase – by three times.

Some of the attacks in the past quarter lasted for days or even weeks. A record was set by an attack with a duration of 41,441 minutes, which is just a little less than 29 days.

[Figure: A comparative duration of DDoS attacks: Q2 2022 and Q2 2021 as well as Q1 2022. Data for Q2 2021 is taken as 100%]

“It is extremely expensive to continue an attack for such a long time, especially if it is ineffective due to being filtered by protection solutions. When bots are constantly active, the risk of botnet wear-off, node failure or control center detection increases. The extreme duration of these attacks and the growth in the number of smart and targeted DDoS attacks makes us wonder about the capabilities, professional affiliation and funding sources of the organisers,” comments Alexander Gutnikov, a security expert at Kaspersky.

Smart attacks strive for records

Every second attack in Q2 2022 detected by Kaspersky’s products was smart, meaning its organisers conducted rather sophisticated preparation. The share of smart attacks reached almost 50% in this quarter, which was nearly a new record. The all-time highest share was set four years ago when the DDoS market was in a slump, and it’s unexpected to observe figures that high during a “heated” year in terms of DDoS activity.

[Figure: The share of the smart DDoS attacks: Q2 2022, Q2 2021 and Q1 2022]

What does the DDoS market have to do with cryptocurrency?

In terms of the number of DDoS attacks, the second quarter was quieter than the first. This is a common phenomenon: the experts usually see a decline in DDoS activity as the European summer nears. According to the Kaspersky DDoS Intelligence system, however, this year the dynamics of the number of DDoS attacks within the quarter didn’t match this typical pattern. After a slowdown at the end of Q1, botnet activity steadily grew throughout Q2, resulting in more activity in June than in April. This is consistent with the decline of cryptocurrency, which usually stimulates the heating of the DDoS market.

“The collapse of cryptocurrencies began with the plummet of the Terra (Luna) and has only been gaining momentum since. Various factors indicate that the tendency may continue, for example, cryptominers are selling off farms at low prices to gamers. This can lead to a surge in global DDoS activity,” Gutnikov explains.

Total Number of DDoS Attacks Fell 13% in 2021 – Nexusguard report

https://techeconomy.ng/total-number-of-ddos-attacks-fell-13-in-2021-nexusguard-report/
Wed, 01 Jun 2022 06:51:28 +0000

The total number of distributed denial-of-service (DDoS) attacks fell 13% in 2021 over 2020, but was still well above pre-pandemic levels, according to Nexusguard researchers in the recently released DDoS Statistical Report for 2021.

Additionally, while the average attack size fell by 50% over 2021, the maximum attack size nearly tripled, growing 297% over the same period.

The top three DDoS attack vectors in 2021 were UDP (user datagram protocol) attacks, DNS (domain name system) amplification attacks, and TCP (transmission control protocol) acknowledgment attacks. 

UDP attacks were still the most common form of DDoS attack, even though they accounted for a smaller percentage of attacks this year, falling from 59.9% in 2020 to 39.1% in 2021.

UDP attacks can quickly overwhelm the defenses of unsuspecting targets, and they frequently serve as a smokescreen to mask other malicious activities such as efforts to compromise personally identifiable information (PII) or the execution of malware or remote code.

DNS amplification attacks were the second most common, even though they, too, account for a smaller percentage of total attacks than they did 12 months ago, declining from 14.2% in 2020 to 10.4% in 2021.

A DNS amplification attack occurs when UDP packets with spoofed target IP addresses are sent to a publicly accessible DNS server.

Each UDP packet makes a request to a DNS resolver, often sending an “ANY” request in order to receive a large number of responses.

Attempting to respond, DNS resolvers send a large response to the target’s spoofed IP address.

The target thus receives an enormous amount of responses from the surrounding network infrastructure, resulting in a DDoS attack. 

TCP acknowledgment (ACK) attacks, on the other hand, accounted for a larger share of total attacks, rising to become the third most common form in 2022. In 2021, TCP ACK attacks accounted for 3.7%, which rose to 9.7%.

In these kinds of attacks, a large quantity of ACK packets with spoofed IP addresses are sent to the victim server, forcing it to process each ACK packet it receives, rendering the server unreachable by legitimate requests.

“While the number and average size of DDoS attacks fell in 2021 over 2020, the threat level is still very high when compared to pre-pandemic levels,” said Juniman Kasman, chief technology officer of Nexusguard. “Attack vectors are also in flux, because while UDP attacks are still the most common, TCP ACK, which can exponentially amplify the effect of a DDoS event with a small amount of traffic, rose significantly. Organizations need to be prepared to deal with a wide array of vectors — DDoS remains a persistent, elevated threat.”

Read Nexusguard’s DDoS Statistical Report for 2021 for more information on attack vectors, stats and trends based on data gathered from CSPs, honeypots, botnet scanning and research on traffic moving between attackers and their targets.
