100% increase in daily DDoS traffic in 2020 as potential grows for 10Tbps attack: Nokia

A Nokia Deepfield found that almost all DDoS attacks originate from fewer than 50 hosting companies and regional providers.
Written by Jonathan Greig, Contributor

Nokia Deepfield has discovered a 100% increase in daily DDoS peak traffic between Jan 2020 and May 2021.

Nokia's IP network and data analytics arm were able to conduct a fingerprint and origin analysis of network traffic through their work with global service providers, webscale companies and digital enterprises. 

Craig Labovitz, CTO of Nokia Deepfield, unveiled the global DDoS traffic analysis findings at NANOG82 this week. 

The analysis found that there has been a massive increase in high-bandwidth, volumetric DDoS attacks, the majority of which originate from just a few dozen hosting companies. 

Labovitz told ZDNet that conventional wisdom generally says that DDoS attacks originate from all over the Internet and that DDoS is impossible to block at the source.

"But conventional wisdom is wrong. We can stop the vast majority of DDoS within these 50 companies (e.g. if the hosting companies block bad customers) or by actions taken within the 10-15 internet service providers that connect these hosting companies to the Internet," he said. 

Researchers also discovered evidence of DDoS attacks with a threat potential "over 10 Tbps, up to five times higher than the largest reported current attacks." The largest reported DDoS attack, according to Labovitz, has been about 2 Tbps. Google said in October that in 2017, it dealt with a 2.54 Tbps attack launched by a state-sponsored group from China, the largest reported attack ever. 

The size of attacks was increasing, according to Nokia Deepfield, in part because of a "growing number of open and insecure internet services and IoT devices." For example, just six weeks ago, a DDoS attack took down 200 government and university websites across Belgium. 

Labovitz added that the DDoS growth curve is exponential because of the explosive growth of IoT and Cloud, which are both dramatically increasing the number of servers and devices that can be co-opted into DDoS attacks. 

"The second main point of my presentation today is that the exponential DDoS growth curve represents an existential threat to the Internet. This is due to the expanding number of servers (that can be exploited for launching DDoS) and a large number of IoT devices with sub-standard or default security (therefore, open to hijacking and botnet-control)," Labovitz said. 

"My take is that it is just sheer luck, bugs in the attacks, etc., on why reported DDoS so far falls significantly below the 10+ Tbps (and perhaps much larger) DDoS potential."

The company also found that over the last 15 months, there has been an expansion of DDoS for hire services available to attacks looking to cause extensive damage to the individual and large-scale connectivity and service availability.

Throughout 2020, as communities across the world instituted lockdowns as part of the effort to contain COVID-19, Nokia Deepfield said there was a 50% increase in DDoS traffic.

"The continued increases in intensity, frequency and sophistication of DDoS attacks have resulted in a 100% increase in the 'high watermark level' of DDoS daily peaks -- from 1.5 Tbps (January 2020) to over 3 Tbps (May 2021)" the company said.

It is important for every participant in the network security ecosystem -- end-users, vendors, service providers, cloud builders, regulators and governments -- to understand the dangers DDoS poses to the availability of internet content, applications and critical connectivity services, Labovitz added.

Editorial standards