Large, Complex DDoS Attacks on the Rise in 2020

While we’ve highlighted both record PPS and BPS attacks mitigated on the Akamai Prolexic Platform over the past few weeks, these attacks are part of a broader trend of increasingly large and complex DDoS activity. We have seen clear indications across the industry of high-water mark DDoS attacks being publicized by multiple vendors. 

The sheer number of large attacks has been unprecedented. The attacks are also noteworthy for their increasing complexity, illustrated in the number and combinations of different attack vectors. The tenacity of attackers is also increasing — one Akamai customer experienced 14 separate 100+ Gbps attacks in just the first half of 2020. 

“What’s new is the concept of campaigns. We go back a couple of years, and ‘attack’ was the right word to use. There were many attacks every single day, but they weren’t, in my opinion, campaign-oriented. Some of our more recent ones are campaign-oriented, where the attacker is working in a coordinated way over an extended period of time.” — Roger Barranco, Vice President, Global Security Operations, Akamai

Some likely reasons for the rise in attacks are a combination of:

  • The proliferation of DDoS-for-hire tools
  • Emerging botnets (enterprise DVRs, IoT, etc.) entering the scene
  • Plenty of motivating factors across social, geopolitical, and online unrest
  • Quarantine and boredom — what’s a malicious actor supposed to do?

Whatever the unique reason of each attack, the result is the same: a security and IT team needs an effective defense.  

What Akamai is seeing

As the below chart illustrates, from an Akamai perspective, the number of attacks over 100 Gbps and the variety of attack types mitigated are both trending up in 2020. Both reached 30-month peaks. That trend can be traced back to the beginning of COVID-19 related lockdowns in early 2020.


As we have come to expect, these attacks are not targeting any specific industry, though we have seen an uptick in large attacks against the business services vertical.


Separating out the attack vectors seen in 100+ Gbps attacks, the variety utilized is notable. In June 2020, we saw an increase in TCP stack attacks (SYN/ACK/FIN floods), but we see a wide variation in large-scale DDoS attack vectors by month.


The chart below shows attacks increasing in complexity and variety, in addition to frequency. Each color block is a combination of attack vectors. In June 2020, of 14 100+ Gbps attacks, three shared the attack vectors as another attack, and eight were wholly unique combinations of attack vectors.  


How are we handling them?

Like most of the DDoS attacks we see, these large attacks are proactively mitigated by preexisting postures we’ve developed with our customers. In fact, often customers only learn from our alerting system about massive attacks levied against them. Our customers also benefit from the fact that there are no limits on the number or size of the DDoS attacks that a customer is protected from with the Akamai Prolexic service.


The bottom line is we believe Akamai’s Security Operations Command Center (SOCC) and platform capabilities related to DDoS — across our edge-delivered web application firewall, authoritative DNS service, and dedicated DDoS cloud-scrubbing centers — continue to be the best approach to effectively mitigating DDoS attacks. With a focus on low false positives and negatives, Akamai remains the industry leader for the following reasons:

  1. Capacity — Akamai’s overall CDN capacity is well over 168 Tbps.
  2. Automation and our people — Akamai applies automated mitigation where it makes sense. However, we believe that a mix of automated and human-driven mitigation is the best approach. Think of it as automated mitigation for “easy” stuff like high volume packet floods, combined with the experienced Akamai SOCC for more complicated vectors and ongoing campaign-type attacks.
  3. Real support — The power of the SOCC and its processes support not only mitigation, but also integration into a customer’s incident response with custom runbooks, etc. 

At the end of the day, the combination of a proven platform, seasoned people, and refined processes continues to provide the most value to our customers. As our platform evolves, automation will continue to increase, but not at the expense of effectiveness. 

If you would like to learn more about Akamai’s DDoS attack mitigation or are under attack right now, please visit

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Tom Emmons. Read the original post at: