PART I: Retrospective 2020: DDoS Was Back — Bigger and Badder Than Ever Before

Never before has the risk of a distributed denial-of-service (DDoS) attack been higher. In 2020, we saw record-breaking attacks, a DDoS extortion campaign impacting thousands of organizations globally, more emergency customer turnups, and more Akamai customers attacked than any year on record — and we’ve been successfully fighting DDoS attacks since 2003! We also saw a big increase in attacks targeting verticals that haven’t seen as much activity of late, with 7 of 11 of the industries we track seeing peak attack counts in 2020.

What was driving this second renaissance of DDoS activity? Our opinion is that DDoS risk profiles changed rapidly with the onset of COVID-19, making DDoS more attractive to would-be attackers. This change in risk profiles, combined with toolset improvements that lowered the bar to entry for high-volume and complex DDoS attacks, created a perfect storm for the biggest year in DDoS since 2016. Politically driven DDoS attacks haven’t gone away, but they have been eclipsed by other motivations.


We entered the new year with sizable DDoS attack activity — a steady number of large attacks but nothing earth-shattering or highly unusual. Then, very large attack sizes (think over 100 Gbps) started to dramatically increase, with the timing of the surge (not surprisingly) mapping to the beginning of the COVID-19 epidemic in Europe and the United States, when the reliance on online activity and connectivity became more pressing. Customers and prospects shifted to focus on protecting VPNs and communications endpoints more than “generic” data centers, as their risk profile and postures rapidly evolved. Looking back, as businesses across all industries needed to adapt to remote work and the increasing reliance on internet connectivity, it’s clear that more and more types of organizations would be attractive and lucrative targets for DDoS threat vectors.

DDoS Records Blog1_27Jan.pngDDoS attacks from 01/2020 to 06/2020. Bubble size Mpps.

Then only a few months later, Akamai saw threat actors launch record-breaking 1.44 Tbps and 809 Mpps attacks against a large European bank and an internet hosting customer, which are considered higher risk targets for DDoS activity because of their respective verticals. The massive Tbps attack was also highly complex, featuring nine different attack vectors and multiple botnet attack tools requiring a mix of automatic and human mitigation techniques to successfully block the attack vectors. 


DDoS attacks from 01/2020 to 07/2020. Bubble size Mpps.

In fact, looking back on 2020, 65% of the DDoS attacks we mitigated featured multi-vector assaults; as many as 14 different DDoS vectors were noted in a single attack.


DDoS attacks 2020, attack counts by vector size.


In mid-August, things really started to heat up when Akamai began to observe extortion-related DDoS campaigns that quickly exploded to become the largest of their kind. Unlike previous extortion events from years past, where there was a lot of talk and not a lot of action, this campaign featured show-of-force attacks upward of 500 Gbps — a sign the criminals were very determined and highly capable of causing business-impacting disruption. A notable characteristic of this campaign was the level of reconnaissance conducted by the attackers prior to sending the extortion letters. The bad actors were highly targeted in their threats and wanted victims to know that they had uncovered specific weaknesses across internet-facing infrastructure or had identified revenue-impacting IPs that would be taken offline unless their Bitcoin extortion demands were met.


DDoS attacks from 2020. Bubble size Mpps. Record and likely extortion attacks noted.

The 2020 campaign also signaled a significant shift in the types of industries targeted — a foreshadowing of future DDoS activity — with the threat actors pivoting from one vertical to the next, depending on the week, and in some cases circling back to organizations that had been previously victimized. As is the case with extortion, criminal rings won’t stop until arrests are made, and the fact that the extortion campaigns are ongoing indicates that businesses are caving to their demands, which further incentivises the activity. (Check out our DDoS Extortion Battle Plan for proactive tips on how to improve your defensive posture.) As a spoiler alert, we continue to see extortion-related attacks, resulting in record emergency onboarding of new customers, a signal that the problem seems likely to persist well into 2021.


As the extortion campaign set the DDoS world on fire and put a vast variety of industries on high alert, we then continued to track and observe another uptick in large attacks (> 50 Gbps) that had started to surge with COVID-19-related activity.  


DDoS attack counts have been rising since early 2019; attacks counts > 50 Gbps are on a tear.

Somewhat hidden in the broader trend, we also noted a big jump in the number of customers seeing large DDoS attacks. This was a cross-industry phenomenon and consistent with the depth and breadth of verticals impacted by the extortion campaign. 

Clearly, the aforementioned increase in risk driven by the pandemic made DDoS an attractive vector for bad actors to continue to leverage during the back half of 2020. Adding to this threat pressure, the steady improvement and accessibility of DDoS attacker tools combined with increasing internet speeds allowed seasoned and less sophisticated actors alike to launch large, complex, and disruptive assaults. We surmise that this contributed to the trending increase in attacks over the 50 Gbps threshold, as well as to the increase in overall attack volume.

DDoS6.pngDDoS attack counts > 50 Gbps by industry, trending much higher in 2020.

In fact, across all attacks, 7 of the 11 industries we track saw more attacks in 2020 than in any year to date. Think about that. This was led by huge jumps in Business Services (960%), Education (180%), Financial Services (190%), Retail & Consumer Goods (445%), and Software & Technology (196%).

DDoS7.pngDDoS industry attack breakdown since 2017, industry realignment in progress.


The flurry of DDoS activity and increasing threat pressure led us to perhaps the most interesting records of 2020. We had more customers attacked in November 2020 than in any prior month and more customers affected by DDoS attacks sized over 50 Gbps in August. Both of these records go back to the heyday of DDoS in 2016. Neither trend shows any signs of abating.

The increase in the number of customers attacked continued even after we started seeing fewer extortion attacks against existing customers on our DDoS mitigation platforms. We were made aware of extortion-related activity through emergency onboarded customers that  had been attacked, or were under the threat of an impending attack, and needed protection as soon as possible.


Customers attacked and customers attacked > 50 Gbps at all time highs.

Therefore, it didn’t shock us when threat actors showed up in full force during Cyberweek 2020, the primetime shopping season of the year. This particular week was overloaded with pent-up online shopping demand waiting to be unleashed as consumers faced global lockdowns and other restrictions. And the criminal actors took notice, intent on causing disruption by stepping up attack activity.

During Cyberweek 2020 alone we saw:

  • 65% more attacks launched against our customers than during Cyberweek 2019
  • The number of customers targeted was up 57% year over year
  • Attacks were launched across an expanded industry base

These stats are similar to what was witnessed with the latest DDoS extortion campaign and reflective of broader trends for the year — more customers in more industries seeing attacks.

The DDoS landscape rapidly shifted and evolved throughout 2020, and many organizations now realize that procuring DDoS defenses is the cost of doing business today. While we can’t make any definitive predictions on record attacks or DDoS campaigns, history has shown that ultra-large DDoS attacks often raise the bar, attacker motivations shift, and extortion campaigns are generally cyclical in nature. Leaning in, we can expect to see more attack activity throughout 2021 as the nature of DDoS continues to advance and evolve.

Stay tuned for PART II — Forward Guidance: What Does This Mean for 2021 Defenses? for expert recommendations and insights to help improve your DDoS defensive posture. 

If you are currently under DDoS attack or threat of extortion, reach out to the Akamai DDoS hotline, 1-877-425-2624, for immediate assistance or click here to register for a custom threat briefing.


For more technical details and additional DDoS-related resources, please see the following blog posts and materials:  

DDoS Extortion Examination

Unprecedented Levels of Ransom DDoS Extortion Attacks

Ransom Demands Return: New DDoS Extortion Threats from Old Actors Targeting Finance and Retail

2020 Extortion Campaign: A Sequel More Thrilling Than the Original

Don’t Let DDoS Extortionists Deliver a KO Punch

DDoS Defense in a Hybrid Cloud World

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Tom Emmons. Read the original post at: