Rostelecom experts estimated that during the self-isolation regime (March-May 2020), 5 times more DDoS attacks were recorded than a year earlier.
Researchers say they were able to trace in detail how attackers increased their activity as quarantine measures were introduced. Compared with January 2020, the number of attacks increased by 56% in March and by 88% in April, the peak of hacker activity. A year earlier the dynamics were not so pronounced, and the number of attacks remained approximately the same from month to month.
Despite the increase in the number of attacks, their power and complexity decreased markedly. In most cases, the attackers resorted to simple and easily accessible tools, for example, DNS and NTP amplification. The power of such DDoS attacks does not exceed 3 Gb/s, and they are carried out using unprotected servers available on the Internet, which virtually any interested person can use.
It is noteworthy that at the end of 2019, Rostelecom Solar experts recorded the opposite trend: a sharp increase in attack power and technological sophistication. During the pandemic, the number of complex attacks did not decrease, but their overall share fell against the backdrop of a sharp increase in simple ones. This may mean that during the reporting period, DDoS was more often the work of “amateur hackers, not professionals.”
The largest volume of attacks in March-May occurred in the online trading sector (31%), which is traditionally one of the main targets for DDoS. The second most popular was the public sector (21% of attacks). This is followed by the financial sector (17%), telecom (15%), education (9%) and the gaming segment (7%).
Although online trading was the most attacked area, education showed the most pronounced growth in the number of attacks. At the peak, in April, hackers' interest in educational resources (including various electronic diaries, sites with test work, sites for online lessons and so on) grew 5.5 times relative to March and 17 times relative to January 2020.
If we recall that the "junk" traffic was sent mainly by amateur hackers, we can assume that in this case those behind the DDoS were students who wanted to disrupt the learning process, experts say.
There was also a significant increase in the number of attacks on government agencies and the gaming segment: in both cases, an increase of about 3 times in April compared with March. In the case of the public sector, the peak of attacks came when platforms for monitoring the movement of citizens, services for the payment of benefits, and so on went into operation.
Hackers' sharply increased interest in gaming is associated with a significant increase in the audience of online games and e-sports during the period of self-isolation, which intensified competition between sites. As a result, a tool such as DDoS, which makes it possible to disable a competing online resource, has been very popular.
“DDoS attacks are becoming increasingly popular among cybercriminals, primarily because of the low cost of their organization: it’s enough to find vulnerable amplification servers on the Internet. At the same time, to protect against such attacks, you need to purchase expensive computing and channel power. During the period of self-isolation, an increase in the number of DDoS was expected. In many sectors, forced digitalization of income generation tools has occurred.
Over the five months of 2020, the volume of Internet traffic on the Rostelecom network increased by about 20%, which prompted attackers to take action. The most difficult for the owners of online resources was April, when Russia had a tough regime of self-isolation. In May, the DDoS intensity gradually began to decline. This trend will continue for some time and more, but you should probably not expect a return to “docking” values, since quarantine gave a powerful impetus to transfer business processes to the Internet and a proportional increase in the activity of cybercriminals,” said Ivan Miroshnichenko, head of the group development of web application protection services of the cybersecurity direction of Rostelecom.