Home   >   Blog

DDoS Attacks: Trends and Mitigations

August 30, 2022

Home   >   Blog

What Is a DDoS Attack?

In a DDoS attack, a service is rendered unavailable due to an influx of traffic targeted at a web resource, impairing that resource’s ability to handle normal Internet traffic. As shown in the diagram below, an adversary initiating a DDoS attack sends excessive amounts of traffic to the targeted resource, often by using a botnet composed of infected computers to assist in the attack. Due to reasons such as the resource’s capacity or memory becoming overloaded, the resource is unable to handle requests from legitimate users, or the resource may handle requests at a substantially slower rate.

DDoS attacks can be hard to quell. Since large networks of infected computers are used to carry out DDoS attacks, these attacks generally can’t be stopped by blocking Internet traffic from a single source. Therefore, distinguishing legitimate traffic from malicious traffic can be challenging.

SecureList by Kaspersky’s 2021 Q1, Q2, Q3, and Q4 DDoS reports contain useful data showing trends in DDoS attacks over the course of 2021. Some key findings from these reports with respect to trends in the types and duration of DDoS attacks in 2021 are listed below:

  • UDP, TCP, and SYN flood attacks were the most common DDoS attacks in 2021.
  • In Q2, Q3, and Q4 of 2021, over half of all DDoS attacks were UDP flood attacks. 
  • The majority of DDoS attacks lasted 4 hours or less.

Types of DDoS Attacks

The most common type of DDoS attacks in 2021 was UDP (User Datagram Protocol) flood attacks. UDP is typically used in applications such as videoconferencing and voice calling. In Q2, Q3, and Q4, UDP flood attacks accounted for over half of all DDoS attacks. In a UDP flood attack, attackers send an influx of UDP packets to a server. When the server is overwhelmed with an unusually high number of UDP packets, it cannot route all of them to their destination ports since the server’s resources have been utilized to their maximum capacity. Since the server is overwhelmed with malicious traffic, it is unable to adequately handle legitimate traffic.

The second and third most common types of DDoS attacks in 2021 were TCP (Transmission Control Protocol) and SYN flood attacks. In these types of attack, adversaries use infected computers to send a flood of SYN packets to initiate a large number of TCP connections with the targeted server through the three-way handshake procedure. TCP connections are necessary to send and receive information over the Internet for purposes such as accessing a website’s content. However, the handshake is never completed, resulting in a multitude of connections that have not been successfully formed, and exhausting the server’s resources.

GRE and HTTP flood attacks were fourth and fifth most common DDoS attacks in 2021, accounting for slightly over 1% of DDoS attacks each quarter. HTTP flood attacks involve overwhelming a server with HTTP requests, which are typically used for purposes such as submitting forms and loading web page content. In a GRE (Generic Routing Encapsulation) DDoS attack, a resource is overwhelmed with an excessively large number of GRE packets, which are typically used to send information using the encapsulation of one type of packet inside another.

Duration of DDoS Attacks

The majority of DDoS attacks in Q1, Q2, Q3, and Q4 lasted 4 hours or less. However, some particularly destructive DDoS attacks lasted for several days. In general, the longer a DDoS attack lasts, the more of a destructive impact it has. When an organization is targeted by a DDoS attack that impedes typical operations, the organization is unable to provide its usual products and services, which may include critical infrastructure such as energy and healthcare, until remediation measures are implemented or the attackers end the DDoS attack.

Mitigating DDoS Attacks

There are several actions that can be taken to help mitigate DDoS attacks. Threat intelligence can be used to detect unusual Internet traffic exhibiting signs of a DDoS attack so that the attack can be addressed in a timely manner. Firewalls and ACLs (Access Control Lists) can be used to control the flow of Internet traffic in a network. Rate limiting can also be used to help restrict traffic from bots and from other sources that send unusually large amounts of traffic in short amounts of time. With these tools and strategies, network resources become less susceptible to DDoS attacks and can therefore be accessed more reliably.

Therese Schachner

Cybersecurity Specialist


Therese is leading the cybersecurity projects at VPNBrains. If you are a journalist and could benefit from data-driven infographics or would like to ask her for a pitch or interview for your articles, she can be reached at [email protected] or Twitter.

Leave a Reply

Your email address will not be published.