DDoS Protection , Security Operations

DDoS Attacks Becoming More Potent, Shorter in Duration

US, India and East Asia Were Top Targets in 2022, Microsoft Report Says
DDoS Attacks Becoming More Potent, Shorter in Duration
Source: Shutterstock

Tech giant Microsoft says it observed distributed denial-of-services attacks become shorter in duration in 2022 while also becoming more potent and capable of larger impact.

See Also: OnDemand | Hacking Multifactor Authentication: An IT Pro’s Lessons Learned After Testing 150 MFA Products

The U.S., India and East Asia topped the targeted regions for DDoS attacks, among others, and internet of things devices remained the preferred choice to launch these attacks, according to Microsoft's DDoS trends report for 2022.

DDoS attacks in 2022, on average, lasted for less than an hour, and attacks that lasted for 1 or 2 minutes made up for one-fourth of the total attacks last year.

The tech giant says the attacks were shorter because bad actors need fewer resources to carry them out and security teams are finding it harder to defend against them with legacy DDoS controls. "Attackers often use multiple short attacks over a span of multiple hours to make the most impact while using the fewest number of resources," Microsoft says.

An average of 1,435 DDoS attacks were observed daily, and the highest number was 2,215 attacks, recorded on Sept. 22. The volume of DDoS attacks during the holiday season increased considerably until the last week of December.

Source: Microsoft

Short, Powerful Reflected Amplification

Microsoft documented a 3.25 terabyte-per-second attack in Azure Aloud as the "largest attack" in 2022. This is less than the previously known largest DDoS attack, which had an intensity of 3.47 TB per second at its peak.

Microsoft says TCP reflected amplification attacks are becoming more prevalent and powerful, and more diverse types of reflectors and attack vectors are typically exploiting "improper TCK stack implementation in middleboxes, such as firewalls and deep packet inspection devices." In reflection attacks, attackers spoof the IP address of the target to send a request to a reflector, such as an open server or middlebox, which responds to the target, such as a virtual machine.

The latest TCP reflected amplification attacks can reach "infinite amplification" in some cases. In April 2022, a reflected amplified SYN+ACK attack on an Azure resource in Asia reached 30 million packets per second and lasted 15 seconds. "Attack throughput was not very high, however there were 900 reflectors involved, each with retransmissions, resulting in high pps rate that can bring down the host and other network infrastructure," the report says.

IoT Devices: Preferred Mode of Attack

IoT devices were the preferred choice of adversaries to launch DDoS attacks - a trend that has been growing in recent years, Microsoft says. In 2022, the use of IoT devices expanded during the Russia-Ukraine war.

Botnets such as Mirai, used by nation-state actors and criminal enterprises, adapted to infect a wide range of IoT devices and support new attack vectors.

"While Mirai is still a major player in the field of botnets, the threat landscape in the field of IoT malware is evolving, with new botnets emerging such as Zerobot and MCCrash," Microsoft said.

Other Findings

TCP Attacks Top the Chart

Accounting for 63% of all DDoS attacks recorded in 2022, TCP attacks were the most frequent form of DDoS attack, distantly followed by the UDP attack vector at 22%.


Politically motivated DDoS attacks have risen to the forefront, especially in the past year following Russia's invasion of Ukraine.

KillNet, a Russian hacktivist group that pledged its allegiance to Moscow, actively recruited volunteers to conduct DDoS attacks against Western nations (see: Pro-Moscow Nuisance Hackers Claim DDoS Attack on FBI Website).

According to the CyberPeace Institute, which tracks publicly disclosed attacks related to the Russia-Ukraine war, KillNet has launched 86 attacks against pro-Ukrainian countries since the war began in February.

Source: Microsoft

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.asia, you agree to our use of cookies.