Neustar Security Services, a provider of cloud-oriented security services that enable global businesses to thrive online, has released its 2021 year-in-review “Cyber Threats & Trends Report: Defending Against A New Cybercrime Economy,” which details the ongoing rise in cyberattacks fielded by the company’s Security Operations Center (SOC) in 2021.
In 2021, the company’s SOC saw an unprecedented number of “carpet bombing” distributed denial of service (DDoS) attacks. Carpet bombing, in which a DDoS attack targets multiple IP addresses of an organisation within a very short time, accounted for 44% of total attacks last year, but the disparity between the first and second half of 2021 was stark. While carpet bombing represented just over a third (34%) of total attacks mitigated by Neustar Security Services’ SOC in both Q1 and Q2, these attacks saw a big jump in the second half – representing 60% of all attacks in Q3, and 56% in Q4.
While the vast majority of attacks fell into the 25 gigabits per second (Gbps) and under size category, and the average attack was just 4.9 Gbps last year, 2021 saw many large-scale attacks as well. The largest measured 1.3 terabits per second (Tbps) and the most intense was 369 million packets per second (Mpps). The longest-lasting attack clocked in at 9 days, 22 hours and 42 minutes although the majority of attacks were over in minutes. Nearly 40% of the unique attacks seen by the SOC in 2021 took place in the first three months of the year. The number dropped significantly in the second and third quarters before rebounding in the fourth quarter.
A mix of new vectors and old favourites
Attacks varied more widely in complexity than what has been observed in the past few years. Single vector attacks represented 54% of attacks in 2021 compared to 5% in 2020, showing an economy of effort from many attackers. At the same time, the number of highly complex attacks using four or more vectors increased, reaching a record 4% of total attacks, so when an attacker gets serious, they can make it much more difficult on defenders.
Botnets continued to play a key role in DDoS attacks in 2021, with security professionals uncovering new botnets and command and control (C2) servers every day. One of the year’s highest-profile new botnets was Meris, which uses HTTP pipelining to overwhelm web applications by bombarding websites and applications with massive numbers of requests per second. The SOC also saw a high level of reflection/amplification DDoS attacks, using both familiar vectors such as DNS and Remote Desktop Protocol (RDP) and a variety of new ones as well.
The report also details how web applications are under assault on a number of different fronts. Attacks against web services have risen in tandem with increased adoption of web applications, and web apps are by far the top hacking vector in breaches.
Ubiquitous DNS attacks
The domain name system (DNS) has long been a popular target for DDoS attacks, both as an amplification vector and as a direct target, as well as for other types of exploits. Common threats to DNS include attacks that deliver a bad answer to DNS queries (DNS hijacking, for example), attacks that prevent the DNS from answering queries (flood attacks or reflection/amplification attacks) and attacks that use DNS as a transport mechanism to convey information through firewalls (DNS tunneling). These attacks can be difficult to defend against without the appropriate technology and expertise, and rectifying problems can be time-consuming and costly.
According to a September 2021 Neustar International Security Council report, 72% of organisations surveyed had experienced at least one DNS attack in the previous 12 months, and the impact was significant in 58% of cases. The most common types of DNS attacks were DNS hijacking (experienced by 47% of organisations in the past 12 months), followed closely by DNS flood, reflection/amplification or other type of DDoS attack (46%), DNS tunneling (35%) and cache poisoning (33%).
To read more exclusive features and latest news please see our Q4 issue here.
Media contact
Rebecca Morpeth Spayne,
Editor, Security Portfolio
Tel: +44 (0) 1622 823 922
Email: [email protected]
