DDoS attack trends in the network layer during the COVID-19 crisis


woman working in a cybersecurity operations center


During the new era of lockdowns and shelter in place, Internet traffic has exploded, with increases of up to 50%. And cyber criminals have responded by stepping up their DDoS attacks, focusing on shorter, smaller bitrate attacks and a substantial increase in maximum attack size.

Many of these attacks target the network layer in the OSI model — or the network-to-network connections in which packets of data are sent back and forth using certain protocols. What this means for you is that, as the attacker sends large volumes of junk network traffic your way, your site can become slow or even inaccessible — preventing users from accessing your site.

This article can help you better understand DDoS attack trends in the network layer, so your security teams can be better prepared to thwart these evolving threats.


Wave of short, small attacks

These days, almost anyone can launch a DDoS attack. For just around a dollar a minute, a non-technical criminal can easily wreak havoc on your business with a short, small DDoS attack. As the bar to entry lowers, more participants get into the game.

This approach appears to be gaining traction. In Q1 2020, most of the attacks observed by Cloudflare were under 10 Gbps, with 64% of these coming in at less than 500Mbps. And 13.5% of all DDoS attacks throughout January to March 2020 were generated using free, publicly available Mirai code variations.

Despite their small size, 10 Gbps attacks are quite effective against underprotected Internet properties. These hit-and-run attacks can easily enable criminals to extort a ransom in exchange for allowing a website to stay open for business.


Less persistence, more variety

While smaller attacks are on the rise, DDoS attack persistence appears to be falling. For instance, during the holidays (Q4 2019), attackers launched up to 523 DDoS attacks in one day against a single Cloudflare IP. Then, with the onset of the COVID-19 crisis, the total volume of attacks increased. However, the average persistence rate dropped as low as 2.2 attacks per IP address per day, with a maximum of 311 attacks on a single IP.

These numbers represent a 40% drop in attack persistence compared to the 2019 holiday quarter. Are attackers getting lazy? More likely there are more total attacks — including smaller, shorter ones — which may dilute the persistence rate.


Rolling out the big guns

Despite the high volume of smaller attacks and waning persistence, larger attacks are by no means fading away. For instance, in March 2020, both attack volume and size ramped up considerably. There were 55% more attacks observed in the second half of the month versus the first half. Additionally, 94% of the attacks were as large as 300-400 Gbps in the month of March.

Other data shows that the maximum duration of DDoS attacks increased up to 264% in Q1 2020 compared to Q1 2019. This is especially troubling given that a DDoS attack can cost you up to $20,000-40,000 per hour.


Threat mitigation requires agile, distributed & interconnected security

Given the evolving threat landscape, DDoS prevention security must adapt to and anticipate all of these changes. Based on the trends reviewed above, a three-pronged defense works brilliantly:

  • Agility: The time to mitigate network layer DDoS attacks should be 10 seconds or less. Detection should be fast and automatic. This mitigates the small, short attack segment.
  • Distribution: Distributed security architecture employs hundreds of data centers to provide full DDoS mitigation capabilities. This thwarts high-powered localized attacks, as every node is capable of repelling an attack.
  • Interconnectivity: Massive interconnected network capacity is the most effective way to nullify large distributed volumetric attacks. A globally distributed architecture allows for attack mitigation, of any size, close to the source.


Secure your environment

Put this three-pronged defense approach to work for your organization, with Cloudflare and Rackspace Technology. Cloudflare is known for its vast network scale, integrated security, performance and reliability solutions, with easy, unified control and multicloud functionality. And with expert support from Rackspace Technology, you can unlock even more value from Cloudflare and its add-on functionality — including advanced policies and features deployments for bot or SSL management, load balancing, rate limiting, analytics and more. 

Rackspace Technology and Cloudflare helped TeamSnap improve security and run rates with a scalable platform — to help ensure service availability during peak traffic seasons. TeamSnap now enjoys faster load times and greater security with the ability to scale on demand. 


“From the customer experience, we got faster load times, lower latencies, and just an overall more refined experience.”

Tim Soderstrom
Database Administrator, TeamSnap


Get started on your journey to DDoS prevention. Start with our whitepaper, “Taming the ever-evolving DDoS monster,” where you’ll discover the three ugly heads of the DDoS monster, its growing appetite and how to slay it in the cloud.


Tame the ever-evolving DDoS monster.