
DDoS Hacktivism is Back With a Geopolitical Vengeance

DDoS attacks have evolved from social protests through criminal extortion, hack attack smokescreens and competitor suppression to geopolitical vengeance.

Distributed denial of service (DDoS) attacks have evolved from social protests through criminal extortion, hack attack smokescreens and competitor suppression to geopolitical vengeance. All these drivers currently coexist, but aggressive geopolitical revenge now dominates.

This is the primary conclusion to be drawn from StormWall’s Q4 2023 review of global DDoS attacks. StormWall, based in Bratislava, Slovakia, offers a DDoS protection service delivered through a global network of scrubbing centers.

The effect of geopolitics is clearly seen in the timing and volume of current attacks against Israel. In Q3 2023, less than 1% of global attacks targeted Israel. But following the Hamas raid on October 7, 2023, and the retaliatory invasion of Gaza by the Israeli military, this number leapt to 10.6% — with sizes ranging from 1.2 Gbps to 135 Gbps and durations from a few minutes to 24 hours. In Q4 2023, tiny Israel became the fourth most DDoS-attacked nation in the world, behind China (12.6%), the USA (12.2%) and India (11.7%).

Other indications of a geopolitical motivation behind DDoS attacks can be seen in the individual targets. StormWall’s figures show that government (21% of attacks), retail (17%), telecommunications (15%), finance (12%), and energy (9%) are the five most attacked sectors. All but retail could be described as mainstream critical infrastructure and are primary targets for any attacker wishing to inflict economic damage and disturbance on an enemy. These targets further support the idea that DDoS hacktivism is now largely driven by geopolitical vengeance.

Retail is a bit of an anomaly. Attacking individual shops or retail chains would disrupt the companies, but not the economy. Compare the economic effect to that of taking down large swathes of the internet through targeting telecommunications.

For retail, all Q4 figures are disturbed by the holiday season, but the sector is still anomalous. StormWall posits that retail DDoS figures are inflated by a non-geopolitical source of attacks: over-aggressive competitors.

It is impossible to determine the individual actors behind a DDoS attack without a public claim of responsibility from a group such as Killnet. Only the target is clear. However, in the same way that malware researchers detect clues allowing them to suggest ‘with some confidence, we believe that nnn group is behind this attack’, so too can DDoS defenders point the finger in general directions.

In the case of retail, StormWall CMO Daniil Korolev told SecurityWeek that monitoring the IT Army of Ukraine (the world’s largest semi-visible group of geopolitical activists) shows no geopolitical interest in targeting retail. “These guys have certain patterns in their attacks. By cross-examination we can deduce they have almost zero interest in retail. You can be pretty sure that retail is attacked by competitors because they are never of interest to a hacktivist group — they’re just not that interesting.”


If not geopolitics, what motivations remain? The primary options are criminals for extortion (the loss of e-commerce sales during the holiday season could be critical), and unfair competitors.

Further indications of the vengeance motive can be seen in the dominance of government as an attack sector, and the rapid rise of the energy sector. Twenty-one percent of all attacks were against the government sector, a 162% year-on-year increase. “These attacks, first focused mostly on Europe, have now spread to the Middle East due to the Israel-Palestine conflict,” says StormWall. European targets were probably attacked in response to UK and EU support for Ukraine, but the focus has now shifted to Israel.

The energy sector has also seen an escalation in attacks – a 109% year-on-year increase, now representing 9% of all attacks. The energy sector serves as both a target for, and a source of, DDoS attacks. “Attackers are also targeting IoT devices used in energy plant operations to initiate further botnet attacks,” warns StormWall.

Eighty-six percent of all attacks were HTTP/HTTPS attacks, while 9% targeted TCP/UDP. However, StormWall calls attention to the growth in DNS laundering (where attackers bombard DNS servers with requests for random subdomains), and mDNS attacks that exploit local network protocols to amplify attacks.
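The DNS laundering pattern described above (a flood of queries for random, never-before-seen subdomains of a victim zone) can be spotted in resolver query logs. The following detector is an added example, not code from StormWall or from this article; the log format, the sample log lines and the entropy/uniqueness thresholds are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <client> <qname> <qtype>" per line.
# example.com receives many distinct random-looking labels; example.org does not.
SAMPLE_LOG = """\
1700000000 198.51.100.7 www.example.com A
1700000000 198.51.100.7 mail.example.com A
1700000001 203.0.113.9 x7kq2p9z.example.com A
1700000001 203.0.113.10 j3m8vq1t.example.com A
1700000001 203.0.113.11 p0e4rzw6.example.com A
1700000002 203.0.113.12 b9n2ls5c.example.com A
1700000002 203.0.113.13 q8wzk3mf.example.com A
1700000002 203.0.113.14 d2h7ytn4.example.com A
1700000003 198.51.100.8 shop.example.org A
1700000003 198.51.100.9 www.example.org A
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (ts, client, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower().rstrip("."), m.group(4)

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def zone_of(qname, depth=2):
    """Crude zone extraction: keep the last `depth` labels (assumed 2-label zones)."""
    return ".".join(qname.split(".")[-depth:])

def detect_random_subdomain_flood(text, min_unique=5, min_entropy=2.5):
    """Flag zones whose leftmost labels are numerous, distinct and high-entropy."""
    per_zone = defaultdict(lambda: {"queries": 0, "labels": set(), "clients": set()})
    for _ts, client, qname, _qtype in parse_log(text):
        labels = qname.split(".")
        s = per_zone[zone_of(qname)]
        s["queries"] += 1
        s["clients"].add(client)
        if len(labels) > 2 and label_entropy(labels[0]) >= min_entropy:
            s["labels"].add(labels[0])  # candidate random subdomain
    return {z: {"queries": s["queries"], "unique_random_labels": len(s["labels"]),
                "clients": len(s["clients"])}
            for z, s in per_zone.items() if len(s["labels"]) >= min_unique}
```

On the constructed log only example.com is flagged; in production the counters would be kept per time window and compared against a baseline of normal unique-label counts for each zone.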

More specifically, the firm notes, “There’s been an increase in botnet, DNS amplification, and multi-vector attacks. Notably, Hyper-Volumetric HTTP DDoS attacks exploited the HTTP/2 rapid reset flaw.” Most of the attacks are short in duration, lasting less than 30 minutes. Such attacks are often designed to test the target’s defenses, before a larger assault is launched.

Nobody is immune from a DDoS attack. While geopolitics dominates the attack motivation, it is not the only motivation. The entertainment industry is still subject to criminal extortion. The retail, finance, and logistics sectors all saw a spike in attacks during key shopping periods like Black Friday and the Christmas-New Year season, “often driven by competitors”, suggests StormWall.

“Our data from Q4 2024 clearly demonstrates how quickly the threat landscape can evolve in response to global events,” warns Ramil Khantimirov, CEO and co-founder of StormWall. “If online infrastructures aren’t prepared now, setting up DDoS protection becomes much harder once they’re targeted.” Preparation to defend against DDoS is a better tactic than hope.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
