During this period, a campaign of blackmail attempts claimed to be from the Russian advanced attackerFancy Bear . Their attack opened with a small DDoS attack as a demonstration, followed by a payment demand for hundreds of thousands of dollars. Pay up or they will “make sure your services will remain offline until you pay.” What is curious is that Fancy Bear is a cyberespionage group that is not known for DDoS attacks or blackmail, but rather espionage and political disruption.¹ It's highly unlikely that the real Fancy Bear is carrying out these recent campaigns.

Shift in DDoS Attack Types in 2020

Overall, most of the reported DDoS attacks are volumetric, targeting network bandwidth and saturating it with junk packets to clog up the connections for legitimate users. A common method for doing this is a DNS amplification attack, which spoofs DNS requests to flood back at a victim. In 2019, 17% of all DDoS attacks reported to the F5 SIRT were identified as DNS amplification attacks. However, in 2020, that number nearly doubled, to 31%.

Another DNS DDoS technique is a DNS query flood, where an attacker sends malicious DNS requests that are purposely malformed to cause a DNS server to exhaust its resources. During the 2020 period, 12% of the DDoS attacks were malicious DNS requests against customer DNS servers.

The first half of 2020 also saw a rise in DDoS attacks targeting websites and applications. In 2019, 4.2% of the DDoS attacks reported to the F5 SIRT were identified as targeting web apps. However, this increased sixfold in 2020 to 26%.

The F5 SIRT incident data also revealed geographic differences in attack type. The Asia/Pacific region had the highest percentage (83%) of incidents reported as DDoS attacks across the globe. Europe, the Middle East, and Africa (EMEA) saw the next highest, with 54% of reported incidents categorized as DDoS attacks.

Changes in Access Attacks on Password Logins

Credential stuffing and brute force are major threats on the Internet. With the pandemic causing a huge shift from in-store buying to electronic commerce, it seemed logical to expect increased levels of password attacks on retailers. Indeed, 67% of all F5 SIRT-reported attacks on retailers in 2020 were password attacks; in 2019, it was only 40%. Also in 2020, half of the incident reports from service providers were attributed to password login attacks. Financial services customers also reported 43% of incidents as password logins.

F5 Labs also keeps an eye on the specific kinds of technical services being hit by password login attacks. One growth area is authentication attacks on APIs, which the F5 SIRT reports show doubled from 2.6% in 2019 to 5% so far in 2020.

Conclusion

Expect more turbulence with the changes in the economy, the pandemic, and the holiday shopping season, more will likely be done more online this year. One thing is clear: our increased usage and dependence on technology has also brought increased levels in the already-growing attack trends.