Geopolitical Tensions Drive Explosion in DDoS Attacks

16-August-24

Web distributed denial of service (DDoS) attacks rose by 265% in the first half of 2024 compared to H2 2023, according to new findings from Radware.



Application-layer DNS DDoS activity also tripled from H2 2023 to H1 2024, while a 16% increase in locked network-layer DDoS attacks was observed in the same period.



The researchers highlighted growing worldwide geopolitical tensions as a major driver of this trend, with hacktivist groups claiming between 1000 and 1200 DDoS attacks per month in the first six months of 2024. Ukraine was the most heavily targeted country by hacktivists during H1 2024, followed by the US, Israel, India and Moldova.



The Ukrainian domains rada.gov.ua and tax.gov.ua were the most targeted by DDoS attacks since January 2023, Radware found.



Pro-Russia group NoName057(16) was the most active hacktivist threat actor during H1 2024, frequently collaborating with other groups like the Cyber Army of Russia Reborn to target Ukraine and other countries.



The most prominent attacker collectives targeting Israel included RipperSec, 1915 Team, Sylhet Gang, Anonymous Muslims, LulzSec Indonesia, Team ARXU, StarsX Team and Dark Storm Team.



The researchers noted that the US was an important target for DDoS-as-a-service providers to demonstrate their proof-of-capability to potential customers. The Telegram groups Channel DDoS v2, ZeusAPI Services and Krypton Networks claimed the most attacks targeting the US in the first six months of 2024.

The report found that Web DDoS attacks have increased in frequency and intensity in H1 2024. Almost 3% of web DDoS attacks were over 1 million RPS and around 17% were between 100,000 and 250,000 RPS.



Additionally, the fraction of Web DDoS attacks below 50,000 RPS decreased from 74% in H2 2023 to 55% in H1 2024.



Radware also highlighted a six-day attack campaign targeting a UAE financial institution during H1 2024. The attack consisted of several four- to 20-hour Web DDoS attack waves, totaling 100 hours of Web DDoS and sustaining an average of 4.5 million RPS with a peak of 14.7 million RPS.



The attackers gave up after six days and 100 hours of generating malicious web requests. The campaign was attributed to hacktivist threat group SN_BLACKMETA by Radware. The firm also believes that the infrastructure leveraged during the attack could be part of the InfraShutdown premium DDoS-for-hire service.

The researchers also observed a 22% rise in web application and API attacks in H1 2024 compared to H2 2023.



The most common web application attack technique was vulnerability exploitation, making up 32.9% of attacks. This was followed by access violation (9.98%), data leakage (4.83%) and SQL injection (2.3%).



Around two-thirds (66%) of web attacks targeted applications and APIs located in North America. Applications in EMEA accounted for 23% of the attack activity.



Additionally, bad bot transactions increased by 61% in H1 2024, with North America experiencing around half of this activity.
