ThreatList: DDoS Attack Sizes Drop 85 Percent Post FBI Crackdown

Posted By

Threat Post


March 19, 2019

The FBI’s crackdown on 15 DDoS-for-hire sites appears to have had an impact on DDoS attacks, the average size for which dropped 85 percent in the fourth quarter of 2018, a new report found.

The average size of distributed denial of service (DDoS) attacks decreased significantly, dropping by 85 percent in the fourth quarter of 2018.

Researchers with NexusGuard said in a Tuesday report shared with Threatpost, that the number of DDoS attacks also dipped significantly, sinking by almost 11 percent in the fourth quarter of 2018.

These decreases stem from a recent FBI December crackdown on DDoS for hire services, researchers said, which led the Justice Department to take offline 15 DDoS-for-hire internet domains.

“The decrease was largely attributed to the FBI’s successful takedown of 15 large ‘Booter’ websites that were alleged to be responsible for having generating more than 200,000 DDoS attacks since 2014,” researchers said in their report. “The FBI’s highly effective crackdown not only suppressed the number of total attacks YoY, but also the average and maximum attack sizes, decreasing both by 85.36 percent and 23.91 percent, respectively.”

DDoS-for-hire, known as “booter” services, make it easy to carry out DDoS attacks, flooding targets with internet traffic to overwhelm a site or IP address and eventually knock it offline.

The crackdown on DDoS-for-hire services, including,, and, decreased the average size of attacks: In fact, more than 90 percent of DDoS attacks rated smaller than one Gbps in size. The quarterly average duration was 452.89 minutes, while the longest attack lasted 18 days, 21 hours, and 59 minutes, said researchers.

For comparison’s sake, the largest DDoS attack, recorded in March 2018 and targeting GitHub, measured 1.3 Tbps of sustained traffic for eight minutes; while the infamous 2016 Mirai botnet maxed-out at 620 Gbps.

SSDP Amplification Attacks Soar
SSDP amplification attacks made up 48.26 percent of all attack methods in the fourth quarter of 2018, with UDP attacks coming in second place (14.26 percent) and HTTPS flood attacks following (9.10 percent).

Conventional attacks like UDP, TCP SYN and ICMP dropped significantly on a year over year base, with other newer, more insidious methods rising past them in popularity.

“UDP flood” denial of service attacks overwhelm random ports on the targeted host with IP packets containing User Datagram Protocol (UDP) datagrams; TCP SYN DDoS attacks exploit part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive; and Internet Control Message Protocol (ICMP) attacks overwhelm a targeted device with ICMP echo-request packets.

These types of attacks are making now making way for a new and malicious type of attack: Simple Service Discovery Protocol (SSDP) Amplification attacks, which increased a whopping 3,122 percent year over year.

SSDP is a network based protocol used for the advertisement and discovery of network services; an SSDP amplication attack is launched over UDP via Universal Plug and Play devices such as printers, web cameras, routers, and servers.

Regardless of the type of DDoS attack vector and any future law enforcement crackdown, DDoS attacks will only continue due to human error and vulnerabilities in connected products.

“The root cause of botnets stems from hardware/software vulnerabilities and human ignorance or negligence that leave the door open for malware to enter and take control,” researchers said. “Patching all vulnerabilities and raising security awareness across all levels of users, in theory, is a way out. But in reality that’s easier said than done — so botnets and DDoS-for-hire services are not likely to disappear any time soon.”