Quarantine Chronicles: How DDoS Grew

4 min

As you know, laziness is the engine of progress. And self-isolation is DDoS’s engine, we add based on the results of understanding the “past” in March-May 2020. While someone was suffering from the hopelessness (literally) of their situation, “mother hackers” suffered bullshit from the inevitability of online learning and upcoming exams. “Actively” suffered (this energy would be in a peaceful direction!). In terms of the number of DDoS attacks in education, the highest growth dynamics were observed. At the peak – in April – the number of attempts to make a denial of service to educational resources (electronic diaries, sites with test work, sites for online lessons, etc.) increased 5.5 times in relation to March and 17 times in relation to by January 2020. All these were low-power (and probably free) attacks using simple, easily accessible tools. Of course, other industries fell into the sight of attackers (though already more advanced ones), but here it was expected: online trading, the public sector, the financial sector, telecom and the gaming segment. Details, as always, under the cut.

The analytics we provide below are based on data from attacks on Rostelecom networks from January to May 2020.

How the number of attacks has changed

So. In March-May 2020, the number of DDoS attacks increased 5 times in comparison with the same period last year. In general, in the first five months of 2020, the total number of such attacks year-over-year increased by more than 4 times.

It is clearly seen how cybercriminals increased their activity with the introduction of quarantine measures. The peak occurred in April, when the number of attacks compared to January increased by 88%. It is worth noting that a year earlier the dynamics was not so bright, and the number of attacks from month to month remained the same, plus or minus.

During the period of self-isolation, the nature of Internet traffic has changed. Many organizations that previously worked only offline have launched their own online resources.including free. Add mass udalenka here – and we will get a new reality on the network: if earlier Internet activity gradually increased, reaching a peak by 17: 00-21: 00, now a sharp increase was noted at about 10:00 and did not decrease before 23:00. In general, traffic over the five months of 2020 increased by about 20% (and where traffic is there, “saboteurs”).

Attack Characteristics

With a sharp increase in the number of DDoS attacks, their complexity and power as a whole decreased. Mostly the attackers used the usual DNS or NTP amplification of small volumes (up to 3 Gb / s).

It is noteworthy that at the end of 2019, we recorded the opposite trend: a sharp increase in power and the technical complexity of attacks. During the pandemic, the number of such did not decrease, but the share as a whole fell against the backdrop of a sharp increase in simple “worker-peasant” DDoS’s. This once again indicates that during the self-isolation, it was not the “pros” who were especially active, but rather the “amateurs” who decided to take advantage of the situation.

Who were hunted

As we said above, in the first five months the attackers’ interest in educational resources sharply increased. Considering the fact that in most cases the “garbage” traffic was sent explicitly by “lovers”, the conclusions about the organizers are self-evident (and yes – this is not for you to hide or warm the thermometer under the bed to avoid control).

But DDoS was not alive as a single school. The number of attacks on state institutions has also increased – in April, more than 3 times in comparison with March.

The third industry with the most pronounced dynamics was gaming (the growth of attacks in April was almost 3 times in comparison with March). The isolation mode has attracted not only many new users to this industry, but also zoo-gold money (and where money is there … well, you understand). In a word, a serious struggle unfolded on the fields of gaming, not only among players, but also among platforms.

Despite the fact that overall attack power fell during the reporting period, telecom operators and data centers stood out in the general statistics: 150+ GB attacks more often than usual. DDoS in these two segments allows you to disable not just one specific site, but hit “in bulk” on the operator’s clients and resources that the data center serves. Moreover, such companies are better protected than, for example, government agencies or the educational segment. Therefore, attackers have to use more advanced tools. During a pandemic, attacks on these two segments were fast and powerful and were most likely carried out through real hosts assembled into a single botnet with the ability to redirect it to a new victim in a matter of minutes.

In general, such a division by industry continues the trend that was formed back in 2019. For example, in 2018, the telecom industry accounted for only 10% of all DDoS attacks, and in 2019 – already 31%. The targets of the hackers were small regional Internet providers, hosting and data centers, which usually do not have the resources necessary to repel attacks.


• During the quarantine period, against the backdrop of the spread of COVID-19 (March-May 2020), five times more DDoS attacks were recorded than a year earlier.

• The proportion of simple and low-power attacks has increased, which indicates the activity of “unprofessional” attackers.

• The number of attacks on educational resources increased 5.5 times, and the most powerful attacks during the reporting period were on telecom operators and data centers.

The largest volume of attacks in March-May occurred in the online trading sector (31%), which is traditionally one of the main targets for DDoS. The second most popular was the public sector (21% of attacks). This is followed by the financial sector (17%), telecom (15%), education (9%) and the gaming segment (7%).

The most difficult month for the owners of Internet resources was April, when in Russia there was a strict regime of self-isolation. In May, the activity of dedosers gradually began to decline – this trend will continue even if the situation in Russia and the world stabilizes. You can also predict a decrease in the number of attacks in the field of education when the entrance and final exams end.

However, as the past quarantine showed, it is impossible to predict for sure when exactly DDoS will come to the company, so it is better to lay the straw in advance.


Leave a Reply