Lumen (formerly CenturyLink), operating approximately 450,000 route fiber miles while serving customers in more than 60 countries, has released its quarterly DDoS report for the first quarter of 2021. The largest DDoS attack Lumen measured by bandwidth scrubbed was 268 Gbps. The largest DDoS attack measured by packet rate scrubbed was 26 Mpps.
The longest Distributed Denial of Service (DDoS) attack period Lumen mitigated for an individual customer lasted almost two weeks. Multi-vector DDoS mitigations represented 41% of all DDoS mitigations, with the most common using a DNS query flood combined with a TCP SYN flood. The top three industries targeted in the 500 largest DDoS attacks in Q1 2021 were: Finance, Software & Technology, and Government.
Well-known IoT botnets like Gafgyt and Mirai remain serious DDoS threats, says Lumen, with 700 active Command and Control servers (C2s) attacking 28,000 unique victims combined. Lumen tracked nearly 3,000 DDoS C2s globally in Q1. The most were hosted in Serbia (1,260), followed by the United States (380) and China (373). Of the most active global C2s that Lumen observed issuing DDoS attack commands, the United States had the most (163), followed by the Netherlands (73) and Germany (70).
Lumen tracked more than 160,000 global DDoS botnet hosts. Nearly 42,000 were in the United States – the most of any country.
Black Lotus Labs
To create the report, the security team at Lumen looked at intelligence from Black Lotus Labs – the company’s threat research arm – and attack trends from the Lumen DDoS Mitigation Service platform, which integrates countermeasures directly into the company’s extensive and deeply peered global network.
“As organizations’ dependency on applications to generate revenue deepens, many are realizing they can no longer risk foregoing essential DDoS defenses,” said Mike Benjamin, Lumen vice president of security and Black Lotus Labs. “The information in this report is more evidence of that. As IoT DDoS botnets continue to evolve, Lumen is focused on leveraging our visibility to identify and disrupt malicious infrastructure.”
One of the key tools in the hands of cybercriminals seeking to increase the bandwidth of their attacks is UDP-based reflection leveraging services such as Memcached, CLDAP and DNS. Through this process, an attacker spoofs a source IP, then uses an intermediary server – a reflector – to send massive response packets to the victim’s IP rather than back to the attacker.
Black Lotus Labs leverages the visibility from its extensive global network to identify services potentially being leveraged to launch these types of attacks. Based on data from Q1 2021, Black Lotus Labs sees Memcached, CLDAP and DNS services being actively exploited today. For a more detailed look at UDP reflectors, read the latest Black Lotus Labs blog: Tracking UDP Reflectors for a Safer Internet.