COVID-19 Sparks Big DDoS & Password Login Attack Surge


The COVID-19 pandemic has driven a significant spike in DDoS and password login attacks, according to new analysis from F5 Labs.

Based on new global data sourced from the F5 Security Incident Response Team (SIRT), the research reveals an unprecedently febrile and vulnerable threat landscape post-lockdown.

“F5 Labs reviewed all the reported incidents from the beginning of 2020 until August, and attackers are clearly doing everything they can to exploit pandemic-related online behavior,” said Raymond Pompon, Director of F5 Labs.

“Expect more turbulence on the horizon as COVID-19 continues to evolve and wield an economic impact. This year’s holiday shopping season, for example, will be more online than ever and under intense fire from cybercriminals. One thing is clear: our rising usage and dependence on technology have also brought increased levels of already growing attack trends.”


Lockdowns unlocking new threats

In January, the number of all reported SIRT incidents was half the average reported in previous years. As lockdowns hit from March onwards, incidents rose sharply. Numbers plateaued with a three-fold spike over previous years in April, and only began to fall back to normal in May and June. In July, they crept back up to twice the level seen at the same time in 2019.

The attacks fell into two large buckets: Distributed Denial of Service (DDoS) and password login attacks. Password login attacks were comprised of brute force and credential stuffing attacks. Both involve attackers trying guess their way past a password login.

From January through August, 45% of SIRT reported incidents were related to DDoS and 43% were password login attacks. The remaining 12% were reported incidents for things like malware infections, web attacks, or attacks that were not classified.


DDoS surges and shifts

In January, DDoS attacks started off as just a tenth of reported incidents. By March, they had grown to three times that of all incidents.

In 2019, 4,2% of DDoS attacks reported to the F5 SIRT were identified as targeting web apps.  This increased six-fold in 2020 to 26%.

Meanwhile, attack types are becoming more diverse. In 2019, 17% of all DDoS attacks reported to the SIRT were identified as DNS amplification attacks, which spoof DNS requests to flood back at a victim. The number nearly doubled to 31% this year.

DNS Query Flood are also on the rise. This is where an attacker sends malicious requests that are purposely malformed to cause a DNS server to exhaust its resources. 12% of DDoS attacks during the period studied by F5 Labs used this method.


Retail bears brunt of login attacks

67% of all SIRT-reported attacks on retailers in 2020 were password attacks, which is a 27% rise on last year.

During the same period, half of all incident reports from service providers were attributed to password login attacks. The figure stood at 43% of incidents for financial services customers.

F5 Labs also observed a spike in authentication attacks on APIs, which doubled from 2.6% in 2019 to 5% so far in 2020.