Economy class attacks – Kommersant

The duration of DDoS attacks on Russian IT resources has decreased by more than six times since last year and has become an average of two days, analysts calculated. Attackers have become more selective in their choice of victims, and have stopped using expensive attack tools and now prefer to attack unprotected resources in the most cost-effective way, experts say.

“Kommersant” got acquainted with the report of the company on protection against Internet threats Qrator Labs for the first quarter, dedicated to hacker DDoS attacks (attack on the server according to the “denial of service” model). The researchers found that compared to the first quarter of 2022, the duration of DDoS attacks was reduced by more than six times. So, if in the first quarter of 2022 the maximum duration of attacks was more than ten days, then in 2023 this figure became less than two days. The longest attacks, they write in Qrator Labs, were recorded on fiscal data operators (OFD, 22 hours), online education (20 hours), media (20 hours) and software services (10 hours).

At the same time, for the whole of 2022, the duration of attacks increased significantly: only in the first three months the record for their maximum duration was updated several times – one of the DDoS attacks, which began in May, lasted almost 29 days (see Kommersant dated July 21, 2022 ).

RTK-Solar estimated the reduction in the time that Russian resources were under attack by hackers on average by four times compared to the first quarter of 2022. But the company notes that they also recorded attacks lasting up to 32 days, and organizations of various sectors of the economy became the targets of such a DDoS: insurance, retail, and industry.

The reduction in the maximum duration of DDoS attacks in the first quarter of the year can be associated with the expansion of the range of attack targets for attackers, says Alexander Lyamin, founder and CEO of Qrator Labs. Now, according to him, they do not focus on individual resources, trying to “put” them for a long period: in case of failure, hackers simply do not waste time continuing the attack, but are looking for new victims.

Indeed, there is a change in the attack vector from chaotic to better ones, they agree at DDoS-Guard. Attackers analyze resources and choose as victims those who do not have DDoS protection or use weak ones. The most affected by such attacks in the first quarter were the regional media, entertainment resources, learning platforms, accounting and banking sectors, says DDoS-Guard.

Softline also agrees with the trend to reduce the duration of attacks: “This can be explained by the fact that many companies have begun to block incoming traffic by geolocation, which, in turn, makes attacks from abroad ineffective. In this regard, Russian socks servers have increased in price in the gray markets, which made a powerful DDoS attack very expensive to implement.”

Previously, attackers had not very high-quality tools to “measure the success of attacks.” They could continue to send malicious traffic to the victim for a long time, not knowing that the bot that checks the success of the attack, accessing the resource, has already been blocked, Alexander Lyamin argues: “Now the quality of monitoring has improved, and if the result is unsatisfactory, they fix it immediately and stop attack that failed.

If we compare March 2022 and 2023, we can note a significant (from 38% to 8.5%) reduction in the share of more expensive DDoS attacks (consisting of sending a large number of requests in a fairly short time), while the share of attacks that do not require a botnet, has more than doubled (from 5% to 12%), since they are cheaper to sell, confirms Alexey Pashkov, head of the WAF and Anti-DDoS divisions at RTK-Solar. This trend is also confirmed by the situation with other types of cyberattacks: the time it took for attackers to hack into the victim’s IT infrastructure in 2023 decreased by about 20% compared to the beginning of last year (see Kommersant on April 13). This is facilitated by new tools, including sales on specialized forums of the necessary inexpensive codes to carry out attacks.

Tatyana Isakova