NCC Group plc

11/30/2022 | Press release | Distributed by Public on 11/30/2022 09:42

DDoS attacks on the rise - an anomaly or a resurgence?

Back in September, data from the Financial Conduct Authority (FCA) in the UK revealed a significant increase in the number of distributed denial-of-service (DDoS) attacks on financial institutions in the first half of 2022. In total, it stated that 25% of all 'material' cyber incidents reported to the FCA (those that have had a significant impact on an organisation) were the result of a DDoS attack, compared with just 4% of all incidents reported in 2021.

Continuing this trend, our Global Threat Intelligence team identified an increase in DDoS attacks across all sectors in the first three months of the second half of the year, with 1,282 attacks in total and, in particular, a significant rise of 101% between August and September.

The trend continued into October, with the total number of attacks observed in a month increasing again to 2,090.

Figure 1: DDoS Attacks by Month 2022*

Matt Hull, Global Head of Threat Intelligence at NCC Group, explores why this increase might have happened and offers advice for organisations.

How can DDoS attacks impact an organisation?

Distributed denial-of-service (DDoS) attacks are malicious attempts to overwhelm a server, service or network with a flood of false traffic in order to interrupt or suspend its capabilities, creating disruption. DDoS attacks tend to have the most impact where downtime of services disrupts a core function of an organisation, creating distress among staff, partners and customers.

Our DDoS analysis from October noted that the overwhelming majority of attacks last between 2 and 5 minutes. However, the average length was recorded as 35 minutes, which is skewed by a handful of attacks lasting for multiple days.

Beyond the cost of paying a ransom for an attack to stop, the impact of an attack can lead to long-term reputational damage, and the attack could also be used as a smokescreen for other types of targeted hacking attempts.

What's behind the increase?

The increase could be indicative of ransomware operators adding yet another string to their bow.

When the term 'ransomware' first appeared, it referred to a type of software that encrypts data for the purposes of extortion. Then came double extortion, which combined ransomware with the subsequent leaking of sensitive data on a 'leak site', also known as 'pay-now-or-get-breached'. Now we are seeing prolific ransomware operators such as LockBit 3.0 using DDoS attacks to add even more pressure to a victim organisation, a tactic known as triple extortion.

In September alone, LockBit 3.0 were responsible for over 100 ransomware attacks, as reported in NCC Group's latest Monthly Threat Pulse.

What learnings can we take from this increase in DDoS attacks?

Notably, as DDoS attacks are not new, organisations globally are both aware of the attack type and able to benefit from years of anti-DDoS product development. This might go some way to explaining why most attacks only last a matter of minutes; defensive measures are more sophisticated and able to defeat most incoming DDoS attacks quickly, leaving only the largest and most sophisticated attacks unchecked for longer.

The rise in DDoS attacks is a pertinent reminder of the importance of creating a robust cyber security strategy, regardless of sector. As organisations and people become more reliant on the digital world, an effective framework that accounts for a DDoS attack has never been more important. As we experience a resurgence of DDoS, organisations should be sure to familiarise themselves with relevant anti-DDoS mitigation measures and implement them effectively.

* The NCC Group TI team continues to identify new data sources for both retrospective and ongoing DDoS analysis. The data captured has, at the time of writing, not unearthed data for May 2022. While this is likely to be an anomaly, as with all other areas of intelligence collection, the TI team will continue to identify sources that can fill this intelligence gap.