DDoS report shows telecoms under siege

Zayo Group’s annual report on distributed denial of service (DDoS) raised the curtain on a significant upswing in attacks, with the telecom industry hit the hardest.

DDoS is an attack where the target’s internet circuit is flooded with false or unauthorized traffic, obstructing legitimate user traffic from flowing through. The report found a 314% increase in overall attacks from the first half of 2022 to H1 of 2023, which Zayo attributed to “increasing digitization, political unrest and the emergence of widespread adoption of work-from-home,” as well as attackers expanding their use of artificial intelligence (AI) and automation.

Telecom companies emerging as a primary focus for attackers has been a recurring trend this year. Zayo’s report showed the telecom industry was hit with DDoS attacks most frequently, making up about half of the total attack volume with 37,000 attacks in the first half of 2023.

The largest aggregate attack reported—978Gbps—was in the telecom sector. An attack size of just 3 Gbps is “a large enough attack to take down one to two offices depending on the company size,” Zayo noted.

Education had the highest frequency of attacks in the first half of 2022 and fell just behind the telecom industry this year. Cloud and Software-as-a-Service (SaaS) companies also saw a significant increase in the frequency of attacks from the first half of 2022 to the first half of 2023.

The average duration of attacks increased by 216% from Q1 to Q2 across all industries, with the finance industry seeing that number jump from 41 minutes to 108 minutes.

Other reports have indicated complex, multi-vector DDoS attacks are on rise. An internal Lumen report found that 44% of the company’s Q2 DDoS mitigations this year were multi-vector in nature, meaning the threat actors combined two or more attack techniques. Lumen’s quarter-over-quarter data showed that attackers are continuously attempting to get through the company's countermeasures by changing the number and types of vector combinations they deploy.

“Multi-vector attacks are significantly more complex than single vector and require sophisticated countermeasures like Lumen's to mitigate,” the company said. “When threat actors deploy multi-vector attacks, they are targeting victims who are unprepared for the new vector combinations.”

According to HubSpot, organizations experience an average mitigation cost of $200,000 per DDoS attack. But Zayo SVP Anna Claiborne noted the “long-tail loss of customer confidence” is more difficult to quantify and perhaps even more difficult to fix.

“When your business will get hit by a DDoS attack is a game of probability,” said Claiborne in a statement. “With a huge rise in attacks in 2023 and more attacks over 100Gbps, the odds are not in your favor.”