DDoS attackers are pouncing on unpatched vulnerabilities
Who needs a new attack vector when you can exploit old, public, and well-documented vulnerabilities?
IoT manufacturers are failing to fix known vulnerabilities that would help prevent DDoS attacks, allowing criminals to run years-long campaigns.
Unpatched or poorly secured devices, purpose-built to keep costs down, allowed attackers to launch over 27,000 botnet-driven DDoS attacks during March alone. New figures from NetScout reveal that service providers were hit with an average of one attack every two minutes.
Overall, there were around 880 confirmed DDoS attacks per day, peaking on March 10 with more than 1,600 incidents.
The average event lasted about 18 minutes and 24 seconds - slightly longer than in previous months, and much longer than the five-to-fifteen-minute global average for DDoS attacks. This, said the firm, indicates a trend towards smaller, more persistent targeting.
NoName057(16) was behind more than 475 claimed attacks in March, more than three times as many as the next most active group.
The group is particularly involved in politically motivated DDoS campaigns targeting governments, infrastructure and organisations.
"We observed more than 26,000 attack configurations linked to the group’s infrastructure, representing variations in vector combinations, targets, and timing," NetScout said.
"In total, more than 500 IP addresses and more than 575 domains were targeted, indicating a substantial volume of unclaimed activity and sustained command-and-control operations throughout the month."
The most common TCP port combination, NetScout found, was 80 and 443, used in more than 850 attacks. For UDP, 443 and 80 dominated, reflecting a focus on encrypted and web-facing services.
The top attack vector was TCP SYN floods, appearing in more than 5,500 attacks and accounting for one in five of all DDoS events in March. Multi-vector attacks were common, including combinations such as TCP SYN + DNS flooding and TCP ACK + TCP SYN.
There were a number of sources for these attacks: Mongolia led with more than 2,900 attacks, mainly traced to localized IoT and router infections.
But there were also a number of multi-country combinations, the top one being Germany and the US, which were involved together in more than 600 attacks.
"This pairing likely reflects attacker interest in leveraging reliable infrastructure — such as cloud-hosted resources or enterprise devices — alongside continued abuse of under-secured networks in other regions," said NetScout.
Many of the vulnerabilities exploited are old, public, and well-documented. They include CVE-2017-16894, CVE-2019-17050, and CVE-2021-41714, often seen in bot clusters focused on service-provider infrastructure. Meanwhile, CVE-2021-27162 and related exploits showed up across thousands of events, pointing to broader exploitation campaigns.
"Service providers are still squarely in the crosshairs, and March made that even more obvious," said the firm, advising service providers to be vigilant.
"It’s not just about stopping traffic; it’s about understanding where that traffic is coming from, why it’s happening, and what it could become. March’s activity shows that DDoS attacks are still growing in sophistication and intent."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
