DDoS attackers are pouncing on unpatched vulnerabilities
Who needs a new attack vector when you can exploit old, public, and well-documented vulnerabilities?


IoT manufacturers are failing to help prevent DDoS attacks by fixing known vulnerabilities, allowing criminals to launch years-long campaigns.
Unpatched or poorly secured devices, purpose-built to keep costs down, allowed attackers to launch over 27,000 botnet-driven DDoS attacks during March alone. New figures from NetScout reveal that service providers were hit with an average of one attack every two minutes.
Overall, there were around 880 confirmed DDoS attacks per day, peaking on March 10 with more than 1,600 incidents.
The average event lasted about 18 minutes and 24 seconds - slightly longer than in previous months, and much longer than the five-to-fifteen-minute global average for DDoS attacks. This, said the firm, indicates a trend towards smaller, more persistent targeting.
NoName057(16) was behind more than 475 claimed attacks in March, more than three times as many as the next most active group.
The group is particularly involved in politically motivated DDoS campaigns targeting governments, infrastructure and organisations.
"We observed more than 26,000 attack configurations linked to the group’s infrastructure, representing variations in vector combinations, targets, and timing," NetScout said.
"In total, more than 500 IP addresses and more than 575 domains were targeted, indicating a substantial volume of unclaimed activity and sustained command-and-control operations throughout the month."
The most common TCP port combo, NetScout found, was 80 and 443, used in more than 850 attacks. For UDP, 443 and 80 dominated, reflecting a focus on encrypted and web-facing services.
The top attack vector was TCP SYN floods, which appeared in more than 5,500 attacks and accounted for one in five of all DDoS events in March. Multi-vector attacks were common, including combinations such as TCP SYN + DNS Flooding and TCP ACK + TCP SYN.
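To make the vector classification above concrete from a defender's side, here is an added example (not NetScout's code or methodology, and not part of the original article) that triages aggregated flow records per destination, flags a SYN-flood signature (many SYN-only packets from several sources with very few completing handshakes), flags a UDP/53 DNS flood, and labels a target as multi-vector when both are present. The flow records, IP addresses (documentation ranges) and thresholds are all constructed assumptions for illustration; real tuning depends on the network's baseline.

```python
"""Per-destination triage of flow records for TCP SYN and DNS flood vectors.

Added example with constructed data; thresholds are assumptions, not vendor guidance.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP (the potential victim)
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    flags: str    # TCP flags as letters ("S", "SA", "A"); "" for UDP
    packets: int  # packets aggregated into this record


# Assumed detection thresholds (tune to the monitored network's baseline).
SYN_MIN_PACKETS = 1000       # SYN-only packets before a target is considered
SYN_TO_ACK_RATIO = 5.0       # SYN-only vs ACK-bearing packets: handshakes not completing
DNS_MIN_PACKETS = 1000       # UDP/53 packets before a DNS flood is considered
MIN_DISTINCT_SOURCES = 5     # several sources = botnet-like, not one noisy client

# Constructed sample records (hypothetical, documentation IP ranges only).
SAMPLE_FLOWS = (
    # Target .10: SYN-only from six sources, almost no ACKs, plus UDP/53 bulk -> multi-vector
    [Flow(f"198.51.100.{i}", "203.0.113.10", "tcp", 443, "S", 300) for i in range(1, 7)]
    + [Flow("198.51.100.7", "203.0.113.10", "tcp", 443, "A", 40)]
    + [Flow(f"198.51.100.{i}", "203.0.113.10", "udp", 53, "", 250) for i in range(1, 7)]
    # Target .20: ordinary web traffic, handshakes complete -> nothing flagged
    + [Flow("198.51.100.50", "203.0.113.20", "tcp", 443, "S", 60),
       Flow("198.51.100.50", "203.0.113.20", "tcp", 443, "A", 400),
       Flow("198.51.100.51", "203.0.113.20", "tcp", 80, "SA", 120)]
    # Target .30: SYN-only from six sources on port 80, no ACKs -> single vector
    + [Flow(f"198.51.100.{i}", "203.0.113.30", "tcp", 80, "S", 400) for i in range(10, 16)]
)


def summarise(flows):
    """Aggregate counters per destination: SYN-only, ACK-bearing, UDP/53, and sources."""
    per_dst = defaultdict(lambda: {
        "syn": 0, "ack": 0, "dns": 0,
        "syn_src": set(), "dns_src": set(), "tcp_ports": Counter(),
    })
    for f in flows:
        d = per_dst[f.dst]
        if f.proto == "tcp":
            d["tcp_ports"][f.dport] += f.packets
            if f.flags == "S":                 # SYN without ACK: half-open attempt
                d["syn"] += f.packets
                d["syn_src"].add(f.src)
            elif "A" in f.flags:               # any ACK-bearing packet: handshake progressing
                d["ack"] += f.packets
        elif f.proto == "udp" and f.dport == 53:
            d["dns"] += f.packets
            d["dns_src"].add(f.src)
    return per_dst


def detect_vectors(flows):
    """Return {dst: {"vectors": [...], "multi_vector": bool, "top_tcp_ports": [...], "sources": [...]}}."""
    findings = {}
    for dst, d in summarise(flows).items():
        vectors = []
        syn_ratio = d["syn"] / (d["ack"] + 1)  # +1 avoids division by zero when no ACKs at all
        if (d["syn"] >= SYN_MIN_PACKETS and syn_ratio >= SYN_TO_ACK_RATIO
                and len(d["syn_src"]) >= MIN_DISTINCT_SOURCES):
            vectors.append("TCP SYN")
        if d["dns"] >= DNS_MIN_PACKETS and len(d["dns_src"]) >= MIN_DISTINCT_SOURCES:
            vectors.append("DNS Flooding")
        if vectors:
            findings[dst] = {
                "vectors": vectors,
                "multi_vector": len(vectors) > 1,
                "top_tcp_ports": [p for p, _ in d["tcp_ports"].most_common(2)],
                "sources": sorted(d["syn_src"] | d["dns_src"]),
            }
    return findings


if __name__ == "__main__":
    for dst, info in detect_vectors(SAMPLE_FLOWS).items():
        label = "multi-vector" if info["multi_vector"] else "single-vector"
        print(f"{dst}: {label} {' + '.join(info['vectors'])}; "
              f"ports {info['top_tcp_ports']}; {len(info['sources'])} sources")
```

The point of the SYN-to-ACK ratio is that a legitimate burst of new connections still completes handshakes, whereas a SYN flood leaves the table of half-open connections growing with few ACKs behind it; combining that with the source count keeps a single misbehaving client from tripping the botnet-style rule. The same per-destination counters are what lets a responder answer the "where is it coming from" question the article raises.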
There were a number of sources for these attacks: Mongolia led with more than 2,900 attacks, mainly traced to localized IoT and router infections.
But there were also a number of multi-country combinations, the top one being Germany and the US, which were involved together in more than 600 attacks.
"This pairing likely reflects attacker interest in leveraging reliable infrastructure — such as cloud-hosted resources or enterprise devices — alongside continued abuse of under-secured networks in other regions," said NetScout.
Many of the vulnerabilities exploited are old, public, and well-documented. They include CVE-2017-16894, CVE-2019-17050, and CVE-2021-41714, often seen in bot clusters focused on service-provider infrastructure. Meanwhile, CVE-2021-27162 and related exploits showed up across thousands of events, pointing to broader exploitation campaigns.
"Service providers are still squarely in the crosshairs, and March made that even more obvious," said the firm, advising service providers to be vigilant.
"It’s not just about stopping traffic; it’s about understanding where that traffic is coming from, why it’s happening, and what it could become. March’s activity shows that DDoS attacks are still growing in sophistication and intent."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.