The Federal Bureau of Investigation has released a security notice that specifically warns emergency call centers against a new threat. FBI investigators have noticed that there is a high probability that telephony denial of service (TDoS) attacks are going to flood these centers with the intention of taking them offline. A TDoS attack is quite simple in its execution. Much like how a distributed denial-of-service (DDoS) attack floods a computer server with too many requests from multiple locations, a telephony denial-of-service attack floods a target that uses telephones in the same manner.

The security notice speaks of the threat as follows:

Public Safety Answering Points (PSAPs) are call centers responsible for connecting callers to emergency services, such as police, firefighting, or ambulance services. PSAPs represent key infrastructure that enables emergency responders to identify and respond to critical events affecting the public.

TDoS attacks pose a genuine threat to public safety, especially if used in conjunction with a physical attack, by preventing callers from being able to request service. The public can protect themselves if 911 is unavailable by identifying in advance non-emergency phone numbers and alternate ways to request emergency services in their area.

As for sources and motives of the potential TDoS attacks, the FBI does not single out specific sources. The notice states that hacktivists may use the TDoS to push their agenda, whereas cybercriminals may seek financial gain by holding the emergency call center hostage.

The FBI advises civilians to prepare for 911 outages by following these steps: See if text-to-911 is available in your area: save non-emergency contact numbers for fire, rescue, and law enforcement, sign up for automated emergency notifications from where you live (county, city, etc.) to be kept aware of incidents, and finally, find social media and other websites of emergency services in your area for potential point-of-contact.


Cybercriminals had a busy year in 2020, with rapidly increasing numbers of distributed denial of service (DDoS) weapons, widespread botnet activity, and some of the largest DDoS attacks ever recorded. As COVID-19 drove an urgent shift online for everything from education and healthcare, to consumer shopping, to office work, hackers had more targets available than ever—many of them under protected due to the difficulty of maintaining security best practices in an emergency scenario. At the same time, the ongoing rollout of 5G technologies has accelerated the proliferation of IoT and smart devices around the world, making unsuspecting new recruits available for botnet armies to launch crushing attacks on a massive scale.

In our ongoing tracking of DDoS attacks, DDoS attack methods, and malware activity, A10 Networks has observed a steady increase in the frequency, intensity, and sophistication of these threats, most recently in our State of DDoS Weapons Report for H2 2020, which covers the second half of the past year. During this period, we saw an increase of over 12% in the number of potential DDoS weapons available on the internet, with a total of approximately 12.5 million weapons detected. The good news is that proven methods of protection continue to be effective even as threat levels rise.

So how can organizations defend against this common and highly damaging type of attack?

Botnets drive DDoS attack levels to new heights

While organizations of all sizes fell victim to DDoS last year, two of the world’s largest companies made headlines for suffering unprecedented attacks. In June 2020, Amazon revealed a DDoS attack on its public cloud earlier that year that peaked at 2.3 Tbps, almost twice the size of the previous largest recorded attack. Soon afterwards, Google revealed details of an even larger DDoS attack that peaked at 2.5 Tbps. A10 Networks has also been privately notified of even larger attacks, underscoring the perennial threat and growing impact of this type of cybercrime.

Unlike other types of cyberattacks that depend on concealment, DDoS attacks aim to simply overwhelm an organization’s defenses with a massive flood of service requests delivered from a large number of sources. The distributed nature of the attack makes it especially difficult to repel, as the victim can’t simply block requests from a single illicit source.

In recent years, hackers have evolved their methods and broadened their base of attack by using malware to hijack vulnerable compute nodes such as computers, servers, routers, cameras, and other IoT devices and recruit them as bots. Assembled into botnet armies under the attacker’s control, these weapons make it possible for attacks to be sourced from different locations across the globe to suit the attacker’s needs. In the second half of 2020, the top locations where botnet agents were detected include India, Egypt, and China, which together accounted for approximately three-quarters of the total. Activity sourced from DDoS-enabled bots in India spiked in September 2020, with more than 130,000 unique IP addresses showing behavior associated with the Mirai malware strain. A10’s most recent State of DDoS Weapons Report explores our findings about the largest contributor to this botnet activity, a major cable broadband provider, which accounted for more than 200,000 unique sources of Mirai-like behavior.

Blocking botnet recruiters

The identification of IP addresses associated with DDoS attacks gives organizations a way to defend their systems against questionable activity and potential threats. To protect services, users and customers from impending DDoS attacks, companies should block traffic from possibly compromised IP addresses unless it is essential for the business, or to rate-limit it until the issue is resolved. Automated traffic baselining, artificial intelligence (AI), and machine learning (ML) techniques can help security teams recognize and deal with zero-day attacks more quickly by recognizing anomalous behavior compared with historical norms.

Another important step is to make sure that your organization’s own devices are not being recruited as bots. All IoT devices should be updated to the latest version to alleviate infection by malware. To detect any pre-existing infections, monitor for unrecognized outbound connections from these devices, and check whether BitTorrent has ever been seen sourced or destined to these devices, which can be a sign of infection. Outbound connections should be blocked as well. This will prevent the device from making the call required for the installation of malware such as mozi.m or mozi.a as part of the bot recruitment process.

Amplification attacks and how to prevent them

The scope of a DDoS attack can be vastly expanded through amplification, a technique that exploits the connectionless nature of the UDP protocol. The attacker spoofs the victim’s IP address and uses it to send numerous small requests to internet-exposed servers. Servers configured to answer unauthenticated requests, and running applications or protocols with amplification capabilities, will then generate a response many times larger than the size of each request, generating an overwhelming volume of traffic that can devastate the victim’s systems. Capable of leveraging millions of exposed DNS, NTP, SSDP, SNMP, and CLDAP UDP-based services, amplification reflection attacks have resulted in record-breaking volumetric attacks and account for the majority of DDoS attacks.

The SSDP protocol, with more than 2.5 million unique systems, led the list of amplification attack weapons exposed to the internet in 2020. With an amplification factor of over 30x, SSDP is considered one of the most potent DDoS weapons. The most straightforward blanket protection against such attacks is to simply block port 1900 traffic sourced from the internet unless there is a specific use case for SSDP usage across the internet. Blocking SSDP traffic from specific geo-locations where a high-level botnet activity has been detected can also be effective for more surgical protection.

As recent trends make clear, the DDoS threat will only continue to grow as rising online activity across sectors, a rapidly expanding universe of IoT devices, and increasingly sophisticated methods offer new opportunities for cybercriminals. Organizations should take an active approach to defense by closing unnecessary ports, using AI and ML to monitor for signs of compromise or attack, and blocking traffic from IP addresses known to have exhibited illicit behavior.


For many enterprises, 2020 was a tough year for cyberattacks, with dozens suffering from devastating DDoS attacks due to the newfound reliance on digital tools, according to a new report from cybersecurity firm Akamai.

In its report, “Retrospective 2020: DDoS was Back — Bigger and Badder than Ever Before,” the company found that it had more customers attacked in November 2020 than any prior month going back to 2016. The company had more customers attacked over 50Gbps in August 2020 than any month before, another record that dates back to 2016.

“In fact, across all attacks, 7 of the 11 industries we track saw more attacks in 2020 than any year to date. Think about that. This was led by huge jumps in Business Services (960%), Education (180%), Financial Services (190%), Retail & Consumer Goods (445%), and Software & Tech (196%),” the report said.

“During Cyberweek 2020 alone we saw: 65% more attacks launched against our customers vs Cyberweek 2019, the number of customers targeted was up 57% YoY, and threat actors launching attacks across an expanded industry base.”

Tom Emmons, Akamai’s principal product architect, said in an interview that he and other researchers observed a “significant evolution in DDoS attacks throughout 2020, maybe the most DDoS disruption of any year on record.”

For Emmons, the rise in the number of customers seeing attacks, the steady growth in large attacks, and the shift in industries targeted were startling and disturbing for him to see.

“As more and more activity moved online (work, shopping, learning, etc) due to COVID-19-related restrictions and behavioral adjustments, it made internet-facing infrastructure more important. Not long after COVID-19 hit, attacks started trending up and really just continued to accelerate as the year progressed. The basic idea here is the more important something is, the more likely to be attacked,” Emmons said.

“We saw attackers who clearly did their homework on scouting out targets in a well-coordinated manner. The most interesting thing the DDoS extortionists are doing is choosing good targets, and managing to get their emails and chats through to the right folks, navigating spam filters, and unread boxes.”

The report cites a number of record-breaking attacks, including a 1.44 Tbps attack against a major bank in Europe as well as an 809 Mpps attack on an internet hosting provider. According to the study’s findings, some of the largest DDoS extortion campaigns took place in 2020 and the numbers only continued to grow throughout the year.

Akamai reported that more of its customers were attacked than any other year on record since 2003, with one industry seeing a 960% increase in the number of attacks.

The steep increase in attacks was attributed to COVID-19, which forced almost every enterprise into using some form of digital tools in order to survive. Emmons also noted that there have been improvements in the tools used for DDoS attacks, allowing less experienced attackers to go after big targets.

When researchers mapped it out, the timing of the increases in attacks coincides perfectly with the start of the COVID-19 pandemic, particularly in Europe and the US.

“Customers and prospects shifted to focus on protecting VPNs and communications endpoints more than ‘generic’ data centers, as their risk profile and postures rapidly evolved,” the report said. “Looking back, as businesses across all industries had to adapt to remote work and the increasing reliance on internet connectivity, it’s clear that more and more types of organizations would be attractive and lucrative targets for DDoS threat vectors.”

The report adds that the complexity of the attacks was also concerning considering the number of attack vectors and botnet tools used. In 2020, Akamai reported that 65% of the DDoS attacks they dealt with involved “multi-vector assaults” and “as many as 14 different DDoS vectors were noted in a single attack.”

There was a significant increase in extortion-related DDoS attacks that began in August but the unnerving aspect for Akamai researchers was the specificity of the surveillance done before the attacks.

“A notable characteristic of this campaign was the level of reconnaissance conducted by the attackers prior to sending the extortion letters. The bad actors were highly targeted in their threats and wanted victims to know that they had uncovered specific weaknesses across internet-facing infrastructure or had identified revenue-impacting IPs that would be taken offline unless their Bitcoin extortion demands were met,” the report said.

“The 2020 campaign also signaled a significant shift in the types of industries typically targeted — a foreshadowing of future DDoS activity — with the threat actors pivoting from one vertical to the next depending on the week, in some cases circling back to organizations who had been previously victimized. As is the case with extortion, criminal rings won’t stop until arrests are made, and the fact that the extortion campaigns are ongoing indicates businesses are caving to their demands, which further incentivizes the activity.”

When asked about the motivations behind this increase in attacks, Emmons said most were generally launched for money, either through extortion or by attempting to damage an organization financially through disruption.

Society’s overwhelming reliance on digital tools made it easy for attackers to go after “low hanging fruit.”

The study notes that Akamai continues to see extortion-related attacks that led to a “record emergency onboarding of new customers,” with the report adding that this was a signal that the problem seems likely to persist well into 2021.

All signs point to continued DDoS attack growth. Not one of the indicators we track is flat or trending down,” Emmons said.

“We’ve got more new customers doing emergency integrations than ever, and the percentage of customers running always on vs. on-demand defenses is at an all-time high. When in doubt follow the customers.”


The healthcare sector should brace itself against an increase in cyberattack rates and a variety of attack vectors over the coming months, researchers have warned.

On Tuesday, cybersecurity firm Check Point released new statisticsthat show a 45% increase in cyberattacks since November against the global healthcare sector, over double an increase of 22% against all worldwide industries in the same time period.

According to the researchers, attack vectors employed by threat actors are wide-ranging; including distributed denial-of-service (DDoS) attacks, social engineering, botnets, phishing, and ransomware.

However, ransomware, in particular, is of serious concern.

We’ve already seen just how debilitating a ransomware attack wave can be. The WannaCry outbreak of 2017 locked up and disrupted operations for countless businesses worldwide, and in the past four years, ransomware has continued to grow in popularity due to how lucrative a criminal business it has become.

When it comes to hospitals, some providers will pay blackmail fees demanded by ransomware operators rather than risk patient care. The death of a patient due to a ransomware attack on a hospital has already occurred.

Check Point says that ransomware attack rates are surging against the healthcare sector. The Ryuk ransomware strain is now the most popular malware to deploy in these attacks, followed by Sodinokibi.

Overall, an average of 626 attacks was recorded on a weekly basis against healthcare organizations in November, in comparison to 430 in October. Central Europe has been hardest hit in the past two months, with a 145% increase in healthcare-related attacks, followed by East Asia, Latin America, and then the rest of Europe and North America.

Healthcare organizations in Canada and Germany experienced the largest surge in cyberattack rates at 250% and 220%, respectively.


Check Point says that the reason for the increase is financial, with threat actors seeking to cash in on the worldwide disruption caused by COVID-19. While bog-standard fraudsters are targeting the general public through phishing, emails, texts, and phone calls in coronavirus-related campaigns, other groups are hoping to profit through more debilitating attacks on core services.

“As the world’s attention continues to focus on dealing with the pandemic, cybercriminals will also continue to use and try to exploit that focus for their own illegal purposes — so it’s essential that both organizations and individuals maintain good cyber-hygiene to protect themselves against covid-related online crime,” the team says.


Kaspersky identified a significant increase in DDoS attacks year-on-year.

According to cybersecurity firm Kaspersky, it’s been a busy year for cybercriminals who favour DDoS as their method of attack.

The Russian firm’s DDoS protection tool reportedly blocked 44 percent more attacks in Q4 2019 than in the same period the previous year.

Sundays were also busier than ever, highlighting the ever present nature of the threat posed by cybercrime. More than a quarter (28 percent) of all attacks happened on weekends, and the share of attacks performed on Sundays grew by 2.5 percent (to 13 percent overall).

Despite DDoS attacks growing year-on-year, they haven’t risen dramatically quarter-on-quarter. There was a “marginal” 8 percent increase between Q3 and Q4 2019, Kaspersky says.

A more notable rise (27 percent) was spotted in so-called smart DDoS attacks, which focus on the application layer and are usually carried out by skilled attackers.

“Despite the significant growth in general, the season turned out to be quieter than expected,” said Alexey Kiselev, Business Development Manager on the Kaspersky DDoS Protection team.

“Attackers can still find a way to spoil your leisure time, as cybercrime is not an ordinary nine-to-five job, so it is important to ensure that your DDoS prevention solution can automatically protect your web assets.”