New Zayo report analyses trends in DDoS attacks from 2023

Author: Isha Jain

Zayo Group, a global communications infrastructure provider, has released its annual Distributed Denial of Service (DDoS) Insights report, which found a significant increase in the intensity of DDoS attacks and their impacts on businesses in the second half of 2023.

According to new Zayo data, the average DDoS attack lasted 68 minutes in 2023. With unprotected organisations shelling out an average of £4,700 per minute of each attack, that totals a startling £325,000 average cost to businesses for DDoS attacks. 

A key driver to this enormous cost was the steep rise in the duration of DDoS attacks throughout the year. The average length of attacks surged by more than 400% from Q1 to Q4 of last year — from an average of 24 minutes to 121 minutes — signalling a worrying trend from both security and cost perspectives.

The astonishing volume of DDoS attacks in the first half of 2023 – up 200% from all of 2022 – seemed to have contracted in the second half of the year. Across all industries, comparing Q4 to Q1 2023, companies saw a 16% increase in attack activity. The outlook isn’t exactly rosy, however, volumetric attacks are being replaced by multi-vector attacks, spreading destruction more widely by targeting individual IP addresses, email systems, databases or web browsers, which are much harder to detect.

“What we’re seeing is that cyber crime is only getting savvier,” says Anna Claiborne, Senior VP of Network Connectivity at Zayo. “AI is presenting itself as a double-edged sword in this space. On one side of the blade, criminals are using AI to increase the sophistication of attacks and circumvent traditional defence mechanisms; on the other, mitigation platforms are using AI to dynamically identify and defend against new and emerging threats. As DDoS remains a profitable model for cyber criminals, attacks will continue to be a brutal inevitability for businesses. But luckily, DDoS protection is also rising to the occasion.”

Key findings by the industry:

• Telecommunications companies experienced the most frequent attacks, comprising about 40% of total attack volume with nearly 13,000 attacks in H2 2023.
• Retail and healthcare companies experienced the largest attacks in H2, with an average attack size of 2.5Gbps across companies in these two industries.
• Government entities once again experienced the longest attacks with the average attack duration increasing from four hours in H1, to 18 hours in H2, increasing by 322%. This is a 1,141% increase from Q1 to Q4 of 2023.
• Educational institutions accounted for 17% of all attacks last year, thanks in part to the ease and affordability of botnet-for-hire services combined with frequent gaps in the cyber security of the institutions. 

Why it matters:

DDoS attacks are here to stay, and cyber criminals are not discriminating over an organisation’s size, industry or business model. These attacks cost organisations thousands of dollars per attack, not to mention reputational harm and customer churn, and many of the factors contributing to a vulnerable environment, such as increased digitisation, political unrest and hybrid work, are not going away anytime soon. 

The sheer sophistication of these attacks, which are meticulously planned to hit during a business’ busiest time of day and often utilise automation, like bots, to make it easier, makes it a crucial time for organisations to have advanced, forward-thinking DDoS protection. For every company, it is not a matter of if, but when.

“Most people on the internet aren’t plotting a DDoS attack, but the internet is a big place and Dark Web crime is the fastest growing business on earth,” says Eric O’Neill, National Security Strategist at Carbon Black. “We’re in an attacker’s market and they are leveraging sophisticated technologies and cutting-edge techniques to innovate the way they deceive, disrupt and destroy our most critical data. To stop the attackers from gaining the upper hand, we need DDoS protection that is as easy and effective as turning on a switch.”