News page header image


Distributed denial-of-service attacks through the eyes of Evolink

Review of the past year 2022

Distributed denial of service attacks are gaining more and more popularity on the Internet. Such type of attacks aim at the exhaustion of technological resources in various layers of traditional network communication models. The most common target of attack is the organization’s corporate structure, as a group of compromised devices coordinately send illegitimate requests to the final destination. In this way, the goal is to exhaust the system resources of the organization's key equipment or to flood the network.

Having extensive experience and detailed statistics, network specialists from Evolink annually perform a detailed analysis of the most common attacks, new trends, as well as interesting facts about one of the most common hacker attacks, namely DDoS.

The attacks in 2022

All statistics in this document are solely from Evolink's monitoring and protection systems and concern the Internet traffic of the company's customers for the period December 2021 - November 2022.


The year in brief:

  • DDoS anomalies: 55,860 attacks
  • Volume of cleaned traffic: 9.4 PB
  • Maximum single attack capacity: 36.3Gbps


The total volume of malicious traffic filtered by Evolink's Anti-DDoS security platforms for the past 12 months is measured in Petabytes (1 Petabyte = 1000 Terabytes). The peak capacity of illegitimate packets during the attack was reported to be 36.3 Gbps. By comparison, standard Internet service today is usually between 100 and 1000 Mbps. An attack of this volume can repeatedly flood the network and system resources of the infrastructure.


Attack Type



DNS Size Abnormal



Location Attack



ACK Flood



UDP Flood









Global TCP Abnormal



DNS Format Error




 Types of DDoS attacks


One of the significant trends observed this year is the constantly increasing number of intense DDoS attacks with a capacity of over 5Gbps.

Number of DDoS attacks over 5G


There is also a growing trend of Amplification / Reflection attacks. Such attacks are performed whereas the perpetrators of the attack make requests to publicly available servers using the victim's IP address as the source identifier. In this way, the servers return a response to the real address of the final destination. The resources in question that "reflect" the requests of malicious users are most often "Domain Name", "Network Time Protocol" or WEB servers. This can be discovered when looking at the "source port" attribute of the Level 4 segment of the "Open Systems Interconnection" communication model. When we see a source port on UDP segment 53, it becomes clear that we are observing a DNS Amplification flood. The same applies to TCP port 21/80/443, from which we understand that FTP/HTTP/HTTPS communication protocols are used. TCP attacks can be of several types, with attackers typically taking advantage of the communication method and the various stages of the 3-way handshake required to establish a TCP session. Such type are SYN / ACK / SYN-ACK / FIN / RST flood.

We observe a growing number of multi-vector attacks as well. When attackers see that one type of attack is not working, they change their attack pattern and start using another type of servers for reflection or a different botnet network. Occasionally we observe several types of attacks using and/or targeting different resources at the same time. Evolink systems report a 70/30 ratio of Single-Vector / Multi-Vector attacks.

An interesting fact about "reflective" attacks is the resources that are used. In the first half of 2022 we observed a large number of attacks whose traffic mainly originates from "Universal Plug and Play (UPnP)" devices such as DVRs, cameras and printers. It is a good practice when using this type of equipment to change the standard ports for the management protocols and to configure a complex and long password with different characters and symbols.


DDoS time distribution


As can be seen in the statistics above, the most common duration of the attacks is under 30 minutes but attacks aiming to interrupt the connectivity of the end user for longer than an hour are also a significant share and should not be overlooked. The diagram on the other hand shows the time intervals during the day when malicious traffic is observed and as it indicates they are of equal values regardless of the time of the day.

Attempts to sabotage the network infrastructure before the end destination are increasing in number. Several devices are being attacked along the way to the end host, with the aim to overload the system resources of the network equipment and causing the victim to lose global network connectivity. Evolink advises following best practices for IP communication by configuring security policies where they are lacking.


  • Blocking incoming requests from RFC 1918 private IP addresses.
  • Prohibiting of access from DNS and NTP servers that are not strictly vetted and pre-approved.
  • Using RFC 1918 private IP addresses for IGP routing in the organization's backbone network.
  • Configuring of QoS policies to prioritize important traffic.
  • Checking and updating CoPP (Control Plane Policing) values in line with the resources of the network equipment used.


Back to all news