APAC

Asia-Pacific

One of the most notable observations for the region is a consistent fluctuation in attack volume around geopolitical events, whether those events take place in the region or attacks are launched in response to policies or statements on the international stage. As in other parts of the world, Asia-Pacific (APAC) saw increased attacks whenever support was voiced for either Russia or Ukraine, regardless of which side received that support.

In 1H 2022, we observed about 1.3 million DDoS attacks targeting organizations in the APAC region, a rate of attack that is virtually unchanged from 1H 2021. This equates to about 8,600 DDoS attacks per day, with a new attack launched every 10 seconds.

In many ways, APAC has been a bellwether for trends in the DDoS space, as evidenced by early increases in attacks on wireless telecommunications carriers and the weaponization of DDoS as a nation-state tool of choice. The same holds true for DDoS attack vectors: TCP-based attacks outpace every other vector in the region. In fact, almost every type of TCP-based attack now ranks above reflection/amplification attacks, which once held this dubious honor.

Key Findings

  1. Direct-path, botnet-sourced attacks surged in APAC, driven by TCP vectors (SYN, ACK, and RST floods, plus SYN/ACK amplification).

  2. Geopolitical tension between China and Taiwan heavily shaped the DDoS threat landscape.

  3. Taiwan received the largest number of attacks in a single day, while South Korea was the most targeted overall, with 26% of all DDoS attacks in the region.

APAC data was drawn from:

  • 35+ countries

  • 55+ industry verticals

  • 4,500+ autonomous system numbers (ASNs)

By The Numbers

Attack Count

About 1.3 million

A decrease of 9% from 2H 2021

Vector Analysis

APAC offers a useful snapshot of ongoing efforts to deploy source address validation (SAV, the anti-spoofing ingress filtering described in BCP 38) to drive down volumetric reflection/amplification attacks, which depend on spoofed source addresses. Throughout the past 18 months, TCP-based attacks have consistently been the vector of choice for adversaries. In 1H 2022, TCP SYN/ACK amplification even supplanted DNS amplification, which declined 38 percent.

Other prominent DDoS attack vectors during 1H 2022 included MS SQL amplification, mDNS amplification, memcached amplification, SNMP amplification, and CLDAP amplification. Of special interest is the rapid surge in exploitation of the new TP240 amplification vector (an exposed test facility in Mitel collaboration systems, CVE-2022-26143), which was jointly discovered and disclosed by NETSCOUT and multiple industry partners. While not one of the top attack vectors in the region, it nevertheless had a significant impact on affected organizations.

Viewed from the angle of trending vectors, the weight of TCP-based attacks in APAC is clear: pure UDP-based volumetric attacks have not exceeded TCP-based attacks in more than 18 months.

Note: Many attacks are multi-vector and combine TCP and UDP vectors, or some other combination. The accompanying graphic shows the proportion of distinct vectors used in attacks.

Country Analysis


Taiwan: Most DDoS Attacks in a Single Day

Although Taiwan was targeted in only 6 percent of observed DDoS attacks in APAC during the first half of the year, it was on the receiving end of the highest daily total of attacks in the region, at 3,598. This event occurred in late March, with Taiwanese wireline and wireless broadband ISPs, transit ISPs, and cloud-hosting providers withstanding most of the attacks. There were many vectors employed in this “day of DDoS,” but the most prominently featured were direct-path TCP-based attacks (SYN, ACK, and RST).

This daylong attack campaign coincided with public remarks at a policy seminar sponsored by Taiwan’s representative to the United States.

South Korea: Most Frequently Attacked

Fully 26 percent of all observed DDoS attacks in the region targeted South Korea during 1H 2022. Most of these attacks were directed toward broadband access provider networks, with the majority likely related to online gaming and intergroup/interpersonal disputes. Attack cadence in South Korea was consistent throughout this reporting period, with no significant spikes in attacks coinciding with national or regional events.

The highest-bandwidth DDoS attack targeting South Korea during 1H 2022 was a 325 Gbps attack that used direct-path TCP SYN and ACK floods. Most floods of this kind use small packets and are throughput-oriented (measured in packets per second); this attack instead used atypically large packets and was bandwidth-oriented (measured in bits per second). Large-packet TCP floods have grown in popularity over the past several years, and the increasing prevalence of TCP Fast Open (RFC 7413) makes the technique attractive to some attackers, because payload-bearing SYN and ACK packets are no longer automatically suspect.
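The distinction drawn above (small-packet, pps-oriented floods versus large-packet, bps-oriented ones, and why TCP Fast Open blurs the line) is easier to see with packets in hand. The following is an added example, not code from the NETSCOUT report: it parses raw TCP segments, treats a SYN that carries data without an RFC 7413 Fast Open cookie option (option kind 34) as suspect, and summarizes a constructed sample capture. The port numbers, the 8-byte dummy cookie, and the 1,400-byte padding are assumptions made for illustration.

```python
"""Added example (not from the NETSCOUT report): separate payload-bearing SYNs that
are legitimate TCP Fast Open (RFC 7413) from large-packet SYN-flood traffic.
All segments below are constructed by hand for illustration."""
import struct
from typing import Dict, List

FLAG_SYN, FLAG_ACK = 0x02, 0x10
OPT_EOL, OPT_NOP, OPT_TFO = 0, 1, 34   # RFC 7413 assigns option kind 34 to the Fast Open cookie


def parse_tcp(segment: bytes) -> Dict:
    """Parse a raw TCP segment (IP header already stripped) into flags, options and payload length."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4          # header length in bytes, including options
    flags = off_flags & 0x1FF                 # NS plus the eight classic flag bits
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad data offset")
    options: Dict[int, bytes] = {}
    i = 20
    while i < data_off:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_off:
            raise ValueError("truncated option")
        length = segment[i + 1]
        if length < 2 or i + length > data_off:
            raise ValueError("bad option length")
        options[kind] = segment[i + 2:i + length]
        i += length
    return {"sport": sport, "dport": dport, "flags": flags,
            "options": options, "payload_len": len(segment) - data_off}


def classify(segment: bytes) -> str:
    """Label a segment. A SYN carrying data without a Fast Open cookie option has no
    legitimate reason to exist and is the signature of a large-packet SYN flood."""
    p = parse_tcp(segment)
    if not p["flags"] & FLAG_SYN:
        return "not-syn"                      # ACK/RST floods are handled elsewhere
    if p["payload_len"] == 0:
        return "syn-plain"                    # classic small-packet SYN (flood or not)
    if OPT_TFO in p["options"]:
        return "syn-tfo"                      # RFC 7413: data on SYN is allowed with a cookie
    return "syn-payload-no-tfo"               # suspect: payload only inflates bytes per packet


def summarize(segments: List[bytes]) -> Dict:
    """Per-capture summary: average bytes per packet (bandwidth- vs throughput-oriented)
    and how many SYNs carry payload without TCP Fast Open."""
    if not segments:
        raise ValueError("empty capture")
    labels = [classify(s) for s in segments]
    return {
        "packets": len(segments),
        "avg_bytes": sum(len(s) for s in segments) / len(segments),
        "syn_plain": labels.count("syn-plain"),
        "syn_tfo": labels.count("syn-tfo"),
        "syn_payload_no_tfo": labels.count("syn-payload-no-tfo"),
    }


def build_segment(flags: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Construct a TCP segment for testing (ports, seq and checksum are dummy values)."""
    options += b"\x01" * ((-len(options)) % 4)        # NOP-pad options to a 32-bit boundary
    data_off = (20 + len(options)) // 4
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 0, (data_off << 12) | flags, 65535, 0, 0)
    return header + options + payload


# Constructed sample "capture": three plain SYNs, one Fast Open SYN, and five 1,400-byte
# padded SYNs of the kind that turn a pps-oriented flood into a bps-oriented one.
TFO_COOKIE_OPT = bytes([OPT_TFO, 10]) + bytes(8)   # kind 34, length 10, 8-byte dummy cookie
SAMPLE_FLOOD = (
    [build_segment(FLAG_SYN)] * 3
    + [build_segment(FLAG_SYN, b"GET / HTTP/1.1\r\n", TFO_COOKIE_OPT)]
    + [build_segment(FLAG_SYN, b"A" * 1400)] * 5
)

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOOD))
```

In practice the check runs over a packet capture or a sampled flow export. A cookie-bearing SYN is only as trustworthy as its cookie: a server under attack should still validate the cookie and fall back to a plain three-way handshake when it does not verify, rather than accepting SYN payload on trust.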


India

India was the second-most-attacked APAC country, targeted by nearly 16 percent of observed DDoS attacks during the reporting period. We noted significant variations in attack cadence against Indian targets during Q1 2022 that coincided with India’s diplomatic stance related to the Russia/Ukraine conflict. An additional spike in attack cadence at the tail end of the reporting period appears to coincide with the Indian presidential election scheduled for mid-July.

Largest Attack by Bandwidth

519 Gbps

Target

Wired + Wireless Telecommunications Carriers

Vectors

CLDAP amplification, DNS Query Flood, L2TP amp, MS SQL RS amp, NetBIOS amp, RIPv1 amp, rpcbind amp, SNMP amp

Largest Attack by Throughput

212 Mpps

Target

Wired + Wireless Telecommunications Carriers

Vectors

TCP ACK flood, DNS Query flood, and a small proportion of NTP amp and DNS amp


Hong Kong

Hong Kong received the third-highest share of attacks, about 15 percent of attacks for the reporting period. Attack cadence in Hong Kong largely tracks ongoing protests, arrests of prominent democracy advocates, and the appointment of Beijing loyalist John Lee as Chief Executive of Hong Kong.

Largest Attack by Bandwidth

550 Gbps

Target

Wireless Telecommunications Carriers

Vectors

NTP amp, SSDP amp, WS-DD amp

Largest Attack by Throughput

220 Mpps

Target

Wireless Telecommunications Carriers

Vectors

TCP SYN flood, TCP ACK flood, TCP RST flood, and some SSDP amp


China

China was the target of more than 11 percent of observed DDoS attacks in the region during 1H 2022. Significant increases in attack cadence occurred in early and mid-April; early and mid-May; and mid- and late June. These spikes in attack frequency appear to correlate with escalating tensions between China and Taiwan, China and Japan, and China and the United States.

Throughout the years, China has gained a reputation for deploying DDoS attacks as part of its nation-state cyber activities to disrupt communications or access to critical systems and services. It comes as no surprise, then, that many spikes in DDoS attacks across the country coincide with periods of intense geopolitical activism and events.

Most DDoS attacks against targets in China during the reporting period were directed toward cloud-hosting providers, wired and wireless telecommunications providers, online electronic retailers and distributors, and telecommunications-related resellers. Regarding cloud computing and hosting firms, the actual intended targets were likely end-customer organizations that utilize these services.


Singapore

Rounding out the top countries targeted by DDoS, Singapore accounted for approximately 9 percent of observed DDoS attacks against a wide variety of industries, with no apparent surges or spikes related to events within the country.

Industry Spotlight

Telecommunications

The telecommunications industry is always a focus for attackers, and the APAC region is no exception. In fact, the top four industries are all forms of communications, including wired carriers, wireless carriers, and cloud-based providers. Although attack frequency fluctuated, there has been a noticeable increase for more than a year in "all other telecommunications," a category that includes bring-your-own-device internet services and VoIP providers. Overall, this category grew 59 percent in 2021 and a further 31 percent in 2022, which moved it to third place for all attacks and dropped wireless telecommunications to fourth.



Internet Publishing and Broadcasting

We also saw a 72 percent increase in attacks against internet publishing and broadcasting services. Globally, this sector, which includes services such as Netflix and Zoom, has seen a decline that coincides with the easing of COVID-19 pandemic restrictions. That attackers continue to target this sector in APAC is interesting and suggests that adversaries are still finding success with such attacks in the region.

Note: Industry data and attack counts are based on a sampling of our data and aligned to the North American Industry Classification System (NAICS), whose labeling is often limited outside North America.

Conclusion

The Asia-Pacific region comprises more than 35 countries, but only 7 of them account for more than 75 percent of all DDoS attacks in the region. Many of these attacks, including surges and outliers, appear to coincide with geopolitical events within the region, showing how real-world events ripple into cyberspace. APAC is not unique in this respect: every region experienced similar echoes of real-world events, politics, and military movement that correlated with attack frequency. Security practitioners should learn from these events and prepare for DDoS attacks during significant national and international events that may draw the ire of political activists and would-be DDoS attackers.