Rad Ware

Report
2022
Global Threat
Analysis Report
Radware’s 2022 Global Threat Analysis Report reviews the year’s
most important cybersecurity events and provides detailed
insights into the attack activity of 2022. The report leverages
intelligence provided by Radware’s Threat Intelligence Team, and
network and application attack activity sourced from Radware’s
Cloud and Managed Services, Global Deception Network and
Threat Research team.
2022 Global Threat Analysis Report
Contents
Executive Summary ....................................................................................................... 3 Unsolicited Network Activity................................................................................ 28
Most Scanned and Attacked TCP Ports.................................................................... 29
Denial-of-Service Attack Activity......................................................................... 5
Most Scanned and Attacked UDP Ports...................................................................30
Attack Trends........................................................................................................................5
Attacking Countries.......................................................................................................... 31
Attack Sizes...........................................................................................................................6
Web Service Exploits....................................................................................................... 32
Regions and Industries......................................................................................................7
Top User Agents................................................................................................................ 33
The Americas.............................................................................................................8
Top HTTP Credentials...................................................................................................... 33
Europe, Middle East and Africa......................................................................... 10
Top SSH Usernames........................................................................................................34
Asia Pacific (APAC)................................................................................................ 12
Attack Protocols and Applications.............................................................................. 14 Appendix A.......................................................................................................................... 35
HTTPS Attack Vectors......................................................................................... 16
List of Figures................................................................................................................... 36
HTTP Attack Vectors............................................................................................ 16
Tables....................................................................................................................... 36
DNS Attack Vectors.............................................................................................. 17
IPv6 Attack Vectors.............................................................................................. 18 Methodology and Sources...................................................................................... 37
Attack Vector Characterization.................................................................................... 19 About Radware...................................................................................................... 37
Attack Complexity............................................................................................................ 21 Editors...................................................................................................................... 37
Network Scanning and Exploit Activity..................................................................... 22 Executive Sponsors.............................................................................................. 37
Log4Shell............................................................................................................................. 23 Production............................................................................................................... 37
Web Application Attack Activity......................................................................... 25

Security Violations............................................................................................................ 26
Attacked Industries.......................................................................................................... 27
Attacking Countries.......................................................................................................... 27
2 Contents
Executive Summary
During 2022, cybersecurity threats continued to evolve DDoS attacks continued to be a major issue. The cyber landscape was marked
and become more sophisticated. Ransomware by a sharp increase in malicious activities and DDoS attacks, particularly
targeting organizations in the financial, healthcare, and technology sectors.
continued to be a major issue, with many organizations
Radware’s Cloud DDoS Service recorded a 233% growth in blocked malicious
falling victim to these attacks. Cybercriminals increasingly targeted events compared to the previous year, with the number of DDoS attacks
cloud infrastructure and remote workers. Social engineering growing by 150%. The total attack volume reached 4.44PB, a 32% increase
attacks, such as phishing and business email compromise (BEC) from 2021. The largest recorded attack in 2022 was 1.46Tbps, a staggering
scams, remained popular among attackers. Additionally, a number 2.8 times larger than the largest attack recorded in 2021.
of high-profile data breaches resulted in the loss of sensitive The frequency of attacks also saw a significant uptick, with organizations
personal and financial information. In response to these threats, mitigating an average of 29.3 attacks per day in Q4 of 2022, a 3.5x increase
organizations and governments stepped up their efforts to compared to the previous year. EMEA was the most targeted region, with over
improve cybersecurity and protect against attacks. half of all attacks aimed at organizations located in the region. The financial
sector bore the brunt of the attacks globally, accounting for 52.6% of the
Distributed Denial of Service (DDoS) attacks have been a common and growing overall attack activity. The technology sector also saw a significant share of
threat for many years, causing significant disruption to organizations. In 2022, attacks at 20.3%, with healthcare third at 10.5%.
DDoS Attack Trend Highlights
Number of malicious events Total attack volume in 2022
1.5x 4.44PB
blocked by Radware’s
Cloud DDoS Service
233% The number of DDoS

attacks grew by 150%
An increase of 32%
compared to 2021
3 Executive Summary
The Americas saw a substantial increase in malicious activities, with a 328%

growth in blocked malicious events and a 212% increase in DDoS attacks
compared to 2021. The largest attack recorded in 2022 in this region was Web application and
1.46Tbps, 6.8 times larger than the largest attack of 214Gbps recorded in 2021.
The finance and healthcare sectors were the most targeted, with 31.5% and API attacks grew
23.9% of the overall attack activity, respectively.
exponentially throughout
In contrast, the EMEA region saw a decrease in attack volume of 44%. However,
the frequency of attacks increased with organizations mitigating an average of 2022, resulting in
45 attacks per day in Q4 of 2022, a 4x increase compared to the previous year.
The financial sector continued to be the most targeted, with 70.6% of the attack
an increase of 128%
activity, followed by the technology sector at 16%.
compared to 2021, a
The increase in cyberattacks in 2022 can be attributed to a number of geopolitical
events that took place during the year. The ongoing tensions between major significantly faster growth
world powers led to an increase in state-sponsored cyberattacks and espionage
activities. Additionally, the ongoing global shift towards digitalization and remote
compared to 88% growth
work due to the pandemic created new vulnerabilities for attackers to exploit. in 2021
Web application and API attacks grew exponentially throughout 2022, resulting
in an increase of 128% compared to 2021, a significantly faster growth compared
to the 88% growth in 2021. Predictable resource location attacks targeting the
hidden content and functionality of web applications accounted for almost half
of attack activity in 2022. Code injection and SQL injection attacks represented
more than a quarter of web application attacks. Retail & wholesale trade, high
tech and carriers represented 60% of all blocked web application attacks.
Overall, the threat landscape in 2022 was a complex and rapidly evolving one,
requiring organizations to have a comprehensive security strategy in place to
protect against the wide range of threats they faced.
4 Executive Summary
Denial-of-Service Attack Activity

The total number of malicious events blocked by Figure 1: Malicious events, DDoS attacks, volume and largest attack 2022 vs 2021
Radware’s Cloud DDoS Service in 2022 grew by 233%,
compared to 2021. The number of DDoS attacks grew
Attack Volume Number of DDoS Attacks Largest Attack Number of Malicious Events
Attack Volume Number of DDoS Attacks Largest Attack Number of Malicious Events
2022
by 150%. The total attack volume in 2022 was 4.44PB, an 2022 2022 2022
2022
2022
2022 2022
increase of 32% compared to 2021. The largest attack recorded in 2021
2022 was 1.46Tbps, 2.8 times compared to the largest attack of 2021
2021 2021 2021
2021
520Gbps in 2021.
2021 2021
Attack Trends DDoS Attacks per Customer

Throughout the year, the number of DDoS attacks per customer kept
increasing every quarter, from less than 1,000 attacks per quarter in Q4 of Figure 2 2500
2021 to over 2,500 attacks per customer in Q4 of 2022. By the end of 2022, Number of attacks
Number of Attacks
2000
the average number of attacks mitigated per customer increased by over per quarter,
normalized per
three times. For comparison, in 2021 the average number of attacks per
1500
customer
customer in Q4 of 2020 was slightly higher than the number of attacks in 1000
Q4 of 2021. The busiest quarter of 2021 (Q2) saw a rise of almost 50% in the 20Q4 21Q1 21Q2 21Q3 21Q4 22Q1 22Q2 22Q3 22Q4
average number of attacks per customer.
The trend for the number of attacks to increase is significant and concerning.
Attack Volume perCustomer
Customer
To put this in perspective, the number of attacks a customer witnessed per Attack Volume per
day at the end of 2021 was 8.41, compared to 29.3 attacks on average per day 15
15
by the end of 2022, a 3.5x increase. Figure 3

10
Yearly attack volume
The attack volume per customer did not grow at the same rate as the number
TB
per customer 10
of attacks. The average total attack volume per customer in 2022 was 15TB, a 5
TB
modest increase of 14.3% compared to 2021. 5
0
2021 2022
0
2021 2022
1. To calculate the average number of attacks per day, the average number of attacks per quarter is divided by 91 (number of days in a
quarter for 2 x 30 + 1 x 31)
5 Denial-of-Service Attack Activity

Attack Sizes
To compare the characteristics of attacks
Figure 4: Number of attacks by attack size bracket Figure 5: Change in number of attacks per attack size bracket
recorded in 2022 and 2021, these were divided for 2022 compared to 2021
into buckets by attack size bracket. An upper and
lower attack size defines each bracket and the Number of attacks by attack size Increase in 2022 attacks
attacks in the bucket. 1M

2021 100k
100k 2022
Compared to 2021, in 2022 there was a

10k
10k
count (log)
count (log)
1000
significant increase in the number of attacks 1000
100
100
below 10Gbps, and a moderate but not 10 10
insignificant increase in attacks above 250Gbps. 1

[0,1) [1,10) [10,50) [50,100) [100,250) [250,500) > 500
1
[0,1) [1,10) [10,50) [50,100) [100,250) [250,500) > 500
The average size of attacks above 500Gbps was Attack Size [Gbps] Attack Size [Gbps]
significantly larger in 2022.
Attacks in 2022 were pushed out from the center

to both ends of the attack size spectrum. The
increase in attacks was most significant at the The longest attacks seem to gather between
lower end of the attack size spectrum. In the
100 and 250Gbps, where on average the
center of the attack size spectrum, there was a
moderate decrease in attacks, while the higher attacks lasted 66 hours, or 2.75 days
end of the spectrum showed a moderate increase.
On average, smaller attacks tend to be shorter.

Attacks below 1Gbps last on average 4 minutes,
while attacks between 50 and 100Gbps last on Figure 6: Average attack duration per attack size Figure 7: Average attack size per size bracket
average 8.67 hours. The longest attacks seem
to gather between 100 and 250Gbps, where on Average duration per attack size Average Attack Size
average the attacks lasted 66 hours, or 2.75 days.
1000 2021
66.0 hours 2022
While the increase in the higher end of the attack

4000
800
Duration [minutes]
3000
size spectrum was less significant, the attacks

600
Gbps
2000
26.28 hours 400
did hit significantly harder compared to the 1000

7.12 hours 8.67 hours
17.59 hours
200
biggest attacks in 2021.

4.14 hours
4 mins
0 0
[0,1) [1,10) [10,50) [50,100) [100,250) [250,500) >500
[0,1) [1,10) [10,50) [50,100) [100,250) [250,500) > 500
Attack Size [Gbps]

Regions and Industries

In 2022, more than half of the attacks
Figure 8: Figure 9: Figure 10:
targeted organizations in EMEA. The Americas
Blocked attacks per region for 2022 Blocked attack volume per region for 2022 Most attacked industries in 2022
accounted for 35% of the attacks while 7.11%
of the attacks targeted APAC organizations.
The most significant attack volumes targeted

customers in the Americas, accounting
for 84% of the total attack volume. EMEA
customers, representing more than half of
the number of attacks, accounted for 15.2%
of the total attack volume.
Finance was the most attacked industry

in 2022, with 52.6% of the overall attack
activity and a frequency of attacks growing a
modest 2.4% compared to 2021. Technology
represented 20.3% of the overall attack
activity and suffered nearly the same Figure 11: Attack growth per industry in 2022, compared to 2021
number of attacks (+0.5%) compared to Finance was the
Attack Growth per Industry
2021. Healthcare was the third most
most attacked
attacked industry with 10.5% of attacks and
+72%
was slightly more frequently the target of 60 industry in 2022,

attackers (+1%) compared to 2021. Other with 52.6% of the
% increase
industries under attack in 2022 included

40
communications (4.47%), government (3.9%) 20

+22% overall attack activity
and a frequency of
+15%
and research & education (2.28%). +4.4% +3.6% +2.4%
+2.0% +1.9% +1.7% +1.0% +0.9% +0.7% +0.5% +0.3%
attacks growing 2.4%

0
Industrials were attacked 72% more often in Ind
ust
En
erg
Re
sea
Go
v
Ma
nu
Fin
an
E-C T C H
om ransp omm ealth utom tilitie echn
A U T Tel
e
-0.1% -0.6%
Re
tai
Ga
mi
ria y rch ernm fac ce m o u c o s olo com l ng
2022 compared to 2021. Energy and research
r n a t
compared to 2021
ls &E en tur erc tat ica re ive gy
du t i ng e ion tio
cat &L n s
ion og
& education were the second and third most
isti
cs
significant growth industries when comparing

attacks in 2022 to 2021.

The Americas
In 2022, the number of malicious events
Figure 12: Malicious events, DDoS attacks, attack volume and largest attack
targeting customers in the Americas blocked 2022 vs 2021, The Americas The number of
by Radware’s Cloud DDoS Service grew by
328%, compared to 2021. The number of DDoS Number ofofmalicious
Number events- Americas
malicious events - Americas Number ofofDDoS
Number DDoS attacks
attacks - -Americas
Americas DDoS attacks grew
attacks grew by 212%. The total attack volume by 212%. The total
in 2022 increased by 110% compared to 2021. 2022
attack volume in 2022
2022 2022
2022
The largest attack recorded in 2022 was
1.46Tbps, 6.8 times greater than the largest
2021
increased by 110%
2021 attack of 214Gbps.
compared to 2021.
2021
2021 2021
The average number of attacks per customer The largest attack

in the Americas ended 2021 with 603 attacks
per quarter and grew steeply to 1,420 attacks Attack
AttackVolume
Volume --Americas
Americas Largest
LargestAttack
Attack -- Americas
Americas
recorded in 2022
in Q1 of 2022. The number of attacks per was 1.46Tbps,
customer peaked at 2,142 per quarter in Q3
and ended with 1,831 attacks per customer
2022
2022
2022
6.8 times greater
than the largest 2021
2022
per quarter in Q4 of 2022. On average,
2021
organizations located in the Americas
2021 2021 attack of 214Gbps
mitigated 20.1 attacks per day2 in Q4 of 2022, 2021
a 3x increase compared to 6.6 attacks per day
in Q4 of 2021.
The average yearly attack volume blocked by

Figure 13: Average number of attacks per Americas organization, per quarter
Americas organizations increased by 88.1% in
2022 to an average of 34.44TB per customer. DDoS Attacks per Customer - Americas
2000
Number of Attacks
1500
1000
2. To calculate the average number of attacks per day, the average number of
attacks per quarter is divided by 91 (number of days in a quarter for 2 x 30 + 500
20Q4 21Q1 21Q2 21Q3 21Q4 22Q1 22Q2 22Q3 22Q4
1 x 31)

Finance was the most attacked industry in

Figure 14: Figure 15:
the Americas in 2022, with 31.5% of attack
Average yearly attack volume for Americas organizations Most attacked industries in the Americas in 2022
activity, and the frequency of attacks growing
in line with global growth of 2.4% compared Attacked Industries - Americas
to 2021. Healthcare represented 23.9% of Attack Volume per Customer - Americas

Healthcare
the attack activity, a slight increase of 1.7% 23.9%
compared to 2021. Technology was the third 30
most attacked industry in the Americas with

17.2% of the attacks, slightly more frequently 20
Technology Finance
TB
31.5%
the target of attackers (+1.5%) compared
17.2%
to 2021. Other industries attacked in the

10
Americas in 2022 included communications 0

Co
m
m
2021 2022
(12.3%), research & education (4.41%) and
u
12 nica
.3% ti
ons
Other
government (2.75%). 7.96% Government

2.75%
Research & Education
Industrials were attacked 72% more often 4.41%
in 2022 compared to 2021. Research &

education and government were the second Figure 16: Attack growth per industry in the Americas in 2022, compared to 2021
and third most significant growth industries

Attack Growth per Industry - Americas
when comparing attacks in 2022 to 2021.
+72%
60
% increase
40
20
+9.8%
+7.4%
+3.9% +3.6% +2.4% +2.2% +1.7% +1.7% +1.5%
0
-0.4%
Ind Re Go Ma Tel Fin Tra He Co Tec Re
ust sea ver nu ecom an n spo alt mm h no tai
ria rc n me fac ce hca un log l
ls h& turi rta re ica
Ed nt ng tio tio y
ucat n& ns
io Lo
n gisti
cs

Europe, Middle East and Africa

Figure 17: Malicious events, DDoS attacks, attack volume and largest attack
targeting EMEA customers blocked by 2022 vs 2021, EMEA
In 2022, the number
Radware’s Cloud DDoS Service grew by
158%, compared to 2021. The number of Number ofofmalicious
Number events- EMEA
malicious events - EMEA Number
NumberofofDDoS attacks- EMEA
DDoS attacks - EMEA of DDoS attacks
DDoS attacks grew by 140%. The total attack
2022
targeting EMEA
volume in 2022 decreased by 44% compared 2022 2022
organizations grew
2022
to 2021. The largest attack recorded in 2022
was 518.7Gbps, similar in size to the largest 2021 2021 by 140%. In Q4
2021 attack of 519.6Gbps. 2021 2021
of 2022, EMEA
The average number of attacks per customer
organizations blocked
in EMEA almost tripled between the first
and last quarter of the year. In Q4 of 2021, Attack
AttackVolume
Volume --EMEA
EMEA Largest
LargestAttack
Attack --EMEA
EMEA
on average 45 attacks
EMEA organizations mitigated on average
2021 2022
2022 2021
2021
per day, a 4x increase
1,029 attacks or 11.3 attacks per day3. In Q4 2021
of 2022, EMEA organizations mitigated on compared to Q4

average 4,093 attacks, or 45 attacks per day, 2022
of 2021
a 4x increase compared to Q4 of 2021. 2022
In 2022, the average yearly attack volume

blocked by organizations in EMEA decreased by
49.5% to an average of 6.50TB per customer.
Figure 18: Average number of attacks per EMEA organization, per quarter
DDoS Attacks per Customer - EMEA
4000
Number of Attacks
3000
2000
3. To calculate the average number of attacks per day, the average number of 1000
attacks per quarter is divided by 91 (number of days in a quarter for 2 x 30 +

1 x 31) 20Q4 21Q1 21Q2 21Q3 21Q4 22Q1 22Q2 22Q3 22Q4

In 2022, finance was the most attacked

Figure 19: Average yearly attack volume for EMEA organizations Figure 20: Most attacked industries in EMEA in 2022
industry in EMEA with 70.6% of the attack
activity. This represents a 2.6% rise year-over- Attacked Industries - EMEA
year, a slightly faster growth compared to the Attack Volume per Customer - EMEA
global rate of 2.4%. Technology represented Technology
Go 4.09
16%
ve
rn
16% of the attack activity, a slight decrease
me
Other
%
nt
3.6%
He
alt
of 0.1% compared to 2021. Government was
Research & Education h
1.28% 3.3 care
2%
10 Telecom
the third most attacked industry in EMEA

1.13%
with 4.09% of the attacks and the fastest
TB
5
growing industry with 11% more attacks
compared to 2021. Other notable industries
in 2022 included healthcare (3.32%), research 0
2021 2022
Finance
& education (1.28%) and telecom (1.13%). 70.6%
E-commerce and healthcare were the second

and third most significant growth industries
when comparing attacks in 2022 to 2021.
Figure 21: Attack growth per industry in EMEA in 2022 compared to 2021
Attack Growth per Industry - EMEA
+11%
10
8
+6.0%
% increase
6
+4.2%
4
+2.6%
+2.2% +2.1%
2 +1.2% +1.0% +0.9% +0.7%
0
-0.1% -0.2% -0.5%
Go E-C He Fin Ma En Tra Tel Au Uti Tec Re Ga
ver om alt an nu erg n spo ecom to mo liti h no tai mi
nme me hca ce fac y es log l ng
rce re turi rta tiv
nt ng tio e y
n&
Lo
gisti
cs

Asia Pacific (APAC)

Figure 22: Malicious events, DDoS attacks and largest attack 2022 vs 2021, APAC
targeting APAC customers blocked by
In 2022, the number of
Radware’s Cloud DDoS Service grew by 207%
compared to 2021. The number of DDoS Number ofofmalicious
Number events- APAC
malicious events - APAC Number
NumberofofDDoS attacks- APAC
DDoS attacks - APAC DDoS attacks targeting
attacks grew by 51%. The largest attack 2022
2022 APAC organizations
recorded in 2022 was 74.1Gbps, a third the 2022
size of the largest attack of 228Gbps in 2021.

2022
grew by 51%.
The average number of attacks per APAC 2021
2021
2021
In Q4 of 2022,
organization started 2022 slightly above 2021 organizations in
Q4 of 2021. The average number reached a
APAC mitigated on
minimum of 215 attacks per quarter in Q2 and
swiftly rose to an average of 1,110 attacks Largest
LargestAttack
Attack --APAC
APAC
average 12.2 attacks
per organization in Q4 of 2022. In Q4 of 2021, per day, a 2.7x
APAC organizations mitigated on average 405
attacks, or 4.5 attacks per day4. In Q4 of 2022,
2021
2021 increase compared
APAC organizations mitigated on average to Q4 of 2021
1,110 attacks, or 12.2 attacks per day, a 2.7x 2022
2022
increase compared to Q4 of 2021.
Figure 23: Average number of attacks per APAC organization, per quarter
DDoS Attacks per Customer - APAC
1200
Number of Attacks
1000
800
600
400
4. To calculate the average number of attacks per day, the average number of
attacks per quarter is divided by 91 (number of days in a quarter for 2 x 30 + 200
1 x 31) 20Q4 21Q1 21Q2 21Q3 21Q4 22Q1 22Q2 22Q3 22Q4

Technology was the most attacked industry in APAC in 2022, with Figure 25:
70.2% of the APAC attack activity representing a growth of 9.9% year- Most attacked industries in
over-year, a significantly faster growth compared to the global 0.5%. APAC in 2022
Finance represented 9.35% of the attack activity, a slight decrease of 0.4%
compared to 2021. Government was the third most attacked industry in
APAC with 7.92% of attacks, slightly up by 0.4% compared to 2021. Other
industries attacked in 2022 included retail (3.46%), healthcare (2.61%) and
communications (2.3%).
In 2022, APAC organizations in the manufacturing and technology industries

were attacked 10% more often compared to 2021. Communications and
retail were the third and fourth most significant growth industries when
comparing attacks in 2022 to those in 2021.
Figure 26: Attack growth per industry in APAC in 2022, compared to 2021
Attack Growth per Industry - APAC
+10%
+9.9%
10
% increase 4
+2.7%
+2.1%
2
+0.4%
0
-0.1% -0.4%
-0.8% -0.9% -0.9%
Ma Tec Co Re Go E-C Fin Tel He Ga
nu hno mm tai ver om an eco alt mi
fac log un l nme me ce m hca ng
turi y ica nt rce re
ng tio
ns

Attack Protocols and Applications

User Datagram Protocol (UDP) is by far the most leveraged protocol in DDoS
Figure 27: Protocols leveraged by attacks in 2022 Figure 28: Top targeted applications by volume
attacks. Because of its stateless character, UDP allows legitimate services
to be abused to send large volumes of unsolicited traffic to victims through Protocols by Packets Top Applications by Volume
reflection and amplification attacks. TCP SYN and out-of-state packets UDP
TCP
HTTP
DNS
can be leveraged for volumetric attacks, but TCP is typically the most used ICMP
IP
HTTPS
26%
HTTPS
NTP
protocol for exhausting resources on devices and servers.

GGP Memcached
IGMP SIP
DNS Chargen
TCP 26.4%
15.1% SSDP
HTTP, DNS, HTTPS and NTP were the most targeted applications. NTP
DHDiscover
SMTP
Online applications were the most obvious targets for attacks in 2022, ICMP
0.267%
5.75%
IP
representing 62.5% of the targeted applications. DNS represented 26.4% of

Memcached
0.078% UDP 2.92%
GGP 84.6% SIP
0.00015%
the targeted applications, unsurprising because DNS is an important way

1.52%
IGMP Chargen
0.00000831% 0.444%
of targeting online applications. If the name of a web resource cannot be

SSDP
0.327%
HTTP
DHDiscover
36.5%
resolved to an IP address through DNS, the resource will be inaccessible and

0.109%
SMTP
0.0531%
appear offline even though the service is available and able to process new
requests and transactions.
By a significant margin, the top attack vector was UDP flood (78.1%), Figure 29: Top attack vectors by packets
followed by UDP fragment flood (5.73%). TCP attacks through several
Top Attack Vectors by Packets
variations of flag attacks completed the vectors above 1% comprising TCP
SYN (5.53%), TCP Out-of-State (5.27%), TCP SYN-ACK (2.27%) and TCP RST
UDP Flood
UDP Frag
SYN Flood
(1.59%) floods. UDP Frag

5.73%
TCP Out-of-State
SYN-ACK Flood
RST Flood
NTP Amp
Attackers leverage amplification services that are publicly exposed on the SYN Flood
5.53%
DNS Flood
DNS-A Flood
internet. If it’s UDP and it is exposed to the internet, it can be weaponized

ICMP Flood
TCP Out-of-State
5.27%
for DDoS amplification attacks. The motivation to weaponize a specific

UDP Flood
SYN-ACK Flood 78.1%
2.27%
protocol depends on the amplification factor (AF) – the ratio between the RST Flood
1.59%
NTP Amp
size of the request and the reply – and the number of available or exposed 0.785%
DNS Flood
0.414%
services on the internet. A higher AF means a more efficient attack. More

DNS-A Flood
0.185%
ICMP Flood
exposed services represent a larger total aggregate bandwidth and a higher

0.181%
diversity in source IPs in the attack traffic, making detection (a little) harder.

Some of the most important and top amplification vectors and their
Table 1: DDoS amplification attack vectors
associated maximum amplification factor are listed in Table 1.
DNS amplification was the amplification attack vector that generated Amplification Vector Amplification Factor Port
the most volume in 2022, representing 77.1% of the total amplification NTP 500x UDP/123
volume. NTP amplification was the second most abused amplification DNS 160x UDP/53
attack vector, accounting for 13% of the volume. Smaller volumes were SSDP 30x UDP/1900
generated by Memcached, SSDP, Chargen, DHCP Discover (IPv6), NXNS, Memcached 50,000x UDP/11211
Chargen 1,000x UDP/19
ARMS, WSD and CLDAP.
ARMS 30x UDP/3283
CLDAP 50x UDP/398
DHCPDiscover 25x UDP/37810
SNMP 880x UDP/161
RDP 80x UDP/3389
CoAP 30x UDP/5683
mDNS 5x UDP/5353
WSD 500x UDP/3702, TCP/3702
Plex (PMSSDP) 5x UDP/32410
Figure 30: Top amplification attack vectors
Top Amplification Vectors
DNS Amp
NTP Amp
Memcached Amp
SSDP Amp
NTP Amp
13% Chargen Amp
DHCPDiscover Amp
NXNS Amp
Memcached Amp ARMS Amp
5.17% WSD UDP Amp
CLDAP Amp
SSDP Amp
2.25%
Chargen Amp
1.09%
DHCPDiscover Amp
0.709%
DNS Amp
NXNS Amp
77.1%
0.299%
ARMS Amp
0.226%
WSD UDP Amp
0.109%
CLDAP Amp
0.0841%

HTTPS Attack Vectors

HTTPS is still a crucial port for online web applications and services. Even
Figure 31: Top attack vectors targeting HTTPS
with QUIC (a UDP-based protocol) gaining traction, the most obvious
HTTPS
way to impact web applications and APIs is by targeting TCP port 443. Top HTTPS Attack Vectors by Packets
UDP floods are the number one attack vector leveraged against HTTPS UDP Flood
RST Flood
services were
services. While this might seem odd since HTTPS is TCP-based, there predominantly
SYN Flood
UDP Flood TCP Out-of-State
44.6%
is good reason to expect UDP floods. When the objective of an attacker

SYN-ACK Flood
targeted by
TCP Connection Flood
SSL-ClearText
is to flood the service and saturate the internet connection, UDP is the RST Flood
16.4%
NTP Amp
UDP Floods
tcp-zero-seq
preferred protocol as it can leverage multiple amplification services to tcp-ack-zero-ack-num
generate high-bandwidth attacks.
When targeting the web server itself, attackers will typically resort to TCP- SYN Flood
16.1% tcp-ack-zero-ack-num
based attack vectors such as RST, SYN, SYN-ACK, Out-of-State TCP floods,
2.05%
tcp-zero-seq
2.09%
or even TCP connection floods that send clear text (HTTP) to a service
NTP Amp
2.91%
TCP Out-of-State SSL-ClearText
expecting encrypted communications. 5.53% 3.23%

TCP Connection Flood
3.36%
SYN-ACK Flood
3.72%
HTTP Attack Vectors

While most internet communications used by B2B and e-commerce
Figure 32: Top attack vectors targeting HTTP
are encrypted, there is still a plethora of internet devices that expose
unencrypted HTTP services on the internet. Referred to as IoT (Internet of Top HTTP Attack Vectors by Packets
HTTP services
Things), these consist of modems, routers, and IP cameras. These typically SYN Flood
RST Flood
were most
unmanaged devices are left exposed by unaware home users or businesses targeted by TCP
UDP Flood
TCP Out-of-State
and are targeted by attackers for all kinds of malicious activities, including
tcp-ack-zero-ack-num
SYN floods
RST Flood SYN-ACK Flood
9.96% NTP Amp
exploiting compromised devices in large-scale botnets to conduct highly FIN-ACK Flood

UDP Frag
distributed denial-of-service attacks. UDP Flood

DNS Amp
8.26%
SYN Flood
While HTTP on port 80 should no longer be used in mission critical TCP Out-of-State
0.943%
79.1%
environments, there is still a good amount of DDoS activity targeting it. In tcp-ack-zero-ack-num
0.717%
SYN-ACK Flood
2022, the most common attack vectors included different types of TCP flag 0.349%
NTP Amp
0.231%
attacks such as SYN, RST, SYN-ACK, FIN-ACK, and Out-of-State floods, but FIN-ACK Flood
0.179%
UDP Frag
also amplified UDP-based floods. 0.168%

DNS Amp
0.132%

DNS Attack Vectors

The Domain Name System (DNS) is the forgotten cornerstone of the internet. It should be clear that DNS is both essential for ensuring the good working of
DNS is responsible for resolving hostnames into IP addresses. If DNS fails, the internet and critical for keeping businesses online. As such, DNS provides an
the online applications, services, and third-party web APIs many applications interesting target for attackers attempting to disrupt online businesses.
depend on become unavailable. While the root servers of the hierarchical DNS
Since DNS is UDP-based and unauthenticated, it can be leveraged as a DDoS
infrastructure can resist most attacks, the authoritative servers can be the
amplification service (see earlier discussion on page 14). Any type of query
subject of denial-of-service attacks. Taking out the authoritative DNS server of
resulting in large responses is preferred for amplification attacks. Considering
a domain will disable name resolution for the domain and result in inaccessible
that DNS primarily uses UDP for the client side, UDP floods and UDP
applications and services for that domain. In some attacks, the recursive caching
amplification attacks such as NTP amplification or DNS amplification will be the
DNS servers can be leveraged to amplify attacks against the authoritative
most effective way to disrupt service to clients.
domain servers, such as Pseudo Random Subdomain (PRSD) floods, also known
as the ‘DNS water torture’ attack.
Figure 33: Top attack vectors targeting DNS
Besides online web applications and APIs, DNS is one of the services most The Domain Name
targeted by DDoS attackers. DNS uses both TCP and UDP; TCP for zone Top DNS Attack Vectors by Packets
transfers between servers and UDP for name resolution and querying DNS Flood
DNS-A Flood
System (DNS)
servers for different types of records. The most common DNS record types DNS Flood
UDP Flood
Memcached Amp is the forgotten
are A, AAAA, CNAME, MX and TXT. A DNS A record provides the translation
44% NTP Amp
cornerstone of the
DNS-OTHER Flood
DNS-AAAA Flood
from a hostname to an IPv4 address. A DNS AAAA record provides the SYN Flood
internet. Taking
DNS-TEXT Flood
translation of a hostname to an IPv6 address. The DNS CNAME (Canonical

DNS-A Flood
22.6% DNS-SOA Flood
Name) record can be used as a hostname alias and points to the original
out the DNS server
hostname in the same or another domain or subdomain, but does not
translate to an IP address. The DNS Mail Exchanger (MX) record points to the UDP Flood
10.9%
DNS-SOA Flood
0.639%
DNS-TEXT Flood
of a domain will
SMTP email servers for the domain. The DNS text (TXT) record is a freeform result in inaccessible
NTP Amp 0.655%
5.61% SYN Flood
Memcached Amp 1.05%
record that can resolve to any configured string. Some spam prevention
10.7% DNS-AAAA Flood
applications and
1.06%
DNS-OTHER Flood
systems, such as the Sender Policy Framework (SPF), rely on TXT records to
2.82%
verify ownership of a domain. services for that

domain

IPv6 Attack Vectors

While IPv6 attack vectors represent less than 1% of the total attack activity in
Radware’s Cloud DDoS Service, it’s still worth understanding the top attack
vectors targeting IPv6-based protocols and applications.
As with its IPv4 counterpart, IPv6 is mainly leveraged in UDP and UDP
fragmentation floods. The number one application targeted with IPv6 is DNS
through several types of query floods. New IPv6 protocol features are also
subject of attacks, such as IPv6 Neighbor Discovery ICMP floods.
Figure 34: Top IPv6 attack vectors
Top IPv6 Attack Vectors by Packets
UDP Frag
UDP Flood
UDP Flood DNS IPv6 A Flood
23.1% TCP SYN Flood
d
oo
ICMP Flood
.4% Fl
19 6 A
DNS IPv6 OTHER Flood

Pv
SI
DNS IPv6 AAAA Flood

DN
DNS IPv6 PTR Flood

DNS IPv6 TEXT Flood
IPv6-ND-ICMP58-HOPLimi255-NS
TCP SYN Flood
3.19%
ICMP Flood
0.492%
DNS IPv6 OTHER Flood
0.223%
DNS IPv6 AAAA Flood
0.00227%
DNS IPv6 PTR Flood
0.000139%
DNS IPv6 TEXT Flood
0.0000516% UDP Frag
IPv6-ND-ICMP58-HOPLimi255-NS 53.6%
0.00000459%

Attack Vector Characterization Figure 35: Relative attack vector size evolution
A DDoS attack consists of one or more attack vectors. Attack vectors Relative attack vector size evolution
can change during an attack, increasing its complexity. In this section 5.29x
< 1Gbps
5
individual attack vectors are analyzed to understand and characterize the
1Gbps to 100Gbps
> 100Gbps
Number of vectors (relative)

nature of the DDoS attack threat landscape. 4 3.75x
3 2.75x
To compare the size evolution, attack vectors are split into three
categories based on their attack size, expressed in bits per second. Small 2 1.79x
1
attacks are those below 1Gbps, while large attacks are those above 1 1.31x 1.29x
100Gbps. By normalizing the number of vectors in each size category 2020 2021 2022
against 2020, their relative vector size evolution can be compared.

Figure 36: Average attack vector duration for TCP and UDP as a function of its bandwidth
The number of attack vectors below 1Gbps increased faster than
exponentially year-on-year, from just below 2x in 2021 to over 5x in 2022. Average vector duration
The number of attack vectors above 100Gbps increased almost 3x in 2021 150 UDP
and kept increasing, albeit at a slower than linear rate, to a 3.75x increase in TCP
Duration [minutes]
2022 compared to 2020. The number of mid-sized attack vectors, between 100
1Gbps and 100Gbps, remained relatively unchanged over time, with a 1.31x
increase in 2021 and ending with 1.29x increase in 2022 compared to 2020. 50
The average duration of an attack vector varies with the attack bandwidth 0
(bits per second) and the throughput (packets per second). The longest
[0,1) [1,10) [10,50) [50,100) >100
Vector bandwidth [Gbps]

attack vectors were also the biggest attack vectors in terms of bandwidth
and throughput. On average, UDP attack vectors above 100Gbps lasted
Figure 37: Average attack vector duration for TCP and UDP as a function of its packet rate
147 minutes or about 2.5 hours. In contrast, attacks above 100Gbps,
Average vector duration
consisting of an average of 9.32 vectors per attack (see below), lasted on
average between 18 and 66 hours (see Figure 6). 100 2021
2022
80
Duration [minutes]
60
40
20
0
[0,100) [100,10K) [10K,1M) [1M,100M) >100M
Packets per second [PPS]

The attack bandwidth is governed by the packet rate and the size of the
Figure 38: Average attack vector packet size for TCP and UDP as a function of its bandwidth
packets. Average packet size is an important metric to maximize the impact
Average packet size
of an attack depending on the resources available to the attackers or the
victims. Attacks will typically favor larger packets to increase the bandwidth UDP
TCP
of the attack when packet rates are constrained by the available processing
Packet Size [Bytes]

1000
resources. When attempting to exhaust the processing resources of network

components and servers, the packet rate will be the most effective tactic.
Consequently, bandwidth can be reduced by leveraging smaller packets
500
without impacting the effectiveness of the attack.

[0,1) [1,10) [10,50) [50,100) >100
Vector bandwidth [Gbps]
Figure 39: Average attack vector packet size for TCP and UDP as a function of its packet rate
Average packet size
1000 2021
2022
800
Paket size [bytes]

600
400
200
0
[0,100) [100,10K) [10K,1M) [1M,100M) >100M
Packets rate (PPS)

Attack Complexity
While a single attack vector can be devastating, attackers will typically leverage
multiple and dissimilar vectors to increase the impact and confuse detection to
make attack mitigation harder. When attackers leverage multiple amplification
Attacks above 1Gbps on average had more than two
servers and protocols, a single attack will consist of several dissimilar concurrent dissimilar attack vectors per attack which doubled
attack vectors. Attackers will also change attack vectors over time to evade in number for attacks above 10Gbps. Attacks above
mitigation by manually crafted access control lists. While changing attack vectors
is typically not sufficient to evade automated DDoS mitigation services, it can still 100Gbps had on average more than nine dissimilar
be effective against targets that have inadequate DDoS protection in place. attack vectors with the most complex attacks
An attack is considered more sophisticated or complex when it leverages a leveraging 38 dissimilar attack vectors
greater number of dissimilar attack vectors. Attacks that make use of multiple
concurrent or changing attack vectors will make mitigation harder. Fast shifts
and high numbers of concurrent vectors are impossible to mitigate without Figure 40: Number of dissimilar attack vectors per attack as a function of attack size
automated mitigation solutions. Number of dissimilar vectors per attack in function of attack size
The average complexity of attacks in 2022 increased along with the attack size. 40 38 Max
Since the average number of attack vectors in a single attack can’t be smaller Avg
30
Number of vectors
than one, smaller attacks exhibit a more isolated character as their average
27
25
vectors per attack becomes closer to this number. Attacks above 1Gbps on 20
19
average had more than two dissimilar attack vectors per attack which doubled 10
12
9.32
in number for attacks above 10Gbps. Attacks above 100Gbps had on average
5.66 5.06
2.68
1.04
more than nine dissimilar attack vectors with the most complex attacks 0
[0,1) [1,10) [10,50) [50,100) >100
leveraging 38 dissimilar attack vectors. Vector bandwidth [Gbps]

Network Scanning and Exploit Activity

Not all malicious events targeting exposed internet assets are DoS attacks. Unsurprisingly, the number one most blocked exploit in 2022 was Log4Shell.
Network intrusion attacks consist of easy-to-execute exploits based on known Disclosed by the end of 2021, Log4Shell took the internet by storm and exploit
vulnerabilities. These range from scanning using open-source or commercial activity grew to the number three most exploited vulnerability of 2021 within
tools to information disclosure attempts for reconnaissance, as well as path weeks. Log4Shell exploit activity remained a constant throughout 2022.
traversal and buffer overflow exploitation attempts that could render a system
The top 10 intrusions in 2022 had a good amount of overlap with those of
inoperable or allow access to systems and sensitive information.
2021 and even 2020. For example, the most blocked intrusion of 2020, ZmEu
When considering malicious events targeting the same assets and resources, vulnerability scans, only dropped to the second most blocked intrusion in 2021
the number of recorded intrusion events is typically larger than the number of where it remained throughout 2022.
DoS attacks. This difference in numbers should not be interpreted as assets
having to block more traffic from intrusions than from DoS events. Intrusions Figure 42: 2020 vs 2021 vs 2022 Top Network Intrusions
are typically smaller, consisting of one or few packets, compared to DoS 2021 Top Network Intrusions
2022 2022
TopTop
Network Intrusions 2020 2020
TopTop
Network Intrusions
events where a single event can consist of millions of packets and significant
Network Intrusions 2021 Top Network Intrusions Network Intrusions
Log4j2 CVE-2021-44228 HTTP-Reply-MS-IE-MalfrmdBMPBO HTTP-MISC-ZMEU-SCANNER
attack volume.
Log4j2 CVE-2021-44228 HTTP-Reply-MS-IE-MalfrmdBMPBO HTTP-MISC-ZMEU-SCANNER
HTTP-MISC-ZMEU-SCANNER HTTP-MISC-ZMEU-SCANNER DNS-named-version-attempt
ZMap Scan Log4j2 CVE-2021-44228 cmd32

HTTP-MISC-ZMEU-SCANNER HTTP-MISC-ZMEU-SCANNER DNS-named-version-attempt
DNS-Web Proxy Auto Discovery-Query SIP-Scanner-SIPVicious SIP-Scanner-SIPVicious
The number of intrusions in 2022 accounted for over two thirds of all blocked
ZMap Scan Log4j2 CVE-2021-44228 cmd32
HTTP-Reply-MS-IE-MalfrmdBMPBO DNS-named-version-attempt HTTP-MISC-masscan-Scanner
SIP-Scanner-SIPVicious cmd32 HTTP-IOT-BOTNET-SATORI-LIKED

DNS-Web Proxy Auto Discovery-Query SIP-Scanner-SIPVicious SIP-Scanner-SIPVicious
malicious events. In terms of volume, however, intrusions represented less than

DNS-named-version-attempt SMTP-MS-Excel-BO HTTP-SCANNER-XDEBUG-SESSION
HTTP-Reply-MS-IE-MalfrmdBMPBO
Web-etc/passwd-Dir-Traversal
DNS-named-version-attempt
Web-etc/passwd-Dir-Traversal
HTTP-MISC-masscan-Scanner
HTTP-Reply-MS-IE-MalfrmdBMPBO
Web-etc/passwd Web-etc/passwd HTTP-SQL-INJECTION-EXP2
0.04% of the total blocked attack volume.

SIP-Scanner-SIPVicious cmd32 HTTP-IOT-BOTNET-SATORI-LIKED
Log4j2 CVE-2021-44230 HTTP-Reply-MS-Excel-IMData-BO SQL-Inj-Pang-GMSSQLInt1
DNS-named-version-attempt SMTP-MS-Excel-BO HTTP-SCANNER-XDEBUG-SESSION
Web-etc/passwd-Dir-Traversal Web-etc/passwd-Dir-Traversal HTTP-Reply-MS-IE-MalfrmdBMPBO
SIP5 scanning leveraging a tool named SIPVicious was another strong performer
Web-etc/passwd Web-etc/passwd HTTP-SQL-INJECTION-EXP2
Figure 41: Malicious events by attack category Log4j2 CVE-2021-44230 HTTP-Reply-MS-Excel-IMData-BO SQL-Inj-Pang-GMSSQLInt1
across all three years. SIPVicious is a set of open-source security tools used to
Attack Categories by Event count Attack Categories by Volume
Intrusions 0.0378%
audit SIP-based Voice-over-IP (VoIP) systems. It allows discovery of SIP servers,
Intrusions
DoS
Intrusions
DoS enumeration of SIP extensions, and password brute-forcing and scanning
DoS
22.5%
for known vulnerabilities. SIP scanning activity was the fourth most blocked
intrusion in 2020 and 2021 and took a solid sixth place in 2022. The Malformed
BMP file buffer overflow vulnerability in Microsoft Internet Explorer moved from
an 8th place in 2020 to the most blocked intrusion in 2021, before declining to a
respectful 5th place in 2022. See Appendix A for a detailed description of the top
network intrusions.
Intrusions
77.5%
DoS
100%
5. SIP, or Session Initiation Protocol, is a protocol that can be used to set up and take down VoIP calls and can also be used to send
multimedia messages over the Internet using PCs and mobile devices.

Log4Shell
The December 9 2021 publicly disclosed log4j By December 15, a good amount of clear-text
vulnerability attracted huge attention across activity was blocked by freshly created and
Peaks of several tens of thousands
the security community. A vulnerability in a deployed Log4Shell signatures in Radware’s
commonly used Java logging library, this allowed network level DefensePro devices. Exploits of exploits per day were not
an unauthenticated attacker to leverage publicly leveraging encrypted transport and targeting exceptional. By the end of 2022,
available exploits for remote command execution web applications were detected and blocked by
(RCE). This was the most critical vulnerability of the WAF AppWall. AppWall detected Log4Shell a total of almost 13.5 million
2021, and some even argued it was the worst exploits at day one without requiring specific Log4Shell exploit attempts
vulnerability of the decade. signatures because the exploit was only possible
by using a URI to a secondary server detected as a
were blocked by Radware
While Radware assessed the vulnerability to be
Server-Side Request Forgery (CSRF) violation. Cloud services
easy to exploit, we also noted that performing
remote command execution was a more involved
process and harder to achieve. The remote
command would need to be executed in the Figure 43: Daily blocked Log4Shell activity in Radware Cloud WAF and Cloud DDoS Services
security context of the logging application, which
according to best practice should run as a limited
Blocked Log4Shell exploits per day (a total of 13,418,194 exploits blocked)
user. However, immediate action was required to 160k

Cloud WAF
DefensePro
close the vulnerability in applications, systems

and devices across the globe. The vulnerability 140k
could still allow attackers to escalate privileges 120k
on compromised systems, move laterally across

the network, and access backend databases and 100k
Log4j Events
information stores accessible by the application. 80k
Scanning and exploit activity was detected and 60k
blocked by the Radware Cloud WAF Service as

early as December 9, 6pm UTC, only hours after 40k
disclosure of the vulnerability. By December

10, scanning and exploit activity ran to several
20k
thousands of events per day. 0

Jan 2022 Mar 2022 May 2022 Jul 2022 Sep 2022 Nov 2022
Day

Log4Shell exploits were a constant in 2022. Peaks

of several tens of thousands of exploits per day
were not exceptional. By the end of 2022, a total
of almost 13.5 million Log4Shell exploit attempts
were blocked by Radware Cloud services.
As is the case with all vulnerability scanning

activity, a portion of the recorded events and
exploits originate from benign actors and
organizations performing internet-wide scans to
assess risks organizations might not be aware of.
Bug bounty programs were initiated to motivate
vulnerability researchers to discover vulnerable
services and organizations. While the numbers
are alarming, a portion of the activity can be
considered non-malicious. The size of that non-
malicious portion is unfortunately harder to
quantify since white, grey and black hat scanners
all use very similar attack methods. Some of the
white hat scanners were kind enough to identify
themselves through web application parameters
or user agent strings, but their identifiers
were inconsistent at best and do not allow us
to distinguish between benign and malicious
operations.

Web Application Attack Activity

The total number of web application transactions Figure 44
Malicious Web Application Transactions
blocked by the Radware Cloud WAF service grew 128% Yearly Blocked
from 2021 to 2022, faster compared to the 88% growth Web Application
Number of blocked transactions

Transactions
between 2020 and 2021.
During the first three quarters of 2021, the number of blocked transactions
steadily increased. In Q4 the number decreased but was still above the
quarterly levels recorded in 2020. The activity in every quarter of 2021 was 2020 2021 2022
above the activity in all quarters of 2020. In 2022, we saw an acceleration of

this growth trend every quarter. Web application and online API attacks are
growing exponentially.
Malicious Web Application Transactions
Figure 45
Web application transactions can be blocked by application-specific custom
Quarterly Blocked
2020
rules created by the security operation center (SOC), or by automated

2021
Web Application
2022
detection based on signature rules and behavioral algorithms. The remainder
Number of blocked transactions

Transactions
of this section will consider only transactions blocked by signature and
behavioral rules. This makes it possible to understand threats independent
of the specificities of protected applications while eliminating the potential
bias of customer-specific security policies. Figure 46 shows the total number
of blocked transactions and the share of transactions that were blocked by Q1 Q2 Q3 Q4
signature and behavioral detection modules. In 2022, 50% of the blocked web
transactions were based on known malicious behavior.
Total blocked web application transactions vs blocked by signature
Figure 46
Total blocked
Blocked Transactions
Signature Attacks
web application
transactions vs
Number of blocked events

transactions blocked
by signature
21 Q1 21 Q2 21 Q3 21 Q4 22 Q1 22 Q2 22 Q3 22 Q4
25 Web Application Attack Activity

Security Violations
The most important security violation – predictable resource location attacks
Figure 47: Top security violation types
featured in Figure 47 – accounted for almost half of all attacks witnessed in
2022. Predictable resource location attacks target the hidden content and Top Violation Types
functionality of web applications. By guessing common names for directories Code Injection
or files, an attack may be able to access resources that were unintentionally 14.4% Predictable Resource Location
Code Injection
exposed. Examples of resources that might be uncovered through guessing SQL Injection
techniques include backup data, configuration files with insufficient access Server Information Leakage
Cross Site Scripting
permissions, and yet-to-be-published, forgotten, or outdated elements of a SQL Injection Path Traversal
Security Misconfiguration
web application. Predictable resource location attempts cover several top web
10.9%
Server Misconfiguration
application security risks in the OWASP 2021 Top 106, but the #1 and most Unauthorized Access Attempt
URL Access Violation
important risk is ‘A01 Broken Access Control’. Server Information Leakage
Folder Access Violation
5.74% Buffer Overflow
Code and SQL injection attacks represent more than one quarter of all web
Application Information Leakage
File Upload Violation
Cross Site Scripting
application attacks. The earlier discussed Log4Shell exploit, leveraged by 4.8%
Predictable
most of the Java based online applications, contributed significantly to Path Traversal Resource Location
48.5%
4.3%
the number of code injections blocked in 2022. Together with Cross Site Security Misconfiguration
4.08%
Scripting, Code and SQL Injection were the top three attack vectors most Server Misconfiguration
File Upload Violation
0.152%
2.07%
often used by criminals against online web applications and APIs. Unauthorized Access Attempt
Application Information Leakage
0.255%
1.89%
Buffer Overflow
URL Access Violation
0.718%
1.12%
Folder Access Violation
1.08%
6. The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus
about the most critical security risks to web applications and is published by the OWASP® Foundation.

Attacked Industries Attacking Countries

The most attacked industries in 2022 were retail & wholesale trade (25.3%), Most blocked web security events originated from the United States (48.4%).
high tech (19.5%), and carriers (15.2%), together accounting for 60% of India, Italy, Russia, and the Netherlands completed the top five in 2022, not far
blocked web application attacks. ahead of Canada, Germany, the United Kingdom, France, and Japan.
It is important to note that the country where an attack originates does

not necessarily correspond to the nationality of the threat actor. Often, the
country where the attack originates will not be the home country of the
The most attacked industries in 2022 were retail threat actor. Threat actors leverage anonymizing VPNs, dark net routers and
& wholesale trade (25.3%), high tech (19.5%), and compromised systems as jump hosts to perform attacks. The originating
country of an attack will sometimes be chosen based on the location of the
carriers (15.2%), together accounting for 60% of target or the nation the threat actor wants to see attributed during false
blocked web application attacks flag operations.
Figure 48: Web application attacks by industry Figure 49: Top attacking countries in 2022
Top Attacked Industries (normalized) Top Attacking Countries
India
RETAIL & WHOLESALE TRADE 9.94%
HIGH TECH PRODUCTS & SERVICES United States
19.5% HIGH TECH PRODUCTS & SERVICES
India
RETAIL & WHOLESALE TRADE CARRIER
25.3% Italy
RETAIL Italy
Russia
8.13%
SAAS PROVIDERS
Netherlands
ONLINE COMMERCE & GAMING
Canada
EDUCATION
Germany
HEALTH CARE
United Kingdom
TRANSPORTATION Russia
France
BANKING & FINANCE 7.22%
United States Japan
MANUFACTURING
UTILITY 48.4% Turkey
CARRIER GOVERNMENT
1.62%
15.2% GOVERNMENT UTILITY
Netherlands
2.28% 5.79%
MANUFACTURING
2.77%
BANKING & FINANCE
3% Canada
5.64%
TRANSPORTATION
3.05%
RETAIL HEALTH CARE Germany
8.77% 3.31% 4.78%
EDUCATION United Kingdom
SAAS PROVIDERS 3.33% 3.97% Turkey
7.32% ONLINE COMMERCE & GAMING France 0.628%
4.56% 3.12%
Japan
2.44%

Unsolicited Network Activity

The Radware Global Deception Network (GDN) Figure 50: The number of events per month recorded by Radware’s GDN
consists of a network of globally-distributed
Number of Events
sensors that collect data on unsolicited traffic and
attack attempts. Unsolicited events include DDoS backscatter
and spoofed and non-spoofed scans and exploits. 300M
The major difference between the GDN events discussed in this section
events
200M
and the web application and DDoS attack events in previous sections, is the
100M
unsolicited nature of the events. Web application and DDoS attack events
were collected from real-world services accessible via the internet. In the 0
latter case, attackers are targeting a particular organization or a specific Jan 2021 Apr 2021 Jul 2021 Oct 2021 Jan 2022 Apr 2022 Jul 2022 Oct 2022
application or service. By contrast, the unsolicited events recorded by

the GDN are random acts. The scans or attacks are not targeting known
services or a particular organization. The IP addresses of the sensors in the
Figure 51: The number of unique IPs per month registered by Radware’s GDN
GDN are not published in DNS and do not provide accessible applications
or services. No client, agent or device has a legitimate reason to reach a Number of unique IPs
Radware GDN sensor. 1M
In 2022, the Deception Network collected a total of 2.65 billion unsolicited 0.8M
events, an average of 7.3 million events per day. Compared to 2021, the 0.6M
unique IPs
total number of events in 2022 decreased slightly by 8.21%.
0.4M
The number of unique IP addresses provides a measure for the evolution of

0.2M
the number of malicious hosts and devices randomly scanning the internet
and exploiting known vulnerabilities. In 2022, the deception network 0
Jan 2021 Apr 2021 Jul 2021 Oct 2021 Jan 2022 Apr 2022 Jul 2022 Oct 2022
registered an average of 52,860 unique IPs per day. A total of 12.75 million
unique IPv4 addresses were recorded in 2022, representing 0.34% of the
3.7 billion IPv4 addresses available for non-reserved use on the internet. In
other words, one in every 290 potential devices on the internet was caught
doing something unexpected in the deception network.
28 Unsolicited Network Activity

Most Scanned and Attacked TCP Ports

For TCP services, the most attacked service was
Figure 52: Top scanned and attacked TCP ports, 2021 vs 2022
SSH on port 22, followed by Telnet and HTTP. The
top 10 is completed by Redis, HTTPS, RDP, SMB 2021 Top Scanned Ports - TCP 2022 Top Scanned Ports - TCP
and VNC, followed by two popular IP camera web SSH 505,989,471 SSH 451,757,212
UI ports, 8088 and 8080. HTTP (8088) 93,883,992 Telnet 97,277,783
RDP 90,460,877 HTTP 73,277,243
While Telnet was a favorite of the Mirai botnet VNC 83,977,664 Redis 71,240,941
for a long time, the number of access attempts SMB 60,576,573 HTTPS 68,398,455
on SSH surpassed Telnet by a good margin. HTTP 52,429,150 RDP 58,231,272
SSH attacks are leveraged in account takeover HTTPS 43,382,737 SMB 56,073,035
and brute force attempts. Leveraging default

Telnet 28,400,910 VNC 53,733,142
credentials or leaked credentials, attackers

SMTP 25,972,860 HTTP (8088) 51,640,943
Redis 24,004,407 HTTP (8080) 44,438,215
try to get unauthorized access to devices and

systems to move laterally across organizations’
networks, abuse the resources of cloud instances build a botnet. The malware mimicked the Redis Server Message Block (SMB) is a popular file and
for cryptomining, leverage the foothold as protocol to communicate with its command & printer sharing protocol leveraged by Microsoft
a jump host to anonymize targeted attacks, control (C2) infrastructure. The objective of the in Windows and many Linux implementations
plant cryptolocking malware for ransomware botnet and the attackers remains unknown. through Samba or the more recent ksmbd kernel
campaigns, or hijack the devices’ connectivity to service. In December, a critical vulnerability with a
Remote Desktop Protocol (RDP) is a proprietary
perform DDoS attacks. CVSS score of 10 was disclosed that could enable
protocol developed by Microsoft which provides
remote attackers to execute arbitrary code on
Redis (port 6379) is an open-source (BSD a user with a graphical interface to connect to
Linux servers exposing the SMB protocol from
licensed) in-memory data structure store used another computer over a network connection. RDP
Linux servers with ksmbd enabled.
as a database, cache and message broker. In is still a regularly exposed remote access protocol
March, the Muhstik malware gang was actively in remote location for industrial control systems Virtual Network Computing (VNC) is a graphical
targeting and exploiting a Lua sandbox escape (ICS) and became more exposed as people worked desktop sharing system that uses the Remote
vulnerability in Redis, tracked as CVE-2022-0543, remotely during the COVID pandemic. RDP is one Frame Buffer protocol (RFB) to remotely control
after the release of a proof-of-concept exploit. In of the favorite initial attack vectors leveraged by another computer. It transmits the keyboard and
December, a previously undocumented Golang- Initial Access Brokers (IAB), who purchase and mouse input from one computer to another, relaying
based malware, dubbed Redigo, was targeting exploit leaked accounts from underground forums the graphical screen updates over a network.
Redis servers aiming to take control of systems to gain access to organizations, subsequently
vulnerable to CVE-2022-0543, most likely to installing cryptolocking ransom malware.

Most Scanned and Attacked UDP Ports

With the exception of LDAP moving down a
Figure 53: Top scanned and attacked UDP ports, 2021 vs 2022
few positions in the top ten, the top eight most
scanned and attacked UDP ports remained 2021 Top Scanned Ports - UDP 2022 Top Scanned Ports - UDP
identical between 2021 and 2022. SIP (port 5060) SIP 2,357,786 SIP 3,289,085
was again the most targeted UDP-based service NTP 1,635,179 NTP 1,717,137
in 2022. Port 5060 is used by many SIP-based Memcached 1,098,456 Memcached 1,046,250
VoIP phones and providers. VoIP remains critical LDAP 940,094 SSDP 704,972
to organizations to ensure their productivity and

SSDP 575,958 SNMP 702,738
SNMP 536,140 mDNS 504,962
for this reason also made the charts as one of the NetBIOS 288,489 LDAP 503,164
most targeted services for DDoS attacks in 2021. MSSQL 279,167 MSSQL 423,948
Vulnerabilities and weak or default passwords in mDNS 263,746 NetBIOS 382,165
VoIP services allow attackers to abuse them for Port 5070 246,997 CoAP 340,755
initial access, spying, and moving laterally inside

organizations’ networks. CoAP (port 5683) is a new addition to this
NTP (port 123), Memcached (port 11211), SSDP/

year’s top 10 most scanned and attacked UDP NTP (port 123), Memcached (port
ports. Constrained Application Protocol (CoAP)
UPnP (port 1900), SNMP (port 161), mDNS (port
is a specialized Internet application protocol for 11211), SSDP/UPnP (port 1900),
5353), and LDAP (port 389) are among the most
abused protocols for DDoS amplification attacks.
constrained devices, as defined in RFC 7252. SNMP (port 161), mDNS (port
CoAP is designed for use between devices on the
Many black and white hat actors are continuously
same constrained network (e.g., low-power, lossy
5353), and LDAP (port 389) are
scanning and cataloging the internet’s
networks), between devices and general nodes among the most abused protocols
addressable range to abuse for DDoS attacks
on the internet, and between devices on different
(black hat) or assess the risk in the DDoS threat for DDoS amplification attacks
constrained networks connected via the internet.
landscape (white hat).
CoAP is also one of the most popular services with systems prior to Microsoft Windows 2000
MSSQL (port 1434) is used by the Microsoft SQL targeted by attackers in DDoS amplification attacks. which require name resolution through WINS.
Server database management system monitor. Otherwise, internet name resolution is done via
NetBIOS (port 137) defines a software interface
It is abused through remote code execution DNS. Openly accessible NetBIOS name services
and a naming convention. NetBIOS includes a
vulnerabilities and is known for the W32.Spybot. can be abused for DDoS reflection attacks against
name service, often called WINS on Microsoft
Worm that spread through MSSQL Server 2000 third parties. Furthermore, they allow potential
Windows operating systems. The NetBIOS name
and MSDE 2000 from the early 2000s onwards. It attackers to gather information on the server or
service is only needed within local networks and
remained a very solicited port in 2021. network for the preparation of further attacks.

Attacking Countries
The top countries from which unsolicited network
activity originated in 2022 were the United States,
The top countries from which
Russia, China, the Netherlands, and the United
Kingdom. However, as mentioned earlier, the real unsolicited network activity
origin of an attack can be spoofed to impersonate originated in 2022 were the
attacks from a different country.
United States, Russia, China,
Figure 54: Top attacking countries the Netherlands, and the
Top Attacking Countries
United Kingdom
United States
Russia
Russia China
15.5% Netherlands
United Kingdom
Hong Kong
Bulgaria
Germany
United States Singapore
China 42.5%
South Korea
14.6%
Netherlands
6.75%
4.1 ong
K
%
United Kingdom
Bulgaria
ng
Germany
4.09%
Ho
4.21%
3.5%
South Korea
2.16%
Singapore
2.57%

Web Service Exploits

The top attacked HTTP Uniform Resource Identifiers (URI) were led by ‘/’, /ws/v1/cluster/app/new-application
the universal URI for testing the presence of a web service and collecting A known vulnerability used to exploit Hadoop YARN services and schedule arbitrary workloads on
Hadoop clusters. An exploit abused by many cryptojacking campaigns that try to leverage the cloud
information from header fields in server responses. There is a significant instances of enterprises and research institutions illegitimately. Was #2 in 2021.
difference in the top targeted URIs for unsolicited events compared to the /level/15/exec/-/sh/run/CR
top targets in web application attacks where services are supporting real In Aug 2002 Cisco released IOS 11.2 for Cisco routers that offered an HTTP interface allowing a user to
applications. This section covers unsolicited events, meaning there is no real execute commands directly from a URL. Today, attackers are still trying to find Cisco routers without
application or service running on the web server. The top URIs need to be authentication on the HTTP interface. Many routers have been deployed without changing default
passwords or basic hardening practices allowing such opportunistic behavior by threat actors to bear
interpreted as the top services and applications that are targeted by actors that fruit. Was #5 in 2021.
are randomly scanning and exploiting the internet. Typically, a URI will conform /manager/html
with a known and disclosed vulnerability. Apache Tomcat Manager Application Upload Authenticated Code Execution vulnerability. This
module can be used to execute a payload on Apache Tomcat servers that have an exposed
‘manager’ application. The payload is uploaded as a WAR archive containing a JSP application using a
Figure 55: Top scanned URI POST request against the /manager/html/upload component. Was #4 in 2021.
Top URI /v1.16/version
/
26,445,640 Used by threat actors to identify the available Docker API version through invoking a command for an old
/ws/v1/cluster/apps/new-application
version. Used by cryptocurrency miners for abusing containers through the Docker API. Was #6 in 2021.
/nice%20ports%2C/Tri%6Eity.txt%2ebak
6,901,732
/level/15/exec/-/sh/run/CR
3,014,431 Request for “/nice ports,/Trinity.txt.bak” is used by Nmap’s service detection routine to test how a
/.env
server handles escape characters within a URI. Was #10 in 2021.
/ctrlt/DeviceUpgrade_1
2,038,146
/manager/html
1,349,097
Huawei HG532 routers Remote Code Execution vulnerability, CVE-2017-17215.
login.cgi
1,160,507
/v1.16/version
1,043,277
*
516,749
/nice%20ports%2C/Tri%6Eity.txt%2ebak
438,083
/ctrlt/DeviceUpgrade_1
413,618

Top User Agents

In HTTP, the user-agent string is often used for content negotiation, where
Figure 56: Top user agents
the origin server selects suitable content or operating parameters for the Top User Agents
response. For example, the user-agent string might be used by a web server Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
to choose variants based on the known capabilities of a particular version 4,464,867
of client software, and to differentiate its interface for smartphones or

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36
4,163,087
desktop browsers. The concept of content tailoring is built into the HTTP python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1160.45.1.el7.x86_64
3,045,759
standard in RFC1945. Mozilla/5.0 zgrab/0.x

2,826,295
As such, the user-agent field in a web request can be used to identify the Linux Gnu (cow)
1,174,282
client agent that makes the request. Some malicious actors are aware of this Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
identifying feature being used to score the legitimacy of a web request by

816,125
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36
web security modules. This causes them to mask their origins by randomly 800,372
Go-http-client/1.1
generating and changing the user-agent to known legitimate values. 799,056
Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.95 Safari/537.36
Commercial and open-source web service vulnerability scanning tools can 747,522
python-requests/2.6.0 CPython/2.6.6 Linux/2.6.32-754.35.1.el6.x86_64

be identified through their user agent, such as ‘zgrab’, the application-layer 680,174
network scanning component of the Zmap open-source scanning tool.
Top HTTP Credentials

Not all web service vulnerabilities can be exploited without authenticating. Figure 57: Top HTTP credentials
Some web services have widely used defaults and some even have hard- Top HTTP Credentials
coded secrets to protect access from unauthorized users or devices. Typically, admin:admin
weak passwords are combined in credential pairs such as ‘admin’, ‘password’,

admin:
‘1234567890’, or no password. These weak password permutations make up

admin:123456
nine of the top 10 credentials. These are universally agreed to be the worst
credentials and are abused because they provide access to devices that did
admin:password
not have their default credentials changed during installation.

admin:1234
admin:12345
The credential ‘report:8Jg0SR8K50’ is hard-coded in digital video admin:123
recorders (DVRs) from vendor LILIN and was publicly disclosed in March admin:1234567890
2020. DVRs are ubiquitous in the IoT landscape, as are the security report:8Jg0SR8K50
cameras that feed them. 0 10k 20k 30k 40k 50k 60k 70k 80k 90k

Top SSH Usernames

The top usernames used during SSH authentication give an indication of the
Figure 58: Top SSH usernames
services most vulnerable to brute forcing. Amongst the top 10 are ‘postgres’,
Top SSH Usernames
‘oracle’, ‘ftpuser’, ‘git’, and ‘mysql’. The others are the most leveraged
usernames by administrators for default accounts, for example, ‘admin’, ‘user’,
admin
‘test’, ‘guest’, and ‘testuser’.
user
test
postgres
oracle
ftpuser
git
guest
mysql
testuser
0 0.5M 1M 1.5M 2M 2.5M 3M 3.5M 4M

Appendix A
Radware ID Classification CVE
Log4j2 CVE-2021-44228 RCE CVE-2021-44228
Log4j remote code execution vulnerability, also known as Log4Shell – A JNDI Injection vulnerability has been reported in the
JndiManager class of Apache Log4j. This vulnerability is due to improper handling of a logged error. A remote, unauthenticated attacker
who can control log messages or log message parameters can exploit this vulnerability by sending a specially crafted parameter to the
target application. Successful exploitation results in the target server retrieving a potentially malicious serialized object from an attacker-
controlled server which may lead to the execution of arbitrary code in the security context of the affected server.
SIP-Scanner-SIPVicious Scanning --
SIPVicious is a SIP information gathering and scanning tool. It detects SIP devices, identifies active extensions on a PBX, and the
existence of known vulnerabilities.
HTTP-Reply-MS-IE-MalfrmdBMPBO Buffer Overflow CVE-2004-0566

Microsoft Internet Explorer Malformed BMP File Buffer Overflow – A vulnerability in the Microsoft Internet Explorer application that
could allow a malicious website to execute arbitrary code when a specially crafted BMP file is loaded.
HTTP-MISC-ZMEU-SCANNER Scanning --
ZmEu is a vulnerability scanner which searches for web servers that are vulnerable to attacks. It also attempts to guess passwords
through brute force methods which may lead to DoS.
DNS-named-version-attempt Information disclosure --

IQUERY version on named – The Bind named DNS service is vulnerable to an information disclosure attack allowing an attacker to
determine if the server supports IQUERY requests. The information disclosed contains server version information.
Web-etc/passwd-Dir-Traversal Information disclosure CVE-2021-41733

‘../../etc/passwd’ file access with Directory Traversal – Various web servers may be vulnerable to an information disclosure attack
that occurs when the webserver is misconfigured or contains coding errors that allow access to sensitive files. A recently discovered
vulnerability in Apache HTTP Server (CVE-2021-41733) started being actively exploited in the wild in October 2021. This vulnerability was
introduced in a recent version of Apache (2.4.49). Users running older versions of Apache are not currently affected. The fix for CVE-2021-
41733 in 2.4.50 was found to be insufficient, leading to a second, new vulnerability (CVE-2021-42013) that Apache is now reporting. As a
result, version 2.4.51 was released to fully address the issue.
35 Appendix A
List of Figures
Figure 1: Malicious events, DDoS attacks, attack volume and largest attack 2022 vs 2021.......5 Figure 32: Top attack vectors targeting HTTP.............................................................................................16
Figure 2: Number of attacks per quarter, normalized per customer......................................................5 Figure 33: Top attack vectors targeting DNS................................................................................................17
Figure 3: Yearly attack volume per customer.................................................................................................5 Figure 34: Top IPv6 attack vectors.................................................................................................................. 18
Figure 4: Number of attacks by attack size bracket.....................................................................................6 Figure 35: Relative attack vector size evolution..........................................................................................19
Figure 5: Change in number of attacks per attack size bracket for 2022 compared to 2021.......6 Figure 36: Average attack vector duration for TCP and UDP as a function of its bandwidth.........19
Figure 6: Average attack duration per attack size.........................................................................................6 Figure 37: Average attack vector duration for TCP and UDP as a function of its packet rate.........19
Figure 7: Average attack size per size bracket................................................................................................6 Figure 38: Average attack vector packet size for TCP and UDP as a function of its bandwidth......20
Figure 8: Blocked attacks per region for 2022...............................................................................................7 Figure 39: Average attack vector packet size for TCP and UDP as a function of its packet rate...20
Figure 9: Blocked attack volume per region for 2022..................................................................................7 Figure 40: Number of dissimilar attack vectors per attack,as a function of attack size............. 21
Figure 10: Most attacked industries in 2022..................................................................................................7 Figure 41: Malicious events by attack category.......................................................................................... 22
Figure 11: Attack growth per industry in 2022 compared to 2021........................................................7 Figure 42: 2020 vs 2021 vs 2022 Top Network Intrusions.................................................................... 22
Figure 12: Malicious events, DDoS attacks, attack volume and largest attack 2022 vs 2021, Figure 43: Daily blocked Log4Shell activity in Radware Cloud WAF and Cloud DDoS Services.23
The Americas...............................................................................................................................................................8 Figure 44: Yearly Blocked Web Application Transactions........................................................................ 25
Figure 13: Average number of attacks per Americas organization, per quarter................................8 Figure 45: Quarterly Blocked Web Application Transactions................................................................. 25
Figure 14: Average yearly attack volume for Americas organizations..................................................9 Figure 46: Total blocked web application transactions vs transactions blocked by signature. 25
Figure 15: Most attacked industries in the Americas in 2022..................................................................9 Figure 47: Top security violation types........................................................................................................... 26
Figure 16: Attack growth per industry in the Americas in 2022 compared to 2021........................9 Figure 48: Web application attacks by industry.......................................................................................... 27
Figure 17: Malicious events, DDoS attacks, attack volume & largest attack 2022 vs 2021, EMEA... 10 Figure 49: Top attacking countries in 2022.................................................................................................. 27
Figure 18: Average number of attacks per EMEA organization, per quarter................................... 10 Figure 50: The number of events per month recorded by Radware’s GDN...................................... 28
Figure 19: Average yearly attack volume for EMEA organizations......................................................11 Figure 51: The number of unique IPs per month registered by Radware’s GDN............................ 28
Figure 20: Most attacked industries in EMEA in 2022..............................................................................11 Figure 52: Top scanned and attacked TCP ports, 2021 vs 2022.......................................................... 29
Figure 21: Attack growth per industry in EMEA in 2022 compared to 2021....................................11 Figure 53: Top scanned and attacked UDP ports, 2021 vs 2022......................................................... 30
Figure 22: Malicious events, DDoS attacks & largest attack 2022 vs 2021, APAC.........................12 Figure 54: Top attacking countries................................................................................................................... 31
Figure 23: Average number of attacks per APAC organization, per quarter.....................................12 Figure 55: Top scanned URI................................................................................................................................ 32
Figure 25: Most attacked industries in APAC in 2022...............................................................................13 Figure 56: Top user agents.................................................................................................................................. 33
Figure 26: Attack growth per industry in APAC in 2022, compared to 2021....................................13 Figure 57: Top HTTP credentials....................................................................................................................... 33
Figure 27: Protocols leveraged by attacks in 2022.....................................................................................14 Figure 58: Top SSH usernames......................................................................................................................... 34
Figure 28: Top targeted applications by volume..........................................................................................14
Figure 29: Top attack vectors by packets.......................................................................................................14 Tables
Figure 30: Top amplification attack vectors..................................................................................................15 Table 1: DDoS Amplification Attack Vectors..................................................................................................15
Figure 31: Top attack vectors targeting HTTPS...........................................................................................16
36 List of Figures
Methodology and Sources

The data for DDoS events and volumes was collected from a sampled set This document is not warranted to be error-free, nor subject to any other
of Radware devices deployed in Radware cloud scrubbing centers and on- warranties or conditions, whether expressed orally or implied in law.
premise managed devices in Radware hybrid and peak protection services. Radware specifically disclaims any liability with respect to this document,
and no contractual obligations are formed either directly or indirectly by this
Radware’s Global Deception Network (GDN) provides detailed events and
document. The technologies, functionalities, services or processes described
payload data on a wide range of attacks and serves as a basis for the
herein are subject to change without notice.
‘Unsolicited Network Scanning and Attack Activity’ section.
The data for web application attacks was collected from blocked application Editors
security events from the Radware Cloud WAF Service. Collected events were Pascal Geenens | Director of Threat Intelligence
based solely on automatically detected and known vulnerability exploits and Daniel Smith | Head of Threat Research
exclude any events that might be blocked or reported by custom rules added
to a web application policy by managed services and/or customers. Executive Sponsors
Ron Meyran | Sr Director of Corporate Enablement
About Radware Deborah Myers | Sr Director of Corporate Marketing
Radware® (NASDAQ: RDWR) is a global leader of cybersecurity and application
delivery solutions for physical, cloud and software-defined data centers. Its Production
award-winning solutions portfolio secures the digital experience by providing Gerri Dyrek | Director of Public Relations
infrastructure, application and corporate IT protection and availability services to Jeffrey Komanetsky | Content Development Manager
enterprises globally. Radware’s solutions empower more than 12,500 enterprise
and carrier customers worldwide to adapt quickly to market challenges,
maintain business continuity and achieve maximum productivity while keeping
costs down. For more information, please visit www.radware.com.
Radware encourages you to join our community and follow us on: Radware
Blog, LinkedIn, Facebook, Twitter, SlideShare, YouTube, Radware Connect app
for iPhone® and our Security Research Center that provides a comprehensive
analysis of DDoS attack tools, trends and threats. This document is provided
for information purposes only.
© 2023 Radware Ltd. All rights reserved. The Radware products and solutions mentioned in this report are protected by trademarks, patents and pending patent applications of Radware
in the U.S. and other countries. For more details, please see https://www.radware.com/LegalNotice. All other trademarks and names are the property of their respective owners.
37 Methodology and Sources

Rad Ware

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Rad Ware

Uploaded by

Copyright:

Available Formats

Report

Attack Complexity............................................................................................................ 21 Editors...................................................................................................................... 37

Network Scanning and Exploit Activity..................................................................... 22 Executive Sponsors.............................................................................................. 37

Web Application Attack Activity......................................................................... 25

DDoS Attack Trend Highlights

Number of malicious events Total attack volume in 2022

233% The number of DDoS

The Americas saw a substantial increase in malicious activities, with a 328%

Denial-of-Service Attack Activity

Attack Trends DDoS Attacks per Customer

average number of attacks per customer.

by the end of 2022, a 3.5x increase. Figure 3

5 Denial-of-Service Attack Activity

attacks in the bucket. 1M

Compared to 2021, in 2022 there was a

significant increase in the number of attacks 1000

below 10Gbps, and a moderate but not 10 10

insignificant increase in attacks above 250Gbps. 1

significantly larger in 2022.

Attacks in 2022 were pushed out from the center

On average, smaller attacks tend to be shorter.

While the increase in the higher end of the attack

size spectrum was less significant, the attacks

did hit significantly harder compared to the 1000

biggest attacks in 2021.

Attack Size [Gbps]

6 Denial-of-Service Attack Activity

Regions and Industries

The most significant attack volumes targeted

Finance was the most attacked industry

was slightly more frequently the target of 60 industry in 2022,

industries under attack in 2022 included

communications (4.47%), government (3.9%) 20

attacks growing 2.4%

significant growth industries when comparing

7 Denial-of-Service Attack Activity

The average number of attacks per customer The largest attack

The average yearly attack volume blocked by

8 Denial-of-Service Attack Activity

Finance was the most attacked industry in

to 2021. Healthcare represented 23.9% of Attack Volume per Customer - Americas

the attack activity, a slight increase of 1.7% 23.9%

compared to 2021. Technology was the third 30

most attacked industry in the Americas with

to 2021. Other industries attacked in the

Americas in 2022 included communications 0

government (2.75%). 7.96% Government

Industrials were attacked 72% more often 4.41%

in 2022 compared to 2021. Research &

and third most significant growth industries

9 Denial-of-Service Attack Activity

Europe, Middle East and Africa

of 2022, EMEA organizations mitigated on compared to Q4

In 2022, the average yearly attack volume

DDoS Attacks per Customer - EMEA

attacks per quarter is divided by 91 (number of days in a quarter for 2 x 30 +

10 Denial-of-Service Attack Activity

In 2022, finance was the most attacked

global rate of 2.4%. Technology represented Technology

the third most attacked industry in EMEA

with 4.09% of the attacks and the fastest

& education (1.28%) and telecom (1.13%). 70.6%

E-commerce and healthcare were the second

Attack Growth per Industry - EMEA