Contribution of Russia–Ukraine conflict in Q3 DDoS trends

In the third quarter of 2022, the DDoS hacking attacks were plenty, and the majority of them appeared to have geo-political motivations. The following list includes a few of these attacks:
  • Over 200 websites in Estonia, including the ESTO AS payment system, was hacked by the pro-Russian group Killnet, which has been active since January.
  • The energy business Ignitis Group's websites and online services were compromised in Lithuania.
  • A DDoS attack on the US Electronic Federal Tax Payment System website and services was also attributed to Killnet. Additionally, it briefly interrupted the US Congress website.
  • DDoS assaults by Killnet threat actors targeted 20 websites from four different government departments in Japan.
  • The attacks on the website of the Finnish parliament were claimed as being the work of Noname057 (16).
  • DDoS.hacking attack attempts by pro-Ukrainian hackers were made against Russian resources such Unistream, Korona Pay, and Mir payment systems.
  • Media outlets like RIA Novosti and Sputnik suffered hacking attacks that lasted almost 24 hours, while the website of Argumenti i Fakti was unavailable for some time. 
  • A wave of DDoS attacks swept across many tech and entertainment companies as well. Hackers attacked around 20 Russian video-conferencing platforms.

Other DDoS attacks

Besides the Russia–Ukraine conflict, there were reports of politically motivated DDoS hacking attacks in other countries too. 
  • The websites of Taiwan’s president and its Ministry of National Defense experienced downtime. Also affected were the online resources of the Ministry of Foreign Affairs and Taoyuan International Airport. 
  • Israel, too, became a DDoS target when cybercriminals attacked the websites of the country’s Ministry of Health and Tel Aviv-Yafo Municipality.


The third quarter saw a huge increase in DDoS attacks of all kinds, which is the first thing to note. 51% of all hacking attacks attempt were thwarted in September by the Kaspersky DDoS Protection team. No new records were set for the length of a DDoS attack in Q3; whereas Q2 saw the longest attack ever seen, Q3 attacks averaged roughly eight hours.

DDoS attack statistics

Only when there is less than a 24-hour gap between botnet activity periods are incidents considered to be single DDoS attacks. The IP addresses of both the C2 servers used to relay commands and the DDoS attack victims identify their respective geographical locations. In the quarterly data, the number of distinct targets of DDoS hacking attacks is calculated using the number of distinct IP addresses.
  • The 57,116 DDoS attempts were discovered by Kaspersky's DDoS Intelligence system.
  • The US was the location of 39.61% of targets and 39.60 percent of attacks.
  • The busiest day of the week for attacks (15.36%) was Friday, while Thursday had the fewest (12.99%).
  • The sharpest contrast was in July: just 135 attacks occurred on July 24 while there were 1494 and 1492 attacks on July 1, respectively.
  • Hacking attacks lasting under four hours made up 94.29% of all attacks and accounted for 60.65 percent of their total time.
  • 51.84 percent of attacks were caused by UDP flooding, and 26.96% by SYN flooding.
  • The US (17.60%) had the highest percentage of bots attempting to access Kaspersky SSH honeypots.

DDoS attack geography

The top four nations in terms of resources attacked in Q3 2022 stayed the same as in the previous reporting quarter. Despite dropping 6.35% points, the US (39.60%) nevertheless held the top spot. Mainland China boosted its share (13.98%) by nearly the same amount, or 6.31 percentage points, taking second place. France (4.81%) is in fourth place, and Germany (5.07%) is still in third.

Duration and types of DDoS attacks

  • 19.05% of all attacks in Q3 2022 lasted at least 20 hours and were prolonged hacking attacks. After declining during the previous reporting period, this number nearly tripled, practically returning to its level at the start of the year. As a result, the percentage of long-lasting attacks rose numerically, from 0.29 to 0.94%.
  • Only 94.29% of quick hacking attacks that lasted up to four hours were detected. The 3rd quarter's longest attack lasted 451 hours (18 days and 19 hours).

Geographic distribution of botnets

Despite a 3% point decline, the majority of botnet C2 servers (43.10%) are still in the US. The Netherlands, which came in second position last quarter with 9.34%, dropped more than 5% points and once more switched places with Germany (10.19%). Fourth-placed Russia (5.94%) held its position.


After a turbulent first half of the year, the scenario in Q3 2022 suggests that the DDoS market is stabilizing, albeit it is still challenging. However, the situation is always shifting, and forecasts are at best speculative. Almost everything is possible, nobody anticipates any substantial increases or decreases in Q4.
Cyware Publisher