Network traffic insights in the time of COVID-19: June 4 update


Executive summary

  • Peak traffic “normalizes” at 25-30% above pre-pandemic levels
  • Aggregate traffic volumes continue to be over 25% above pre-pandemic levels
  • Video streaming rates back to normal (no speed/quality reduction) almost everywhere
  • Distributed Denial of Service attacks on the rise; DDoS traffic increases 40-50% (February to May)


Societies across the world are preparing to reopen slowly. With the majority of people still working and learning from home, the effects of the COVID-19 pandemic on global networks continue to be present.

In this blog, a follow-up to our April 9 blog, we take a more extended snapshot of the effects of the COVID-19 pandemic on the internet, with a focus on US networks. It’s been ten weeks since the March 19 lockdowns, when “shelter-in-place” orders were declared in the state of California and New York City; fourteen weeks since the first lockdown in Italy (February 21); and 18 weeks since the city of Wuhan, China was closed to incoming and outgoing traffic (January 23).

We start with where we left off: with questions about whether internet traffic is returning to normal levels, what are the changes to internet topology and traffic patterns, and will they be permanent or long-lasting?

The network of all networks

The internet, as we know it today, seems to be *one* network, constructed of all the networks that interconnect us and bring us much-needed services and content.

We have already discussed the immense growth of the internet and high concentration and consolidation of content-originating and distributing domains before: more than 90% of all internet content originates from content delivery networks (CDNs), and the majority of that content originates from a small number of internet domains.

By following what happens in the largest ISP networks, we can also track the impact of the pandemic on the internet. We looked at several large providers that provide internet connectivity (residential and mobile) to a significant portion of the US population. We also examined the internet service delivery chain - from originating domains, across peering/transit nodes, through IP cores/backbones and on to aggregation and access networks.

Here’s our update.

Traffic levels

There are two ways to look at network traffic:

  • Traffic peaks (e.g., recording these peak levels in 5-minute intervals in 24/7 monitoring)
  • Aggregate traffic (total volume)

Traffic peaks help us understand how the network is handling the most demanding usage times and how to dimension network capacity appropriately. For wireline networks, which are dominated by video traffic, peak usage hours are the weekend evenings’ viewing times (“prime time”).

Aggregate traffic represents overall traffic volumes exchanged over the network (upstream and downstream). Aggregate volume levels – recorded over time intervals – help us better understand long-term societal shifts in internet usage.

In the graph below, we notice peak traffic levels exceeding their pre-pandemic levels by 30% or more during the weekend of March 22. However, more recently, they stabilized in the range of 20-30% above the levels recorded in the first week of February 2020 (depending on the week measured).

Figure 1. Peak traffic changes from the first week of February 2020 (shown in percentage points)

When we look at the aggregate traffic volumes (Fig. 2), we notice that they have stayed more than 25% above pre-pandemic levels since the lockdowns started. Unlike peak traffic, there is no downward trend here. This stabilization indicates prolonged network use throughout the day, both during weekdays and on weekends.

Figure 2. Aggregate weekly volume traffic changes from the first week of February 2020 (shown in percentage points)

Video streaming rates for subscription video on demand (SVOD) and streaming video services remained remarkably consistent. The temporary bandwidth-reduction measures that Netflix and YouTube introduced for video streaming in certain EU countries now seem to be waning, as average bitrates for these services return to their pre-pandemic levels.

We notice the “return to normal” as more traffic for some of these video services becomes sourced from on-net network caches - as opposed to being delivered from external CDNs, across peering and transit links.

Many Tier-1 service providers stated that their quarterly or yearly capacity upgrades happened in a matter of a few weeks.  Customer experience and continued ability to enjoy online services for work and entertainment - without interruption or service degradation – served as a great testimony to service providers’ ability to address these peak traffic demands and overall traffic volumes.

Distributed Denial of Service (DDoS) traffic

In our April 9 blog, we noticed a significant increase in DDoS traffic volumes during March. That trend continued through April and May. The aggregate volume of DDoS traffic is now 40-50% above the pre-pandemic levels (February), as shown in Figure 3.

Figure 3. Aggregate DDoS traffic (shown in terabytes per week)

As a contributor to the overall traffic volumes, DDoS traffic is growing faster than most other network applications (unfortunately).

So far, we see two reasons for this:

  1. Significant increase in gaming traffic (and gaming-related DDoS)
  2. Increase of use (and abuse) of North American and European DDoS reflectors and amplifiers to attack systems in other parts of the world.

Online gaming and gambling have long been accompanied by DDoS traffic. “Taking down” opponents with DDoS attacks, and even the coining of a term for it (“to boot someone”), reflects the “competitive” activity that goes on in some gaming circles. Denying opponents access to the service, or “booting” them, has grown to the extent that a significant number of “commercial” web sites offer DDoS services for hire, and many more (on the darknet) offer DDoS toolkits for download. For about US$30 per month (mostly in Bitcoin), a malicious player can get unlimited 5-minute DDoS attacks aimed at single victim IPs. Most of these employ simple amplification using pre-defined lists of amplifiers. There is a good reason why the attacks these services sell are short: 5 minutes is all you need to win a game round, and the market seems to have evolved around 5 minutes as the standard for “booter-for-hire” services, which compete on pricing and quality for 5-minute increments.

Additionally, short attacks help perpetrators avoid being caught by DDoS protection solutions, as DDoS perpetrators can be criminally and civilly prosecuted in many jurisdictions worldwide.

The additional DDoS growth seems to be related to the increased abuse of amplifiers/reflectors based in North America and Europe.

A DDoS amplifier is any misconfigured server (NTP, DNS, LDAP, Memcache, etc.) that can be used to reflect and amplify a spoofed request to the victim’s IP address.  

Historically, almost all DDoS traffic in the US was inbound from other regions. However, since the start of the pandemic, we have also observed a significant increase in outbound DDoS traffic: attackers target US-based enterprise and IoT hosts, which act as reflectors and amplifiers and generate a significant level of attack traffic destined for hosts located in other countries.

Figure 4. Anatomy of an amplified/reflector attack

On a daily and weekly basis, DDoS traffic represents a small portion of the overall traffic. Should we ignore it then (with all the threats that come along with it)?

Absolutely not!

For service providers, it is becoming critically important to be able to detect both outbound and inbound DDoS threats and attacks, including those that last only a short time but can still do significant damage to network infrastructure and services.

DDoS traffic is bursty, and a single attack may represent a significantly larger percentage of traffic volume at that moment in time. These individual and orchestrated DDoS attacks may be harmful enough to degrade or take out of service network hosts or parts of the network and leave many end-users and subscribers without connectivity or access to critical network services.
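One way to spot the outbound reflection described above from flow records is to compare, per 5-minute window, what a local NTP/DNS/LDAP/Memcache service receives from a remote address with what it sends back. This is an added example, not Nokia Deepfield code; the flow tuple layout, the `192.0.2.0/24` provider prefix, the thresholds and the sample records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# UDP services the article lists as commonly abused amplifiers.
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP", 389: "LDAP", 11211: "Memcache"}
WINDOW = 300  # seconds, the 5-minute interval used for peak monitoring
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed provider prefix

# Constructed flow records: (epoch_s, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (1000, "198.51.100.7", 40000, "192.0.2.10", 123, 2_000),     # small requests
    (1010, "192.0.2.10", 123, "198.51.100.7", 40000, 900_000),   # huge replies
    (1020, "203.0.113.5", 5353, "192.0.2.53", 53, 60_000),       # ordinary DNS
    (1025, "192.0.2.53", 53, "203.0.113.5", 5353, 180_000),
    (1300, "198.51.100.9", 41000, "192.0.2.20", 11211, 100),     # high ratio,
    (1301, "192.0.2.20", 11211, "198.51.100.9", 41000, 50_000),  # low volume
]

def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET

def find_reflectors(flows, min_factor=10.0, min_bytes=100_000):
    """Flag local hosts whose replies to one remote IP dwarf the requests."""
    req = defaultdict(int)  # bytes arriving at a local amplifier-prone service
    rsp = defaultdict(int)  # bytes that service sent back out
    for ts, src, sport, dst, dport, nbytes in flows:
        bucket = ts - ts % WINDOW
        # Requests carry the target's address as (spoofed) source, so the
        # remote IP is the same in both directions.
        if is_local(dst) and dport in AMPLIFIER_PORTS:
            req[(bucket, dst, dport, src)] += nbytes
        elif is_local(src) and sport in AMPLIFIER_PORTS:
            rsp[(bucket, src, sport, dst)] += nbytes
    alerts = []
    for key, out_bytes in sorted(rsp.items()):
        factor = out_bytes / max(req.get(key, 0), 1)
        if out_bytes >= min_bytes and factor >= min_factor:
            bucket, host, port, target = key
            alerts.append({"window_start": bucket, "reflector": host,
                           "service": AMPLIFIER_PORTS[port], "target": target,
                           "out_bytes": out_bytes, "factor": round(factor, 1)})
    return alerts

if __name__ == "__main__":
    for alert in find_reflectors(SAMPLE_FLOWS):
        print(alert)
```

Requiring both a volume floor and an amplification factor keeps ordinary DNS service and tiny high-ratio exchanges out of the alert list while still catching a burst that fits inside one 5-minute window.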

Closing thoughts

At the risk of repeating ourselves, let’s say it again, “The networks were made for this.”  They weathered an unprecedented rise of traffic and services and showed us the importance of all our networks – even residential ones – as a vital infrastructure for a society.

We have also seen that the need for precise, real-time, analytical insights about the network, services, and consumption patterns is more significant than ever. Also, now that communication networks are recognized as essential infrastructure, the need for robust, 360-degree network security and DDoS protection is also critical.

Nokia Deepfield solutions go well beyond legacy network analytics tools. With the ability to scale with cloud, IoT and 5G-era applications, these solutions are a foundation for the new networking paradigm where it is imperative to ensure network performance, security, and premium customer experiences.

Craig Labovitz

About Craig Labovitz

Craig (Dr. Craig Labovitz) co-founded Deepfield in 2011, which was acquired by Nokia in January 2017 and became a part of Nokia’s IP and Optical Networks. Currently, Dr. Labovitz is Chief Technology Officer for the Nokia Deepfield portfolio of Network Intelligence, Analytics and DDoS Security products.
