Auto-translation used

4.2 Tbps of malicious packets and more: Cloudflare's DDoS threat report for Q3 2024

Cloudflare provides Internet security services, including protection against DDoS attacks, website acceleration, and Internet traffic optimization. Its solutions help organizations protect their Internet resources and ensure the stability and speed of websites, services, and applications. 

This is Cloudflare's 19th DDoS threat report. The company's quarterly publications give a detailed overview of the DDoS threats detected on its infrastructure; this edition covers the third quarter of 2024. 

With 296 Tbps of network capacity deployed in more than 330 cities worldwide, Cloudflare acts as a reverse proxy for roughly 20% of all websites. That gives it an unusually broad vantage point for observing and analyzing threats on the web. 

BAKOTECH reviewed the report's main points and presents them here with comments by Maxim Bormotov, Senior Partner Solutions Engineer, EMEA at Cloudflare.

Key insights 

  • During the third quarter of 2024, the number of DDoS attacks rose sharply: Cloudflare mitigated about 6 million attacks, 49% more than in the previous quarter and 55% more than in the same period last year.  
  • More than 200 of them were hyper-volumetric attacks, exceeding 3 Tbps or 2 billion packets per second (Bpps). The largest peaked at 4.2 Tbps and lasted about a minute. 
  • Banking and financial services was the most attacked industry. China was the most attacked country, while Indonesia was the largest source of DDoS activity. 

What are the goals of cybercriminals when they attack businesses and users? 

It depends on the specific case, but the main goal is to make the infrastructure unavailable to authorized users or visitors by spamming many requests to the target. Sometimes, DDoS can be behind more complex attacks (for example, network intrusion or installation of trojan/spyware).  
Every minute of downtime is money lost. Imagine an unavailable e-commerce website—all customers will try to find goods or services elsewhere.   

Types and characteristics of attacks 

Half of the 6 million DDoS attacks were HTTP (application-layer) attacks; the rest were network-layer attacks. Network-layer attacks increased by 51% compared to the previous quarter and by 45% year over year. HTTP attacks increased by 61% compared to the previous quarter and by 68% compared to the third quarter of last year. Most attacks were short-lived, but about 3% lasted over an hour. 

Targets of DDoS attacks 

Regions that have suffered the most attacks 

In the third quarter of 2024, China became the most popular target of DDoS attacks. The United Arab Emirates came in second, and Hong Kong took third. Next on the list are Singapore, Germany, and Brazil. 

Canada came in seventh place, followed by South Korea, the United States, and Taiwan, which came in tenth. 

Most often attacked industries 

In the third quarter of 2024, most DDoS attacks targeted the banking and financial services sector. The information technology and services sector came in second, followed by the telecommunications industry, including providers and communications operators. 

Cryptocurrency, Internet, gambling and casinos, and gaming are the next most attacked. Consumer electronics, construction, and retail round out the ten most frequently attacked industries. 

Hyper-volumetric attacks 

In the first half of 2024, Cloudflare automatically blocked 8.5 million DDoS attacks: 4.5 million in the first quarter and 4 million in the second. The third quarter added another 6 million, bringing the year-to-date total to 14.5 million, an average of about 2,200 attacks per hour. More than 200 of the third-quarter attacks were hyper-volumetric, peaking at 3.8 Tbps and 2.2 billion packets per second.

Attack vectors 

The third quarter saw an even distribution of attacks at the network and application levels. The most popular were SYN floods, DNS floods, UDP floods, and attacks using SSDP and ICMP reflection. 

Known botnets accounted for 72% of HTTP DDoS attacks and were blocked automatically by Cloudflare's proprietary heuristics. Another 13% were identified by suspicious HTTP attributes, and 9% used fake (impersonated) browsers. The remaining 6%, classified as "other", included attacks aimed at specific endpoints and at defeating caches. 

The number of attacks using SSDP (Simple Service Discovery Protocol) amplifiers increased by 4,000% compared to the previous quarter. SSDP is the discovery protocol of UPnP (Universal Plug and Play). Attackers send small SSDP M-SEARCH discovery requests to UPnP-enabled devices exposed to the Internet, with the packet's source IP address forged to the victim's address.  

Each device then sends its reply, which is several times larger than the request and may consist of several packets, to the victim's IP address instead of the attacker's. This amplification lets an attacker turn a modest stream of requests into a flood that overloads the victim's infrastructure and takes the service offline. 

Disabling UPnP on devices that do not need it, and blocking UDP port 1900 at the Internet edge, prevents your devices from being used as reflectors; it does not protect you as a victim, which requires upstream filtering or a DDoS mitigation service. 
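To make the mechanism concrete, here is an added example in Python (not code from the report or from Cloudflare) that builds the SSDP M-SEARCH request and a constructed device reply to compute the byte amplification, and then runs a simple reflection detector over constructed flow records. The addresses (RFC 5737 documentation ranges), byte counts, and the detection threshold are assumptions; the forged source address itself is deliberately not implemented.

```python
"""SSDP/UPnP reflection: amplification factor and a flow-level detector.

Added example for this article; it is not code from Cloudflare or from the
report. The packet bodies and flow records below are constructed for
illustration, not captured traffic.
"""
from collections import defaultdict

# The SSDP M-SEARCH discovery request. In a reflection attack the attacker sends
# this to Internet-exposed UPnP devices with the IP source address forged to the
# victim's address. The forging is not shown: it needs raw sockets and must only
# ever be done in a lab you own.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode()

# A constructed reply in the shape a UPnP device returns. "ST: ssdp:all" asks for
# every service the device advertises, so a single request commonly yields
# several replies like this one, all delivered to the forged source (the victim).
SSDP_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "DATE: Mon, 02 Sep 2024 10:00:00 GMT\r\n"
    "EXT:\r\n"
    "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n"
    "SERVER: Linux/3.10 UPnP/1.0 MiniUPnPd/2.0\r\n"
    "ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    "USN: uuid:11111111-2222-3333-4444-555555555555::"
    "urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    "\r\n"
).encode()


def amplification_factor(request: bytes, reply: bytes, replies_per_request: int) -> float:
    """Bytes that reach the victim per byte the attacker has to send."""
    return len(reply) * replies_per_request / len(request)


# Flow records as (src_ip, src_port, dst_ip, dst_port, proto, bytes). Constructed:
# five reflectors answering toward 203.0.113.5 on a port it never queried from,
# one genuine LAN discovery reply to a host that really sent an M-SEARCH, and an
# unrelated DNS query so the filter has something to ignore.
FLOWS = [
    ("198.51.100.11", 1900, "203.0.113.5", 443, "udp", 1324),
    ("198.51.100.12", 1900, "203.0.113.5", 443, "udp", 1324),
    ("198.51.100.13", 1900, "203.0.113.5", 443, "udp", 993),
    ("198.51.100.14", 1900, "203.0.113.5", 443, "udp", 1324),
    ("198.51.100.15", 1900, "203.0.113.5", 443, "udp", 662),
    ("192.168.1.20", 1900, "192.168.1.5", 54321, "udp", 331),
    ("203.0.113.5", 40000, "198.51.100.200", 53, "udp", 60),
]


def detect_ssdp_reflection(flows, min_reflectors=3):
    """Flag destinations receiving UDP traffic *from* port 1900 out of many
    distinct sources. Legitimate SSDP replies come from a handful of LAN hosts;
    many unrelated Internet sources all answering toward one address is the
    signature of reflection. Returns {dst_ip: {"reflectors": n, "bytes": b}}.
    The threshold of 3 is an assumption for this toy data set; tune it to your
    network's baseline.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for src, sport, dst, _dport, proto, nbytes in flows:
        if proto != "udp" or sport != 1900:
            continue
        per_dst[dst]["reflectors"].add(src)
        per_dst[dst]["bytes"] += nbytes
    return {
        dst: {"reflectors": len(v["reflectors"]), "bytes": v["bytes"]}
        for dst, v in per_dst.items()
        if len(v["reflectors"]) >= min_reflectors
    }


if __name__ == "__main__":
    print(f"{len(MSEARCH)}-byte request, {len(SSDP_REPLY)}-byte reply; "
          f"with 4 replies per request: {amplification_factor(MSEARCH, SSDP_REPLY, 4):.1f}x")
    print(detect_ssdp_reflection(FLOWS))
```

The same grouping works on real NetFlow/IPFIX or firewall logs: the key is the source port, because reflected traffic always originates from the reflector's service port (1900 here, 53 for DNS, 123 for NTP), while the destination port is whatever the attacker chose when forging the request.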

What are the consequences for businesses whose networks are unprotected from DDoS attacks? How much do they lose per hour of downtime? 

Consequences include loss of revenue, compliance issues (e.g., GDPR, PCI DSS 4.0), poor brand reputation, and additional regulatory scrutiny. Gartner estimates that one minute of downtime costs most companies $5,600, or more than $300,000 per hour. 

User agents used in HTTP DDoS attacks 

When launching HTTP DDoS attacks, cybercriminals try to blend in with normal traffic to remain undetected. One strategy is to spoof the user agent, which allows traffic to appear as a legitimate browser or other client application. 

In the third quarter, Google Chrome was the most common user agent in HTTP DDoS attacks: 80% of HTTP DDoS attack traffic masqueraded as Chrome, most often as versions 118, 119, 120, and 121. 

In second place, with 9% of HTTP DDoS attack traffic, were requests with no user agent at all. 

Third and fourth place went to the Go-http-client and fasthttp user agents. Go-http-client is the default user agent of the HTTP client in Go's standard library, and fasthttp is a high-performance alternative. fasthttp is used to build fast web applications but also shows up frequently in DDoS attacks and web scraping. 

Fifth place went to hackney, an HTTP client library for Erlang that is used to send HTTP requests in the Erlang/Elixir ecosystem. 

HITV_ST_PLATFORM ranked sixth among user agents seen in DDoS attacks. This agent is associated with smart TVs and set-top boxes. Attackers who spoof a user agent typically choose a popular one such as Chrome, so a rare agent like HITV_ST_PLATFORM is more likely genuine, which suggests that smart TVs or set-top boxes have been compromised and used to launch attacks. 

The uTorrent user agent, belonging to the popular BitTorrent file-sharing client, ranked seventh. 

okhttp closes the list. Although okhttp is a well-known HTTP client for Java and Android applications, its share of DDoS attack traffic was minimal. 

HTTP attack attributes 

Although 89% of HTTP DDoS attack traffic used the GET method, GET is also the most common HTTP method overall, so the raw share says little on its own. The picture changes when the attack traffic is normalized: the number of attack requests is divided by the total number of requests for each HTTP method. 

In that view, about 12% of all requests using the DELETE method were part of HTTP DDoS attacks. After DELETE, the HEAD, PATCH, and GET methods had the highest normalized shares. 

Similarly, 80% of DDoS attack requests arrived over HTTP/2 and 19% over HTTP/1.1. After normalizing by each version's total traffic, both shares drop significantly. In the normalized view, the majority of requests claiming the non-standard or malformed version "HTTP/1.2" turned out to be malicious and part of DDoS attacks. "HTTP/1.2" is not an official protocol version, so its mere presence in a request line is a useful signal. 
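The normalization the report describes is easy to get backwards, so here is an added example in Python (not Cloudflare's code) that computes both views over a small constructed request log, flags non-standard protocol versions, and buckets user agents into the client families discussed in the previous section. The log schema, the `attack` flag that stands in for whatever your edge uses to mark mitigated requests, and the sample rows are all assumptions made for the example.

```python
"""HTTP DDoS attribute analysis: raw share of attack traffic vs. normalized ratio.

Added example for this article, not code from Cloudflare. The log rows are
constructed so that GET dominates the raw share of attack requests while DELETE
has the highest fraction of *its own* traffic flagged, and so that a bogus
version string stands out only in the normalized view. Field names and the
`attack` flag are assumptions, not a real log schema.
"""
import re
from collections import Counter

CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1")

ROWS = [  # (method, version, user agent, flagged as attack) -- constructed
    ("GET", "HTTP/2", CHROME, True),
    ("GET", "HTTP/2", CHROME, True),
    ("GET", "HTTP/2", CHROME, True),
    ("GET", "HTTP/2", "", True),
    ("GET", "HTTP/1.1", "Go-http-client/1.1", True),
    ("GET", "HTTP/1.2", "fasthttp", True),
    ("GET", "HTTP/2", CHROME, False),
    ("GET", "HTTP/2", CHROME, False),
    ("GET", "HTTP/1.1", SAFARI, False),
    ("GET", "HTTP/2", "curl/8.4.0", False),
    ("GET", "HTTP/2", CHROME, False),
    ("GET", "HTTP/1.1", "okhttp/4.12.0", False),
    ("POST", "HTTP/2", CHROME, False),
    ("POST", "HTTP/2", CHROME, False),
    ("POST", "HTTP/1.1", "okhttp/4.12.0", False),
    ("POST", "HTTP/2", CHROME, False),
    ("DELETE", "HTTP/1.2", "hackney/1.20.1", True),
    ("DELETE", "HTTP/2", CHROME, True),
    ("HEAD", "HTTP/2", "Go-http-client/1.1", True),
    ("HEAD", "HTTP/1.1", "curl/8.4.0", False),
]
FIELDS = ("method", "version", "ua", "attack")
LOG = [dict(zip(FIELDS, row)) for row in ROWS]

# Versions a compliant client can legitimately send; anything else is malformed.
STANDARD_VERSIONS = {"HTTP/1.0", "HTTP/1.1", "HTTP/2", "HTTP/3"}


def attack_share(records, field):
    """Fraction of *attack* requests per value of `field` (the view in which GET
    looks dominant simply because GET is common everywhere)."""
    values = [r[field] for r in records if r["attack"]]
    return {k: v / len(values) for k, v in Counter(values).items()}


def normalized_attack_ratio(records, field):
    """Attack requests divided by *all* requests per value of `field` (the view
    in which a rare method like DELETE can rank first)."""
    total = Counter(r[field] for r in records)
    attack = Counter(r[field] for r in records if r["attack"])
    return {k: attack[k] / total[k] for k in total}


def nonstandard_versions(records):
    """Version strings no real client should ever send, e.g. "HTTP/1.2"."""
    return sorted({r["version"] for r in records} - STANDARD_VERSIONS)


def ua_family(ua: str) -> str:
    """Coarse client family. Library defaults are matched by prefix; Edge and
    Opera also carry "Chrome/", so they are excluded before matching Chrome."""
    if not ua:
        return "none"
    for prefix, label in (("Go-http-client", "go_http"), ("fasthttp", "fasthttp"),
                          ("hackney", "hackney"), ("okhttp", "okhttp")):
        if ua.startswith(prefix):
            return label
    if "Chrome/" in ua and not any(t in ua for t in ("Edg/", "OPR/", "Chromium/")):
        return "chrome"
    return "other"


def chrome_major(ua: str):
    """Major Chrome version claimed by a Chrome user agent, else None."""
    m = re.search(r"Chrome/(\d+)", ua)
    return int(m.group(1)) if m and ua_family(ua) == "chrome" else None


def attack_ua_families(records):
    """Distribution of client families across attack requests only."""
    return Counter(ua_family(r["ua"]) for r in records if r["attack"])


if __name__ == "__main__":
    print("share of attack traffic by method:", attack_share(LOG, "method"))
    print("normalized attack ratio by method:", normalized_attack_ratio(LOG, "method"))
    print("non-standard versions:", nonstandard_versions(LOG))
    print("attack user agents:", attack_ua_families(LOG))
```

Both views are worth keeping in a dashboard: the raw share tells you what the attack traffic looks like (what to rate-limit), while the normalized ratio tells you which attributes are unusual for your property and therefore make good low-false-positive rule conditions.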

The benefits of Cloudflare's DDoS protection solutions, as explained by Maxim Bormotov: 

  • Modern distributed architecture. Cloudflare has a global network with a bandwidth of 296 Tbps. It is present everywhere and has no scrubbing centers, which reduces the time to eliminate incidents to 0–3 seconds. 
  • Large-scale threat analytics. Over 20% of web traffic passes through Cloudflare's proxy servers, preventing 206 billion cyberattacks daily. Vendor-engaged machine learning models help create new rules in cybersecurity. 
  • Easy-to-use and cost-effective solutions. You can get unlimited and limitless DDoS protection that is easy to deploy. Traffic protection does not incur additional costs. 

Sources of DDoS attacks 

Threat actors 

80% of respondents said they did not know who attacked them; 20% did. Among those who knew, 32% pointed to extortionists, 25% to competitors, and 21% to disgruntled customers or users. A further 14% pointed to state or state-sponsored actors, and 7% said the attack was self-inflicted, for example when a fleet of IoT devices starts transmitting simultaneously after a firmware update and floods the network. 

While extortion remains the most common motive, the number of ransom DDoS attacks fell by 42% compared to the previous quarter, though it was still 17% higher than in the same period last year. In total, 7% of respondents said they had received a ransom demand or a threat of attack; in August the figure rose to 10%, so one respondent in ten was threatened. 

The main source countries of DDoS attacks 

In the third quarter of 2024, Indonesia generated the most DDoS attacks. The Netherlands came in second, followed by Germany, Argentina, and Colombia. The next five included Singapore, Hong Kong, Russia, Finland, and Ukraine. 

The main source networks of DDoS attacks 

German hosting provider Hetzner (AS24940) ranked first among the source networks of HTTP DDoS attacks in the third quarter of 2024. Linode (AS63949), a cloud platform owned by Akamai since 2022, came in second, and Vultr (AS64515), a provider based in Florida, came in third. 

Netcup (AS197540), another German ISP, came in fourth, while Google Cloud Platform (AS15169) came in fifth. DigitalOcean (AS14061) took sixth place, followed by France's OVH (AS16276), Stark Industries (AS44477), Amazon Web Services (AS16509), and Microsoft (AS8075). 

How does integrating AI technology into Cloudflare's solution improve the effectiveness of protection against DDoS attacks? 

Machine learning models continuously learn from the latest attacks, deploying defenses without manually creating rules. ML is trained on attack traffic detected on the Cloudflare network. The resulting classifier allows you to find variations and workarounds of existing threats and extend protection to new and undetected attacks. 
Combining AI/ML with traditional signature-based rules exemplifies how intelligent systems can support people's work. AI detects new malware that analysts can use to optimize rules. This provides better training data for AI models and improves the WAF's overall protection and response time.  
Cloudflare uses an artificial intelligence model to account for the specific characteristics of a customer's traffic and better detect deviations from normal and safe traffic. 

Conclusions 

In Q3 2024, Cloudflare recorded a significant increase in hyper-volumetric DDoS attacks, with peaks of 3.8 Tbps and 2.2 Bpps. This mirrors last year's trend, when application-layer attacks in the HTTP/2 Rapid Reset campaign exceeded 200 million requests per second (Mrps). Attacks of this scale can seriously affect Internet resources, especially cloud services with limited bandwidth and on-premises deployments. 

Due to geopolitical tensions and global events, the use of powerful botnets is increasing, and the number of organizations at risk of DDoS attacks is increasing. Unfortunately, many businesses only implement DDoS defenses after the attack has caused severe damage. 

Observations confirm that companies with well-designed and comprehensive security strategies are much more resilient to such cyber threats. With significant investments in automated defenses and a robust suite of security products, Cloudflare ensures proactive protection against current and emerging threats — so you don't have to worry about it. 

Cloudflare's connectivity cloud protects entire enterprise networks, helps customers efficiently develop web-scale applications, improves the speed of websites and online applications, protects against DDoS attacks, deters hackers, and supports you on the path to zero trust.