DDoS threat report for 2023 Q3

Created on November 12, 2023 at 10:32 am

15 min read

This blog post is also available in 简体中文, 繁體中文, 日本語, 한국어, Deutsch, Italiano, Français, Español, Português and Nederlands.

Welcome to the third DDoS threat report of 2023. DDoS attacks, or distributed denial-of-service attacks, are a type of cyber attack that aims to disrupt websites (and other types of Internet properties) and make them unavailable to legitimate users by overwhelming them with more traffic than they can handle, similar to a driver stuck in a traffic jam on the way to the grocery store.

We see a lot of DDoS attacks of all types and sizes, and our network is one of the largest in the world, spanning more than 300 cities in over 100 countries. Through this network we serve over 64 million HTTP requests per second at peak and about 2.3 billion DNS queries every day. On average, we mitigate 140 billion cyber threats each day. This colossal amount of data gives us a unique vantage point from which to understand the threat landscape and provide the community with insightful and actionable DDoS trends.

In recent weeks, we have also observed a surge in DDoS attacks and other cyber attacks against Israeli newspaper and media websites, as well as financial institutions and government websites. Palestinian websites have also seen a significant increase in DDoS attacks. View the full coverage here.

HTTP DDoS attacks against Israeli websites using Cloudflare

The global DDoS threat landscape

In the third quarter of 2023, Cloudflare faced one of the most sophisticated and persistent DDoS attack campaigns in recorded history.

Cloudflare mitigated thousands of hyper-volumetric HTTP DDoS attacks, 89 of which exceeded 100 million requests per second (rps), with the largest peaking at 201 million rps, almost three times the previous largest attack on record (71M rps). The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared to the previous quarter. Similarly, L3/4 DDoS attacks increased by 14%, alongside numerous attacks in the terabit-per-second range; the largest targeted Cloudflare's free DNS resolver 1.1.1.1 and peaked at 2.6 Tbps. Gaming and Gambling companies were bombarded with the largest volume of HTTP DDoS attack traffic, overtaking the Cryptocurrency industry from last quarter.

Reminder: an interactive version of this report is also available as a Cloudflare Radar Report. On Radar, you can also dive deeper and explore traffic trends, attacks, outages and many more insights for your specific industry, network and country.

HTTP DDoS attacks and hyper-volumetric attacks

An HTTP DDoS attack is a DDoS attack over the Hypertext Transfer Protocol (HTTP). It targets HTTP Internet properties such as mobile application servers, ecommerce websites, and API gateways.

Illustration of an HTTP DDoS attack

HTTP/2, which accounts for 62% of HTTP traffic, is a version of the protocol designed to improve application performance, chiefly by multiplexing many concurrent requests over a single connection. The downside is that the same multiplexing also improves a botnet's performance: each bot can push far more requests per connection than it could over HTTP/1.1.

Distribution of HTTP versions by Radar

Campaign of hyper-volumetric DDoS attacks exploiting HTTP/2 Rapid Resets

Starting in late August 2023, Cloudflare and various other vendors were subject to a sophisticated and persistent DDoS attack campaign that exploited the HTTP/2 Rapid Reset vulnerability (CVE-2023-44487). The technique is simple: the client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM. The server still does the work of processing the request, but because the stream is closed as soon as it is opened, the client's count of concurrent streams, the only thing the server limits, never grows.

Illustration of an HTTP/2 Rapid Reset DDoS attack

The DDoS campaign included thousands of hyper-volumetric DDoS attacks over HTTP/2 that peaked in the range of millions of requests per second. The average attack rate was 30M rps. Approximately 89 of the attacks peaked above 100M rps, and the largest one we saw hit 201M rps.

HTTP/2 Rapid Reset campaign of hyper-volumetric DDoS attacks

Cloudflare's systems automatically detected and mitigated the vast majority of attacks. We deployed emergency countermeasures and improved our mitigation systems' efficacy and efficiency to ensure the availability of our network and of our customers' services.

Check out our engineering blog that dives deep into the land of HTTP/2, what we learned and what actions we took to make the Internet safer.
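To make the Rapid Reset pattern concrete, here is an added example, not Cloudflare's code and not taken from the engineering post linked above, that parses raw HTTP/2 frames and flags a connection whose client opens streams only to cancel them. The frame layout and type codes are those of RFC 9113; the attacker and benign byte strings are constructed inside the file, responses are not modelled, and the thresholds (20 streams, 50% reset ratio) are assumed illustrative values.

```python
"""Minimal HTTP/2 frame parser plus a per-connection Rapid Reset detector.

Constructed example: the frame bytes below are generated here, not captured.
"""
from dataclasses import dataclass

FRAME_HEADER_LEN = 9
HEADERS, RST_STREAM = 0x1, 0x3            # frame type codes (RFC 9113)
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
ERR_CANCEL = 0x8                          # RST_STREAM error code used by the attack

# Indexed HPACK fields from the static table: :method GET, :path /, :scheme https
GET_ROOT = b"\x82\x84\x87"


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
    return header + payload


def parse_frames(data):
    """Split a byte string into frames; raise on a truncated trailing frame."""
    frames, off = [], 0
    while off < len(data):
        if off + FRAME_HEADER_LEN > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append(Frame(ftype, flags, stream_id, payload))
        off += FRAME_HEADER_LEN + length
    return frames


def rapid_reset_burst(n):
    """Constructed attacker traffic: n requests, each cancelled immediately."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1                                   # client streams are odd
        out += build_frame(HEADERS, sid, GET_ROOT, FLAG_END_STREAM | FLAG_END_HEADERS)
        out += build_frame(RST_STREAM, sid, ERR_CANCEL.to_bytes(4, "big"))
    return out


def normal_requests(n):
    """Constructed benign traffic: n requests that are never reset."""
    return b"".join(build_frame(HEADERS, 2 * i + 1, GET_ROOT,
                                FLAG_END_STREAM | FLAG_END_HEADERS) for i in range(n))


def analyze_connection(frames, min_streams=20, reset_ratio=0.5):
    """Count streams the client opened and reset, and the peak number open at once.

    A SETTINGS_MAX_CONCURRENT_STREAMS limit only sees peak_concurrent, which the
    attack keeps at 1; the reset ratio is what exposes it. Responses are not
    modelled, so a stream stays open until the client resets it.
    """
    opened, reset, open_now, peak = 0, 0, set(), 0
    for f in frames:
        if f.ftype == HEADERS and f.stream_id % 2 == 1:
            opened += 1
            open_now.add(f.stream_id)
            peak = max(peak, len(open_now))
        elif f.ftype == RST_STREAM and f.stream_id in open_now:
            reset += 1
            open_now.discard(f.stream_id)
    ratio = reset / opened if opened else 0.0
    return {
        "opened": opened,
        "reset": reset,
        "peak_concurrent": peak,
        "reset_ratio": ratio,
        "abusive": opened >= min_streams and ratio >= reset_ratio,
    }


if __name__ == "__main__":
    print(analyze_connection(parse_frames(rapid_reset_burst(200))))
    print(analyze_connection(parse_frames(normal_requests(5))))
```

For the attacker burst the report shows 200 streams opened and 200 reset while peak_concurrent stays at 1, which is exactly why a concurrency cap alone does not help; the fixes vendors shipped for CVE-2023-44487 cap the rate of client resets per connection in the same spirit as the reset ratio here.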

Hyper-volumetric DDoS attacks enabled by VM-based botnets

As we have seen in this campaign and previous ones, botnets that leverage cloud computing platforms and exploit HTTP/2 are able to generate up to 5,000 times more force per botnet node. This allowed them to launch hyper-volumetric DDoS attacks with a small botnet of only 5-20 thousand nodes. To put that into perspective, in the past, IoT-based botnets consisted of fleets of millions of nodes and barely managed to reach a few million requests per second.

Comparison of an Internet of Things (IoT) based botnet and a Virtual Machine (VM) based botnet

When analyzing the two-month-long DDoS campaign, we can see that Cloudflare infrastructure was the main target of the attacks. More specifically, 19% of all attacks targeted Cloudflare websites and infrastructure. Another 18% targeted Gaming companies, and 10% targeted well-known VoIP providers.

Top industries targeted by the HTTP/2 Rapid Reset DDoS attacks

HTTP DDoS attack traffic increased by 65%

The attack campaign contributed to an overall increase in the amount of attack traffic. Last quarter, the volume of HTTP DDoS attacks increased by 15% QoQ. This quarter, it grew even more: attack volume increased by 65% QoQ, to a staggering total of 8.9 trillion HTTP DDoS requests that Cloudflare systems automatically detected and mitigated.

Aggregated volume of HTTP DDoS attack requests by quarter

Alongside the 65% increase in HTTP DDoS attacks, we also saw a minor increase of 14% in L3/4 DDoS attacks, similar to the figures we saw in the first quarter of this year.

L3/4 DDoS attacks by quarter

A rise in large volumetric DDoS attacks contributed to this increase. In Q3, our DDoS defenses automatically detected and mitigated numerous DDoS attacks in the terabit-per-second range. The largest attack we saw peaked at 2.6 Tbps. This attack was part of a broader campaign that targeted Cloudflare's free DNS resolver 1.1.1.1. It was a UDP flood launched by a Mirai-variant botnet.

Top sources of HTTP DDoS attacks

When comparing the global and country-specific HTTP DDoS attack request volume, we see that the US remains the largest source of HTTP DDoS attacks. One out of every 25 HTTP DDoS requests originated from the US. China remains in second place. Brazil replaced Germany as the third-largest source of HTTP DDoS attacks, as Germany fell to fourth place.

HTTP DDoS attacks: Top sources compared to all attack traffic

Some countries naturally receive more traffic due to various factors such as the population and Internet usage, and therefore also receive/generate more attacks. So while it’s interesting to understand the total amount of attack traffic originating from or targeting a given country, it is also helpful to remove that bias by normalizing the attack traffic by all traffic to a given country.

When doing so, we see a different pattern. The US doesn't even make it into the top ten. Instead, Mozambique is in first place (again). One out of every five HTTP requests that originated from Mozambique was part of an HTTP DDoS attack.

Egypt remains in second place: approximately 13% of requests originating from Egypt were part of an HTTP DDoS attack. Libya and China follow as the third- and fourth-largest sources of HTTP DDoS attacks.

HTTP DDoS attacks: Top sources compared to their own traffic

Top sources of L3/4 DDoS attacks

When we look at the origins of L3/4 DDoS attacks, we ignore the source IP address because it can be spoofed. Instead, we rely on the location of the Cloudflare data center where the traffic was ingested. Thanks to our large network and global coverage, we are able to achieve good geographical accuracy in understanding where attacks come from. Note that this places an attack at the network where the packets entered our edge, not necessarily where the attacker sits.

In Q3, approximately 36% of all L3/4 DDoS attack traffic that we saw originated from the US. Far behind, Germany came in second place with 8%, and the UK followed in third place with almost 5%.

L3/4 DDoS attacks: Top sources compared to all attack traffic

When normalizing the data, we see that Vietnam dropped to the second-largest source of L3/4 DDoS attacks after being first for two consecutive quarters. New Caledonia, a French territory comprising dozens of islands in the South Pacific, grabbed first place. Two out of every four bytes ingested in Cloudflare's data centers in New Caledonia were attack traffic.

L3/4 DDoS attacks: Top sources compared to their own traffic

Top attacked industries by HTTP DDoS attacks

In terms of absolute volume of HTTP DDoS attack traffic, the Gaming and Gambling industry jumps to first place, overtaking the Cryptocurrency industry. Over 5% of all HTTP DDoS attack traffic that Cloudflare saw targeted the Gaming and Gambling industry.

HTTP DDoS attacks: Top attacked industries compared to all attack traffic

The Gaming and Gambling industry has long been one of the most attacked industries compared to others. But when we look at HTTP DDoS attack traffic relative to each specific industry, we see a different picture. The Gaming and Gambling industry has so much user traffic that, despite being the most attacked industry by volume, it doesn't even make it into the top ten when we put it into the per-industry context.

Instead, what we see is that the Mining and Metals industry was targeted by the most attacks compared to its total traffic: 17.46% of all traffic to Mining and Metals companies was DDoS attack traffic.

Following closely in second place, 17.41% of all traffic to Non-profits was HTTP DDoS attack traffic. Many of these attacks are directed at the more than 2,400 Non-profit and independent media organizations in 111 countries that Cloudflare protects for free as part of Project Galileo, which celebrated its ninth anniversary this year. Over the past quarter alone, Cloudflare mitigated an average of 180.5 million cyber threats against Galileo-protected websites every day.

HTTP DDoS attacks: Top attacked industries compared to their own traffic

Pharmaceuticals, Biotechnology and Health companies came in third, and US Federal Government websites in fourth place. Almost one out of every 10 HTTP requests to US Federal Government Internet properties was part of an attack. Cryptocurrency came in fifth, with Farming and Fishery not far behind.

Top attacked industries by region

Now let’s dive deeper to understand which industries were targeted the most in each region.

HTTP DDoS attacks: Top industries targeted by HTTP DDoS attacks by region

Regional deepdives

Africa

After two consecutive quarters as the most attacked industry, the Telecommunications industry dropped from first place to fourth. Media Production companies were the most attacked industry in Africa. The Banking, Financial Services and Insurance (BFSI) industry follows as the second most attacked, with Gaming and Gambling companies in third.

Asia

The Cryptocurrency industry remains the most attacked in APAC for the second consecutive quarter. Gaming and Gambling came in second place, and Information Technology and Services companies in third.

Europe

For the fourth consecutive quarter, the Gaming and Gambling industry remains the most attacked industry in Europe. Retail companies came in second, and Computer Software companies in third.

Latin America

Farming was the most targeted industry in Latin America in Q3. It accounted for a whopping 53% of all attacks towards Latin America. Far behind, Gaming and Gambling companies were the second most targeted. Civic and Social Organizations were in third.

Middle East

Retail companies were the most targeted in the Middle East in Q3. Computer Software companies came in second and the Gaming and Gambling industry in third.

North America

After two consecutive quarters, the Marketing and Advertising industry dropped from first place to second. Computer Software took the lead. In third place, Telecommunications companies.

Oceania

The Telecommunications industry was, by far, the most targeted in Oceania in Q3, accounting for over 45% of all attacks on Oceania. Cryptocurrency and Computer Software companies came in second and third places respectively.

Top attacked industries by L3/4 DDoS attacks

When descending the layers of the OSI model, the Internet networks and services that were most targeted belonged to the Information Technology and Services industry. Almost 35% of all L3/4 DDoS attack traffic (in bytes) targeted the Information Technology and Internet industry.

Far behind, Telecommunication companies came in second with a mere 3% share. Gaming and Gambling came in third, and Banking, Financial Services and Insurance (BFSI) companies in fourth.

L3/4 DDoS attacks: Top attacked industries compared to all attack traffic

When comparing the attacks on industries to all traffic for that specific industry, we see that the Music industry jumps to first place, followed by Computer and Network Security companies, Information Technology and Internet companies, and Aviation and Aerospace.

L3/4 DDoS attacks: Top attacked industries compared to their own traffic

Top attacked countries by HTTP DDoS attacks

When examining the total volume of attack traffic, the US remains the main target of HTTP DDoS attacks. Almost 5% of all HTTP DDoS attack traffic targeted the US. Singapore came in second and China in third.

HTTP DDoS attacks: Top attacked countries compared to all traffic

If we normalize the data per country and region and divide the attack traffic by the total traffic, we get a different picture. The top three most attacked countries are island nations.

Anguilla, a small set of islands east of Puerto Rico, jumps to first place as the most attacked country. Over 75% of all traffic to Anguilla websites was HTTP DDoS attack traffic. In second place, American Samoa, a group of islands east of Fiji. In third, the British Virgin Islands.

In fourth place, Algeria, and then Kenya, Russia, Vietnam, Singapore, Belize, and Japan.

HTTP DDoS attacks: Top attacked countries compared to their own traffic

Top attacked countries by L3/4 DDoS attacks

For the second consecutive quarter, Chinese Internet networks and services remain the most targeted by L3/4 DDoS attacks. These China-bound attacks account for 29% of all attacks we saw in Q3.

Far, far behind, the US came in second place (3.5%) and Taiwan in third place (3%).

L3/4 DDoS attacks: Top attacked countries compared to all traffic

When normalizing the amount of attack traffic compared to all traffic to a country, China remains in first place and the US disappears from the top ten. Cloudflare saw that 73% of traffic to Chinese Internet networks was attack traffic. However, the normalized ranking changes from second place on, with the Netherlands receiving the second-highest proportion of attack traffic (representing 35% of the country's overall traffic), closely followed by Thailand, Taiwan and Brazil.

L3/4 DDoS attacks: Top attacked countries compared to their own traffic

Top attack vectors

The Domain Name System, or DNS, serves as the phone book of the Internet. DNS helps translate a human-friendly website address (e.g., www.cloudflare.com) to a machine-friendly IP address (e.g., 104.16.124.96). By disrupting DNS servers, attackers impair machines' ability to connect to a website, and by doing so make websites unavailable to users.

For the second consecutive quarter, DNS-based DDoS attacks were the most common. Almost 47% of all attacks were DNS-based. This represents a 44% increase compared to the previous quarter. SYN floods remain in second place, followed by RST floods, UDP floods, and Mirai attacks.

Top attack vectors

Emerging threats – reduced, reused and recycled

Aside from the most common attack vectors, we also saw significant increases in lesser-known attack vectors. These tend to be very volatile, as threat actors try to "reduce, reuse and recycle" older attack vectors. They are typically UDP-based protocols that can be exploited to launch amplification and reflection DDoS attacks.

One well-known tactic that we continue to see is the use of amplification/reflection attacks. In this attack method, the attacker bounces traffic off third-party servers and aims the responses at the victim: it sends requests whose source IP address is spoofed to be the victim's, so every server replies to the victim rather than to the attacker. When the reply is larger than the request, the traffic is also amplified, which is why UDP services that answer small queries with large responses are the usual reflectors.

Another form of reflection is achieved differently in what is called a "DNS Laundering" attack. In a DNS Laundering attack, the attacker queries subdomains of a domain that is managed by the victim's DNS server. The prefix that defines the subdomain is randomized and is never used more than once or twice in such an attack. Because of the randomization, recursive DNS servers never have a cached response and must forward every query to the victim's authoritative DNS server. The authoritative DNS server is then bombarded with so many queries that it cannot serve legitimate queries, or even crashes altogether. Note that the queries reach the authoritative server from recursive resolvers that also carry legitimate traffic, so they cannot simply be dropped by resolver address; the tell-tale sign is the volume of never-repeated query names for labels that do not exist in the zone.
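Because the flood arrives through legitimate resolvers, detection at the authoritative server has to key on the query names rather than on the sources. The following added example (not from the original post) runs that check over constructed query-log lines; the log format `timestamp resolver qname qtype rcode`, the zone list, the resolver addresses and the thresholds are all assumptions.

```python
"""Detect a DNS Laundering (random-subdomain) flood from an authoritative server's query log.

Added example with constructed log lines. The log layout (ts resolver qname qtype rcode),
the ZONES set and the thresholds are assumptions.
"""
import random
from collections import defaultdict

ZONES = {"example.com", "example.net"}     # zones this server is authoritative for (assumed)


def zone_of(qname):
    """Return the hosted zone a query name belongs to, or None."""
    qname = qname.rstrip(".").lower()
    for zone in ZONES:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def parse_line(line):
    ts, resolver, qname, qtype, rcode = line.split()
    return float(ts), resolver, qname.rstrip(".").lower(), qtype, rcode


def analyze_window(lines, min_queries=50, unique_label_ratio=0.9):
    """Per zone: query count, share of prefixes seen exactly once, NXDOMAIN share and
    distinct resolvers. A random-prefix flood shows a unique-prefix ratio near 1 while
    ordinary traffic repeats a small set of names."""
    per_zone = defaultdict(lambda: {"queries": 0, "labels": defaultdict(int),
                                    "nxdomain": 0, "resolvers": set()})
    for line in lines:
        _, resolver, qname, _, rcode = parse_line(line)
        zone = zone_of(qname)
        if zone is None:
            continue                                    # not ours: a misdirected query
        rec = per_zone[zone]
        rec["queries"] += 1
        prefix = qname[: -len(zone) - 1] if qname != zone else "@"
        rec["labels"][prefix] += 1
        rec["nxdomain"] += rcode == "NXDOMAIN"
        rec["resolvers"].add(resolver)

    report = {}
    for zone, rec in per_zone.items():
        singles = sum(1 for c in rec["labels"].values() if c == 1)
        ratio = singles / rec["queries"]
        report[zone] = {
            "queries": rec["queries"],
            "unique_label_ratio": round(ratio, 3),
            "nxdomain_ratio": round(rec["nxdomain"] / rec["queries"], 3),
            "resolvers": len(rec["resolvers"]),
            "laundering": rec["queries"] >= min_queries and ratio >= unique_label_ratio,
        }
    return report


def constructed_log(seed=7):
    """Constructed sample: 40 ordinary lookups for example.net from five resolvers, plus
    300 never-repeated random prefixes for example.com arriving via many resolvers."""
    rng = random.Random(seed)
    lines = []
    for i in range(40):
        name = rng.choice(["www", "mail", "api"])
        lines.append(f"{1700000000 + i} 192.0.2.{rng.randint(1, 5)} {name}.example.net A NOERROR")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for i in range(300):
        prefix = "".join(rng.choice(alphabet) for _ in range(12))
        lines.append(f"{1700000000 + i} 198.51.100.{rng.randint(1, 254)} {prefix}.example.com A NXDOMAIN")
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for zone, stats in analyze_window(constructed_log()).items():
        print(zone, stats)
```

In the constructed window example.com is flagged (300 queries, every prefix unique, all NXDOMAIN, dozens of resolvers) while example.net is not. The practical response is per-zone rate limiting or cheap negative answers rather than blocking the resolvers, since those same resolvers serve the zone's real users.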

Illustration of a reflection and amplification attack

Overall in Q3, Multicast DNS (mDNS) based DDoS attacks were the attack method that increased the most. In second place were attacks that exploit the Constrained Application Protocol (CoAP), and in third, the Encapsulating Security Payload (ESP). Let's get to know those attack vectors a little better.

Main emerging threats

mDNS DDoS attacks increased by 456% PERCENT

Multicast DNS (mDNS) is a UDP-based protocol (port 5353) that is used in local networks for service/device discovery. Vulnerable mDNS servers respond to unicast queries originating outside the local network, which are "spoofed" (altered) to carry the victim's source address. This results in amplification attacks. A responder that checks that a query's source address is on its local link before answering is not exploitable this way. In Q3, we noticed a large increase in mDNS attacks: a 456% increase compared to the previous quarter.

CoAP DDoS attacks increased by 387%

The Constrained Application Protocol (CoAP) is designed for use in simple electronics and enables communication between devices in a low-power and lightweight manner. It runs over UDP (port 5683), so it can be abused for DDoS attacks via IP spoofing or amplification, as malicious actors exploit its multicast support or leverage poorly configured CoAP devices to generate large amounts of unwanted network traffic. This can lead to service disruption or overloading of the targeted systems, making them unavailable to legitimate users.

ESP DDoS attacks increased by 303% PERCENT

The Encapsulating Security Payload (ESP) protocol is part of IPsec and provides confidentiality, authentication, and integrity to network communications. However, it could potentially be abused in DDoS attacks if malicious actors exploit misconfigured or vulnerable systems to reflect or amplify traffic towards a target, leading to service disruption. Native ESP is IP protocol 50 and carries no port numbers, so port-based ACLs cannot rate-limit it; filtering has to key on the protocol number and on whether the destination actually terminates IPsec tunnels. As with other protocols, securing and properly configuring the systems using ESP is crucial to mitigate the risk of DDoS attacks.
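The three vectors above, and the classic reflectors alongside them, can be told apart at the victim's edge by IP protocol and source port, and a reply the victim never requested is the signature of spoofed-source reflection. This added example (not from the original post) classifies constructed flow records that way and estimates amplification where the victim did send a request; the record layout, victim address, port table and traffic volumes are assumptions.

```python
"""Classify reflected DDoS traffic at a victim by vector and estimate amplification.

Added example over constructed flow records. The Flow layout, VICTIM address and
REFLECTORS table are assumptions, not Cloudflare's data model.
"""
from collections import defaultdict, namedtuple

VICTIM = "192.0.2.10"          # assumed address of the protected host
UDP, ESP_PROTO = 17, 50

# (ip protocol, source port) -> reflection vector. Native ESP has no ports.
REFLECTORS = {
    (UDP, 53): "DNS",
    (UDP, 123): "NTP",
    (UDP, 1900): "SSDP",
    (UDP, 5353): "mDNS",
    (UDP, 5683): "CoAP",
    (UDP, 11211): "memcached",
    (ESP_PROTO, None): "ESP",
}

# One unidirectional flow record (sport/dport are None for port-less protocols).
Flow = namedtuple("Flow", "src sport dst dport proto packets bytes")


def reflector_key(flow):
    """(server ip, proto, port) used to pair a reply with any request the victim sent."""
    return (flow.src, flow.proto, flow.sport if flow.proto == UDP else None)


def vector_of(flow):
    """Name the reflection service a flow came from, or None if it is not a known reflector."""
    return REFLECTORS.get((flow.proto, flow.sport if flow.proto == UDP else None))


def classify(flows):
    # Bytes the victim itself sent to each (server, proto, port): legitimate requests.
    requested = defaultdict(int)
    for f in flows:
        if f.src == VICTIM:
            requested[(f.dst, f.proto, f.dport if f.proto == UDP else None)] += f.bytes

    per_vector = defaultdict(lambda: {"bytes": 0, "packets": 0, "keys": set()})
    for f in flows:
        if f.dst != VICTIM:
            continue
        vec = vector_of(f)
        if vec is None:
            continue                                   # not a reflector service: ignored here
        rec = per_vector[vec]
        rec["bytes"] += f.bytes
        rec["packets"] += f.packets
        rec["keys"].add(reflector_key(f))

    report = {}
    for vec, rec in per_vector.items():
        solicited = sum(requested.get(k, 0) for k in rec["keys"])
        report[vec] = {
            "bytes": rec["bytes"],
            "packets": rec["packets"],
            "sources": len({k[0] for k in rec["keys"]}),
            # reply bytes per request byte; None when the victim never asked (spoofed source)
            "amplification": round(rec["bytes"] / solicited, 2) if solicited else None,
            "unsolicited": solicited == 0,
        }
    return report


def unsolicited_bytes(report):
    """Total reflected bytes that no request from the victim can account for."""
    return sum(r["bytes"] for r in report.values() if r["unsolicited"])


def constructed_flows():
    """Constructed sample: three mDNS and two CoAP reflectors, one ESP source, one
    legitimate DNS exchange the victim initiated, and an unrelated TCP flow."""
    flows = []
    for i in range(3):
        flows.append(Flow(f"203.0.113.{10 + i}", 5353, VICTIM, 40000, UDP, 1000, 500_000))
    for i in range(2):
        flows.append(Flow(f"203.0.113.{20 + i}", 5683, VICTIM, 40000, UDP, 800, 96_000))
    flows.append(Flow("203.0.113.30", None, VICTIM, None, ESP_PROTO, 2000, 2_800_000))
    flows.append(Flow(VICTIM, 51000, "198.51.100.53", 53, UDP, 10, 600))      # victim's query
    flows.append(Flow("198.51.100.53", 53, VICTIM, 51000, UDP, 10, 2400))     # its reply
    flows.append(Flow("203.0.113.40", 443, VICTIM, 55555, 6, 50, 70_000))    # TCP, ignored
    return flows


if __name__ == "__main__":
    rep = classify(constructed_flows())
    for vec, stats in rep.items():
        print(vec, stats)
    print("unsolicited bytes:", unsolicited_bytes(rep))
```

The DNS exchange the victim initiated shows up as solicited with an amplification of 4.0, which is normal; the mDNS, CoAP and ESP rows are unsolicited, which no legitimate reply pattern produces. A port-based filter cannot help with the ESP row, which is why the table keys on the protocol number for it.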

Ransom DDoS attacks

Occasionally, DDoS attacks are carried out to extort ransom payments. We have been surveying Cloudflare customers for over three years now, and have been tracking the occurrence of Ransom DDoS attack events.

Comparison of Ransomware and Ransom DDoS attacks

Unlike ransomware attacks, where victims typically fall prey to downloading a malicious file or clicking on a compromised email link, after which their files are locked, deleted, or leaked until a ransom is paid, Ransom DDoS attacks can be much simpler for threat actors to execute. Ransom DDoS attacks bypass the need for deceptive tactics such as luring victims into opening dubious emails or clicking on fraudulent links, and they do not require a breach of the network or access to corporate resources.

Over the past quarter, reports of Ransom DDoS attacks continued to decrease. Approximately 8% of respondents reported being threatened with or subject to Ransom DDoS attacks, which continues a decline we have been tracking throughout the year. Hopefully this is because threat actors have realized that organizations will not pay them (which is our recommendation).

Ransom DDoS attacks by quarter

However, keep in mind that this is also very seasonal, and we can expect an increase in ransom DDoS attacks during the months of November and December. If we look at Q4 numbers from the past three years, we can see that Ransom DDoS attacks have been increasing significantly YoY in November. In previous Q4s, it reached a point where one out of every four respondents reported being subject to Ransom DDoS attacks.

Improving your defenses in the era of hyper-volumetric DDoS attacks

In the past quarter, we saw an unprecedented surge in DDoS attack traffic. This surge was largely driven by the hyper-volumetric HTTP/2 DDoS attack campaign.

Cloudflare customers using our HTTP reverse proxy, i.e. our CDN/WAF services, are already protected from these and other HTTP DDoS attacks. Cloudflare customers that are using non-HTTP services and organizations that are not using Cloudflare at all are strongly encouraged to use an automated, always-on HTTP DDoS protection service for their HTTP applications. Organizations running their own HTTP/2-capable servers should also apply their vendors' fixes for CVE-2023-44487, which typically cap the rate at which a client may reset streams on a connection.

It's important to remember that security is a process, not a single product or the flip of a switch. On top of our automated DDoS protection systems, we offer comprehensive bundled features such as firewall, bot detection, API protection, and caching to bolster your defenses. Our multi-layered approach optimizes your security posture and minimizes potential impact. We have also put together a list of recommendations to help you optimize your defenses against DDoS attacks, and you can follow our step-by-step wizards to secure your applications and prevent DDoS attacks.
