The number of DDoS attacks spiked in the third quarter of 2024. Cloudflare mitigated nearly 6 million DDoS attacks, representing a 49% increase QoQ and 55% increase YoY
Cloudflare, Inc., has announced its 2024 Q3 DDoS Attacks report, that includes insights and trends about the DDoS threat landscape — as observed across the global Cloudflare network, one of the largest in the world.
Key findings
- The number of DDoS attacks spiked in the third quarter of 2024. Cloudflare mitigated nearly 6 million DDoS attacks, representing a 49% increase QoQ and 55% increase YoY.
- Out of those 6 million, Cloudflare’s autonomous DDoS defense systems detected and mitigated over 200 hyper-volumetric DDoS attacks exceeding rates of 3 terabits per second (Tbps) and 2 billion packets per second (Bpps). The largest attack peaked at 4.2 Tbps and lasted just a minute.
- The Banking & Financial Services industry was subjected to the most DDoS attacks. China was the country most targeted by DDoS attacks, and Indonesia was the largest source of DDoS attacks.
Hyper-volumetric campaign
In Q3, Cloudflare’s systems mitigated nearly 6 million DDoS attacks bringing it to a total of 14.5 million DDoS attacks year-to-date (4.5 million in Q1 and 4 million in Q2). That’s an average of around 2,200 DDoS attacks every hour. Of those attacks, Cloudflare mitigated over 200 hyper-volumetric network-layer DDoS attacks that exceeded 1 Tbps or 1 Bpps. The largest attacks peaked at 3.8 Tbps and 2.2 Bpps. At the time of writing the Q3 report, on October 21, 2024, Cloudflare’s systems autonomously detected and mitigated a 4.2 Tbps DDoS attack that lasted around a minute.
DDoS attack types and characteristics
Of the 6 million DDoS attacks, half were HTTP (application layer) DDoS attacks and half were network layer DDoS attacks. Network layer DDoS attacks increased by 51% QoQ and 45% YoY, and HTTP DDoS attacks increased by 61% QoQ and 68% YoY.
Attack duration
90% of DDoS attacks, including the largest of attacks, were very short-lived. The company did see, however, a slight increase (7%) in attacks lasting more than an hour. These longer attacks accounted for 3% of all attacks.
Attack vectors
In Q3, Cloudflare saw an even distribution in the number of network-layer DDoS attacks compared to HTTP DDoS attacks.
Of the network-layer DDoS attacks, SYN flood was the top attack vector followed by DNS flood attacks, UDP floods, SSDP reflection attacks, and ICMP reflection attacks.
On the application layer, 72% of HTTP DDoS attacks were launched by known botnets and automatically mitigated by our proprietary heuristics.
In Q3, the company observed a 4,000% increase in SSDP amplification attacks compared to the previous quarter. Disabling UPnP on unnecessary devices and using DDoS mitigation strategies can help defend against this attack.
User agents used in HTTP DDoS attacks
In Q3, 80% of HTTP DDoS attack traffic impersonated the Google Chrome browser, which was the most common user agent observed in attacks. More specifically, Chrome 118, 119, 120, and 121 were the most common versions.
In second place, no user agent was seen for 9% of HTTP DDoS attack traffic.
In third and fourth place, attacks were observed using the Go-http-client and fasthttp user agents. The former is the default HTTP client in Go’s standard library and the latter is a high-performance alternative. fasthttp is used to build fast web applications, but is often used for DDoS attacks and web scraping too.
Targets of DDoS attacks
Top attacked locations – China was the most attacked location in the third quarter of 2024. The United Arab Emirates was ranked second, with Hong Kong in third place, followed closely by Singapore, Germany, and Brazil.
Top attacked industries – In Q3, Banking & Financial Services was the most targeted by DDoS attacks. Information Technology & Services was ranked in second place, followed by the Telecommunications, Service Providers, and Carriers sector. Cryptocurrency, Internet, Gambling & Casinos, and Gaming followed closely behind as the next most targeted industries. Consumer Electronics, Construction & Civil Engineering, and the Retail industries rounded out the top ten most attacked industries.
Top source locations of DDoS attacks – Indonesia was the largest source of DDoS attacks in the third quarter of 2024. The Netherlands was the second-largest source, followed by Germany, Argentina, and Colombia. The next five largest sources included Singapore, Hong Kong, Russia, Finland, and Ukraine.
Key takeaways
The unprecedented surge in hyper-volumetric DDoS are capable of overwhelming Internet properties, particularly those relying on capacity-limited cloud services or on-premise solutions. The increasing use of powerful botnets, fueled by geopolitical tensions and global events, is expanding the range of organizations at risk — many of which were not traditionally considered prime targets for DDoS attacks. Unfortunately, too many organizations reactively deploy DDoS protections after an attack has already caused significant damage.
Commenting on the report, Bashar Bashaireh, VP – Middle East and Türkiye at Cloudflare, says: “Our observations confirm that businesses with well-prepared, comprehensive security strategies are far more resilient against these cyberthreats. At Cloudflare, we’re committed to safeguarding your Internet presence. Through significant investment in our automated defenses and a robust portfolio of security products, we ensure proactive protection against both current and emerging threats — so you don’t have to.”
Full report is available here.