Cloudflare, Inc., has announced its 2024 Q4 DDoS report, which includes insights and trends about the DDoS threat landscape — as observed across the global Cloudflare network, which is one of the largest in the world.
Key findings
- In 2024, Cloudflare’s autonomous DDoS defense systems blocked around 21.3 million DDoS attacks, representing a 53% increase compared to 2023. On average, in 2024, Cloudflare blocked 4,870 DDoS attacks every hour.
- In the fourth quarter, over 420 of those attacks were hyper-volumetric, exceeding rates of 1 billion packets per second (pps) and 1 Tbps. Moreover, the amount of attacks exceeding 1 Tbps grew by a staggering 1,885% quarter-over-quarter.
- During the week of Halloween 2024, Cloudflare’s DDoS defense systems successfully and autonomously detected and blocked a 5.6 Terabit per second (Tbps) DDoS attack — the largest attack ever reported.
HTTP DDoS attacks
The majority of the HTTP DDoS attacks (73%) were launched by known botnets. An additional 11% were HTTP DDoS attacks that were caught pretending to be a legitimate browser. Another 10% were attacks which contained suspicious or unusual HTTP attributes. The remaining 8% “Other” were generic HTTP floods, volumetric cache busting attacks, and volumetric attacks targeting login endpoints.
HTTP vs. HTTPS
In Q4, almost 94% of legitimate traffic was HTTPS. Only 6% was plaintext HTTP (not encrypted). Looking at DDoS attack traffic, around 92% of HTTP DDoS attack requests were over HTTPS and almost 8% were over plaintext HTTP.
Layer 3/Layer 4 DDoS attacks
The top three most common Layer 3/Layer 4 (network layer) attack vectors were SYN flood (38%), DNS flood attacks (16%), and UDP floods (14%). An additional common attack vector, or rather, botnet type, is Mirai. Mirai attacks accounted for 6% of all network layer DDoS attacks — a 131% increase QoQ. In 2024 Q4, a Mirai-variant botnet was responsible for the largest DDoS attack on record.
Hyper-volumetric DDoS attacks
In 2024 Q3, Cloudflare started seeing a rise in hyper-volumetric network layer DDoS attacks. In 2024 Q4, the amount of attacks exceeding 1 Tbps increased by 1,885% QoQ and attacks exceeding 100 Million pps (packets per second) increased by 175% QoQ. 16% of the attacks that exceeded 100 Million pps also exceeded 1 Billion pps.
Attack size
The majority of HTTP DDoS attacks (63%) did not exceed 50,000 requests per second. On the other side of the spectrum, 3% of HTTP DDoS attacks exceeded 100 million requests per second. Similarly, the majority of network layer DDoS attacks are also small. 93% did not exceed 500 Mbps and 87% did not exceed 50,000 packets per second.
Attack duration
The majority of HTTP DDoS attacks (72%) end in under ten minutes. Approximately 22% of HTTP DDoS attacks last over one hour, and 11% last over 24 hours. Similarly, 91% of network layer DDoS attacks also end within ten minutes. Only 2% last over an hour.
Attack sources
In the last quarter of 2024, Indonesia remained the largest source of DDoS attacks worldwide for the second consecutive quarter. Hong Kong came in second, having moved up five spots from the previous quarter. Singapore advanced three spots, coming in third place.
Target of attacks
In 2024 Q4, China maintained its position as the most attacked country. Philippines makes its first appearance as the second most attacked country in the top 10. Taiwan jumped to third place, up seven spots compared to last quarter.
Most attacked industries
In the fourth quarter of 2024, the Telecommunications, Service Provider and Carriers industry jumped from the third place (last quarter) to the first place as the industry that’s most targeted by DDoS attacks. The Internet industry came in second, followed by Marketing and Advertising in third.
Ransom DDoS attacks
In the final quarter of 2024, as anticipated, Cloudflare observed a surge in Ransom DDoS attacks. This spike was predictable, given that Q4 is a prime time for cybercriminals, with increased online shopping, travel arrangements, and holiday activities. In Q4, 12% of Cloudflare customers that were targeted by DDoS attacks reported being threatened or extorted for a ransom payment. This represents a 78% QoQ increase and 25% YoY growth compared to 2023 Q4.
Commenting on the report, Bashar Bashaireh, VP – Middle East, Türkiye & North Africa at Cloudflare, says: “Too many organizations only implement DDoS protection after suffering an attack. Our observations show that organizations with proactive security strategies are more resilient. At Cloudflare, we invest in automated defenses and a comprehensive security portfolio to provide proactive protection against both current and emerging threats. With our 321 Tbps network spanning 330 cities globally, we remain committed to providing unmetered and unlimited DDoS protection no matter the size, duration and quantity of the attacks.”
Note: Dive into the full report here.
