Cloudflare, Inc., the security, performance, and reliability company helping to build a better Internet, has announced its 2023 Q2 DDoS report. This report includes insights and trends about the DDoS threat landscape — observed across the global Cloudflare network.
The DDoS landscape: a look at global patterns
The second quarter of 2023 was characterised by thought-out, tailored and persistent waves of DDoS attack campaigns on various fronts, including:
- Multiple DDoS offensives orchestrated by pro-Russian hacktivist groups REvil, Killnet and Anonymous Sudan against Western interest websites.
- An increase in deliberately engineered and targeted DNS attacks alongside a 532% surge in DDoS attacks exploiting the Mitel vulnerability (CVE-2022-26143). Cloudflare contributed to disclosing this zero-day vulnerability last year.
- Attacks targeting Cryptocurrency companies increased by 600%, against a broader 15% increase in HTTP DDoS attacks. Among these attacks, there was an alarming escalation in sophistication.
Additionally, one of the largest attacks this quarter was an ACK flood DDoS attack from a Mirai-variant botnet comprising approximately 11K IP addresses. The attack targeted an American Internet Service Provider. It peaked at 1.4 terabits per second (Tbps) and was automatically detected and mitigated by Cloudflare’s systems.
Despite general figures indicating an increase in overall attack durations, most attacks remain short-lived, and this one was no exception: it lasted only two minutes. More broadly, however, Cloudflare has seen that attacks exceeding 3 hours have increased by 103% QoQ.
Sophisticated HTTP DDoS attacks
An HTTP DDoS attack is a DDoS attack over the Hypertext Transfer Protocol (HTTP). It targets HTTP Internet properties such as websites and API gateways. Over the past quarter, HTTP DDoS attacks increased by 15% quarter-over-quarter (QoQ) despite a 35% decrease year-over-year (YoY). Additionally, there has been an alarming uptick in highly randomised and sophisticated HTTP DDoS attacks over the past few months.
Protecting websites against sophisticated HTTP DDoS attacks requires intelligent protection that is automated and fast and leverages threat intelligence, traffic profiling and Machine Learning/statistical analysis to differentiate between attack traffic and user traffic. Moreover, even increasing caching where applicable can help reduce the risk of attack traffic impacting your origin. Read more about DDoS protection best practices here.
DNS Laundering DDoS attacks
The Domain Name System, or DNS, serves as the Internet’s phone book. By disrupting DNS servers, attackers impair machines’ ability to connect to a website and, by doing so, make websites unavailable to users.
Over the past quarter, the most common attack vector was DNS-based DDoS attacks — 32% of all DDoS attacks were over the DNS protocol. Amongst these, one of the more concerning attack types we’ve seen increasing is the DNS Laundering attack which can pose severe challenges to organisations that operate their own authoritative DNS servers.
The term “Laundering” in the DNS Laundering attack name refers to the analogy of money laundering, the devious process of making illegally gained proceeds, often referred to as “dirty money,” appear legal. Similarly, in the DDoS world, a DNS Laundering attack makes bad, malicious traffic appear as good, legitimate traffic by laundering it via reputable recursive DNS resolvers. A large Asian financial institution and a North American DNS provider are recent victims of such attacks.
Like the protection strategies outlined for HTTP applications, protecting DNS servers requires a precise, fast, and automated approach. Leveraging a managed DNS service or a DNS reverse proxy like Cloudflare’s can help absorb and mitigate the attack traffic. For those more sophisticated DNS attacks, a more intelligent solution is required that leverages statistical analysis of historical data to differentiate between legitimate and attack queries.
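As an added illustration of the statistical approach just described (this is example code, not part of the Cloudflare report or its products), the detector below reads a constructed authoritative-server query log and flags source resolvers whose queries for a zone are dominated by never-seen, high-entropy, non-repeating labels answered NXDOMAIN, which is the signature a laundered random-subdomain flood leaves even though the sending resolvers themselves are reputable. The log format, IP addresses, zone name and historical-label baseline are all assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict
# Constructed authoritative-server query log (sample data, not from the report):
# "<epoch_seconds> <source_resolver_ip> <qname> <rcode>". The random labels model
# laundered queries arriving via a reputable recursive resolver (203.0.113.53).
SAMPLE_LOG = """\
1690000000 192.0.2.10 www.example.com NOERROR
1690000000 192.0.2.10 mail.example.com NOERROR
1690000001 192.0.2.10 api.example.com NOERROR
1690000001 192.0.2.10 typo.example.com NXDOMAIN
1690000001 203.0.113.53 x7kq2zv9.example.com NXDOMAIN
1690000001 203.0.113.53 p0mw8rta.example.com NXDOMAIN
1690000002 203.0.113.53 q4ze1nbh.example.com NXDOMAIN
1690000002 203.0.113.53 www.example.com NOERROR
1690000002 203.0.113.53 l2vd9xck.example.com NXDOMAIN
"""
# Labels the zone has answered before (constructed historical baseline).
KNOWN_LABELS = {"www", "mail", "api"}

def shannon_entropy(label):
    """Bits per character: 'www' scores 0, an 8-char random label scores 3.0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def parse_log(text):
    """Parse constructed log lines into (ts, src, qname, rcode) tuples."""
    return [(int(t), s, q.lower().rstrip("."), r)
            for t, s, q, r in (ln.split() for ln in text.splitlines() if ln.strip())]

def detect_laundering(records, zone, known_labels, min_q=4, ratio=0.75, ent=2.5):
    """Per source resolver, flag query streams dominated by unseen, high-entropy,
    non-repeating labels under `zone` that were answered NXDOMAIN. A flagged source
    is a reputable resolver, so mitigate the query pattern, not the resolver."""
    per_src = defaultdict(lambda: {"total": 0, "nx": 0, "suspect": 0, "labels": set()})
    for _ts, src, qname, rcode in records:
        if not qname.endswith("." + zone):
            continue                       # query for another zone; ignore
        label = qname[: -len(zone) - 1]    # everything left of ".zone"
        s = per_src[src]
        s["total"] += 1
        s["labels"].add(label)
        s["nx"] += int(rcode == "NXDOMAIN")
        s["suspect"] += int(label not in known_labels and shannon_entropy(label) >= ent)
    return {src: s for src, s in per_src.items()
            if s["total"] >= min_q
            and s["nx"] / s["total"] >= ratio
            and s["suspect"] / s["total"] >= ratio
            and len(s["labels"]) / s["total"] >= ratio}
```

In a real deployment the baseline of known labels and the thresholds would come from the zone's own historical query data rather than the constants above.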
The rise of the Virtual Machine Botnets
The era of VM-based DDoS botnets has arrived with hyper-volumetric DDoS attacks. These botnets comprise Virtual Machines (VMs, or Virtual Private Servers, VPS) rather than Internet of Things (IoT) devices, making them much more powerful, up to 5,000 times stronger. These botnets have executed some of the largest recorded DDoS attacks, including the 71 million requests per second DDoS attack. Multiple organisations, including an industry-leading gaming platform provider, have already been targeted by this new generation of botnets.
Cloudflare has proactively collaborated with prominent cloud computing providers to combat these new botnets. Significant components of these botnets have been neutralised through these providers’ quick and dedicated actions. Since this intervention, Cloudflare has not observed any further hyper-volumetric attacks yet, a testament to the efficacy of the company’s collaboration.
“Startblast”: Exploiting Mitel vulnerabilities for DDoS attacks
In March 2022, we disclosed a zero-day vulnerability (CVE-2022-26143), TP240PhoneHome, identified in the Mitel MiCollab business phone system, exposing the system to UDP amplification DDoS attacks.
Over the past quarter, Cloudflare has seen additional emerging threats, such as DDoS attacks abusing the TeamSpeak3 protocol. This attack vector increased by a staggering 403% this quarter. TeamSpeak is a proprietary voice-over-Internet Protocol (VoIP) application that runs over UDP to help gamers talk with others in real time. Rival groups may launch DDoS attacks that target TeamSpeak servers to disrupt their communication path during real-time multiplayer games and thus impact their team’s performance.
DDoS hotspots: the origins of attacks
Overall, HTTP DDoS attacks increased by 15% QoQ despite a 35% decrease YoY. Additionally, network-layer DDoS attacks decreased this quarter by approximately 14%. Regarding the total volume of attack traffic, the US was the largest source of HTTP DDoS attacks. Three out of every thousand requests we saw were from HTTP DDoS attacks originating from the US. China came in second place, and Germany in third place.
Industries under attack: examining DDoS attack targets
When examining HTTP DDoS attack activity in Q2, Cryptocurrency websites were targeted with the largest amount of HTTP DDoS attack traffic. Six of every ten thousand HTTP requests towards Cryptocurrency websites behind Cloudflare were part of these attacks. This represents a 600% increase compared to the previous quarter. After Crypto, Gaming and Gambling websites came in second place; their attack share increased by 19% QoQ. Marketing and Advertising websites are not far behind in third place, with little change in their share of attacks.
The Media & Newspaper industries were the most attacked in the Middle East. The vast majority of attack traffic originated from Europe (74%).
Countries and regions under attack: examining DDoS attack targets
When examining the total volume of attack traffic, Israel leapt to the front last quarter as the most attacked country. This quarter, attacks targeting Israeli websites decreased by 33%, bringing it to fourth place. The US takes the lead again as the most attacked country, followed by Canada and Singapore. We get a different picture if we normalise the data per country and region and divide the attack traffic by the total traffic. Palestine jumps to first place as the most attacked country. Almost 12% of all traffic to Palestinian websites was HTTP DDoS attack traffic.
Ransom DDoS attacks
Occasionally, DDoS attacks are carried out to extort ransom payments. Unlike Ransomware attacks, where victims typically fall prey to downloading a malicious file or clicking on a compromised email link, which locks, deletes or leaks their files until a ransom is paid, Ransom DDoS attacks can be much simpler for threat actors to execute. Ransom DDoS attacks bypass the need for deceptive tactics such as luring victims into opening dubious emails or clicking on fraudulent links, and they don’t necessitate a breach into the network or access to corporate resources.
Over the past quarter, reports of Ransom DDoS attacks decreased. One out of ten respondents reported being threatened or subject to Ransom DDoS attacks.
Commenting on the report, Bashar Bashaireh, Managing Director & Head of Sales – Middle East and Türkiye at Cloudflare, said: “In recent months, there’s been an alarming escalation in the sophistication of DDoS attacks. And even the largest and most sophisticated attacks we’ve seen may only last a few minutes or seconds — which doesn’t give a human sufficient time to respond.”
“Security is not one product or a click of a button, but rather a process involving multiple layers of defence to reduce the impact risk. Cloudflare’s automated DDoS defence systems consistently safeguard our clients from attacks, freeing them to focus on their core business operations. These systems are complemented by the vast breadth of Cloudflare capabilities such as firewall, bot detection, API protection, and caching, which can all reduce the impact risk. The DDoS threat landscape is evolving and increasingly complex, demanding more than quick fixes. Thankfully, our clients can navigate these challenges confidently with Cloudflare’s multi-layered defences and automatic DDoS protections. Our mission is to help build a better Internet, and so we continue to stand guard, ensuring a safer and more reliable digital realm for all.”