DDoS attacks are still growing and there are new threats on the horizon


The scale of distributed denial of service (DDoS) attacks continues to grow, with new attacks piling the pressure on those attempting to protect networks.

A DDoS attack aims to disrupt websites or apps by overwhelming their servers with more junk traffic than they can handle, stopping legitimate traffic from getting through – like stuffing a letterbox with junk mail.

Network and security company Cloudflare said it had mitigated 4.5 million DDoS attacks for customers in the first quarter of 2024, equivalent to 32% of all the DDoS attacks it saw the previous year.

In its latest quarterly update, the company said HTTP DDoS attacks increased by 93% year-over-year and 51% quarter-over-quarter, which amounts to 10.5 trillion DDoS-based HTTP requests.

Network-layer DDoS attacks, also known as L3/4 DDoS attacks, increased by 28% year-over-year but just 5% quarter-on-quarter, to around 59 petabytes of DDoS traffic.

Many of the network-layer DDoS attacks topped a rate of 1Tbps, on an almost weekly basis. Cloudflare said the largest attack that it had seen so far this year was launched by a Mirai-variant botnet, which reached 2Tbps.

Mirai-based botnets are mostly made up of internet of things (IoT) devices like routers or web cameras; while variants of Mirai have been around for years now, DDoS attacks using them are still common. Cloudflare said 4% of HTTP DDoS attacks and 2% of L3/4 DDoS attacks are launched by a Mirai-variant botnet.

DNS-based DDoS attacks have become the most common attack vector when it comes to network-layer attacks. In the first quarter of 2024, DNS-based DDoS attacks accounted for over half (54%) of all L3/4 attacks.

In aggregate, HTTP DDoS attacks remain (just about) the leading form of attacks, accounting for 37% of all DDoS attacks. DNS DDoS attacks make up 33%, and the remaining 30% is left for all other types of L3/4 attacks, such as SYN Flood and UDP Floods.

In terms of emerging threats, the company said Jenkins Flood is rising rapidly. This is a DDoS attack that exploits vulnerabilities in the Jenkins automation server: Attackers can send small, specially crafted requests to a publicly facing UDP port on Jenkins servers, causing them to respond with what Cloudflare called “disproportionately large amounts of data”. This can amplify the traffic volume and overwhelm the target's network. Even though the vulnerability was fixed years ago, it is still being abused in the wild to launch DDoS attacks.

Cloudflare also highlighted the recently discovered HTTP/2 Continuation Flood. This potentially allows even a single machine to disrupt websites and APIs using HTTP/2, and is hard to detect because there are no visible requests in HTTP access logs.


Cloudflare said this new vulnerability poses a potentially severe threat – potentially more damaging than the HTTP/2 Rapid Reset, which resulted in some of the largest HTTP/2 DDoS attack campaigns so far. However, the company said it was not currently aware of anyone exploiting this vulnerability in the wild.
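As an added illustration (not from Cloudflare's report or this article): the flood relies on HTTP/2 header blocks whose CONTINUATION frames never set END_HEADERS, so the request never completes and nothing reaches the access log, which is why the check has to happen at the frame layer. The function names, the limits and the sample bytes below are assumptions constructed for this example; frame types and flags are those of RFC 9113.

```python
import struct

# Frame type and flag values from RFC 9113 (HTTP/2).
HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4
FRAME_HEADER_LEN = 9  # 24-bit length, type, flags, 31-bit stream id

def frame(ftype, flags, sid, payload):
    """Build one HTTP/2 frame (used only to construct the sample input)."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

def parse_frames(buf):
    """Yield (type, flags, stream_id, payload_len) for each complete frame."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        length = (hi << 16) | lo
        if pos + FRAME_HEADER_LEN + length > len(buf):
            break  # truncated frame: wait for more bytes
        yield ftype, flags, sid & 0x7FFFFFFF, length
        pos += FRAME_HEADER_LEN + length

def check_connection(buf, max_continuations=8, max_block_bytes=16384):
    """Flag header blocks that stay open past the limits (assumed values)."""
    findings, open_sid, count, size = [], None, 0, 0
    for ftype, flags, sid, length in parse_frames(buf):
        if ftype == HEADERS:
            open_sid, count, size = sid, 0, length
        elif ftype == CONTINUATION and sid == open_sid:
            count, size = count + 1, size + length
        else:
            continue
        if flags & END_HEADERS:
            open_sid = None  # block complete: the request can now be logged
        elif count > max_continuations or size > max_block_bytes:
            findings.append({"stream": sid, "continuations": count, "bytes": size})
            open_sid = None  # a server would reset the connection at this point
    return findings

# Constructed sample input: one ordinary request split over two frames, and one
# header block that is never terminated.
NORMAL = frame(HEADERS, 0, 1, b"a" * 30) + frame(CONTINUATION, END_HEADERS, 1, b"b" * 30)
UNTERMINATED = frame(HEADERS, 0, 3, b"a" * 30) + frame(CONTINUATION, 0, 3, b"b" * 10) * 20

if __name__ == "__main__":
    print(check_connection(NORMAL))
    print(check_connection(UNTERMINATED))
```

Enforcing such caps in the server or proxy itself, rather than in log analysis, is what closes the gap, since the access log never sees these streams.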

In the first quarter of 2024, the top attacked industry by HTTP DDoS attacks in North America was marketing and advertising; globally, the gaming and gambling industry was the number one most targeted. And while the ‘IT and internet’ industry was the most targeted by network-layer DDoS attacks, this is possibly because these companies are acting as what Cloudflare described as “super aggregators” of attacks and receive DDoS attacks that are really targeting their end customers.

However, Cloudflare said that when the data is normalized by dividing the attack traffic by the total traffic for an industry, law firms and legal services are the most attacked industry, as over 40% of their traffic was HTTP DDoS attack traffic, followed by the biotechnology industry. Even when normalized in the same way, internet companies were still the most targeted industry by L3/4 DDoS attacks, with almost a third of their traffic being attacks.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.