Cloudflare has announced its 2024 Q2 DDoS report. This report includes insights and trends about the DDoS threat landscape — as observed across the global Cloudflare network, which is one of the largest in the world. With a 280 terabit per second network located across over 230 cities worldwide, serving 19% of all websites, Cloudflare holds a unique vantage point, which enables the company to provide valuable insights and trends to the broader Internet community.
Key findings
- Cloudflare recorded a 20% year-over-year increase in DDoS attacks.
- 1 out of every 25 survey respondents said that DDoS attacks against them were carried out by state-level or state-sponsored threat actors.
- Threat actor capabilities reached an all time high as our automated defenses generated 10 times more fingerprints to counter and mitigate the ultra-sophisticated DDoS attacks.
Threat actor sophistication fuels the continued increase in DDoS attacks
In the first half of 2024, Cloudflare mitigated 8.5 million DDoS attacks: 4.5 million in Q1 and 4 million in Q2. Overall, the number of DDoS attacks in Q2 decreased by 11% quarter-over-quarter but increased 20% year-over-year.
For context, in the entire year of 2023, the company mitigated 14 million DDoS attacks, and half way through 2024, it has already mitigated 60% of last year’s figure.
Cloudflare successfully mitigated 57 petabytes of network-layer DDoS attack traffic, preventing it from reaching its customers’ origin servers. To put this in perspective, Netflix’s entire catalogue, which is estimated to be between 100 and 360 terabytes, could fit at least 162 times within the 57 petabytes of traffic Cloudflare mitigated.
When broken down further, those 4 million DDoS attacks were comprised of 2.2 million network-layer DDoS attacks and 1.8 million HTTP DDoS attacks. This number of 1.8 million HTTP DDoS attacks has been normalised to compensate for the explosion in sophisticated and randomised HTTP DDoS attacks. Cloudflare’s automated mitigation systems generate real-time fingerprints for DDoS attacks, and due to the random nature of these sophisticated attacks, it observed many fingerprints being generated for single attacks. The actual number of fingerprints that was generated was closer to 19 million – over ten times larger than the normalised figure of 1.8 million. The millions of fingerprints that were generated to deal with the randomisation stemmed from a few single rules. These rules did their job to stop attacks, but they inflated the numbers, so Cloudflare excluded them from the calculation.
This ten-fold difference underscores the dramatic change in the threat landscape. The tools and capabilities that allowed threat actors to carry out such randomised and sophisticated attacks were previously associated with capabilities reserved for state-level actors or state-sponsored actors. But, coinciding with the rise of generative AI and autopilot systems that can help actors write better code faster, these capabilities have made their way to the common cyber-criminal.
Ransom DDoS attacks
In May 2024, the percentage of attacked Cloudflare customers that reported being threatened by a DDoS attack threat actor or subjected to a Ransom DDoS attack reached 16% – the highest it’s been in the past 12 months. The quarter started relatively low, at 7% of customers reporting a threat or a ransom attack. That quickly jumped to 16% in May and slightly dipped in June to 14%.
Overall, ransom DDoS attacks have been increasing quarter over quarter throughout the past year. In 2024 Q2, the percentage was 12.3%, slightly higher than the previous quarter (10.2%) but similar to the percentage of the year before (also 12.0%).
Threat actors
75% of respondents reported that they did not know who attacked them or why. These respondents are Cloudflare customers that were targeted by HTTP DDoS attacks.
Of the respondents that claim they did know, 59% said it was a competitor who attacked them. Another 21% said the DDoS attack was carried out by a disgruntled customer or user, and another 17% said that the attacks were carried out by state-level or state-sponsored threat actors. The remaining 3% reported it being a self-inflicted DDoS attack.
Top attacked countries and regions
In the second quarter of 2024, China was ranked the most attacked country in the world. This ranking takes into consideration HTTP DDoS attacks, network-layer DDoS attacks, the total volume and the percentage of DDoS attack traffic out of the total traffic.
After China, Turkey came in second place, followed by Singapore, Hong Kong, Russia, Brazil, and Thailand.
Most attacked industries
The Information Technology & Services was ranked as the most targeted industry in the second quarter of 2024. In second, the Food & Beverages was the most attacked, following the Telecommunications, Services Providers and Carrier sector. Consumer Goods came in third place.
Largest sources of DDoS attacks
Libya was ranked as the largest source of DDoS attacks in the second quarter of 2024. Indonesia followed closely in second place, followed by Netherlands in third.
DDoS attack duration
The vast majority of DDoS attacks are short. Over 57% of HTTP DDoS attacks and 88% of network-layer DDoS attacks end within 10 minutes or less. This emphasizes the need for automated, in-line detection and mitigation systems. Ten minutes is hardly enough time for a human to respond to an alert, analyse the traffic, and apply manual mitigations. Approximately a quarter of HTTP DDoS attacks last over an hour and almost a fifth last more than a day. On the network layer, longer attacks are significantly less common. Only 1% of network-layer DDoS attacks last more than 3 hours.
DDoS attack size
Most DDoS attacks are relatively small. Over 95% of network-layer DDoS attacks stay below 500 megabits per second, and 86% stay below 50,000 packets per second. Similarly, 72% of HTTP DDoS attacks stay below 50,000 requests per second. Although these rates are small on Cloudflare’s scale, they can still be devastating for unprotected websites unaccustomed to such traffic levels. Despite the majority of attacks being small, the number of larger volumetric attacks has increased. One out of every 100 network-layer DDoS attacks exceed 1 million packets per second (pps), and two out of every 100 exceed 500 gigabits per second. On layer 7, four out of every 1,000 HTTP DDoS attacks exceed 1 million requests per second.
Commenting on the report, Bashar Bashaireh, Managing Director & Head of Sales – Middle East and Türkiye at Cloudflare, “The majority of DDoS attacks are small and quick. However, even these attacks can disrupt online services that do not follow best practices for DDoS defence. Threat actor sophistication is increasing, perhaps due to the availability of Generative AI and developer copilots, resulting in attack code that delivers DDoS attacks that are harder to defend against. Even before the rise in attack sophistication, many organisations struggled to defend against these threats on their own. But they don’t need to. Cloudflare is here to help. We invest significant resources – so you don’t have to – to ensure our automated defences, along with the entire portfolio of Cloudflare security products, can mitigate emerging threats.”