Cloudflare released its Distributed Denial of Service (DDoS) Threat Report for the fourth quarter of 2022. The report covers the DDoS attack landscape as detected by the Cloudflare network. HTTP DDoS attacks increased 79% year-over-year with ransom DDoS attacks seeing an increase as well. The report found that longer attacks are increasing especially with network-layer DDoS attacks.
Cloudflare found that attacks exceeding 100 gigabits per second increased by 67% quarter-over-quarter (QoQ). Attacks that lasted longer than three hours also increased by 87% QoQ. Omer Yoachimik, product manager at Cloudflare, notes that for HTTP DDoS attacks:
While most of these attacks were small, Cloudflare constantly saw terabit-strong attacks, DDoS attacks in the hundreds of millions of packets per second, and HTTP DDoS attacks peaking in the tens of millions of requests per second launched by sophisticated botnets.
In August of 2022, Google claimed that they fended off a DDoS attack that peaked at 46 million requests per second. Emil Kiner, senior product manager at Google, and Satya Konduru, engineering lead at Google, put the scale of the attack into perspective:
To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.
Yoachimik shares that Cloudflare defended an attack against a Korean-based hosting provider that reached one terabyte per second. The attack in question was an ACK flood and was about one minute in duration. An ACK flood attempts to overload a server with TCP ACK packets. The server consumes resources processing the ACK packages, preventing it from handling legitimate requests.
Cloudflare found that HTTP DDoS attacks made up 35% of all traffic to Aviation and Aerospace Internet sites. For Education Management companies 92% of traffic was part of network-layer DDoS attacks. Yoachimik also shared that 93% of network-layer traffic to Chinese Internet properties was part of network-layer DDoS attacks.
Ransom DDoS attacks also increased with 16% of Cloudflare survey respondents reporting they received a threat or ransom request as part of a DDoS attack. In a ransom DDoS attack, the attackers demand a ransom payment in order to stop the ongoing attack. This was a 14% increase QoQ, but a 16% decrease year-over-year (YoY).
In terms of new threats, Yoachimik reports that Memcached-based DDoS attacks saw a 1,338% increase QoQ. Memcached, a caching service, can be abused by requesting content from the system with a spoofed IP as the source IP in the UDP packet. Memcached will then return the requested content flooding the spoofed IP. According to Yoachimik, these responses "can be amplified by a factor of up to 51,200x".
More findings from the report can be found on the Cloudflare blog.