Cloudflare DDoS Report Finds Increase in Attack Volume and Duration

Published on Jan 16, 2023

The Cloudflare Distributed Denial of Service Threat Report for the fourth quarter of 2022 has been published. The purpose of this report is to describe the DDoS attack landscape as detected by the Cloudflare network. HTTP DDoS attacks have increased by 79% over the past year, as have ransom DDoS attacks. There has been an increase in longer attacks, especially with network-layer DDoS attacks, according to the report.

According to Cloudflare, attacks exceeding 100 gigabits per second increased by 67% quarter-over-quarter (QoQ). In addition, attacks lasting longer than three hours increased by 87% from one quarter to the next.

A DDoS attack that peaked at 46 million requests per second was claimed by Google in August of 2022. An overview of the scale of the attack was provided by Emil Kiner, Senior Product Manager at Google, and Satya Konduru, Engineering Lead at Google

Yoachimik reports that Cloudflare successfully defended a terabyte-per-second attack against a Korean hosting provider. The attack in question was an ACK flood lasting about one minute. An ACK flood is an attempt to overload a server with TCP ACK packets. As a result of processing the ACK packages, the server consumes resources, which prevents it from handling legitimate requests.

Cloudflare found that HTTP DDoS attacks accounted for 35% of all traffic to Aviation and Aerospace Internet sites. There were network-layer DDoS attacks that affected 92% of traffic for Education Management companies. According to Yoachimik, 93% of network-layer traffic to Chinese Internet properties is a result of DDoS attacks at the network layer.

16% of Cloudflare survey respondents reported receiving a threat or ransom request as part of a DDoS attack. During a ransom DDoS attack, the attackers demand a ransom payment in order to cease the attack. There was an increase of 14% QoQ but a decrease of 16% year-over-year (YoY).

Yoachimik reports a 1,338% increase in Memcached-based DDoS attacks QoQ in terms of new threats. An abuse of Memcached, a caching service, can be accomplished by using a spoofed IP address as the source IP in a UDP packet to request content from the system. As a result, Memcached will return the requested content flooding the spoofed IP address. Yoachimik claims that these responses can be amplified by a factor of 51,200 times.