Layer 3/4 DDoS attacks continue to rise with shelter-in-place

Organizations are scrambling to respond to the ‘new normal’—shifting services online, weathering traffic surges, and supporting newly remote workers. Based on observed attack data, we have seen that this scramble—and the increasing importance of the Internet to our daily lives—presents attackers with an opportunity to increase their malicious activity.

This report shows the data behind this trend and offers suggestions on how to respond.

Global data shows increases in attack frequency and decreases in size

Based on attack data observed from April to June of 2020, Cloudflare has identified the following trends:

• The number of Layer 3/4 DDoS attacks observed over our network doubled from the first three months of the year.

• Most attacks in Q2 2020 were smaller in size—but that’s not necessarily good news

• The U.S. was the country with the most DDoS attacks

The number of global Layer 3/4 DDoS attacks doubled in Q2 2020

DDoS attacks that target Layer 3 and 4—also known as the Network and Transport layers of the OSI model—use functions in those two layers (e.g. server pings in Layer 3 and TCP SYN packets in Layer 4) to overwhelm a targeted server with junk traffic.

In analyzing Layer 3/4 DDoS attacks, we saw the number of attacks spike sharply in April, May, and June. May and June alone accounted for over 50% of all Layer 3/4 attacks this year:

This period also saw some of the largest attacks. The largest attack category Cloudflare evaluated was those delivering over 100 Gigabits-per-second (Gbps) in attack volume. Of all the 100+ Gbps attacks to have occurred in Q2 2020, 63% of them took place in May—a significant surge in large attacks compared to Q1.

Most attacks in Q2 2020 were smaller in size—but that’s not necessarily good news

There are different ways of measuring a DDoS attack’s size. One is the volume of traffic it delivers, measured in bit rate (specifically, Gigabits-per-second). Another is the number of packets it delivers, measured in packet rate (specifically, packets-per-second). Attacks with high bit rates attempt to saturate the Internet link, and attacks with high packet rates attempt to overwhelm the routers or other in-line hardware devices.

In April, May, and June, over half of attacks delivered under 1 Gbps in traffic, and nearly 90% delivered under 10 Gbps. (This trend is consistent with attacks in Q1 of 2020, of which 92% delivered under 10 Gbps.)

Similarly, approximately 76% of all attacks had packet rates of under one million pps - a comparatively low threshold.

The United States saw the most Layer 3/4 DDoS attacks

When we look at the L3/4 DDoS attack distribution by country, our data centers in the United States received the most number of attacks (22.6%), followed by Germany (4.4%), Canada (2.8%) and Great Britain (2.7%).

How organizations can respond to these trends

Based on these trends, we can draw the conclusions below. We also offer recommendations on how to respond:

• Attackers appear to have increased their Layer 3/4 DDoS activity when the Covid-19 pandemic began in earnest.

  With the pandemic projected to continue for some time, organizations should ensure their Layer 3 and 4 infrastructure is prepared to resist DDoS attacks for the long term.

• Smaller attacks can still be a problem.

  An attack with a bit rate below 10 Gbps is still capable of taking down a site without proper protection, as can attacks with lower packet rates. Organizations should invest in protection for attacks of many sizes.

• Smaller attacks can be the opening salvo of a broader strategy

  , in which attackers extort a ransom from companies in exchange for not disrupting their Internet property—or aim to distract security teams from a separate attack. Organizations should ensure they are able to monitor their infrastructure for attacks of all sizes, rather than just large attacks which take down entire servers.

• Attacks are coming from sources all across the world.

  Organizations should invest in the capability to inspect and scrub all traffic from many points across the globe at once.

A large cloud-based network is the only truly viable answer for all of these challenges. It puts DDoS protection on a single control plane at the network edge to stop attacks as close to their source as possible — so origin servers remain safe and secure whether they’re located on-premise or in the cloud. And its size allows it to distribute attack traffic across a large network surface, so no one data center bears the brunt and suffers from worse performance.

These findings were drawn from the Cloudflare network, which spans 200+ cities in 100+ countries while blocking over 72 billion cyber threats per day. Because of our unique 360-degree view across the DDoS threat landscape, Cloudflare is able to collect a wealth of data about these pervasive attacks as they evolve. The Cloudflare network learns continuously from every attack while automatically sharing intelligence to thwart the next attack. And it delivers robust DDoS security across your enterprise without slowing network and application performance.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.