Layer 3/4 DDoS attacks continue to rise with shelter-in-place

Organizations are scrambling to respond to the ‘new normal’—shifting services online, weathering traffic surges, and supporting newly remote workers. Based on observed attack data, we have seen that this scramble—and the increasing importance of the Internet to our daily lives—presents attackers with an opportunity to increase their malicious activity.

This report shows the data behind this trend and offers suggestions on how to respond.

Global data shows increases in attack frequency and decreases in size

Based on attack data observed from April to June of 2020, Cloudflare has identified the following trends:

The number of global Layer 3/4 DDoS attacks doubled in Q2 2020

DDoS attacks that target Layer 3 and 4—also known as the Network and Transport layers of the OSI model—use functions in those two layers (e.g. server pings in Layer 3 and TCP SYN packets in Layer 4) to overwhelm a targeted server with junk traffic.

In analyzing Layer 3/4 DDoS attacks, we saw the number of attacks spike sharply in April, May, and June. May and June alone accounted for over 50% of all Layer 3/4 attacks this year:

This period also saw some of the largest attacks. The largest attack category Cloudflare evaluated was those delivering over 100 Gigabits-per-second (Gbps) in attack volume. Of all the 100+ Gbps attacks to have occurred in Q2 2020, 63% of them took place in May—a significant surge in large attacks compared to Q1.

Most attacks in Q2 2020 were smaller in size—but that’s not necessarily good news

There are different ways of measuring a DDoS attack’s size. One is the volume of traffic it delivers, measured in bit rate (specifically, Gigabits-per-second). Another is the number of packets it delivers, measured in packet rate (specifically, packets-per-second). Attacks with high bit rates attempt to saturate the Internet link, and attacks with high packet rates attempt to overwhelm the routers or other in-line hardware devices.

In April, May, and June, over half of attacks delivered under 1 Gbps in traffic, and nearly 90% delivered under 10 Gbps. (This trend is consistent with attacks in Q1 of 2020, of which 92% delivered under 10 Gbps.)

Similarly, approximately 76% of all attacks had packet rates of under one million pps - a comparatively low threshold.

The United States saw the most Layer 3/4 DDoS attacks

When we look at the L3/4 DDoS attack distribution by country, our data centers in the United States received the most number of attacks (22.6%), followed by Germany (4.4%), Canada (2.8%) and Great Britain (2.7%).

How organizations can respond to these trends

Based on these trends, we can draw the conclusions below. We also offer recommendations on how to respond:

A large cloud-based network is the only truly viable answer for all of these challenges. It puts DDoS protection on a single control plane at the network edge to stop attacks as close to their source as possible — so origin servers remain safe and secure whether they’re located on-premise or in the cloud. And its size allows it to distribute attack traffic across a large network surface, so no one data center bears the brunt and suffers from worse performance.

These findings were drawn from the Cloudflare network, which spans 250200+ cities in 100100+ countries while blocking over 72 billion cyber threats per day. Because of our unique 360-degree view across the DDoS threat landscape, Cloudflare is able to collect a wealth of data about these pervasive attacks as they evolve. The Cloudflare network learns continuously from every attack while automatically sharing intelligence to thwart the next attack. And it delivers robust DDoS security across your enterprise without slowing network and application performance.

This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.

Dive deeper on this topic

Explore more data on DDoS trends—including the prevalence of different attack vectors—and learn how certain companies have handled similar threats in the full data report.

Get the report