Infrastructure Trends and Traffic Insights


December 16, 2024

An organization’s digital infrastructure is the foundation of business operations and service availability. As the cyber threat landscape changes from day to day, organizations rely on threat intelligence to keep pace with malicious actors.   

However, security teams face challenges when trying to gain insights from real-world activities. For example, mitigating Distributed Denial of Service (DDoS) attack risks can feel overwhelming as threat actors deploy evasion techniques, like carpet bombing attacks. To protect business reputation and customer trust, organizations need to monitor for and protect against damaging service disruptions.  

This monthly roundup of reports provides information to help defenders manage their cloud-based security.   

Every month, Vercara reports on trends across three critical infrastructure domains: 

  • Distributed Denial of Service (DDoS) attacks 
  • Domain Name Service (DNS) traffic 
  • Web Application Firewall (WAF) attacks 

DDoS: Decreased attacks may indicate shifting attacker focus  

DDoS activity in November returned to normal levels after a massive surge throughout 2024, which could be attributed to malicious actors undergoing a period of refit and reconstitution of their infrastructure. This may also indicate a strategic pause as they reassess their operational priorities and refine their capabilities to better align with emerging targets or objectives. Overall, DDoS attacks saw a substantial 67.23% month-over-month decrease. Of the data gathered, the following highlights offer insights:

  • 4,860 DDoS attacks detected, with Vercara’s monitoring and mitigation preventing approximately 1,805 hours of downtime 
  • A decrease in attacks across all Gbps categories, alongside an increase in packets per second (PPS) categories, may indicate malicious actors shifting behaviors
  • First time in 2024 the Travel and Tourism industry was in the top three targeted sectors, possibly seeking to disrupt the holiday season 
  • Carpet bombing attacks accounted for 61% of all observed DDoS attacks in November 2024 

 For more details, check out the DDoS Analysis Report

Three factors drive these large-scale DDoS attacks: 

  • Proliferation of botnets  
  • Increasing reliance on Internet of Things (IoT) devices 
  • Cloud-based virtual private servers (VPS) 

Carpet bombing continues to prevail 

In carpet bombing DDoS attacks, malicious actors target numerous IP addresses with smaller-sized attacks to evade detection, making mitigation more difficult. Small attacks between 0-0.5 Gbps accounted for 75.93% of November DDoS attacks.

The 208.77% month-over-month increase in observed attacks for the 100-150K packets per second (PPS) category aligns with other trends, indicating that malicious actors are targeting high packet rates to overwhelm the network infrastructure even when overall bandwidth decreases.    

Carpet bombing attacks remain the primary threat despite both small and mega attacks seeing a month-over-month decrease. However, mega attacks still had the highest month-over-month decrease:  

  • Small attacks (0-0.5 Gbps): -69.73%
  • Mega attacks (100+ Gbps): -78.95%

Since most organizations typically set alert triggers at higher gigabit levels, carpet bombing DDoS attacks create mitigation challenges because the threat actors: 

  • Remain under alerting thresholds 
  • Flood networks 
  • Rotate target IPs and destinations 
  • Rotate targeting method 
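
The threshold problem described above can be shown with a short detector that sums traffic per destination prefix instead of per IP address. This is an added example, not Vercara's code; the thresholds, the /24 grouping, the function names and the sample traffic are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for illustration only; tune them to your own baseline.
PER_IP_BPS = 1_000_000_000   # conventional per-destination alert: 1 Gbps
PREFIX_BPS = 5_000_000_000   # aggregate alert per prefix: 5 Gbps
PREFIX_PPS = 1_000_000       # aggregate alert per prefix: 1 Mpps
MIN_TARGETS = 32             # distinct destinations hit in one interval


def detect_carpet_bombing(samples, prefix_len=24):
    """samples: (dst_ip, bits_per_sec, packets_per_sec) tuples for one interval.

    Flags prefixes whose combined load is high and spread over many hosts,
    and records whether any single host would have tripped the per-IP alert.
    """
    agg = defaultdict(lambda: {"bps": 0, "pps": 0, "targets": set(), "max_bps": 0})
    for dst, bps, pps in samples:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        a = agg[net]
        a["bps"] += bps
        a["pps"] += pps
        a["targets"].add(dst)
        a["max_bps"] = max(a["max_bps"], bps)

    findings = []
    for net, a in agg.items():
        loaded = a["bps"] >= PREFIX_BPS or a["pps"] >= PREFIX_PPS
        if loaded and len(a["targets"]) >= MIN_TARGETS:
            findings.append({
                "prefix": str(net),
                "targets": len(a["targets"]),
                "gbps": round(a["bps"] / 1e9, 2),
                "kpps": round(a["pps"] / 1e3),
                "per_ip_alert_fired": a["max_bps"] >= PER_IP_BPS,
            })
    return findings


def constructed_samples():
    # Constructed data: 200 hosts in one /24 each receive 40 Mbps / 8 kpps,
    # while a single host in another /24 receives a conventional 2 Gbps flood.
    spread = [(f"198.51.100.{i}", 40_000_000, 8_000) for i in range(1, 201)]
    return spread + [("203.0.113.10", 2_000_000_000, 300_000)]


if __name__ == "__main__":
    for finding in detect_carpet_bombing(constructed_samples()):
        print(finding)
```

In the constructed data, the spread traffic adds up to 8 Gbps on one prefix while no single host comes near the per-IP threshold, so only the aggregate view reports it.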

Top three attack vectors show little surprise  

Total Traffic as an attack vector maintained its number one spot. The usual suspects regained their positions after NTP’s brief rise to prominence last month.   

The top four attack vectors for November were: 

  1. Total Traffic: 47.76% (compared to October’s 37.11%) 
  2. UDP: 16.86% (compared to October’s 12.23%)  
  3. TCP ACK: 11.44% 
  4. TCP SYN: 10.21% 

The number of observed DDoS attacks consisting of one DDoS vector increased from 70.89% in October to 78.81% in November.  

Top three industries 

For the first time in 2024, the Travel and Tourism industry was a top-targeted industry. Financial Services remained the most targeted industry, with Communication Service Providers falling out of the top three for the first time in a while. November’s top three industries by percentage of events were: 

  1. Financial Services: 60.27% (compared to October’s 56%) 
  2. Communication service providers: 28.16% (compared to October’s 23.69%) 
  3. Travel and Tourism: 4.93% 

DNS: Small shifts offer larger insights 

Despite being a shorter month compared to October, Vercara Managed DNS noted a 1.1% increase in overall web traffic for November. However, the daily queries remain statistically unchanged.   

Vercara’s UltraDNS observed 54 DDoS attacks targeted against the platform in November, a decrease compared to October’s 101.  

 For more details, check out the DNS Analysis report

IPv4 and IPv6 trends 

Overall, November followed in October’s footsteps with the same top three DNS query types:

  1. A Record 
  2. AAAA record (quad-A) 
  3. Name Server (NS) 

The consistent percentage of quad-A record queries indicates a continued shift toward IPv6 and its additional security benefits.   

Notably, HTTPS record queries surged to 143.60% of October’s quantity, highlighting the growing importance of secure communication protocols.  

DNS response codes remain statistically stable 

The top two response codes remained the same month-over-month: 

  1. “No Error”: most prevalent response code at 76.69%, a 0.20% month-over-month increase 
  2. “NXDomain”: 22.75%, a 4.14% month-over-month increase 

The NXDomain response code can indicate a misconfiguration or attackers using DNS enumeration tools that can cause a DDoS attack.
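
One way to separate the two causes named above in resolver logs, as an added example that is not part of the original report: a client whose failed lookups are almost all different names looks like enumeration, while a client that keeps failing on the same name looks like a misconfiguration. The log format, thresholds and labels are assumptions.

```python
from collections import defaultdict

# Assumed heuristics for illustration only, not vendor thresholds.
MIN_NX = 20          # ignore clients with only a handful of NXDOMAIN answers
NX_SHARE = 0.8       # enumeration: most of the client's answers are NXDOMAIN
UNIQUE_SHARE = 0.9   # enumeration: almost every failed name is different
REPEAT_SHARE = 0.1   # misconfiguration: the same few names fail repeatedly


def classify_nxdomain(log_lines):
    """Each line is '<client_ip> <qname> <rcode>'. Returns {client_ip: label}."""
    total = defaultdict(int)
    nx_names = defaultdict(list)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, rcode = parts
        total[client] += 1
        if rcode.upper() == "NXDOMAIN":
            nx_names[client].append(qname.lower().rstrip("."))

    labels = {}
    for client, names in nx_names.items():
        if len(names) < MIN_NX:
            continue
        unique = len(set(names)) / len(names)
        if len(names) / total[client] >= NX_SHARE and unique >= UNIQUE_SHARE:
            labels[client] = "enumeration-like"
        elif unique <= REPEAT_SHARE:
            labels[client] = "misconfiguration-like"
        else:
            labels[client] = "needs review"
    return labels


def constructed_log():
    # Constructed log lines using documentation addresses and example domains.
    log = [f"192.0.2.5 host{i}.example.com NXDOMAIN" for i in range(60)]
    log += ["192.0.2.5 www.example.com NOERROR"] * 5
    log += ["192.0.2.9 old-printer.corp.example NXDOMAIN"] * 50
    log += ["192.0.2.9 www.example.com NOERROR"] * 200
    log += ["192.0.2.7 typo.example.com NXDOMAIN"] * 3
    return log


if __name__ == "__main__":
    print(classify_nxdomain(constructed_log()))
```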

Industry sectors 

Industry sectors continue to work on and improve their DNS management, with November’s report showing both wins and areas for improvement.   

Generally, the DNS record-type queries provide insight into how the industry uses digital infrastructure. Some highlights include: 

  • Widespread requests for HTTPS records indicate an emphasis on secure web communications. 
  • Gaming and Gambling focus on MX records indicates the importance of reliable email communications.

Software/Web Services and IT/Technical Services 

These two industries received the most DNS queries, representing 81.34% of all DNS queries. Software/Web Services accounted for 45.33%, while IT/Technical Services accounted for 36.01%. The number indicates the sectors’ extensive reliance on robust DNS services for: 

  • Web hosting 
  • Cloud services 
  • Technical operations 

Additionally, the Software/Web Services industry had a significant presence of ‘No Error’ responses, indicating effective DNS management. 

Financial Services and Government sectors 

These two industries show a strong emphasis on DNS security by their adoption of DNSSEC to prevent spoofing and ensure data integrity.    

Web Application Firewall (WAF): Increased malicious and bot traffic 

During November, Vercara UltraWAF processed over 590 million web requests, a 0.87% decrease compared to October. Of these requests, 18.83% were malicious, and 2.78% were identified as bot traffic.  

Notable payloads targeted vulnerabilities in frameworks like Symfony, Jenkins, and Spring Boot. These payloads aimed to:

  • Exfiltrate sensitive files 
  • Execute arbitrary code 
  • Exploit database errors 

 For more details, check out the WAF Analysis report

On the up and up again  

November’s data found: 

  • 9.96% increase in malicious activity compared to October 
  • 20.72% increase in the amount of bot traffic compared to October

Top three: the more things change, the more they stay the same 

Along with these overall increases, November showed additional changes: 

  1. Cookie threat category remained most prevalent, accounting for 40.80% of malicious traffic  
  2. Command Injection came in second, accounting for 30.22% of malicious traffic 
  3. Invalid RFC threat came in third, accounting for 13.47% of malicious traffic

November countermeasure of the month 

This month features vulnerability signatures that allow WAF administrators to perform virtual patching against a point vulnerability in a:

  • Web server 
  • Web application 
  • Content management system 
  • Middleware 
  • Application framework 

Each signature correlates to a vulnerability, usually using an application name or Common Vulnerabilities and Exposures (CVE) identifier. Administrators can:

  • Search the pool of available signatures for an identifier  
  • Enable a signature 
  • Put it into “log” or “block and log” mode 

Turnkey Cloud-based Security with Vercara 

Vercara provides a turnkey, multilayered approach to security with UltraDNS, UltraDDoS, and UltraWAF. With Vercara’s comprehensive suite of solutions, organizations gain advanced security capabilities, insights for informed decision-making, and improved resilience against cyber threats.   

To learn how Vercara’s suite of solutions can help defend your organization, contact our sales team 

Last Updated: December 16, 2024