To keep business operations running, organizations increasingly rely on their digital infrastructure. However, gaining insight into digital infrastructure security and the threats facing it continues to be a challenge for security teams. This monthly roundup of reports provides information to help defenders manage their cloud-based security.
Every month, Vercara reports on trends across three critical infrastructure domains:
- Distributed Denial of Service (DDoS) attacks
- Domain Name System (DNS) traffic
- Web Application Firewall (WAF) attacks
DDoS: More of the same.
Overall, DDoS attacks saw a month-over-month increase, especially with regard to carpet bombing attacks.
- Vercara detected 10,157 DDoS attacks for August 2024, a 53% month-over-month increase compared to July 2024
- Vercara proactively prevented over 5,200 hours of potential downtime through monitoring and mitigation
- August also saw a 177% month-over-month increase in small-volume attacks (gbps)
For more details, see the Monthly DDoS Analysis Report.
Carpet bombing reclaims first place.
In carpet bombing DDoS attacks, malicious actors spread smaller-sized attacks over an entire target network block to evade detection, making mitigation more difficult. Carpet bombing attacks accounted for 53% of all August DDoS attacks, a substantial increase compared to July’s 40.46%.
Tracking with the rest of the DDoS data, while carpet bombing attacks saw an increase, mega attacks experienced a month-over-month decrease:
- Small attacks (0-0.5 Gbps): +68.93%
- Mega attacks (100+ Gbps): -7.25%
Carpet bombing DDoS attacks create mitigation challenges for most organizations since they typically set alert triggers at higher gigabit levels. However, in a carpet-bombing DDoS attack, the threat actors:
- Remain under alerting thresholds
- Flood networks
- Rotate target IPs and destinations
- Rotate or change attack vectors
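One way to catch traffic that stays under per-host triggers, shown as an added example (not Vercara's detection logic): sum per-destination rates across vectors, then aggregate over the covering network block. The thresholds, the /24 prefix length and the flow samples are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

PER_HOST_GBPS = 1.0    # assumed per-destination alert trigger
PER_BLOCK_GBPS = 5.0   # assumed aggregate trigger for one network block
MIN_TARGETS = 32       # assumed minimum distinct destinations to call it "spread"

def detect(flows, prefix_len=24):
    """flows: (dst_ip, vector, gbps) samples from one measurement interval.
    Returns (host_alerts, block_alerts)."""
    per_host = defaultdict(float)
    vectors = defaultdict(set)
    for dst, vector, gbps in flows:
        per_host[dst] += gbps        # sum across vectors so rotation does not hide volume
        vectors[dst].add(vector)

    # Classic view: alert only when a single destination crosses the trigger.
    host_alerts = sorted(ip for ip, rate in per_host.items() if rate >= PER_HOST_GBPS)

    # Carpet-bombing view: roll every destination up into its network block.
    blocks = defaultdict(lambda: {"gbps": 0.0, "targets": 0, "vectors": set()})
    for ip, rate in per_host.items():
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        blocks[net]["gbps"] += rate
        blocks[net]["targets"] += 1
        blocks[net]["vectors"] |= vectors[ip]

    block_alerts = {net: b for net, b in blocks.items()
                    if b["gbps"] >= PER_BLOCK_GBPS and b["targets"] >= MIN_TARGETS}
    return host_alerts, block_alerts

# Constructed sample: 200 hosts in one /24 each receive 0.04 Gbps over alternating
# vectors, plus ordinary traffic to one unrelated host.
SAMPLE = [(f"203.0.113.{i}", "udp" if i % 2 else "icmp", 0.04) for i in range(1, 201)]
SAMPLE.append(("198.51.100.7", "udp", 0.3))

if __name__ == "__main__":
    hosts, blocks = detect(SAMPLE)
    print("per-host alerts:", hosts)
    for net, b in blocks.items():
        print(net, round(b["gbps"], 2), "Gbps over", b["targets"], "targets",
              sorted(b["vectors"]))
```

On the sample, no single destination trips the per-host trigger, while the block-level aggregate does.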
The longest carpet bombing attack occurred on August 13, lasting 6 hours and 8 minutes.
The top 3 attack vectors remain consistent.
Total Traffic as an attack vector maintained its number one spot, with the second and third-place vectors also staying strong. The slight change in vectors was ICMP overtaking DNS Amplification by a margin of less than 1%.
The top four attack vectors for August were:
- Total Traffic: 39.25%
- UDP: 12.70%
- IP Fragmentation: 11.51%
- ICMP: 8.41%
Of note, only the Total Traffic vector saw an actual month-over-month increase from 32.14% to 39.25%. All other vectors saw at least a 2% decrease.
Top 3 industries.
Financial Services and Communication Service Providers once again swapped spots compared to July 2024, with August’s top three industries by percentage of events becoming:
- Financial Services: 33.68% (compared to July’s 30.45%)
- Communication service providers: 27.74% (compared to July’s 41.79%)
- Software/Web Services: 11.47% (compared to July’s 6.35%)
DNS: Small shifts offer larger insights.
As a shorter month compared to July, Vercara Managed DNS noted a 1.04% decrease in overall web traffic for August. However, the daily queries remain statistically unchanged.
Vercara’s UltraDNS observed 108 DDoS attacks targeted against the platform in August, statistically the same as July’s 110. The largest and longest DDoS attack against the platform for August 2024 was 271.69 gigabits per second (Gbps), lasting over 46 days. Of note, these attacks do not include smaller ones that the platform automatically mitigated.
For more details, see the Monthly DNS Analysis Report.
IPv6 Trends.
Overall, August followed in July’s footsteps with the top 3 DNS Query types:
- A Record
- AAAA record (quad-A)
- Name Server (NS)
The consistent percentage of quad-A record queries indicates a continued shift toward IPv6 and its additional security benefits.
Notably, the Resource Record Signature (RRSIG) record, a part of DNS Security Extensions (DNSSEC) and essential for DNS response verification and authenticity, experienced a 55% increase. This points to a significant shift toward DNSSEC adoption as a mitigation against DNS spoofing and cache poisoning attacks.
DNS response codes remain statistically stable.
The top two response codes remained the same month-over-month:
- “No Error”: most prevalent response code at 78.02%
- “NXDomain”: 21.54%
The NXDomain response code can indicate a misconfiguration or attackers using DNS enumeration tools that can cause a DDoS attack.
Industry sectors.
Industry sectors continue to work on and improve their DNS management, with August’s report showing both wins and areas for improvement.
Software/Web Services and IT/Technical Services.
These two industries received the most DNS queries, representing 79.09% of all DNS queries. The number indicates the sectors’ extensive reliance on robust DNS services for:
- Web hosting
- Cloud services
- Technical operations
Manufacturing.
This industry accounted for 13.12% of all DNS queries, noting the sector’s reliance on DNS for maintaining service availability. For this sector, DNS configurations across different record types indicate the focus on network management.
Web Application Firewall (WAF): Back to reality.
August broke the previous month-over-month trend for decreased web request volume, showing over 694,000 requests processed through Vercara UltraWAF. This was an increase of 14.02% compared to July. Aligned to this, Vercara UltraWAF found some additional increases in malicious traffic and bot traffic.
For more details, see the Monthly Web Application Firewall Report.
More traffic. More problems.
August’s data found:
- 197.26% increase in malicious activity compared to July
- 30.18% increase in the amount of bot traffic compared to July
Up. Up. And away.
Along with these overall increases, August showed additional changes:
- Signature Match threat category regained its number one spot, accounting for 48% of malicious traffic
- Field Consistency and Field Format both had a 3,500% month-over-month increase, indicating that malicious actors continue to attempt web request field manipulation
Coming in second and third to the Signature Match threat category were:
- CMD threat accounting for 17.81% of observed malicious traffic
- Cookie threat accounting for 15.63% of observed malicious traffic (a slight decrease from July’s 18.9%)
The Invalid RFC threat only accounted for 8.32% compared to July’s 17.31%.
August Countermeasure of the Month.
This month's featured countermeasure is the HTTP RFC Profile. It aggregates several discrete checks for anomalies in HTTP traffic that do not conform to the protocol standard, including:
- Incorrect HTTP protocol version
- Incorrect HTTP method
- Duplicate HTTP headers
- Duplicate Cookie names
- 4xx responses from the back-end server
- 5xx responses from the back-end server
- Incorrect termination of the headers
- Incorrect termination of the request body
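A sketch of what several of these request-side checks can look like over one fully buffered HTTP/1.x request, as an added example (not UltraWAF's implementation). The allowed methods and versions, the set of headers treated as non-repeatable, the finding names and both sample requests are constructed assumptions.

```python
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}  # assumed policy
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}                                     # assumed policy
SINGLETON_HEADERS = {"host", "content-length", "content-type", "cookie"}       # assumed policy

def rfc_anomalies(raw: bytes) -> list:
    """Return protocol-conformance findings for one buffered request."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                                   # header block must end with CRLF CRLF
        findings.append("headers-not-terminated")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        findings.append("malformed-request-line")
    else:
        method, _target, version = parts
        if method not in ALLOWED_METHODS:
            findings.append("bad-method")
        if version not in ALLOWED_VERSIONS:
            findings.append("bad-version")
    seen, cookies, length = set(), [], None
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or "\n" in line or "\r" in line:   # bare CR/LF or no field name
            findings.append("bad-header-line")
            continue
        key = name.strip().lower()
        if key in SINGLETON_HEADERS and key in seen:
            findings.append(f"duplicate-header:{key}")
        seen.add(key)
        if key == "cookie":
            cookies += [c.split("=", 1)[0].strip() for c in value.split(";") if c.strip()]
        elif key == "content-length" and value.strip().isdigit():
            length = int(value.strip())
    findings += [f"duplicate-cookie:{c}" for c in sorted({c for c in cookies if cookies.count(c) > 1})]
    if sep and length is not None and len(body) != length:   # body shorter or longer than declared
        findings.append("body-length-mismatch")
    return findings

# Constructed sample requests.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nCookie: sid=abc; theme=dark\r\n\r\n"
BAD = (b"FETCH /login HTTP/9.9\r\nHost: example.test\r\nHost: other.test\r\n"
       b"Cookie: sid=abc; sid=xyz\r\nContent-Length: 10\r\n\r\nuser=a")

if __name__ == "__main__":
    print(rfc_anomalies(GOOD))
    print(rfc_anomalies(BAD))
```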
Turnkey cloud-based security with Vercara.
Vercara provides a turnkey, multilayered approach to security with UltraDNS, UltraDDoS, and UltraWAF. With Vercara’s comprehensive suite of solutions, organizations gain advanced security capabilities, insights for informed decision-making, and improved resilience against cyber threats.