Vercara DDoS Analysis Report

Introduction.

Vercara offers a Distributed Denial-of-Service (DDoS) mitigation service, named UltraDDoS Protect, to its customers. UltraDDoS Protect provides high-performance, flexible, and automated protection across 15 Points of Presence (PoPs) and >15 Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks. You can find out more information about UltraDDoS Protect on its product page at https://vercara.com/ddos-protection. Additionally, Vercara uses UltraDDoS Protect to defend its UltraDNS, UltraDNS2, UltraDDR, and UltraWAF platforms against DDoS attacks.

This report is a summary of Distributed Denial-of-Service (DDoS) attacks detected and mitigated by UltraDDoS Protect for the month of February 2024. It is a recurring report highlighting monthly trends observed by our platform and analysts. This report is released as TLP:CLEAR except where noted.

Overall themes in DDoS attack traffic: 

  • Smaller DDoS attacks of less than 1Gbps are incredibly common, increasing in quantity, and very effective if targeted against vulnerable assets or services. 
  • Mega-attacks larger than 100 Gbps are statistically rare but require that you defend against them with a service provider that has adequate capacity.
  • Some attacks use less bandwidth but send millions of packets-per-second (Mpps), which crashes routers and firewalls rather than filling circuits as high-Gbps attacks do.
  • Multi-vector DDoS attacks use different simultaneous attack techniques to make it harder to analyze their traffic and easier to evade DDoS mitigation.
  • Attackers are using “carpet bombing” attacks, which launch a near-simultaneous series of short attacks against many IP addresses in a network block, to evade sampling and blocking of individual attack vectors and to subvert per-destination rate-limit thresholds.
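The carpet-bombing evasion in the last bullet can be caught by aggregating traffic per network block instead of per destination. The sketch below is an added example, not Vercara's detection logic; the thresholds, the /24 grouping and the sample traffic (documentation address ranges) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for illustration; tune them to your own baseline.
PER_DEST_BPS = 100_000_000       # per-destination alert threshold (100 Mbps)
PER_PREFIX_BPS = 1_000_000_000   # aggregate threshold for one block (1 Gbps)
MIN_DESTS = 32                   # distinct targets needed to call it carpet bombing
PREFIX_LEN = 24                  # block size used for aggregation

def classify(samples, prefix_len=PREFIX_LEN):
    """samples: iterable of (dst_ip, bits_per_second) for one time window.
    Returns {prefix: "per-destination" | "carpet-bombing" | "normal"}."""
    per_dest = defaultdict(int)
    for dst, bps in samples:
        per_dest[ipaddress.ip_address(dst)] += bps

    # Group destinations by their enclosing block.
    per_prefix = defaultdict(dict)
    for ip, bps in per_dest.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_prefix[net][ip] = bps

    verdicts = {}
    for net, dests in per_prefix.items():
        total = sum(dests.values())
        if any(bps >= PER_DEST_BPS for bps in dests.values()):
            # A classic single-target threshold already fires here.
            verdicts[str(net)] = "per-destination"
        elif total >= PER_PREFIX_BPS and len(dests) >= MIN_DESTS:
            # No single host is over threshold, but the block as a whole is.
            verdicts[str(net)] = "carpet-bombing"
        else:
            verdicts[str(net)] = "normal"
    return verdicts

def sample_window():
    """Constructed traffic for one window (not real measurements)."""
    carpet = [(f"203.0.113.{h}", 8_000_000) for h in range(1, 201)]  # 200 x 8 Mbps
    single = [("198.51.100.7", 400_000_000)]                         # one hot target
    quiet = [(f"192.0.2.{h}", 1_000_000) for h in range(1, 6)]       # background
    return carpet + single + quiet

if __name__ == "__main__":
    for prefix, verdict in sorted(classify(sample_window()).items()):
        print(prefix, verdict)
```

In the constructed window, every host in 203.0.113.0/24 stays well below the per-destination threshold, yet the block receives 1.6 Gbps in total, which only the per-prefix aggregate reveals.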

Stats at a glance.

Total Number of Attacks: 7907 (73.32% increase from January 2024)

Number of Mega Attacks (100+ Gbps): 90 (1.13% of all observed attacks) (15.38% increase from January 2024)

Largest DDoS Attack (Gbps): 556.82 Gbps

Largest DDoS Attack (million packets-per-second): 68.21 Mpps

Longest DDoS Attack: 3.48 Days

Average DDoS Attack (Gbps): 5.96 Gbps

Average DDoS Attack (packets-per-second): 872,000 pps

Average Duration: 29.94 minutes

Unique vs Carpet Bombing: 47.05% Unique / 52.95% Carpet Bombing

Top Industry Targeted: Communication Service Providers (37.25%; a 13.59% increase from January 2024)

Attack statistics and trends. 

February 2024 saw 7907 DDoS attacks detected by the Vercara UltraDDoS Protect platform, a 73.32% increase from the post-holiday lull of January 2024. The largest DDoS attack observed during February 2024 consisted of over 556.82 Gigabits per second (Gbps) with over 54 million packets-per-second (Mpps). The most common attack size was between 0 Gbps and 0.5 Gbps, with 3407 (43.23%) of all observed attacks. Attacks between 1-5 Gbps in size were second in frequency with 2191 (27.80%), and attacks between 0.5-1 Gbps in size were third with 1050 (13.32%) of observed attacks. The largest packet attack observed consisted of over 68.21 million packets-per-second. By packet rate, the most frequent attacks were between 100-150K and 40-50K packets-per-second.

Gigabit-per-second

| Gbps | Total Count | % |
|---|---|---|
| 0-0.5 | 3407 | 43.23% |
| 0.5-1 | 1050 | 13.32% |
| 1-5 | 2191 | 27.80% |
| 5-10 | 422 | 5.35% |
| 10-50 | 604 | 7.66% |
| 50-100 | 118 | 1.50% |
| 100+ | 90 | 1.14% |

Packets-per-second (PPS)

| PPS | Total Count | % |
|---|---|---|
| 0-10K | 587 | 7.45% |
| 10-20K | 413 | 5.24% |
| 20-30K | 545 | 5.76% |
| 30-40K | 503 | 6.38% |
| 40-50K | 630 | 7.99% |
| 50-60K | 376 | 4.77% |
| 60-70K | 252 | 3.20% |
| 70-80K | 213 | 2.70% |
| 80-90K | 195 | 2.47% |
| 90-100K | 243 | 3.08% |
| 100-150K | 770 | 9.77% |
| 150-200K | 628 | 7.97% |
| 200-250K | 340 | 4.31% |
| 250-300K | 236 | 2.99% |
| 300-400K | 367 | 4.66% |
| 400-500K | 211 | 2.68% |
| 500K-1M | 471 | 5.98% |
| 1-2M | 365 | 4.63% |
| 2-3M | 131 | 1.66% |
| 3-5M | 147 | 1.87% |
| 5-10M | 181 | 2.30% |
| 10+M | 169 | 2.14% |

The chart below shows the percentage of change in both gigabit-per-second and packet-per-second observed from January 2024 to February 2024. The largest change was in attacks of between 5 and 10 Gbps, with an increase of 162.11% compared to the prior month. Mega attacks of over 100 Gbps continue to rise and had an increase of 15.38% in February compared to January. For packets-per-second (pps), the largest changes were in attacks of 90-100K pps, with an increase of 452.27%, and 100-150K pps, with an increase of 416.78%.

On February 27th, there were 2332 DDoS attacks observed, a 1,171% increase from the daily average. These attacks were primarily against an online education provider, and Vercara was able to mitigate all observed DDoS attacks with no degradation, not only to the targeted customer but to any other Vercara customer.

 

The chart below shows the correlation between Gbps and pps observed during February 2024.

The chart below shows the correlation between Gbps and the duration of DDoS attacks observed during February 2024.

DDoS attacks by day of the week and by hour.

Looking at what days of the week saw the most DDoS attacks, for the month of February 2024 Tuesday was the most prolific day with 36.66% of all DDoS attacks occurring on that day. Thursday was the second day of the week with the most DDoS attacks with 12.93% and Wednesday was third with 12.19%.

Regarding what time of day DDoS attacks were observed, for February 2024, the time between 2200-2300UTC saw the most attacks with 14.18%. The time between 2100-2200UTC was second with 10.45% and the time between 2300-0000UTC was third with 9.81%.

Unique vs carpet bombing DDoS attacks.

For February 2024, carpet bombing DDoS attacks accounted for 52.95% of all observed attacks, a 101.59% increase from January 2024. This has been a continuing trend.

Below are some notable Carpet-Bombing attacks observed during February 2024.

| Date | DDoS Attacks | Duration |
|---|---|---|
| February 1st | 40 | 3 Hours and 10 Minutes |
| February 4th | 109 | 3 Hours and 10 Minutes |
| February 9th | 156 | 4 Hours and 40 Minutes |
| February 13th | 22 | 17 Minutes |
| February 14th | 129 | 4 Hours and 35 Minutes |
| February 19th | 122 | 4 Hours and 25 Minutes |
| February 24th | 120 | 5 Hours and 25 Minutes |
| February 27th | 2115 | 2 Hours and 45 Minutes |
| February 29th | 115 | 4 Hours and 25 Minutes |

Below is the visual representation of the carpet-bombing attack that occurred on February 29th, 2024. This carpet-bombing attack consisted of 115 different DDoS waves that averaged between five and six minutes with the longest attack lasting approximately four hours and thirty minutes.

Attack vectors.

For February 2024, the most prevalent attack vector observed was the Total Traffic vector with 33.74% of all attacks utilizing this method. The Total Traffic vector comprises most carpet-bombing attacks. The UDP vector was second with 14.48%. The TCP/ACK vector was third with 10.26%. Additionally, 64.86% of DDoS attacks consisted of only one attack vector and 35.14% of DDoS attacks consisted of two or more vectors per attack. This prevalence of single-vector attacks in February seems to be somewhat of an anomaly but could be tied to Total Traffic being an attack vector that can encompass several low-level attack methods.

Events by targeted industry. 

The most prevalent target for malicious traffic was the Communication Services Providers (CSP) industry with 37.25% of observed attacks. CSP attacks entail a high level of collateral damage to downstream customers. The Financial Services industry was second with 29.64%. The Wholesale Distribution industry was third with 12.38% of observed malicious traffic.

Attacks by source country.

During this reporting period, the United States was observed to have the most originating DDoS traffic with 23.28%. This is due to malicious actors using United States-based botnets as well as Virtual Private Servers (VPS) located in the United States to hide their true locations. US-based cloud services and botnets comprised of many compromised IoT devices provide easy access to high-quality bandwidth that is very attractive for bad actors to leverage. China was second for this reporting period with 15.21% of DDoS traffic observed. 13.67% of all DDoS traffic was classified as “Unknown” because the source location of the traffic could not be identified. It is important to note that DDoS source IPs can be spoofed (depending on the attack vector and tool), so the true source origin of all the attack traffic may vary. High numbers of compromised IoT devices, access to very high bandwidth VPS on major cloud providers, and concentration of spoofable allocated IP blocks may contribute to the source country distribution.

The Asian continent was the source continent for 37.99% of all observed DDoS attacks. The North American continent was second with 26.05% and the European continent was third with 14.69%.

This document is released as TLP:CLEAR. Traffic Light Protocol definitions and usage are maintained by the Forum of Incident Response and Security Teams at https://www.first.org/tlp/.

About Vercara.

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our solutions overview page or contact us.