The internet is massive, and it only continues to grow as more businesses build their brand online. This growth also increases cyberattacks that can disrupt and even damage a business’s online presence. As a result, the first half of the year has seen record-breaking surges in website traffic and attacks meant to cause operational outages.
Domain Name System (DNS) requests surged in the first half of the year, highlighting the expansive sprawl of websites users visited. Along with DNS requests, Distributed Denial-of-Service (DDoS) attacks remained a nuisance for businesses, with stealthier “carpet bomb” attacks rising to prominence and making this the “Year of Carpet Bombs.”
To help security teams and businesses stay informed, Vercara’s Cyber Threat Intelligence Team publishes biannual reports summarizing trends and key findings gleaned from our UltraDNS and UltraDDoS solutions.
Our biannual reports explore how Vercara enhances DNS and DDoS protection capabilities and provides businesses with a comprehensive, defense-in-depth solution that ensures operational resilience, even in the face of record-breaking attacks.
DNS traffic and DDoS attacks surge to record-breaking highs.
For modern businesses, their online presence is their brand. This makes ensuring the availability and integrity of internet-facing services and infrastructure essential. Unfortunately, this can create challenges for IT and security teams if they lack a layered security posture that protects critical services from disruptive attacks. Our biannual reports found that as the internet continues to expand, more people are online accessing more websites, which translates to increases in traffic and threats.
DNS query statistics.
You can’t go anywhere online without the help of DNS. Every day, DNS handles a tremendous volume of requests to access websites, translating human-readable domain names into IP addresses and directing users to websites. This year saw a significant surge in DNS requests, pointing to the continued expanse of the internet as more users attempt to access more websites.
In the first six months of 2024, UltraDNS processed 22.48 trillion requests, or approximately 123.55 billion daily queries. This surge in DNS queries was a 12% increase compared to the same period in 2023.
We have also observed a slow but steady shift towards the IPv6 protocol, which offers advanced security measures compared to the IPv4 protocol. The IPv6 protocol saw a 13.12% increase compared to 2024 and accounted for 23.01% of all DNS queries utilizing this protocol.
Requests for the DNS “AAAA” or Quad-A record type used to map IPv6 addresses are also rising, showing that more browsers are defaulting to asking for IPv6 DNS records. Quad-A requests continue to steadily increase over time, with an increase of over 11% in the first half of 2024 compared to 2023.
While a full transition to IPv6 is likely years out, the slow and steady growth points toward IPv6 eventually overtaking IPv4. Notably, Internet Protocol Security (IPsec) is mandatory in IPv6. IPsec allows for encrypted communication and authentication at the IP layer, enhancing security and offering additional protection against the growing risk of cyber attacks.
DDoS attack sizes break records.
Most DDoS attacks (about 75%) are small-scale, likely executed by DDoS-for-hire gangs or utilizing open-source tools that don’t require significant infrastructure. Still, there have been several notable exceptions.
The largest DDoS attack observed in the first half of the year consisted of over 939.43 gigabits per second (Gbps) with over 283 million packets per second (Mpps). The first half of the year also saw a new record set in terms of packets per second (pps), with one DDoS attack consisting of over 420 million pps, which beat the last record of ~350 million pps, a 20% increase.
Mega DDoS attacks, which consist of 100+ Gbps, also saw a steady monthly increase, rising 206% in June. Several attacks were over 900 Gbps, approaching 1 terabit per second (Tbps). Considering the sharp increase in the rate and size of DDoS attacks, we may see a Tbps attack in the future. Mitigating a DDoS attack of this scale requires a purpose-built mitigation service capable of absorbing high volumes of malicious traffic. Many organizations lack the infrastructure to handle the full force of an attack this size on their own.
Of course, large-scale DDoS attacks can be detected and prevented with the right resources. As a result, there has also been an increase in stealthier DDoS attacks meant to evade traditional detection methods.
Attackers shift tactics to evade detection.
Attackers constantly rotate their tactics to avoid detection and mitigation. To stay one step ahead, security and IT teams must understand the latest attack patterns and trends that pose a risk to their network.
The year of carpet bombs.
There is an adage that cybersecurity is a game of cat and mouse between malicious actors and defenders, and few attacks better fit this description than carpet bomb DDoS. These attacks constantly rotate which block of addresses they target, potentially even switching attack vectors, trapping security and IT teams in a game of catch-up. This attack type is intended to evade detection and make mitigation harder.
In late 2023, Vercara first observed an uptick in carpet bomb attacks. At the time, we predicted 2024 would see even more carpet bomb attacks, and that prediction has rung true. So far in 2024, over 75% of all DDoS attacks were carpet bomb DDoS attacks, making 2024 “The Year of Carpet Bombs.” In June, carpet bomb attacks accounted for over 85% of all attacks, the most in a single month.
DNS Amplification: what’s old is new again.
DNS amplification attacks make large queries, sending spoofed DNS requests to open resolvers and creating a DDoS effect. This type of attack was widespread several years ago, but the trend died out, only to reemerge in mid-to-late 2023. Now, it’s back in full force, with a 4,446% increase compared to the start of the year.
DNS amplification attacks resurged in 2024, with 26% of DDoS attacks utilizing this vector. It’s worth noting that DNS amplification is an attack vector commonly used in conjunction with carpet bomb DDoS attacks. DNS amplification can help spread a carpet bomb attack across multiple IP addresses within a target network by spoofing different IP addresses within the range in the DNS queries.
Since DNS Amplification’s return to prominence as a DDoS attack vector, it has consistently remained in the top five most common attack vectors.
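The detection gap that carpet bomb attacks rely on, shown as an added example that is not part of the original report: traffic spread across many addresses in one block can stay under a per-destination threshold while the aggregate for the block is large. The thresholds, the /24 grouping, and the function names are assumptions for illustration, and the traffic is constructed using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Assumed alert thresholds in bits per second (illustrative, not from the report).
HOST_BPS_LIMIT = 500_000_000       # classic per-destination threshold
PREFIX_BPS_LIMIT = 2_000_000_000   # aggregate threshold for one prefix
MIN_HOSTS = 32                     # destinations that must share the load


def detect(flows, prefix_len=24):
    """Score one time window of (dst_ip, bits_per_second) flow summaries.

    Returns (host_alerts, carpet_alerts). A carpet alert fires when a prefix
    exceeds its aggregate limit with the load spread over many destinations;
    peak_host_bps shows how far each host sits below the per-host limit.
    """
    per_host = defaultdict(int)
    for dst, bps in flows:
        per_host[dst] += bps

    per_prefix = defaultdict(dict)
    for dst, bps in per_host.items():
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        per_prefix[str(net)][dst] = bps

    host_alerts = sorted(h for h, bps in per_host.items() if bps >= HOST_BPS_LIMIT)
    carpet_alerts = []
    for prefix, hosts in sorted(per_prefix.items()):
        total, peak = sum(hosts.values()), max(hosts.values())
        if total >= PREFIX_BPS_LIMIT and len(hosts) >= MIN_HOSTS:
            carpet_alerts.append({"prefix": prefix, "hosts": len(hosts),
                                  "total_bps": total, "peak_host_bps": peak})
    return host_alerts, carpet_alerts


def sample_window():
    """Constructed traffic using documentation address ranges."""
    flows = [("198.51.100.10", 3_000_000_000)]  # single-target flood
    # 200 addresses at 20 Mbps each: 4 Gbps in total, every host looks quiet
    flows += [(f"203.0.113.{i}", 20_000_000) for i in range(1, 201)]
    flows += [(f"192.0.2.{i}", 50_000_000) for i in range(1, 6)]  # normal load
    return flows


if __name__ == "__main__":
    hosts, carpets = detect(sample_window())
    print("per-host alerts:", hosts)
    print("carpet-bomb alerts:", carpets)
```

Because these attacks rotate between address blocks, the same check would be run on each time window and the alerting prefixes compared across windows.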
Attacks increase against UltraDNS.
Domain Name System (DNS) is the backbone of internet navigation, and the user experience relies on DNS servers quickly and accurately directing users to the website they are trying to access. Imagine you want to navigate to a new coffee shop in your area; if you’ve never been there, you’ll likely rely on a GPS service to help you navigate. DNS performs the same function online, and the goal of attacking a DNS server is to prevent a user from reaching their destination.
Attackers understand the criticality of DNS and routinely look to prevent legitimate users from accessing the DNS records they need to navigate the internet. When an attacker fails to execute a successful attack against a DNS server, they may attempt to attack a business’s DNS protection service.
Attacks against Vercara’s UltraDNS have slowly but steadily increased. In the first half of 2024, 1,509 DDoS attacks targeted the UltraDNS platform, accounting for approximately 4.54% of all observed DDoS attacks. This is a 56.05% increase compared to the first six months of 2023. The largest DDoS attack against UltraDNS was over 38.28 Gbps with approximately 3.6 thousand pps and lasted slightly over eleven minutes.
Other DDoS attack vectors.
The threat landscape is volatile, and malicious actors constantly shift their attack patterns. As such, attack vectors, the mechanisms used to abuse a network protocol, are also prone to shifts.
The second most prominent attack vector for the first half of 2024 was the Total Traffic vector, followed by the IP Fragmentation vector in third place. In June 2024, 60.47% of all observed DDoS attacks consisted of one DDoS vector, and 39.53% of DDoS attacks were multi-vector attacks, consisting of two or more vectors per attack.
While the top attack vectors inevitably change, there is some consistency in the top five spots. Aside from DNS Application, UDP floods and a TCP-style attack generally round out the top five, although their positions may shift month-over-month.
Industry-specific trends.
The goal of a DDoS attack is primarily to cause downtime for a business. As such, the industries targeted tend to shift based on DDoS attack campaign trends. For example, DDoS attacks against governments are usually motivated by hacktivism or geopolitical tensions.
In the first half of 2024, the Communication Service Providers industry was the most targeted industry, with 38.23% of all DDoS attacks. Financial Services was the second most targeted industry, with 28.78% of attacks, although it saw steady monthly increases, ultimately becoming the most targeted industry for June.
While attack motivations can vary, downtime can create a financial burden for businesses of all industries. Whether from prolonged outages or having to call in staff to restore normal business operations after hours, DDoS attacks often equate to lost income.
Source countries of DDoS attacks.
In the first half of the year, the United States had the most observed DDoS attack traffic, with 24.12%, likely due to threat actors using US-based botnets and Virtual Private Servers (VPS). Russia came second with 10.56%, and Colombia was third at 6.22%.
As always, it’s important to note that DDoS source IPs can be spoofed, and it can be difficult to determine the true country of origin for a given DDoS attack.
Trends and patterns in DNS and DDoS attack prevention and mitigation.
Many businesses cannot effectively respond to a large-scale cyber attack; they lack the infrastructure to absorb that much attack volume, let alone mitigate it. Mitigating a large-scale DDoS attack or attempted disruption of a DNS server requires a dedicated, purpose-built third-party provider to take the brunt of that much malicious traffic for your business.
Seamless DNS operations.
DNS availability is essential for customers to navigate to your website. The UltraDNS platform maintains high availability and performance, handling a massive volume of queries with minimal errors. UltraDNS is built to withstand DDoS attacks meant to disrupt DNS availability, providing organizations with an added layer of protection.
Vercara’s UltraDNS2 platform offers organizations a purpose-built redundant DNS infrastructure, ensuring seamless DNS operations. UltraDNS2 is also protected by UltraDDoS, reducing the risk of targeted DDoS attacks.
DNS protection.
Imagine a soccer game. A goalie can block one or two balls at a time but cannot stop 10 or 20 balls kicked at once. DDoS attacks work similarly. When businesses partner with a vendor who can absorb the brunt of these attacks, it creates a wall protecting their goalie, so it doesn’t matter how many balls are kicked toward the net.
In the first half of 2024, Vercara prevented over 34,597 hours (or roughly four years) of customer downtime.
Cyberattacks are expensive. They can force businesses to pay overtime by calling in employees or entering into contracts with third-party remediation firms. They can also directly impact sales through the reputational harm businesses suffer as a result. It’s important for businesses to ensure they have the protection and mitigation services they need to recover from a disruptive cyber incident and minimize downtime.
Stay ahead of cyber threats with Vercara UltraDNS and UltraDDoS.
The internet will only get bigger, and with growth will come increased efforts from malicious actors to disrupt DNS availability and execute DDoS attacks.
Your online presence is your brand. Don’t let threat actors disrupt your digital assets’ availability, integrity, and resilience. Whether threat actors are targeting your business with a carpet bomb attack or attempting to prevent DNS requests from directing users to your website, you need a way to stay protected. Vercara can help.
The best security controls layer together to create a defense-in-depth security posture that ensures businesses remain operational and spend less money on recovery efforts. By integrating Vercara’s DNS and DDoS solutions into their security stack, businesses gain advanced security capabilities, valuable insights for informed decision-making, and improved resilience against cyber threats, ensuring the continuity and reliability of their digital operations.
To learn how Vercara’s suite of solutions can help defend your organization, contact our sales team.