
    Network denial of service threats are becoming more sophisticated 

    Cloudflare says African telcos were most targeted as global denial of service attacks surge 

    In its latest quarterly threat report, CDN Cloudflare – whose network spans 300 cities in more than 100 countries – has warned that distributed denial-of-service (DDoS) attacks are back on the rise, with criminals now showing state-threat-actor levels of sophistication.  

    Overall, HTTP DDoS attacks increased by 15% QoQ despite a 35% decrease YoY. Additionally, network-layer DDoS attacks decreased this quarter by approximately 14%. 

    “We’ve observed an alarming uptick in highly-randomised and sophisticated HTTP DDoS attacks over the past few months,” wrote London-based Cloudflare senior product manager Omer Yoachimik in a blog.  

    “It appears as though the threat actors behind these attacks have deliberately engineered the attacks to try and overcome mitigation systems by adeptly imitating browser behaviour very accurately, in some cases, by introducing a high degree of randomization on various properties such as user agents and JA3 fingerprints to name a few,” he added. 

    In many of these attacks, the threat actors appear to keep their attack rates per second relatively low to avoid detection and hide among legitimate traffic. “This level of sophistication has previously been associated with state-level and state-sponsored threat actors, and it seems these capabilities are now at the disposal of cyber criminals,” he warned. 
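    The evasion pattern described above (many requests, each with a different User-Agent and JA3 fingerprint, sent at a low rate) has a defender-side corollary: a genuine browser reuses one fingerprint pair across a session, so a source whose fingerprint diversity approaches one distinct pair per request stands out even when its request rate is modest. The following is an added example, not code from the article or from Cloudflare; it assumes edge logs that expose a source IP, a timestamp, the User-Agent header and a JA3 hash per request, and the sample records, IP addresses and fingerprint hashes are constructed.

```python
"""Flag request sources whose browser fingerprints are suspiciously diverse.

Added example, not Cloudflare's code. Assumes each edge log record carries
src_ip, ts (epoch seconds), user_agent and ja3; all sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Request:
    ts: float          # epoch seconds
    src_ip: str
    user_agent: str
    ja3: str           # TLS client fingerprint hash as seen at the edge


@dataclass
class SourceStats:
    requests: int
    distinct_fingerprints: int   # distinct (User-Agent, JA3) pairs
    diversity: float             # distinct_fingerprints / requests
    rate_per_sec: float          # requests over the observed time span


def summarise(requests: List[Request]) -> Dict[str, SourceStats]:
    """Per-source fingerprint diversity and request rate."""
    by_src: Dict[str, List[Request]] = defaultdict(list)
    for r in requests:
        by_src[r.src_ip].append(r)
    stats: Dict[str, SourceStats] = {}
    for ip, reqs in by_src.items():
        pairs = {(r.user_agent, r.ja3) for r in reqs}
        span = max(r.ts for r in reqs) - min(r.ts for r in reqs)
        rate = len(reqs) / span if span > 0 else float(len(reqs))
        stats[ip] = SourceStats(len(reqs), len(pairs), len(pairs) / len(reqs), rate)
    return stats


def flag_randomised_sources(requests: List[Request],
                            min_requests: int = 8,
                            min_diversity: float = 0.5) -> List[str]:
    """Return sources that rotate fingerprints on most requests.

    min_requests guards against false positives from a user who simply
    switched browsers a couple of times; the rate is deliberately not part
    of the rule, because the article notes these floods stay low-rate.
    """
    stats = summarise(requests)
    return sorted(ip for ip, s in stats.items()
                  if s.requests >= min_requests and s.diversity >= min_diversity)


def _constructed_sample() -> List[Request]:
    # A real browser session: ten requests, one stable UA/JA3 pair, ~2 rps.
    legit = [Request(1000.0 + 0.5 * i, "203.0.113.10",
                     "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
                     "ja3-aaaa") for i in range(10)]
    # The pattern from the report: ~1 rps, fresh UA and JA3 on every request.
    rotating = [Request(1000.0 + i, "198.51.100.7",
                        f"Mozilla/5.0 (Windows NT 10.0) Chrome/{100 + i}.0",
                        f"ja3-{i:04x}") for i in range(10)]
    # A user on two browsers: high diversity but too few requests to flag.
    small = [Request(1000.0 + i, "203.0.113.11", ua, "ja3-bbbb")
             for i, ua in enumerate(["UA-A", "UA-B", "UA-A"])]
    return legit + rotating + small


SAMPLE = _constructed_sample()

if __name__ == "__main__":
    for ip, s in summarise(SAMPLE).items():
        print(f"{ip:15} req={s.requests:3} distinct={s.distinct_fingerprints:3} "
              f"diversity={s.diversity:.2f} rate={s.rate_per_sec:.2f}/s")
    print("flagged:", flag_randomised_sources(SAMPLE))
```

    The rule is intentionally rate-agnostic: a per-IP request-rate threshold is exactly what a low-and-slow, randomised flood is built to stay under, whereas fingerprint churn per source is a property the attacker has to exhibit to defeat fingerprint-based mitigation. In production the same statistic would be computed per /24 or per ASN as well, since a VM-based fleet spreads requests across many addresses.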

    Despite general figures indicating an increase in overall attack durations, most of the attacks are short-lived. However, Cloudflare found that attacks exceeding three hours have increased by 103% QoQ. 

    Geographic spread 

    In terms of total volume of attack traffic, the US was the largest source of HTTP DDoS attacks. Three out of every thousand requests Cloudflare saw were part of HTTP DDoS attacks originating from the US. China came in second place and Germany in third place. 

    As these results are skewed by factors such as market size, Cloudflare normalises the attack traffic against all traffic to a given country. When doing so, the US drops out of the top ten. Instead, Mozambique, Egypt and Finland take the lead as the source countries with the most HTTP DDoS attack traffic relative to all their traffic. Almost a fifth of all HTTP traffic originating from Mozambique IP addresses was part of DDoS attacks. 

    “Using the same calculation methodology but for bytes, Vietnam remains the largest source of network-layer DDoS attacks (aka L3/4 DDoS attacks) for the second consecutive quarter — and the amount even increased by 58% QoQ,” said Yoachimik. “Over 41% of all bytes that were ingested in Cloudflare’s Vietnam data centres were part of L3/4 DDoS attacks.” 

    Network layer attacks move on from Finland 

    Descending the layers of the OSI model, the internet networks most targeted belonged to the Information Technology and Services industry. Almost every third byte routed to them was part of L3/4 DDoS attacks. 

    “Last quarter, we observed a striking deviation at the network layer, with Finnish networks under Cloudflare’s shield emerging as the primary target,” said Yoachimik. “This surge was likely correlated with the diplomatic talks that precipitated Finland’s formal integration into NATO. Roughly 83% of all incoming traffic to Finland comprised cyberattacks, with China a close second at 68% attack traffic.” 

    This quarter, however, Finland plunges from the top ten and Chinese internet networks behind Cloudflare have ascended to first place. “Almost two-thirds of the byte streams towards Chinese networks protected by Cloudflare were malicious,” he said. “Following China, Switzerland saw half of its inbound traffic constituting attacks, and Turkey came third, with a quarter of its incoming traffic identified as hostile.” 

    African telcos most targeted sector 

    The telecommunications industry remains the most attacked industry in Africa for the second consecutive quarter. The banking, financial services and insurance industry follows as the second most attacked. Most of the attack traffic originated from Asia (35%) and Europe (25%). 

    For the third consecutive quarter, the gaming and gambling industry remains the most attacked industry in Europe. The hospitality and broadcast media industries follow not too far behind as the second and third most attacked. Most of the attack traffic came from within Europe itself (40%) and from Asia (20%). 

    The media and newspaper industries were the most attacked in the Middle East. Most of the attack traffic originated from Europe (74%). 

    The rise of the virtual machine botnets 

    Yoachimik said the era of VM-based DDoS botnets has arrived and, with it, hyper-volumetric DDoS attacks. These botnets are made up of virtual machines or virtual private servers rather than IoT devices, which makes them far more powerful – up to 5,000 times stronger. 

    “Because of the computational and bandwidth resources that are at the disposal of these VM-based botnets, they’re able to generate hyper-volumetric attacks with a much smaller fleet size compared to IoT-based botnets,” he said. 

    These botnets have executed some of the largest recorded DDoS attacks, including the 71 million request-per-second DDoS attack.