DDoS Attack Trends for Q1 2022: Cloudflare Report

DUBAI, UAE, 7^th July, 2022: Cloudflare, Inc., the security, performance, and reliability company helping to build a better Internet, has announced its DDoS report for the first quarter of 2022, and the ninth in total so far. This report includes new data points and insights both in the application-layer and network-layer sections — as observed across the global Cloudflare network between January and March 2022. The report is based on DDoS attacks that were automatically detected and mitigated by Cloudflare’s DDoS Protection systems.

The first quarter of 2022 saw a massive spike in application-layer DDoS attacks, but a decrease in the total number of network-layer DDoS attacks. Despite the decrease, Cloudflare has seen volumetric DDoS attacks surge by up to 645% QoQ, and the company mitigated a new zero-day reflection attack with an amplification factor of 220 billion percent.

In the Russian and Ukrainian cyberspace, the most targeted industries were Online Media and Broadcast Media. The Azerbaijan- and Palestine-based Cloudflare data centers has seen enormous spikes in DDoS activity — indicating the presence of botnets operating from within.

Highlights of the DDoS Report 

The Russian and Ukrainian cyberspace

• Russian Online Media companies were the most targeted industries within Russia in Q1. The next most targeted was the Internet industry, then Cryptocurrency, and then Retail. While many attacks that targeted Russian Cryptocurrency companies originated in Ukraine or the US, another major source of attacks was from within Russia itself.
• The majority of HTTP DDoS attacks that targeted Russian companies originated from Germany, the US, Singapore, Finland, India, the Netherlands, and Ukraine.
• HTTP DDoS attacks targeting Ukrainian companies focused on Broadcast Media, Media and Publishing, Internet, Online Media, Media Productions, and Computer Software companies.
• Attacks on Ukraine targeted Broadcast Media and Publishing websites and seem to have been more distributed, originating from more countries — which may indicate the use of global botnets. Still, most of the attack traffic originated from the US, Russia, Germany, China, the UK, and Thailand.

 Ransom DDoS attacks

In these kinds of attacks, the enterprise receives a threat or a ransom note demanding payment in exchange to stop the DDoS attack.

• January 2022 saw the largest number of respondents reporting receiving a ransom letter in Q1 – Almost one out of every five customers (17%).
• That figure drastically dropped to 6% in February, and then to 3% in March.
• When compared to previous quarters, we can see that in total, in Q1, only 10% of respondents reported a ransom DDoS attack; a 28% decrease YoY and 52% decrease QoQ.

Application-layer DDoS attacks

Application-layer DDoS attacks, specifically HTTP DDoS attacks, are attacks that usually aim to disrupt a web server by making it unable to process legitimate user requests. If a server is bombarded with more requests than it can process, the server will drop legitimate requests and – in some cases – crash, resulting in degraded performance or an outage for legitimate users.

• 2022 Q1 was the busiest quarter in the past 12 months for application-layer attacks. HTTP-layer DDoS attacks increased by 164% YoY and 135% QoQ.
• Diving deeper into the quarter, in March 2022 there were more HTTP DDoS attacks than in all of Q4 combined (and Q3, and Q1).
• After four consecutive quarters in a row with China as the top source of HTTP DDoS attacks, the US stepped into the lead this quarter. HTTP DDoS attacks originating from the US increased by a staggering 6,777% QoQ and 2,225% YoY.
• Globally, the Consumer Electronics industry was the most attacked with an increase of 5,086% QoQ. Second was the Online Media industry with a 2,131% increase in attacks QoQ. Third were Computer Software companies, with an increase of 76% QoQ. However, if we focus only on Ukraine and Russia, we can see that Broadcast Media, Online Media companies, and Internet companies were the most targeted. 

Network-layer DDoS attacks

While application-layer attacks target the application (Layer 7 of the OSI model) running the service that end users are trying to access (HTTP/S in our case), network-layer attacks aim to overwhelm network infrastructure (such as in-line routers and servers) and the Internet link itself.

• Network-layer attacks in Q1 increased by 71% YoY but decreased 58% QoQ.
• The amount of network-layer DDoS attacks remained mostly consistent throughout the quarter with about a third of attacks occurring every month.
• The Telecommunications industry was the most targeted by network-layer DDoS attacks, followed by Gaming and Gambling companies, and the Information Technology and Services industry.
• The US was targeted by the highest percentage of DDoS attacks traffic — over 10% of all attack packets and almost 8% of all attack bytes. Following the US is China, Canada, and Singapore.
• Volumetric attacks increased in Q1. Attacks above 10 Mpps (million packets per second) grew by over 300% QoQ, and attacks over 100 Gbps grew by 645% QoQ.
• SYN Floods remain the most popular DDoS attack vector, while use of generic UDP floods drops significantly in Q1. In Q1, SYN floods accounted for 57% of all network-layer DDoS attacks, representing a 69% increase QoQ and a 13% increase YoY. In second place, attacks over SSDP surged by over 1,100% QoQ. Following were RST floods and attacks over UDP. Last quarter, generic UDP floods took the second place, but this time, generic UDP DDoS attacks plummeted by 87% QoQ from 32% to a mere 3.9%.
• Most attacks remain under one hour in duration, reiterating the need for automated always-on DDoS mitigation solutions. It’s recommended that companies use automated, always-on DDoS protection services that analyse traffic and apply real-time fingerprinting fast enough to block short-lived attacks.

Commenting on the report, John Graham, Cumming, CTO, Cloudflare says, “As a provider of industry-leading DDoS mitigation solutions, our company is privy to cybersecurity insights that we share with organisations across the globe to help them understand the evolving security landscape. This in turn assists them in putting together systems and measures to combat these threats more effectively”.