Internet spooks come alive this Halloween

Halloween 2024 recorded a dramatic increase in distributed denial of service (DDoS) attacks, with one attack peaking at over 5 terabits per second (Tbps) of malicious traffic.

In its quarterly analysis of DDoS attacks, Cloudflare reported an increase in hyper-volumetric attacks in the fourth quarter of 2024.

“In the fourth quarter, more than 420 of these attacks were hyper-volumetric, exceeding the rates of 1 billion packets per second (pps) and 1 Tbps,” Cloudflare researchers said in a blog post. “During the week of Halloween 2024, Cloudflare’s DDoS protection systems successfully and independently detected and blocked a 5.6 Terabit-per-second attack – the largest ever reported.”

These attacks, the researchers noted, grew by a staggering 1885% quarter-over-quarter (QoQ).

About seven million DDoS attacks per quarter

Cloudflare reportedly mitigated 6.9 million DDoS attacks in 2024 Q4, a 16% QoQ jump. This number also represents an 83% year-on-year (YoY) increase.

“Of the 2024 Q4 DDoS attacks, 49% (3.4 million) were Layer 3/Layer 4 DDoS attacks and 51% (3.5 million) were HTTP DDoS attacks,” the document said.

Six percent of L3/L4 attacks are attributed to Mirai botnets. The largest DDoS attack on record (5.6 Tbps) was launched by a separate Mirai botnet on October 29 against an Internet service provider (ISP) in Eastern Asia protected by Cloudflare's Magic Transit service. The attack lasted only 80 seconds.

Recently, a new variant of the Mirai botnet was discovered being used in zero-day attacks on industrial routers. An even newer variant, called Murdoc_Botnet, was found to target AVTech cameras and Huawei routers, exploiting a known vulnerability for initial access.

Cloudflare's analysis found that 73% of HTTP DDoS attacks in the quarter were launched by known botnets. Other categories of attack traffic include requests impersonating a legitimate browser (11%) and requests containing suspicious or unusual HTTP attributes (10%).

Connected devices are the most targeted

HITV_ST_PLATFORM, a user agent associated with smart TVs and set-top boxes, appeared almost exclusively (99.9%) in DDoS attack traffic during the quarter. “In other words, if you see traffic coming from the HITV_ST_PLATFORM user agent, there is a 0.1% chance that it is legitimate traffic,” the post notes.

Additionally, thirteen of the most frequently seen user agents were outdated versions of Chrome, ranging from 118 to 129. The current version of Chrome for all operating systems is 132.

“Threat actors tend to avoid using unusual user agents, preferring more common ones like Chrome to blend in with normal traffic,” the researchers said. “The presence of the HITV_ST_PLATFORM user agent, which is associated with smart TVs and set-top boxes, suggests that the devices involved in cyberattacks are vulnerable smart TVs or set-top boxes.”
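The two user-agent findings above (the HITV_ST_PLATFORM agent and the stale Chrome versions 118 to 129) translate directly into a triage rule a defender can run over web server access logs. The following is an added example, not code from the article or from Cloudflare; it assumes Apache/nginx combined log format, and the log lines and IP addresses in it are constructed for illustration. Matches are flagged for review rather than blocked, since the Chrome check alone is only a weak signal.

```python
import re
from collections import Counter

# Constructed sample access log (combined log format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; Android 9; HITV_ST_PLATFORM) AppleWebKit/537.36"
203.0.113.8 - - [29/Oct/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
203.0.113.9 - - [29/Oct/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"
203.0.113.10 - - [29/Oct/2024:10:00:04 +0000] "GET /api HTTP/1.1" 200 64 "-" "curl/8.5.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) [^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")
STALE_CHROME = range(118, 130)  # the out-of-date versions 118..129 named in the report


def classify_ua(ua: str) -> str:
    """Label a user agent by the signals the report calls out."""
    if "HITV_ST_PLATFORM" in ua:
        return "hitv_st_platform"   # 99.9% attack traffic per the report
    m = CHROME_RE.search(ua)
    if m:
        return "stale_chrome" if int(m.group(1)) in STALE_CHROME else "chrome"
    return "other"


def triage_log(text: str):
    """Return (flagged requests, label counts) for a block of log lines.

    Flagged entries are (ip, method, label) tuples; unparseable lines are counted, not dropped silently.
    """
    flagged = []
    counts = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        label = classify_ua(m.group("ua"))
        counts[label] += 1
        if label in ("hitv_st_platform", "stale_chrome"):
            flagged.append((m.group("ip"), m.group("method"), label))
    return flagged, counts


if __name__ == "__main__":
    hits, summary = triage_log(SAMPLE_LOG)
    for ip, method, label in hits:
        print(f"REVIEW {ip} {method} {label}")
    print(dict(summary))
```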

Among the most common HTTP methods, which describe the action to be performed on the server, were GET (70%), used to retrieve data from the server, and POST (27%), used to send data to the server.

Other findings identified Indonesia as the leading source of DDoS attacks worldwide, followed closely by Hong Kong, Singapore, and Ukraine.

A survey of Cloudflare customers revealed that 40% of DDoS attacks are launched by competitors, 17% by government-sponsored threat actors, and 14% by attackers with a financial motive.
