SOCRadar® Cyber Intelligence Inc. | Overview of Cloudflare’s 2023 Q2 DDoS Threat Report
Home

Resources

Blog
Jul 19, 2023
8 Mins Read

Overview of Cloudflare’s 2023 Q2 DDoS Threat Report

Cloudflare, a renowned internet security company, has recently released a comprehensive report concerning DDoS attacks (Distributed Denial-of-Service), elucidating the evolving methodologies employed in these attacks and presenting the latest statistical data for the second quarter of 2023.

For those interested, we have previously provided an overview of the first quarter report. It is accessible at the following link: Change of Tactic in DDoS: Attackers Now Use VPS for Improved Botnet Attacks

Rise of Darknet Parliament: Killnet, Anonymous Sudan, REvil Launch DDoS Attacks

The Darknet Parliament, consisting of infamous pro-Russian threat actors KillNet, Anonymous Sudan, and REvil emerged as the most prominent DDoS activity in the second quarter.

On June 16, 2023, they initiated a targeted campaign primarily focusing on European banking systems. This marked the beginning of a series of DDoS attacks targeting entities such as the European Investment Bank (EIB), SWIFT, the US Federal Reserve System, SEPA, IBAN, Wire, Wise, and the International Finance Corporation.

To delve deeper into the alliance, explore the background of its members, and understand the motive behind its formation, we invite you to read our Darknet Parliament blog.

The report highlights an alarming number of 10,000 DDoS attacks by the Darknet Parliament trio, launched against Cloudflare-protected websites in recent weeks.

Darknet Parliament attacks (Source: Cloudflare), DDoS Q2
Darknet Parliament attacks (Source: Cloudflare)

Contrary to the alliance’s claims, the report reveals that Banking and Financial Services websites ranked only ninth among the most attacked industries. It was observed that the top three sectors targeted by the alliance were the Computer Software, Gambling, and Gaming industries.

Top 10 industries targeted in Darknet Parliament attack campaign (Source: Cloudflare), DDoS Q2
Top 10 industries targeted in Darknet Parliament attack campaign (Source: Cloudflare)

HTTP DDoS Attacks Have Increased in Q2

HTTP DDoS attacks have experienced a 15% increase in the quarter, even though there has been a significant 35% decrease year over year. These attacks specifically target HTTP Internet properties, such as websites and API gateways.

In recent months, there has been a concerning rise in highly randomized and sophisticated HTTP DDoS attacks. Notably, it seems that the threat actors orchestrating these attacks have intentionally tried to avoid mitigation systems by expertly mimicking browser behavior. Previously, this level of sophistication was primarily associated with state-sponsored threat actors. However, it is now apparent that cybercriminals have gained access to similar capabilities, showcasing the evolving landscape of security threats.

The Top DDoS Attack Vectors in Q2: DNS-based Attacks Are the Most Common

DNS-based DDoS attacks emerged as the predominant attack vector during the previous quarter, representing 32% of all DDoS attacks. In DNS-based DDoS attacks, malicious actors disrupt DNS servers, impeding the ability of machines to establish connections with targeted websites. Consequently, these websites become inaccessible to users.

Of particular concern is the increasing prevalence of DNS Laundering attacks. The DNS Laundering attack method disguises malicious traffic as legitimate traffic by channeling it through reputable recursive DNS resolvers, thereby evading detection and causing further complications. This type of attack presents significant challenges for organizations that run their own authoritative DNS servers.

Visualization of a DNS laundering attack (Source: Cloudflare), DDoS Q2
Visualization of a DNS laundering attack (Source: Cloudflare)

The report states that, from a security standpoint, DNS administrators cannot block the attack source because it includes reputable recursive DNS servers such as Google’s 8.8.8.8 and Cloudflare’s 1.1.1.1. It is also not possible to block all queries to the targeted domain because administrators would still want to access legitimate queries. These obstacles make it difficult to distinguish between legitimate and malicious queries.

Top 10 DDoS attack vectors in Q2 2023 (Source: Cloudflare)
Top 10 DDoS attack vectors in Q2 2023 (Source: Cloudflare)

Startblast DDoS Attacks on Mitel

In March 2023, a zero-day vulnerability (CVE-2022-26143) called TP240PhoneHome was disclosed in Mitel MiCollab. This flaw allows for UDP amplification DDoS attacks by reflecting and amplifying traffic off vulnerable servers. 

In the past quarter, emerging threats like DDoS attacks leveraging TeamSpeak3 protocol increased significantly by 403%. Attackers target TeamSpeak servers to disrupt real-time multiplayer gaming communication, impacting team performance. 

In this post, we mentioned the increasing occurrence of cyber attacks on the Entertainment Industry. Lately, prominent entities like RiotGames, Nickelodeon, and Razer, a gaming equipment company, have fallen victim to successful breaches carried out by threat actors. This suggests a noticeable rise in cyberattacks targeting organizations associated with the entertainment sector.

While HTTP DDoS attacks rose by 15%, network-layer DDoS attacks decreased by approximately 14% quarter-over-quarter (QoQ). The US was the primary source of HTTP DDoS attacks, followed by China and Germany. 

Top source countries targeted by application-layer DDoS attacks divided by worldwide overall traffic (Source: CloudFlare), DDoS Q2
Top source countries targeted by application-layer DDoS attacks divided by worldwide overall traffic in Q2 (Source: CloudFlare)

Countries with larger market sizes naturally attract more traffic and, as a consequence, face a higher risk of attacks. However, when normalized for traffic volume, Mozambique, Egypt, and Finland became the top three countries for the most relative HTTP DDoS attack traffic. Mozambique had nearly a fifth of its HTTP traffic involved in DDoS attacks.

Top source countries targeted by application-layer DDoS attacks divided by traffic of each country  (Source: CloudFlare), DDoS Q2
Top source countries targeted by application-layer DDoS attacks divided by traffic of each country in Q2 (Source: CloudFlare)

Vietnam continues to be the primary source of network-layer DDoS attacks for the second quarter in a row. The volume of attacks increased by 58% QoQ. More than 41% of all bytes received by Cloudflare’s Vietnam data centers were associated with L3/4 DDoS attacks.

DDoS Attack Trends by Industry and Region

In Q2, Cryptocurrency websites faced the largest amount of HTTP DDoS attack traffic, with a substantial 600% increase from the previous quarter. 

Non-profit organizations were the most attacked when considering the relative amount of attack traffic compared to all traffic. HTTP DDoS attacks accounted for 12% of the traffic directed towards Non-profits. These organizations have faced an average of 67.7 million cyber attacks per day in recent months.

The Management Consulting industry became the most targeted with 18.4% of its traffic being DDoS attacks. The Internet networks of the Information Technology and Services industry were the primary target for L3/4 DDoS attacks.

The top attacked industries varied by region, with Cryptocurrency websites being the most targeted worldwide, while different industries took the lead in specific regions. 

In Africa, Telecommunications faced a higher number of attacks, while Cryptocurrency was the main target in Asia. Europe experienced more attacks on Gaming and Gambling sectors, Latin America on Sporting Goods, the Middle East on Media and Newspaper, North America on Marketing and Advertising, and Oceania on Biotechnology. 

Top attacked industries by region (Source: CloudFlare), DDoS Q2
Top attacked industries by region (Source: CloudFlare)

The US was the most attacked country when looking at the total volume of attack traffic, but Palestine emerged as the most attacked country when normalized per total traffic. Chinese Internet networks saw the highest proportion of malicious traffic, followed by Switzerland and Turkey.

Top countries and regions targeted by network-layer DDoS attacks (Source: CloudFlare), DDoS Q2
Top countries and regions targeted by network-layer DDoS attacks in Q2 (Source: CloudFlare)

Ransom DDoS (RDDoS) Attacks

Ransom DDoS (RDDoS) attacks involve malicious parties extorting money from individuals or organizations by threatening to launch a Distributed Denial-of-Service (DDoS) attack. The attackers may execute a DDoS attack and then demand a ransom to stop it, or they may send a ransom note threatening a DDoS attack as a means of coercion.

Ransom DDoS attacks are simpler for threat actors to execute compared to traditional Ransomware attacks. Unlike Ransomware attacks that rely on deceptive tactics and network breaches, Ransom DDoS attacks bypass these requirements. Reports of Ransom DDoS attacks decreased in the past quarter, with one out of ten respondents reporting being threatened or targeted by such attacks.

Free Services by SOCRadar Labs: DoS Resilience and Country Threat Landscape Report

SOCRadar Labs offers the DoS Resilience service, which provides website owners and network administrators with valuable information to evaluate the resilience of their systems against DoS (Denial-of-Service) attacks.

By utilizing the DoS Resilience service, you gain the ability to effortlessly assess the resilience of your domain or subnet against prevalent DoS attack types, including slowloris, amplification, and reflection attacks. Such assessment empowers you to proactively implement preventive measures, safeguarding the security and functionality of your system.

SOCRadar Labs: DoS Resilience Service, DDoS Q2
SOCRadar Labs: DoS Resilience Service

Check out the Country Threat Landscape report on SOCRadar Labs and acquire valuable insights into the prevalent threats within your country. The page provides information regarding the number of Dark Web threats, stealer logs, ransomware and phishing threats, as well as active threat actors operating in the country. Additionally, it highlights the most targeted industry.

Download the report for free to learn more about your region’s threat landscape.

SOCRadar Labs: Country Threat Landscape Report, DDoS Q2
SOCRadar Labs: Country Threat Landscape Report