DDoS

2024 DDoS Attack Trends

Unveiling the rise of Hacktivism in a tense global climate.
By David Warburton (additional contributions by Malcolm Heath)
July 16, 2024
30 min. read

Introduction

The OWASP Top 10 has not called out denial of service (DoS) attacks as a top threat to web applications for over twenty years. Published way back in 2004, the second OWASP Top 10 list awarded the number nine spot (known as A9) to “Application Denial of Service” attacks. Since the 2004 edition, however, threats posed by DoS attacks have been rolled up into other categories such as Broken Access Control.

We think it may be time for DoS to make a reappearance in the forthcoming 2024 OWASP Top 10.

Through a combination of geopolitical unrest, trivially exploited vulnerabilities, and the emergence of new botnets, denial of service incidents have exploded since our 2023 DDoS Attack Trends report in February 2023. With the seemingly unstoppable growth in denial-of-service attack frequency and sizes, it begs the question: are we as an industry doing enough to thwart the risk and impact of DDoS?

By combining analysis of the DoS incidents encountered by the F5 Distributed Cloud service with insights from security engineers in the Security Incident Response Team (SIRT) and the Threat Analytics and Reporting (TAR) teams, we have been able to paint a detailed and insightful picture of the current state of DoS attacks being used by threat actors all over the world. This report focuses on the attacks and trends seen during 2023 but includes a brief insight into new attacks and trends observed in the first half of 2024.


Executive Summary

Distributed denial of service attacks have seen enormous growth regardless of which way you measure them. Frequency of incidents, average peak bandwidth, and complexity of attacks are all increasing, and it appears that no organization is safe.

Organizations are being attacked in almost equal measure, regardless of their geographic location, the size of the company, or the industry to which they are most closely aligned, though there are some exceptions to this. Notably, America, France, and the UK saw significant spikes in DDoS activity which align closely to geopolitical events playing out on the global stage. This reinforces the understanding that unskilled but politically motivated individuals are increasingly making use of DDoS servers (stressors) and botnets in an attempt to make their voice heard.

The Software and Computer Services industry saw the most activity throughout 2023, with Telecommunications also suffering persistent attacks. Virtually all sectors saw significant growth in attacks in 2023 compared with the previous year. Software and Computer Services attacks doubled, but the Telecommunications and Banking industries saw explosive growth, with each seeing an approximate fivefold increase in incidents.

Other notable findings from this report include:

  • Attacks more than doubled in 2023 compared with 2022, growing almost 112%.
  • The biggest attack of 2023 was in March and peaked at 1Tbps, targeting an organization in the Support Services sector.
  • That same organization also suffered the most attacks across the year, 187 in total.
  • The mean number of attacks withstood was 11, meaning each organization dealt with a denial-of-service incident almost once a month.
  • Overall, DNS QUERY attacks were the most common vector, seen in 26% of all DDoS events through 2023.
  • Individual industries saw some differences, with BFSI in particular seeing more TCP SYN floods than anything else.
  • Software and Computer Services was the most attacked industry in 2023, comprising 36% of all attacks. Telecommunications took second place, followed by Support Services, BFSI, and Media.
  • Telecoms saw the biggest jump in the number of attacks it faced.
  • Attack sizes remained high throughout the year with attacks consistently above 100Gbps, and many over 500Gbps. February was the outlier with the biggest attack of that month reaching less than 10Gbps.
  • Recent activity seen in the first half of 2024 points to continued growth with threat actors increasing their efforts to compromise IoT devices and subsume them into their botnets.


DDoS is Dead! Long Live DDoS!

Denial of Service attacks are approaching their middle age. It is almost 30 years since the first recorded attack which targeted the internet service provider Panix in September 1996. Almost three decades later we continue to see DoS evolve with emerging attack vectors affecting new protocols (HTTP/2) and old ones (DNS), alike.

Although the latter half of 2022 and the start of 2023 saw law enforcement making significant progress in the battle against DDoS-as-a-Service providers, the rapid recovery of organized crime and the announcement of new DoS attack vectors means that the relative calm was short lived.


One Step Forward: Global Takedowns

A large proportion of global denial of service traffic originates from malicious DDoS-as-a-Service platforms, hosted and run by organized crime gangs. It makes sense, therefore, that law enforcement agencies invest significant effort into bringing down these so-called “booters” or “stressors”. This is exactly what happened in December 2022. Europol, working with agencies from the United States, the United Kingdom, the Netherlands, Poland, and Germany, took down around fifty of the world’s biggest stressors (Figure 1).

Figure 1. Screenshot of DDoS-as-a-Service website after seizure by Europol

The effect of this operation can’t be overstated. The decline in DDoS traffic in the months after the takedowns was profound, as we’ll uncover as we dive into the numbers later in this report. February 2023 was, in particular, a very quiet month. Attack frequency was down considerably, as were the sizes of attacks. The largest attack seen in February measured only 7 Gbps.

Threat actors recovered quickly, however, with March witnessing the largest attack of the year coming in at 1 Tbps.

International take-down operations, such as those led by Europol, continue to be an important part of combatting organized cybercrime. One stressor taken down in the December 2022 operation was believed to have been responsible for 30 million attacks. For the most part, however, the focus of law enforcement is on the individuals who break the law, not the devices used to carry out the attacks. Websites and domains are also seized, but until the compromised devices which make up a DDoS botnet are taken care of, they remain in place just waiting for a new crime gang to co-opt them for their own purposes.


One Step Back: The Mozi DDoS Botnet

This report focuses on DDoS attacks which took place over the course of 2023. We would be remiss, however, to not address the huge rise in DDoS activity seen at the start of 2024. As recently covered in the April 2024 edition of the Sensor Intel Series, threat actors have been using new vulnerabilities to build DDoS botnets from TP-Link and Netgear routers, among others.

CVE-2023-1389, a command injection vulnerability in the firmware for the TP-Link Archer AX21 Wi-Fi routers, accounts for 40% of malicious scanning activity during April 2024 (see Figure 2). Exploit code for this CVE indicates that attackers are using it to take over vulnerable devices and subsume them into the Mozi botnet.

Figure 2: Most targeted CVEs by malicious internet-wide scans

The Mozi botnet has been documented as able to conduct HTTP, TCP, UDP, and other attacks. More information can be found in the April 2024 Sensor Intel Series article.


And Another Step Back: Emerging DDoS Attack Vectors

HTTP/2 Abuse

The relatively new HTTP/2 protocol (new in internet terms, since the protocol is now almost ten years old) recently came under the spotlight of security researchers. The latter half of 2023 and the start of 2024 saw not one, but two, new vulnerabilities which could create denial-of-service conditions even when HTTP/2 implementations followed the RFC to the letter. This is a big deal. Oftentimes it is a specific implementation of an RFC which is found to be vulnerable. In both of the following cases involving HTTP/2, however, all implementations are potentially vulnerable since the RFC itself did not consider all potential vectors of abuse.

HTTP/2 Rapid Reset Attack

The first HTTP/2 denial-of-service vulnerability, eventually published under CVE-2023-44487, was first discovered by Google after mitigating the largest application layer attacks ever seen. It is well defined by the CERT-EU security advisory:

The vulnerability exploits a weakness in the HTTP/2 protocol, allowing attackers to generate hyper-volumetric DDoS attacks. The attack involves sending a large number of HTTP/2 streams and immediately cancelling them, creating a cost asymmetry between the client and server. The attacker exploits the RST_STREAM and GOAWAY frames of the HTTP/2 protocol to manipulate the connection. This leaves the server doing significant work for cancelled requests while the client pays almost no costs.

HTTP/2 Continuation Frame Attack

The second HTTP/2 DoS vulnerability was announced in May 2024 and, for anyone that remembers it, shares a theme with the Slow Post denial of service attack method.

The binary HTTP/2 protocol features multiple types of ‘frames’. Some are used as Headers, others contain Data to be sent between the client and server. Other frame types also exist and one of them is known as a Continuation frame. This is used to signal to the server that the client has more data to send so the connection should be left open. A malicious HTTP/2 client is able to send an arbitrary number of Continuation frames to the server and exhaust its available memory. The F5 DevCentral community has a great write up on HTTP/2 Continuation Frame Attacks.

The CERT Coordination Center details Vulnerability Note VU#421644, and it is this article that should be used to look for CVEs against specific HTTP/2 implementations.
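Both HTTP/2 weaknesses above come down to a server buffering or working on client frames faster than it accounts for them. The following added example (not code from the report, F5, or any RFC) models server-side stream accounting with two guards: a reset-rate limit for Rapid Reset and a per-stream cap on buffered HEADERS/CONTINUATION bytes. The frames are constructed tuples rather than output of a real HTTP/2 parser, and the limits are illustrative values.

```python
"""Server-side HTTP/2 stream accounting with two added guards, one for each RFC-level
weakness described above: a reset-rate limit for Rapid Reset and a header-block size
cap for CONTINUATION floods. Added illustration, not F5 or RFC code; the frames are
constructed tuples, not output of a real HTTP/2 parser."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Optional, Set

# frame = (time_seconds, kind, stream_id, payload_len, end_flag)
# end_flag means END_HEADERS for HEADERS/CONTINUATION and END_STREAM for DATA.


@dataclass
class Connection:
    max_concurrent: int = 100        # SETTINGS_MAX_CONCURRENT_STREAMS, per RFC 9113
    max_resets: int = 200            # added guard: client RST_STREAMs allowed per window
    reset_window: float = 1.0        # seconds
    max_header_bytes: int = 16_384   # added guard: HEADERS + CONTINUATION bytes per stream
    open_streams: Set[int] = field(default_factory=set)
    reset_times: Deque[float] = field(default_factory=deque)
    header_bytes: Dict[int, int] = field(default_factory=dict)
    work_started: int = 0            # requests the server committed resources to
    peak_concurrent: int = 0
    closed_reason: Optional[str] = None

    def handle(self, frame) -> bool:
        """Process one client frame; return False once a guard has closed the connection."""
        if self.closed_reason:
            return False
        now, kind, sid, length, end_flag = frame
        if kind == "HEADERS":
            if len(self.open_streams) >= self.max_concurrent:
                self.closed_reason = "too_many_streams"
            else:
                self.open_streams.add(sid)
                self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
                self.header_bytes[sid] = length
                if end_flag:
                    self._dispatch(sid)
        elif kind == "CONTINUATION":
            # Fragments must be buffered until END_HEADERS arrives, and a client may keep
            # sending them indefinitely, so bound the bytes buffered per stream.
            self.header_bytes[sid] = self.header_bytes.get(sid, 0) + length
            if self.header_bytes[sid] > self.max_header_bytes:
                self.closed_reason = "continuation_flood"
            elif end_flag:
                self._dispatch(sid)
        elif kind == "DATA" and end_flag:
            self.open_streams.discard(sid)
        elif kind == "RST_STREAM":
            # The stream slot is freed at once, so max_concurrent alone never trips during
            # Rapid Reset; counting resets over time is what catches it.
            self.open_streams.discard(sid)
            self.header_bytes.pop(sid, None)
            self.reset_times.append(now)
            while now - self.reset_times[0] > self.reset_window:
                self.reset_times.popleft()
            if len(self.reset_times) > self.max_resets:
                self.closed_reason = "rapid_reset"   # a real server would send GOAWAY here
        return self.closed_reason is None

    def _dispatch(self, sid: int) -> None:
        # Routing, backend calls, logging: all paid before any RST_STREAM can arrive.
        self.work_started += 1


def run(frames, **limits) -> Connection:
    """Feed constructed frames to a fresh connection until a guard closes it."""
    conn = Connection(**limits)
    for frame in frames:
        if not conn.handle(frame):
            break
    return conn


def rapid_reset_frames(n: int, spacing: float = 0.001):
    """Constructed: n streams, each opened with END_HEADERS and reset immediately."""
    frames = []
    for i in range(n):
        sid, t = 2 * i + 1, i * spacing
        frames.append((t, "HEADERS", sid, 200, True))
        frames.append((t, "RST_STREAM", sid, 4, False))
    return frames


def continuation_flood_frames(n: int, chunk: int = 1024):
    """Constructed: one HEADERS without END_HEADERS followed by n-1 CONTINUATION frames."""
    frames = [(0.0, "HEADERS", 1, chunk, False)]
    frames += [(i * 0.001, "CONTINUATION", 1, chunk, False) for i in range(1, n)]
    return frames


if __name__ == "__main__":
    guarded = run(rapid_reset_frames(1000))
    print(guarded.work_started, "requests dispatched before", guarded.closed_reason)
    flood = run(continuation_flood_frames(100))
    print(flood.header_bytes[1], "header bytes buffered before", flood.closed_reason)
```

Running the same reset sequence with `max_resets` set very high shows the asymmetry the advisory describes: all 1000 requests are dispatched while the concurrent-stream count never exceeds one.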

Loop DoS

Attackers making use of UDP floods often benefit from the ability to spoof the source IP address, which renders IP-based blocking ineffective. UDP packets, however, still require that traffic is generated from malicious or compromised clients (zombies) in a botnet. Loop DoS, by contrast, needs no such botnet. A single malicious request to Alice results in a flood of traffic to Bob. Bob then responds to Alice, generating yet more unwanted traffic. Essentially, Alice and Bob are tricked into attacking each other. Despite this potential attack vector being known since 1996, it was only revealed as a practical attack method in March 2024, with protocols such as TFTP, DNS, NTP, Echo and Chargen open to exploit. A reported 300,000 servers were potentially vulnerable to this attack.
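The Alice-and-Bob loop above can be reproduced in a few lines, which also makes the fix concrete. This added example (not from the report) models two UDP services as plain functions with no sockets: the naive handler answers every datagram, including another server's error, with an error, while the hardened handler applies two rules that break the loop. Port numbers and payloads are constructed.

```python
"""Why Loop DoS needs no botnet, and how a UDP service breaks the loop. Added
illustration, not from the report; the two 'services' are plain functions and the
trigger datagram is constructed in-memory, so nothing touches the network."""
from typing import Callable, Optional

Handler = Callable[[str, int], Optional[str]]   # (payload, source_port) -> reply or None


def naive_handler(payload: str, src_port: int) -> Optional[str]:
    """Vulnerable pattern: every datagram, even another server's error, earns an error."""
    return "ERROR: unsupported request"


def hardened_handler(payload: str, src_port: int) -> Optional[str]:
    """Two cheap rules that break the loop: never answer an error with an error, and
    never answer traffic that claims to come from another service's well-known port
    (the source address is spoofable, so such a datagram is exactly the trigger)."""
    if payload.startswith("ERROR"):
        return None
    if src_port < 1024:          # real clients use ephemeral ports well above this
        return None
    return "ERROR: unsupported request"


def simulate(handler_a: Handler, port_a: int, handler_b: Handler, port_b: int,
             trigger: str, max_rounds: int = 1000) -> int:
    """Deliver one spoofed datagram to A that appears to come from B's service port, then
    bounce replies between the two until one stays silent or max_rounds is exhausted.
    Returns the number of datagrams the two servers generated between themselves."""
    sent = 0
    handler, port, peer, peer_port, payload = handler_a, port_a, handler_b, port_b, trigger
    for _ in range(max_rounds):
        reply = handler(payload, peer_port)
        if reply is None:
            break
        sent += 1
        handler, port, peer, peer_port, payload = peer, peer_port, handler, port, reply
    return sent


if __name__ == "__main__":
    # Two TFTP-style services (port 69) answering each other's errors run until the budget ends.
    print("naive <-> naive:", simulate(naive_handler, 69, naive_handler, 69, "bogus"))
    print("naive <-> hardened:", simulate(naive_handler, 69, hardened_handler, 69, "bogus"))
    print("hardened <-> hardened:", simulate(hardened_handler, 69, hardened_handler, 69, "bogus"))
```

Note that hardening only one of the two services is enough to stop the loop after a single reply.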

DNSbomb

As if DNS hasn’t already been exploited enough for denial of service attack vectors (such as NXDOMAIN attacks as well as DNS reflection floods) yet another exploit was revealed for this much beleaguered protocol. Just as with the HTTP/2 based attacks, this method exploits not a vulnerability, but deliberate mechanisms defined within the RFC 1035 specification.

Researchers determined that by making use of availability, security, and reliability features of DNS, it is possible to accumulate DNS queries such that all responses are let loose at once in “pulsing bursts”, which could result in a potential denial of service situation. Individual DNS vendors have issued their own CVEs but an industry-wide CVE was also published under CVE-2024-33655.

After a slow but marked decline in DoS attacks over recent years, 2023 saw a staggering increase compared with 2022. DDoS attacks have become more prevalent not only because of their commoditisation and ease of use, but also because of rising global tensions and the ease with which hacktivists can launch an attack.

DDoS Attacks Explode in 2023

The global map shown in Figure 3 provides a glanceable view of the attacks seen by F5 Distributed Cloud over the course of 2023. While the number of attacks encountered by each region appears to vary drastically, the frequency of incidents is directly proportional to the number of customers in any given region. What does this mean? Regardless of the postal address of an organization’s headquarters, or the virtual address of its IPv4 space, attackers care not for geographical boundaries. While individual countries do see more incidents than others, no one continent is worse than any other when averaging out the countries in that region. We dive into regional and country-level comparisons later in this report.

Figure 3: Regional comparison of DDoS attack frequency and peak bandwidth

Looking at total incidents, we found that DDoS attacks more than doubled over 2023, exploding from just over 1,000 in 2022 to more than 2,100 a year later (see Figure 4).

Figure 4: Count of DoS attacks by year

The mean number of attacks each organization faced was just over 11 across 2023, almost one a month. Needless to say, some businesses faced more attacks than others. One unfortunate Software & Computer Services firm withstood a staggering 127 attacks over the course of the year. However, this was far from the most attacked organization. One company stole the unenviable crown for most targeted, suffering a whopping 187 individual DDoS incidents in 2023. This company, found in the Support Services industry, was also unlucky enough to be the victim of the largest attack we saw in the year.


Average Peak Attack Sizes Grow

Although the F5 Distributed Cloud service hasn’t seen an incident as large as the 1.4Tbps attack which it mitigated in 2021, it came close in March 2023 when it blocked an attack reaching 1Tbps (see Figure 5). Threat actors attempted to take down the aforementioned Support Services organization with a deluge of TCP SYN packets. Most months in 2023 saw peak attack sizes of 100-200 Gbps or greater, with February being the only significant outlier, seeing only a relatively tiny 5Gbps attack.

While Figure 5 is useful to visualise the largest and smallest attacks, the box-whisker plot is perhaps more useful to determine the most frequent attack sizes. The lower quartile of peak attack sizes varied very little throughout 2023, with the lowest 25% of attacks reaching only 30-50Mbps. However (noting the logarithmic scale on the y-axis of Figure 5), the upper quartile saw steady and significant growth, indicating the steady rise in average attack bandwidth. January’s upper quartile reached only 100Mbps, with the year ending at 900Mbps attacks in December.

Figure 5: Box-whisker plot of attack peak bandwidth over 2023 (note the logarithmic scale on the y-axis)

Let’s change the view to dive into attack sizes further. The histogram in Figure 6 uses logarithmic binning on the x-axis in order to visualize how often certain attack sizes occur, but what can we learn from this? Well, we can see that attacks peaking at 50-200Mbps in size are by far the most common.

Figure 6: Frequency distribution of peak attack size across 2023

Attack sizes of 50-200 Mbps might suggest that such attacks are trivial to mitigate, especially considering the widespread adoption of fibre broadband, with many home users enjoying connections of up to 1Gbps. As we examine later in this report, however, saturation of a network connection is rarely the sole objective of DoS attackers.


Preferred Attacker Techniques

As we’ve seen so far, DDoS attacks are, on average, getting larger and more common, but what techniques and attack vectors are being favoured by threat actors? Previous F5 Labs DDoS Attack Trends reports have shown a slow increase in attacks which relied on TCP. This made sense considering we also saw an increase in application-based attacks which, at least for HTTP(S) applications, required a TCP connection. That trend is slowly reversing, however, with UDP being used to deliver 4x more attacks than TCP, and 8x more than ICMP (Figure 7). With the web slowly moving from HTTP/2 (a TCP based protocol) to QUIC and HTTP/3 (which uses UDP) we expect to see this trend grow at an increasing rate over the coming years.

Figure 7: 2023 DoS attacks by network layer protocol

Note: Since many attacks are multi-vector and will attack many apps across different protocols, the values for UDP, TCP, and ICMP combined will add up to more than the years’ total individual attacks.

Peak attack size, as showcased in Figure 5 and Figure 6, tells only part of the story. What ports, protocols, and applications are being attacked can be more important to understand, since some DDoS attack vectors are significantly harder to protect against than others. Take, for example, what might appear to be a surge in web traffic. Is a sudden increase in HTTP GET requests a sign of a successful marketing campaign, the result of a reseller bot attempting to purchase all inventory, or a layer 7 DDoS attack? Ultimately, if the webserver is overwhelmed and unable to serve pages to genuine customers, does it matter what the original intent was? The result is the same. Denial of service.

When is a DDoS Attack Not a DDoS Attack?

In May, June, July, and August of 2023 a major online retailer suffered a number of denial-of-service incidents. The July DDoS incident peaked at approximately 16,000 transactions per second (TPS), and was a simple HTTP GET flood targeting the home page of the retailer. Two attempts were made, each lasting approximately thirty minutes. Over 61,000 unique IP addresses were observed participating, from more than 4,000 different ASNs, suggesting a distributed botnet as the origin of the attack.

The DDoS events coincided with the retailer opening early access to new products. The goal of the attacker is believed to have been an attempt to disrupt access to the retailer during an important product release. Upon closer inspection of the malicious activity, however, it was noted that while some incidents were indeed directed DDoS attacks, many were the result of web scraping bots attempting to obtain product and pricing information. This web scraping was so intense that, on multiple occasions, it created denial of service conditions for genuine customers. The bot was easily identified since its traffic was all directed at product pages and was not found to follow common human flows.

Figure 8: Traffic pattern of a retailer under DoS attack caused by web scraping bots

With the DDoS traffic removed, we can see that this one incident dwarfed all other traffic observed during this timeframe. Positively identified malicious automation is shown in red, suspicious and flagged traffic in yellow.
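The two signals the case above relies on, traffic aimed almost exclusively at product pages and sequences that never follow a human flow, can be turned into a simple classifier. The following is an added example, not F5 code or the retailer's own tooling; the access-log format, paths, thresholds and log lines are all constructed, and the verdict names mirror the red and yellow bands in Figure 8.

```python
"""Separate a web-scraping bot from human shoppers using two behavioural signals:
share of product-page requests and whether the session ever followed a human flow
(home or search first, then products, then cart). Added example, not F5 code; the
log format, paths, thresholds and sample lines are constructed for illustration."""
import re
import statistics
from collections import defaultdict

# Constructed access-log format: "<epoch_seconds> <client_ip> <method> <path>"
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s+(\S+)\s+(\S+)$")
PRODUCT_RE = re.compile(r"^/product/\d+")
ENTRY_PATHS = ("/", "/search")           # where human sessions begin


def profile_clients(lines):
    """Per client: request count, share of product-page hits, whether any entry page was
    requested, and the median gap between consecutive requests in seconds."""
    sessions = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, _method, path = m.groups()
            sessions[client].append((float(ts), path))
    profiles = {}
    for client, hits in sessions.items():
        hits.sort()
        times = [t for t, _ in hits]
        gaps = [b - a for a, b in zip(times, times[1:])]
        profiles[client] = {
            "requests": len(hits),
            "product_share": sum(PRODUCT_RE.match(p) is not None for _, p in hits) / len(hits),
            "entry_seen": any(p.split("?")[0] in ENTRY_PATHS for _, p in hits),
            "median_gap": statistics.median(gaps) if gaps else float("inf"),
        }
    return profiles


def classify(profile, min_requests=5):
    """'malicious' mirrors the red band in Figure 8, 'suspicious' the yellow one."""
    if profile["requests"] < min_requests:
        return "human"                   # too little traffic to judge
    if (profile["product_share"] >= 0.95 and not profile["entry_seen"]
            and profile["median_gap"] <= 0.5):
        return "malicious"
    if profile["product_share"] >= 0.8 and (not profile["entry_seen"]
                                            or profile["median_gap"] <= 1.0):
        return "suspicious"
    return "human"


def classify_log(lines):
    """Map every client in the log to a verdict."""
    return {client: classify(p) for client, p in profile_clients(lines).items()}


def constructed_log():
    """Constructed sample: a shopper, a fast scraper, and a borderline price checker."""
    lines = []
    shopper = ["/", "/search?q=shoes", "/product/12", "/product/13", "/cart",
               "/product/13", "/checkout"]
    for i, path in enumerate(shopper):
        lines.append(f"{1000 + 8 * i} 198.51.100.20 GET {path}")
    for i in range(200):                      # product pages only, ten per second
        lines.append(f"{1000 + i * 0.1:.1f} 203.0.113.7 GET /product/{i}")
    lines.append("1000 192.0.2.33 GET /")
    for i in range(40):                       # came in via the home page, then hammered products
        lines.append(f"{1001 + i * 0.8:.1f} 192.0.2.33 GET /product/{i}")
    return lines


if __name__ == "__main__":
    for client, verdict in classify_log(constructed_log()).items():
        print(client, verdict)
```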

Distributed denial of service attacks are commonly grouped into three layers, depending on their intent. Volumetric (also called ‘network’) attacks attempt to consume network bandwidth, protocol attacks try to overwhelm networking devices, while application attacks target the application stack itself and attempt to consume all available memory or CPU cycles. The MITRE ATT&CK framework takes a different approach. Our mapping of DDoS layers to those found in the ATT&CK model can be found in Table 1 (Appendix).

By Layer

Using the standard model of DDoS attack layers (volumetric, protocol, application) we see a consistent 50% of attacks focusing on the network layer (see Figure 9). These volumetric attacks combine direct network floods with reflection attacks in an attempt to saturate the networks delivering the application to users. Back in 2022 we saw a steady increase in application layer attacks (including HTTP(S) floods and DNS queries), and this growth peaked at just under 40% of all attacks by quarter 1 of 2023. Over the remainder of 2023, application focused attacks decreased to around 25%, with protocol layer attacks picking up some of the slack.

Figure 9: Distribution of target layers over 2022 and 2023

Using the MITRE ATT&CK framework to categorise denial of service attacks paints much the same picture, if only in slightly more detail (Figure 10). Limitations in data collection prevent us from categorizing attacks under T1499.003 (Application Exhaustion Flood) and T1499.004 (Application or System Exploitation), though our case studies provide clear indication that these attack vectors are indeed under widespread use (see When is a DDoS Attack Not a DDoS Attack?). Figure 10 also implies a fairly consistent spread of attack types over the year, save for the marked decrease in T1499.002 (Service Exhaustion Flood attacks).

Figure 10: MITRE ATT&CK categorization for attacks throughout 2023

Having considered attack frequency, attack size, and attack layer, what if we combine all three metrics? It is not until peeling back the layers, so to speak, that we can begin to understand the importance of attack frequency and the tiers at which they are attacked. Figure 11 shows individual histograms for application, protocol, and volumetric (network) attacks (note the logarithmic binning on the x-axis).

At a casual glance, the vast discrepancy in peak attack size frequency by targeted layer is already apparent.

Figure 11: Attack frequency distribution by attack size, per attack layer

While volumetric attacks see a steady decline in frequency as we move from the small 100Mbps attacks through to the largest ones at 1Tbps, a very different story can be seen for attacks targeting the application tier. The overwhelming majority of application-focused DoS incidents are micro-DDoS attacks, ranging from 50Mbps to 200Mbps. Application focused attacks rarely result in large amounts of network bandwidth. While 50-200Mbps attacks sound trivial in nature, the complexity of mitigating these application focused attacks is anything but.

By Vector

Digging down one more layer, let’s look at which application or protocol is being focused on. Previous reports have shown that generic UDP floods or DNS reflection attacks were the most popular attack vectors of the past few years. This year we see a notable change.

Over 2023, DNS QUERY attacks (also known as NXDOMAIN attacks) were by far the most common, at least when evaluating all industries together (see Figure 12). As we will examine later, some industries are being targeted in different ways. While DNS reflection (T1498.002 Reflection Amplification, as categorised by MITRE) is actually a form of volumetric/reflection attack, NXDOMAIN attacks send genuine queries to a DNS server for domains that don’t exist. By sending queries for spurious non-existent domains, the DNS server is compelled to perform a lookup and then return an NXDOMAIN error. The quantity of requests consumes the resources of the DNS server, preventing genuine users from resolving a domain into the IP address their device needs in order to find and connect to the service they require. Attacking DNS servers allows attackers to take down multiple sites and services at once. In 2016, a DDoS attack targeting DynDNS and the resulting outage took down dozens of the world’s leading sites, including the BBC, Netflix, and PayPal.

Figure 12: Attack vector of DoS incidents over 2023
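An NXDOMAIN flood of the kind described above leaves a distinctive trace in resolver query logs: one client asking one zone for many never-seen names, nearly all of them answered NXDOMAIN. The following added example (not F5 code) measures exactly that from a constructed log; the log format, sample lines and thresholds are all constructed for illustration.

```python
"""Spot an NXDOMAIN (DNS QUERY) flood in resolver query logs. Added example, not F5
code; the log format, log lines and thresholds are constructed for illustration.
A random-subdomain flood looks like one client asking one zone for many never-seen
names, nearly all answered NXDOMAIN, which is what the checks below measure."""
import math
import random
import re
from collections import Counter, defaultdict

# Constructed line format: "<timestamp> <client_ip> <qname> <rcode>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label; 'www' scores 0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0


def analyse(lines, min_queries=20, nx_ratio=0.8, min_entropy=3.0):
    """Return {client_ip: summary} for clients whose queries look like an NXDOMAIN flood:
    enough volume, mostly NXDOMAIN answers, high-entropy leftmost labels."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "entropy": [], "zones": Counter()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue        # malformed line: skip rather than crash on noisy logs
        _ts, client, qname, rcode = m.groups()
        labels = qname.rstrip(".").split(".")
        s = stats[client]
        s["total"] += 1
        s["zones"][".".join(labels[-2:])] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["entropy"].append(label_entropy(labels[0]))
    findings = {}
    for client, s in stats.items():
        if s["total"] < min_queries or not s["entropy"]:
            continue
        ratio = s["nx"] / s["total"]
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        if ratio >= nx_ratio and mean_entropy >= min_entropy:
            zone, _ = s["zones"].most_common(1)[0]
            findings[client] = {"queries": s["total"], "nxdomain_ratio": round(ratio, 2),
                                "mean_label_entropy": round(mean_entropy, 2), "zone": zone}
    return findings


def constructed_log():
    """Constructed sample: a flood source plus a normal client, interleaved by time."""
    rng = random.Random(7)
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines = []
    for i in range(40):
        label = "".join(rng.choices(alphabet, k=16))
        lines.append(f"1700000000.{i:03d} 203.0.113.7 {label}.example.com. NXDOMAIN")
    normal = ["www.example.com.", "mail.example.com.", "api.example.com."]
    for i in range(30):
        lines.append(f"1700000000.{i:03d} 198.51.100.20 {normal[i % 3]} NOERROR")
    lines.append("1700000000.999 198.51.100.20 wwww.example.com. NXDOMAIN")   # a typo, not a flood
    return sorted(lines)


if __name__ == "__main__":
    for client, summary in analyse(constructed_log()).items():
        print(client, summary)
```

The entropy check is what keeps a client with a handful of genuine typos (a low-entropy label such as "wwww") from being flagged alongside the flood source.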


2023 DDoS Attacks by Industry

How do attacks differ by industry? Do threat actors focus more on some sectors than others, and do their tactics vary between them? We dove deep into the data to try and answer these questions. For those interested, see how we classified organizations in the Methodology section.

For each industry, we examined the frequency of attacks, peak bandwidth, and the most commonly targeted layer (network/volumetric, protocol, and application). While there is some correlation between frequency and attack sizes, that relationship is not always present.

Software and Computer Services was the most attacked sector in 2022 and remains so in 2023, having suffered double the number of attacks compared with the previous year (see Figure 13). This industry includes organizations which create applications, and also cloud hosting services such as infrastructure-as-a-service (IaaS) and software-as-a-service (SaaS). Just as with DNS NXDOMAIN attacks, if a threat actor is able to affect a cloud service they have the potential to take out multiple organizations, not just a single one.

The second most attacked industry was telecommunications, but it takes the top spot for biggest increase in attacks. These organizations suffered a staggering fivefold increase in attacks in 2023 compared with the previous year. Banks and Media also saw significant increases in attacks, well above the average for all industries combined.

A small number of industries were fortunate to encounter a small decline in the number of attacks they faced. Government, Government Agencies, Food & Drug Retailers, Real Estate, and Technology Hardware organizations all saw a small drop in the number of incidents targeting them.

Figure 13: Frequency of attacks in 2023 per industry

Those industries with the most incidents are not always the same ones defending from the largest of attacks. Figure 14 shows that the Support Services industry withstood the largest attack of 2023, weighing in at 1Tbps. The Support Services industry is defined as organizations offering HR, Payroll, and related services to other businesses. It is possible that organizations in this industry were directly targeted, but it is equally possible that they were hit due to the businesses they provided services to.

The Software and Computer Services industry, despite being the most attacked, only encountered DDoS incidents of 200Gbps or smaller.

Figure 14: Peak attack sizes in 2023 per industry

As we examined previously, volumetric attacks account for, on average, 50% of all DDoS incidents over the course of 2023. Diving into individual industries, however, shows considerable variation in attacker focus.

Over 60% of attacks against the Support Services industry were targeting the application layer (Figure 15). Contrast this with Banks who saw relatively few attacks at this layer and, instead, faced more protocol attacks than any other type.

Figure 15: Proportion of DDoS attack layers in 2023 per industry. Note: industries with a small sample size have been excluded.


By Website Rank

Does a high website ranking attract more DDoS attacks? Are small organizations (typically found toward the bottom of the world’s 1 million most popular sites) out of sight and, therefore, out of mind? (See Methodology in the Appendix to understand how we rank sites).

These are the questions we attempted to answer in Figure 16 (note that F5 Distributed Cloud has customers found at the very top of the top 1M sites, but only as far down as 100,000 in the rankings). In this histogram we can see that sites towards the top of the 1M list do indeed face more attacks, but a considerable number of incidents can still be found targeting sites regardless of their ranking. This plot is a useful reminder that all organizations, regardless of their size or ranking, are possible targets for DDoS attacks.

Figure 16: Frequency of DDoS attacks in 2023 by website rank


Industry Breakdown

To what extent do threat actors modify and customize their DDoS attacks for each sector? Well, Figure 15 showed that attackers do indeed, coincidentally or otherwise, tend to prefer different attack methods for different types of organizations. We pick the five most attacked industries and dive deeper to see what else is hiding within the data.

Banking and Financial Services

Taken separately, Banks and the closely related industry of Financial Services rank 5th and 6th, respectively, when considering the total number of DDoS attacks. When combined, however, they place joint 3rd accounting for 11% of all incidents. Together, they witnessed a 140% increase in attacks compared with 2022.

Attacks throughout 2023 saw a good deal of fluctuation with regard to the frequency and size of attacks. The largest, measuring 400Gbps at its peak, arrived in June – the quietest month for this combined industry. Only two other months, March and July, saw similarly large attacks, with five months in 2023 having attacks peaking at only 5-6Gbps (Figure 17).

Figure 17: Peak attack sizes targeting the Bank and Financial Services industries in 2023

As hinted at in Figure 15, there appears to be a definite preference towards protocol layer attacks when DDoS attacks target the Bank and Financial Services industries. Figure 18 has a more detailed breakdown of the most attacked layers, using the MITRE ATT&CK framework for additional detail. The increase in volumetric attacks (reflection attacks, to be specific) in Q4 of 2023 doesn’t detract from the fact that the vast majority of attempted DDoS attacks focus on the protocol tier (“OS” in ATT&CK parlance). This suggests that attackers know the majority of financial institutions are generally well protected from large volumetric attacks and their best chance is to target another layer in the stack.

Figure 18: Distribution of attack vectors targeting the Bank and Financial Services industries in 2023

Digging a little deeper, we find that the Bank and Financial Services industries are the only two for which the most common attack vector is not DNS QUERY (at least among those industries for which we have a large enough sample size to draw accurate and safe conclusions). Figure 19 and Figure 20 reveal that TCP SYN floods were the most common attack vector.

Figure 19: Distribution of attack vectors hitting the Banking industry in 2023

Figure 20: Distribution of attack vectors hitting the Financial Services industry in 2023

Telecommunications

The telecoms industry saw an unenviable 655% growth in attacks and accounted for 23% of all DDoS incidents in 2023. January and February were the quiet months before the storm of the rest of the year. The largest attack didn’t arrive until December and peaked at 583 Gbps.

Figure 21: Peak attack sizes targeting the Telecommunications industry in 2023

The first quarter of 2023 saw a definite focus towards application layer (service) attacks, though this preference appeared to dissipate over the rest of the year as volumetric and protocol attacks increased (Figure 22).

Figure 22: Distribution of attacks against the Telecommunications industry in 2023

As with the majority of other industries, DNS QUERY (NXDOMAIN) attacks were most common, but DNS reflections and UDP floods were also heavily used as can be seen in Figure 23. Unlike the Banking and Financial Services industries, TCP SYN attacks occurred relatively infrequently.

Figure 23: Distribution of attack vectors targeting the Telecommunications industry in 2023

Software & Computer Services

This industry saw relatively modest growth in attack frequency, up 113% from the previous year. Although Software and Computer Services firms accounted for 37% of all incidents in 2023, the attacks themselves were far smaller than those against other industries. Figure 24 shows that the largest attack came in November and peaked at just 200 Gbps.

Figure 24: Peak attack sizes targeting the Software and Computer Services industry in 2023

The industry saw attacks spread quite evenly across the application, protocol, and volumetric layers. The ATT&CK perspective of DDoS incidents shows some small variation from quarter to quarter (Figure 25). Attacks against the ‘service’ tier (application layer) remained slightly more common than the others throughout 2023.

Figure 25: Distribution of attack types against the Software and Computer Services industry in 2023

As with other industries, DNS QUERY (NXDOMAIN) attacks were the most common vector by a significant margin (see Figure 26).

Figure 26: Distribution of attack vectors targeting the Software and Computer Services industry in 2023

Support Services

The Support Services sector is described as including firms which offer general management, human resources, administration, payroll, and facilities management to other organizations. While the number of incidents focused on this sector remained fairly flat compared with 2022, Support Services takes a podium finish in 2023. It was the third most attacked sector, with 11% of all incidents, and also suffered the largest attack of the year, which came in March and measured an impressive 1 Tbps (Figure 27).

Figure 27: Peak attack sizes targeting the Support Services industry in 2023

As Figure 27 also highlights, massive fluctuations in attack frequency and peak attack sizes were seen throughout the year. The vast majority of incidents were mini-DDoS attacks (sub 1 Gbps) and micro-DDoS attacks (sub 200 Mbps), which makes the 1 Tbps attack in March and the 500 Gbps incident in November really stand out.

This industry also stands apart from the crowd when considering the most commonly targeted ‘layer’. As Figure 28 shows, for most of the year more than 60% of all DDoS attacks against Support Services businesses targeted the application layer, or ‘service’ as defined by ATT&CK.

Figure 28: Distribution of attack types against the Software and Support Services industry in 2023

Attacks in this sector almost exclusively used DNS QUERY (NXDOMAIN) floods as evidenced in Figure 29.

Figure 29: Distribution of attack vectors targeting the Software and Support Services industry in 2023

Media

With increased global tension comes increased reporting from the world’s press. It is perhaps no surprise, then, that attacks targeting Media grew by over 155% in 2023. The Mapping Media Freedom service shows similar growth, with the number of reports of cyber attacks against media outlets jumping from only three in 2022 to 36 in 2023 (17 incidents targeting Hungarian media, and 6 focused on those in Ukraine).11

Data from F5’s Distributed Cloud service shows a very quiet start to 2023, in part due to the takedown of DDoS stressors in December 2022. Incidents grew rapidly from April onwards, however, with attacks typically reaching 20-90 Gbps (Figure 30).

Figure 30: Peak attack sizes targeting the Media industry in 2023

January through March, and October through December, were comparatively quiet months for the Media industry with respect to DDoS attacks. It is therefore interesting that quarters 1 and 4 had relatively high proportions of application layer attacks (Figure 31). This implies that the additional attacks seen from April through September were predominantly volumetric.

Figure 31: Distribution of attack types against the Media industry in 2023

As with most other industries, incidents against Media were conducted primarily using DNS QUERY (NXDOMAIN) attacks (see Figure 32).

Figure 32: Distribution of attack vectors targeting the Media industry in 2023

2023 DDoS Attacks by Region

We kicked off this report with a high-level look at attacks by global region, but what of individual countries? And, when it comes to the internet, with global routing and the ability to forge IP addresses in UDP packets, how can we accurately attribute attacks to any one country? We explain more in Methodology (Appendix) but, simply put, when classifying organizations by industry we also looked up the location of their global headquarters. Since threat actors predominantly target organizations, and not countries as a whole, it is important not to attribute the wrong motivations to attacks. It is more likely for a business to be attacked due to its business activity or political affiliations than due to the country in which it operates.

With all of those caveats out of the way, let’s dig into the details to see what patterns emerge.

Top Attacked Countries

While Figure 3 showed that Europe, the Middle East, and Africa (EMEA) encountered almost 60% of all attacks for 2023, that is likely explained by the sheer number of countries in this region. North America (NAMER) accounted for 38% of all attacks but the United States of America took top spot for most attacked country. The USA had more than double the number of incidents compared to France, number two in the list of most attacked countries (Figure 33).

Figure 33: Ranking of most DDoS'd countries in 2023

In fact, the old 80/20 rule holds mostly true here: just six countries account for 80% of all attacks. Figure 34 tracks the number of incidents over the past two years for the USA, France, Saudi Arabia, Italy, Belgium, and the UK. From it we can see a number of standout periods.

Figure 34: DDoS incidents for the six most attacked countries in 2023

December 2022

The end of 2022 saw an unusual and significant spike in DDoS attacks against UK organizations, dropping off in January and February 2023 almost as quickly as it grew. In November 2022 the Killnet group, long affiliated with Russian state interests, claimed responsibility for targeting multiple UK sites, making reference to the UK’s supply of missiles to Ukraine.12 It is believed that the continued attacks in December 2022 were similarly related to the UK’s support of Ukraine in its ongoing conflict. This period also saw considerable political activity in the UK, with industrial strikes carried out in the rail, postal, and healthcare services.

February – March 2023

France saw relatively few DDoS incidents in 2022, which makes the sharp and sustained increase in 2023 most notable. Attacks exploded in February and March, and this increase in activity was, at least in part, claimed by NoName057(16), another Russia-linked threat group. They claim to have targeted French sites due to the announced pension reform.13

The United States of America continued to take a leading role on the world stage during these months. Increasing tension with China, responses to North Korean missile tests, and its continued support for Ukraine, all provided ample incentives for politically motivated hacktivists.

August – September 2023

France and Belgium continued to take prominent roles in diplomatic negotiations in the Middle East, and France in particular drew ire from both sides of the debate; both countries saw increased activity in this period.

Regional Breakdown

While many individual countries don’t contain enough data for us to draw accurate conclusions, taking a higher-level look at the continents within which they reside does allow us to tease out how attacks might differ from region to region.

Europe, Middle East, and Africa (EMEA)

The EMEA region suffered 57% of all incidents in 2023 and witnessed a significant surge in DDoS attacks, with incidents more than tripling compared to 2022. Throughout the year, there was a marked and consistent increase in both the quantity of attacks and their peak bandwidth. The mean peak bandwidth saw a dramatic rise from 50 Mbps in January to 5 Gbps by December. The largest attack occurred in June, measuring just under 500 Gbps (see Figure 35). The Software and Computer Services industry was the most frequently targeted, mirroring trends seen in North America (Figure 36). Additionally, the EMEA region experienced a substantial number of attacks against Telecommunications organizations, a stark contrast to the patterns observed in North America. At the beginning of 2023, 50% of all attacks in the EMEA region targeted the application layer; however, this proportion decreased significantly from the second quarter onwards (Figure 37).

Figure 35: Frequency of peak attack sizes for EMEA in 2023

Figure 36: Frequency of attacks in EMEA by industry in 2023

Figure 37: Proportion of DDoS attack types targeting EMEA in 2023

North America (NAMER)

North America, the second most attacked region, experienced 37% of all DDoS incidents in 2023. A notable characteristic of this region is the relatively low proportion of volumetric (network) attacks, with 60% of all incidents targeting the protocol and application layers (see Figure 40). Despite a 140% growth in attacks, this increase was significantly less than in other regions. The Software and Computer Services sector was the most targeted, similar to the trend in EMEA. The second most attacked industry was Support Services, with one organization bearing the majority of these incidents (Figure 39). Attack frequency and peak bandwidth in North America fluctuated more throughout the year compared to EMEA. The largest attack occurred in March, peaking at 1 Tbps (Figure 38).

Figure 38: Frequency of peak attack sizes for North America in 2023

Figure 39: Frequency of attacks in North America by industry in 2023

Figure 40: Frequency of attacks in North America by industry in 2023

Latin America (LATAM) and Asia Pacific (APCJ)

Our sample sizes for these regions are small enough that we don’t feel it is fair to try to draw strong conclusions. We recommend basing your assessment for these regions on the global averages or digging into the industry-based conclusions.

Conclusion

The majority of industries and regions saw significant growth in DDoS attacks over 2023, with many attacks directly attributable to geopolitical events throughout the year. In particular, the Banking, Software and Computer Services, and Telecommunications industries all saw dramatic increases in malicious activity compared with the previous year. Attacks grew so much, in fact, that on average businesses can expect to deal with a DDoS attack around eleven times a year, almost once a month.

Attacker focus no longer seems to be on generating the largest possible amount of bandwidth. While large volumetric attacks are still an easy way for bad actors to cause disruption, very small micro and mini DDoS attacks are a far more common problem for businesses. On face value, small attacks appear to be trivial to cope with, yet their small size masks the true complexity of mitigation. For the majority of industries, DNS NXDOMAIN attacks are the attacker tool of choice.

In addition, the non-human (bot) traffic scanning, scraping, and interacting with most websites will make it difficult for application owners to understand the cause of a degradation in service. Is it due to a well-planned marketing campaign, an inability to identify and block automation, a denial of service using the infamous Slowloris attack, or perhaps a newer vector such as HTTP/2 Rapid Reset?

Recommendations

DDoS attacks are clearly here to stay and, while many attacks are relatively short lived, their impact on the business and its reputation can be long lasting. The simplest recommendation (although perhaps the least helpful) is a cloud scrubbing solution. A managed service, monitored by experts who deal with DDoS attacks every day and backed by multi-terabit bandwidth capabilities, certainly offers the widest protection possible and can often be deployed with very little disruption.

Data privacy and compliance reasons may mean that organizations in some sectors need to retain at least an element of on-prem DDoS mitigation, however. For those that aren’t able to wholly rely on a managed DDoS service the following recommendations address some of the biggest challenges in mitigating the risk of outage due to a denial of service attack.

Technical / Preventative

Protect DNS

As we’ve seen throughout this report, DNS NXDOMAIN attacks are the preferred attack vector for most threat actors. If you operate your own DNS servers, which are responsible for resolving the domain names of your public-facing sites, it is highly recommended to deploy a DNS firewall. A mature DNS security solution will shield internal DNS servers from malicious DNS lookups, as well as provide additional security measures such as automatic DNSSEC signing, DNS-over-HTTPS (DoH), and DNS-over-TLS (DoT).
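The NXDOMAIN floods this report keeps returning to have a recognisable shape in resolver logs: one client, a very high proportion of NXDOMAIN answers, and those answers spread across many distinct (pseudo-random) labels under a single zone. The following detector is an added example written for this page, not F5 code or a product feature. It assumes a constructed one-line-per-query log format (epoch, client IP, query name, type, response code); the sample traffic is built in the block from RFC 5737 documentation addresses and is not real data. Adapt LOG_RE to whatever your resolver actually emits.

```python
"""Heuristic detection of DNS NXDOMAIN (random-subdomain) floods in resolver logs.

Added example for this report; not F5 code. The one-line-per-query log format
is a constructed assumption for illustration; adapt LOG_RE to your resolver.
"""
import hashlib
import re
from collections import defaultdict

# Assumed log format: "<epoch> client <ip> query <qname> <qtype> rcode <RCODE>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) client (?P<ip>[\d.]+) query (?P<qname>\S+) (?P<qtype>\S+) "
    r"rcode (?P<rcode>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def zone_of(qname, labels=2):
    """Collapse a query name to its last <labels> labels (e.g. 'example.com')."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-labels:])


def detect_nxdomain_floods(lines, min_queries=20, min_nx_ratio=0.8, min_distinct=10):
    """Flag clients whose traffic looks like an NXDOMAIN flood.

    A client is flagged when it sent at least min_queries queries, at least
    min_nx_ratio of them were answered NXDOMAIN, and those NXDOMAIN names span
    at least min_distinct distinct labels under one zone (the random-subdomain
    pattern). A client that merely mistypes a hostname a few times is not flagged.
    """
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                      "zones": defaultdict(set)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        st = per_client[rec["ip"]]
        st["queries"] += 1
        if rec["rcode"] == "NXDOMAIN":
            st["nxdomain"] += 1
            st["zones"][zone_of(rec["qname"])].add(rec["qname"])

    flagged = {}
    for ip, st in per_client.items():
        if st["queries"] < min_queries or not st["zones"]:
            continue
        ratio = st["nxdomain"] / st["queries"]
        if ratio < min_nx_ratio:
            continue
        zone, names = max(st["zones"].items(), key=lambda kv: len(kv[1]))
        if len(names) < min_distinct:
            continue
        flagged[ip] = {"queries": st["queries"], "nxdomain": st["nxdomain"],
                       "ratio": round(ratio, 2), "zone": zone,
                       "distinct_names": len(names)}
    return flagged


def build_sample_log():
    """Constructed sample traffic (RFC 5737 addresses), not captured data."""
    ts = 1700000000
    lines = []
    # Flood source: 30 queries for pseudo-random labels under one zone, all NXDOMAIN.
    for i in range(30):
        label = hashlib.sha1(f"flood{i}".encode()).hexdigest()[:6] + f"{i:02x}"
        lines.append(f"{ts + i} client 203.0.113.7 query {label}.example.com A rcode NXDOMAIN")
    # Ordinary client: 25 queries for real names, two of them typos.
    for i in range(25):
        if i in (3, 17):
            lines.append(f"{ts + i} client 198.51.100.5 query wwww.example.com A rcode NXDOMAIN")
        else:
            name = "www.example.com" if i % 2 == 0 else "mail.example.com"
            lines.append(f"{ts + i} client 198.51.100.5 query {name} A rcode NOERROR")
    # Low-volume source: all NXDOMAIN, but too few queries to say anything.
    for i in range(5):
        lines.append(f"{ts + i} client 192.0.2.9 query nope{i}.example.org A rcode NXDOMAIN")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, info in detect_nxdomain_floods(SAMPLE_LOG).items():
        print(ip, info)
```

The three thresholds matter more than the parsing. Requiring a minimum query count keeps a handful of typos from a single workstation out of the alert, and requiring many distinct names under one zone separates a flood from a misconfigured client hammering one non-existent record. Tune them against a week of your own resolver logs before acting on the output, and treat a hit as a reason to rate-limit or sinkhole the offending source at the DNS firewall rather than as proof of intent.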

Technical / Preventative

Block Malicious IP Addresses

The majority of DDoS attacks are UDP based and, as such, source IP addresses are often forged by the attacker. Some sectors, such as Banking and Financial Services, have seen many TCP SYN floods. For these attacks, the ability to block known bad IP addresses is essential.
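Blocking known bad addresses sounds simple until the list contains CIDR ranges as well as single hosts and the traffic has to be matched at scale. The block below is an added example written for this page, not F5 code: it parses a constructed blocklist (RFC 5737 documentation ranges, not real threat intelligence), counts bare SYNs per source in an assumed flow-log format, and splits sources into those already on the list (drop at the edge) and unlisted sources that exceed a SYN threshold (hand to an analyst). As the text notes, this kind of source-based control is only meaningful for vectors where the source address can be trusted; it tells you nothing useful about a spoofed UDP flood.

```python
"""Match TCP SYN sources against a known-bad IP/CIDR list.

Added example for this report, not F5 code. Blocklist entries and flow lines
are constructed (RFC 5737 documentation ranges); the log format is assumed.
"""
import ipaddress
import re
from collections import Counter

# Constructed blocklist: one CIDR range and one single host (not real intel).
BLOCKLIST = ["203.0.113.0/24", "198.51.100.42"]

# Assumed flow-log format: "<epoch> TCP <src>:<sport> -> <dst>:<dport> flags <flags>"
FLOW_RE = re.compile(
    r"^(?P<ts>\d+) TCP (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) flags (?P<flags>\S+)$"
)


def build_blocklist(entries):
    """Parse CIDR strings and bare addresses into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocked(ip, networks):
    """True if the address falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def triage_syn_sources(lines, networks, syn_threshold=50):
    """Count bare SYNs per source and split them into known-bad and unlisted.

    Returns a dict with:
      known_bad - sources on the blocklist and their SYN counts (drop at the edge)
      review    - unlisted sources at or above syn_threshold (analyst review)
    Only pure SYN packets (flags == "S") are counted, so established traffic
    does not inflate the SYN count.
    """
    syn_counts = Counter()
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if m is None or m.group("flags") != "S":
            continue
        syn_counts[m.group("src")] += 1

    known_bad, review = {}, {}
    for src, n in syn_counts.items():
        if is_blocked(src, networks):
            known_bad[src] = n
        elif n >= syn_threshold:
            review[src] = n
    return {"known_bad": known_bad, "review": review}


def build_sample_flows():
    """Constructed SYN-heavy sample, not captured traffic."""
    ts = 1700000000
    lines = []
    for i in range(120):   # 120 hosts in the listed /24, one SYN each, all to port 443
        lines.append(f"{ts} TCP 203.0.113.{i % 250 + 1}:{40000 + i} -> 192.0.2.10:443 flags S")
    for i in range(80):    # one unlisted host sending 80 bare SYNs
        lines.append(f"{ts} TCP 198.51.100.77:{50000 + i} -> 192.0.2.10:443 flags S")
    for i in range(3):     # ordinary client: a SYN followed by data on each connection
        lines.append(f"{ts} TCP 198.51.100.9:{60000 + i} -> 192.0.2.10:443 flags S")
        lines.append(f"{ts + 1} TCP 198.51.100.9:{60000 + i} -> 192.0.2.10:443 flags PA")
    return lines


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    result = triage_syn_sources(SAMPLE_FLOWS, build_blocklist(BLOCKLIST))
    print(len(result["known_bad"]), "listed sources;", result["review"], "for review")
```

The known-bad set is what you push to the edge device; the review set is deliberately not auto-blocked, because a legitimate load balancer or a busy NAT gateway can exceed a fixed SYN threshold. For a production list of any size, replace the linear `any()` scan with a longest-prefix-match structure, but the logic stays the same.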

Technical / Preventative

Identify Bots and Non-Human Traffic

Whether malicious automation is used to scrape a website for intellectual property or launch an application-layer denial of service attack, being able to differentiate bots from humans is becoming an essential part of any defence-in-depth strategy. Understand the capabilities you may have in-house and what can be provided by a cloud scrubbing service. In order to accurately identify non-human users it will be essential to terminate SSL/TLS connections to inspect the requests being sent to the origin (application) server. User-agents and other HTTP headers are forged by attackers so ensure the solution you pick is able to inspect the client device to determine whether it is a real user or a bot.

Technical / Detective

Gain Visibility

Although not often seen being used in the wild, the TLS handshake itself can be a target of denial of service attacks. Investigate where TLS is being terminated and whether the origin server, application delivery controller, or cloud scrubbing services, can handle a large volume of TLS connections and how it is able to deal with malicious attempts to overwhelm the TLS stack of the target device.

Beyond protecting TLS itself, it is important to be able to inspect inside the encrypted connection to look for malicious application requests. DNS, HTTP, and other protocols can be protected by TLS. But while this encryption layer prevents snooping and tampering, it also hinders security solutions unless they are the ones terminating the TLS handshake.

Technical / Corrective

Patch, Patch, Patch!

The past year has seen a plethora of new DoS attack vectors, many of which rely on unpatched software or hardware solutions. If you are responsible for managing a fleet of internet-of-things (IoT) devices then it is important to ensure they are constantly patched and kept up to date, lest they be subsumed into the latest DDoS botnet.

Administrative / Preventative

Be Aware of Geopolitical Events

Rising global tension and ongoing wars have proven to be a clear catalyst for a growth in hacktivism. Cyber threat intelligence will provide deeper insight into threat actor activity and their intentions for conducting DDoS and other cyber attacks.

Appendix
DDoS Attack Layer to MITRE ATT&CK Mapping

The MITRE ATT&CK framework provides a consistent way of understanding threats, and the controls which aim to mitigate associated risk. ATT&CK is gaining adoption, though there are many in the security industry who still use alternative terminology. For this reason we thought it useful to map ATT&CK terminology to that used by F5 and many other researchers in the security field.

General Classification | MITRE ATT&CK technique | MITRE ATT&CK sub-technique | Example attack vectors | F5 Attack Vectors
---------------------- | ---------------------- | -------------------------- | ---------------------- | -----------------
Application | Endpoint Denial of Service (T1499) | Service Exhaustion Flood (T1499.002) | HTTP(S) flood; Slowloris; TLS renegotiation; DNS query (NXDOMAIN) | HTTP GET; HTTPS GET; UDP DNS QUERY
Application | Endpoint Denial of Service (T1499) | Application Exhaustion Flood (T1499.003) | Heavy URL; Intensive SQL queries | 
Application | Endpoint Denial of Service (T1499) | Application or System Exploitation (T1499.004) | Exploit a vulnerability to crash a system or service | 
Protocol | Endpoint Denial of Service (T1499) | OS Exhaustion Flood (T1499.001) | TCP SYN floods; TCP ACK floods; TCP RST floods; UDP fragmentation | TCP ACK; TCP RST; TCP SYN; UDP FRAG
Volumetric | Network Denial of Service (T1498) | Direct Network Flood (T1498.001) | TCP flood; UDP flood; ICMP flood | UDP; ICMP
Volumetric | Network Denial of Service (T1498) | Reflection Amplification (T1498.002) | DNS reflection; NTP reflection; SNMP reflection; memcache reflection | Memcache; UDP LDAP REF; UDP NTP REF; UDP SNMP REF; UDP SSDP REF; UDP CHARGEN REF; UDP DNS REF

Table 1: Mapping DDoS attack layers to the MITRE ATT&CK framework

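Table 1 is most useful when applied to your own incident records, so that the per-quarter "distribution of attack types" and the micro/mini size buckets used throughout this report can be reproduced from local data. The block below is an added example written for this page, not F5 code or tooling: the vector-to-ATT&CK dictionary is transcribed from the "F5 Attack Vectors" column of Table 1, the size thresholds are the report's micro (under 200 Mbps) and mini (under 1 Gbps) definitions, the "large" label for anything from 1 Gbps upward is an assumption of the example, and the incident records are constructed. A vector name absent from Table 1 is kept as "Unknown" rather than dropped, so gaps in the mapping stay visible.

```python
"""Classify DDoS incidents with the Table 1 mapping and summarise them per quarter.

Added example for this report, not F5 code. Incident records are constructed;
vector names follow the "F5 Attack Vectors" column of Table 1.
"""
from collections import Counter, defaultdict
from datetime import date

# Table 1, keyed by F5 vector name: (layer, ATT&CK technique, ATT&CK sub-technique).
F5_VECTOR_TO_ATTACK = {
    "HTTP GET":        ("Application", "T1499", "T1499.002"),
    "HTTPS GET":       ("Application", "T1499", "T1499.002"),
    "UDP DNS QUERY":   ("Application", "T1499", "T1499.002"),
    "TCP ACK":         ("Protocol",    "T1499", "T1499.001"),
    "TCP RST":         ("Protocol",    "T1499", "T1499.001"),
    "TCP SYN":         ("Protocol",    "T1499", "T1499.001"),
    "UDP FRAG":        ("Protocol",    "T1499", "T1499.001"),
    "UDP":             ("Volumetric",  "T1498", "T1498.001"),
    "ICMP":            ("Volumetric",  "T1498", "T1498.001"),
    "Memcache":        ("Volumetric",  "T1498", "T1498.002"),
    "UDP LDAP REF":    ("Volumetric",  "T1498", "T1498.002"),
    "UDP NTP REF":     ("Volumetric",  "T1498", "T1498.002"),
    "UDP SNMP REF":    ("Volumetric",  "T1498", "T1498.002"),
    "UDP SSDP REF":    ("Volumetric",  "T1498", "T1498.002"),
    "UDP CHARGEN REF": ("Volumetric",  "T1498", "T1498.002"),
    "UDP DNS REF":     ("Volumetric",  "T1498", "T1498.002"),
}


def classify(vector):
    """Map an F5 vector name to (layer, technique, sub-technique).

    Unknown names are reported as such instead of raising, so a new vector
    shows up in the summary as a gap in the mapping."""
    return F5_VECTOR_TO_ATTACK.get(vector, ("Unknown", None, None))


def size_class(peak_mbps):
    """Size buckets from the report: micro (< 200 Mbps), mini (< 1 Gbps).
    'large' is this example's own label for everything from 1 Gbps upward."""
    if peak_mbps < 200:
        return "micro"
    if peak_mbps < 1000:
        return "mini"
    return "large"


def quarter_of(d):
    return f"Q{(d.month - 1) // 3 + 1}"


def summarize(incidents):
    """Return per-quarter layer proportions, sub-technique counts and size classes."""
    layer_by_q = defaultdict(Counter)
    subtech = Counter()
    sizes = Counter()
    for inc in incidents:
        layer, _tech, sub = classify(inc["vector"])
        layer_by_q[quarter_of(inc["date"])][layer] += 1
        subtech[sub or "unmapped"] += 1
        sizes[size_class(inc["peak_mbps"])] += 1
    proportions = {
        q: {layer: round(n / sum(c.values()), 2) for layer, n in c.items()}
        for q, c in layer_by_q.items()
    }
    return {"layer_by_quarter": proportions,
            "subtechniques": dict(subtech),
            "sizes": dict(sizes)}


# Constructed incident records (not from the report's dataset). Peak sizes in Mbps.
SAMPLE_INCIDENTS = [
    {"date": date(2023, 1, 12), "vector": "UDP DNS QUERY", "peak_mbps": 150},
    {"date": date(2023, 2, 3),  "vector": "UDP DNS QUERY", "peak_mbps": 90},
    {"date": date(2023, 2, 20), "vector": "HTTPS GET",     "peak_mbps": 40},
    {"date": date(2023, 3, 8),  "vector": "TCP SYN",       "peak_mbps": 600},
    {"date": date(2023, 4, 15), "vector": "UDP DNS REF",   "peak_mbps": 12000},
    {"date": date(2023, 5, 2),  "vector": "UDP",           "peak_mbps": 800},
    {"date": date(2023, 5, 30), "vector": "UDP DNS QUERY", "peak_mbps": 120},
    {"date": date(2023, 6, 11), "vector": "UDP FRAG",      "peak_mbps": 300},
    # Placeholder name deliberately absent from Table 1, to exercise the Unknown path.
    {"date": date(2023, 6, 25), "vector": "PLACEHOLDER VECTOR", "peak_mbps": 50},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_INCIDENTS))
```

On the constructed records the summary shows Q1 at 75% application layer and Q2 at 40% volumetric, with one unmapped vector flagged, and five of nine incidents in the micro bucket, the same mix of small attacks and occasional outliers the industry figures above describe.
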
Methodology

F5 Labs believes in an ‘academic’ and transparent approach to research and publication. As such, we believe it’s important to understand the context and limitations of data so as not to draw incorrect conclusions.

Normalization

In reports such as this, there is always the question of whether to normalize calculations based on the sample size for any given attribute. We might, for example, find the proportion of attacks for each country based on the number of protected organizations in that region, rather than simply reporting the raw number of incidents. Normalizing data can be a way to provide a more consistent view of activity when comparing different attributes, such as country, so long as the sample size is large enough. If France had one related organization and that organization received a single DDoS attack, that could be interpreted to mean that 100% of organizations in France are being attacked. For this reason we have decided not to normalize data to account for the number of organizations per region or industry. Instead we present to you the raw data and help you derive conclusions where possible.

Classifying Industries and Sectors

There exist only a few methods for mapping organizations to the industries and sectors in which they operate, and matters are complicated when considering that many large multinationals operate across many sectors. For example, a creator of plastics may be put into the bucket of manufacturing, healthcare (if they use their plastics to create medical equipment), or even retail (should they extend their reach into bottling up consumer goods).

For this report we have switched to a new method of identifying and classifying organizations. For this reason, readers may notice slight discrepancies between statistics and conclusions for industries in this report compared with previous publications.

We wanted a way to quickly and easily identify businesses based on their domain name, so we turned to the BigPicture API.14 BigPicture allows us to retrieve a huge amount of data about organizations and, while the data is all available publicly, the API means we can perform ad hoc and bulk lookups of domains, IP addresses, and company names. In return, we obtain the industry and sector for each business, and additional information such as the number of employees and the location of that organization’s headquarters. We use this information to determine the country and region for each company.

Many organizations will have offices located throughout the world, so it could be argued that deciding on one country in which to place a business is short-sighted. We believe, however, that especially when it comes to hacktivism, many threat actors will pick targets based on specific grievances against that company, or pick any company which is based in the country they are protesting against.

By using the BigPicture API other researchers and security experts can obtain results consistent with ours which will allow for simpler verification of our findings and conclusions.

Website Ranking

In order to determine website ranking based solely on domain name we use the Tranco list which, by their own definition, is “a research-oriented top sites ranking hardened against manipulation”. Tranco combines a number of sources in order to provide what we believe to be the most unbiased and accurate representation of the world’s one million most popular websites. The Tranco list is provided as a downloadable file, and is accessible via BigQuery or via their API.15

Authors & Contributors

David Warburton (Author)
Director, F5 Labs

Malcolm Heath (Contributor)
Sr. Threat Researcher

Footnotes

1Support Services are defined as entities which provide services such as HR, Payroll, and Finance to other organizations.

2https://www.europol.europa.eu/media-press/newsroom/news/global-crackdown-against-ddos-services-shuts-down-most-popular-platforms

3https://www.cert.europa.eu/static/SecurityAdvisories/2023/CERT-EU-SA2023-074.pdf

4https://blog.qualys.com/vulnerabilities-threat-research/2011/11/02/how-to-protect-against-slow-http-attacks

5https://kb.cert.org/vuls/id/421644

6https://vuls.cert.org/confluence/display/historical/CERT+Advisory+CA-1996-01+UDP+Port+Denial-of-Service+Attack

7https://cispa.de/en/loop-dos

8https://www.theregister.com/2024/03/24/loop_ip_vulnerable/

9https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33655

10https://www.f5.com/labs/articles/threat-intelligence/2023-ddos-attack-trends, https://www.f5.com/labs/articles/threat-intelligence/2022-application-protection-report-ddos-attack-trends

11https://www.mapmf.org/explorer?q=Distributed+Denial+of+Service&f.from=2022-01-01&f.to=2023-12-31&f.type_of_incident=Hacking%2FDDoS&sort=timestamp%3Adesc

12https://www.computerweekly.com/news/252527560/Killnet-DDoS-hacktivists-target-Royal-Family-and-others

13https://www.lemonde.fr/en/pixels/article/2023/03/27/france-s-assemblee-nationale-website-temporarily-blocked-by-a-group-of-pro-russian-hackers_6020872_13.html

14https://bigpicture.io/

15https://tranco-list.eu/
