Cloudflare blocked 21.3 million DDoS attacks last year

23 January 2025


Halloween 2024 was the worst ever

Cloudflare’s autonomous DDoS defence systems thwarted approximately 21.3 million DDoS attacks in 2024, a significant 53 per cent increase from 2023.

According to the company’s latest report, Cloudflare blocked 4,870 DDoS attacks every hour in 2024.

In the fourth quarter alone, more than 420 of those attacks were hyper-volumetric, exceeding rates of 1 billion packets per second (pps) and 1 Tbps. Additionally, the number of attacks surpassing 1 Tbps grew by 1,885 per cent quarter-over-quarter.

During the week of Halloween 2024, Cloudflare’s defence systems autonomously detected and blocked a record-breaking 5.6 Terabit per second (Tbps) DDoS attack — the largest ever reported.

In the fourth quarter of 2024 alone, Cloudflare mitigated 6.9 million DDoS attacks, a 16 per cent increase quarter-over-quarter (QoQ) and an 83 per cent increase year-over-year (YoY).

Of the 2024 Q4 DDoS attacks, 49 per cent (3.4 million) were Layer 3/Layer 4 DDoS attacks, while 51 per cent (3.5 million) were HTTP DDoS attacks.

Most HTTP DDoS attacks (73 per cent) were launched by known botnets. Operating a massive network made rapid detection and blocking of these attacks possible, and it enables security engineers and researchers to develop heuristics that increase mitigation efficacy against them.

An additional 11 per cent of the attacks were HTTP DDoS attempts pretending to be legitimate browsers. Another 10 per cent involved suspicious or unusual HTTP attributes, while the remaining 8 per cent comprised generic HTTP floods, volumetric cache-busting attacks, and attacks targeting login endpoints.

On the plus side, the hackers are lagging in using the latest software. The report said that the current stable version of Chrome for Windows, Mac, iOS, and Android is 132. However, threat actors are using Chrome versions 118 to 129.

The HITV_ST_PLATFORM user agent had the highest share of DDoS requests: 99.9 per cent of the requests carrying it were part of DDoS attacks, making it the predominant agent used in DDoS attacks. Traffic from this user agent has a mere 0.1 per cent chance of being legitimate.

Threat actors often favour more common user agents like Chrome to blend in with regular traffic. The HITV_ST_PLATFORM user agent, associated with smart TVs and set-top boxes, indicates compromised smart TVs or set-top boxes involved in cyberattacks. This highlights the importance of securing all Internet-connected devices.

The hackney user agent came second, with 93 per cent of requests linked to DDoS attacks. Hackney, an HTTP client library for Erlang, and other user agents like uTorrent, Go-http-client, and fasthttp were also commonly used in DDoS attacks.

HTTP methods, or verbs, define the action performed on a server resource. GET is the most common method (70 per cent) in legitimate HTTP traffic, followed by the POST method (27 per cent).

In DDoS attacks, however, 14 per cent of HTTP requests used the HEAD method, despite its minimal presence in legitimate traffic (0.75 per cent). The DELETE method came in second for DDoS attacks (7 per cent).

HTTP paths describe server resources. In 2024 Q4, 98 per cent of HTTP requests towards the /wp-admin/ path were part of DDoS attacks. This path is the default administrator dashboard for WordPress websites.
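The user-agent, method and path figures above can be turned into a first-pass log triage. The sketch below is an added example, not code from the report or from Cloudflare: it scores access-log requests against those signals and checks whether HEAD traffic in a window is far above its 0.75 per cent legitimate share. The weights, the flagging threshold, the 10x HEAD multiplier, the function names and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Signals come from the report's figures; weights and thresholds are assumptions.
HIGH_RISK_UA = ("HITV_ST_PLATFORM", "hackney")   # 99.9 and 93 per cent DDoS share
TOOL_UA = ("uTorrent", "Go-http-client", "fasthttp")
STALE_CHROME = range(118, 130)                   # Chrome 118 to 129
LEGIT_HEAD_SHARE = 0.0075                        # HEAD share of legitimate traffic
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def parse(line):
    """Return (ip, method, path, user_agent), or None for a malformed line."""
    m = LINE.match(line.strip())
    return m.groups() if m else None

def score(method, path, ua):
    """Sum the assumed weights of every report-derived signal the request shows."""
    s = 0
    if any(t in ua for t in HIGH_RISK_UA):
        s += 5
    elif any(t in ua for t in TOOL_UA):
        s += 2
    m = re.search(r"Chrome/(\d+)\.", ua)
    if m and int(m.group(1)) in STALE_CHROME:
        s += 1  # weak signal: legitimate users also run old browsers
    if method in ("HEAD", "DELETE"):
        s += 2
    if path.startswith("/wp-admin/"):
        s += 2
    return s

def triage(lines, threshold=4):
    """Return (flagged_ips, head_share, head_skewed) for one window of log lines."""
    reqs = [r for r in map(parse, lines) if r]
    worst, methods = Counter(), Counter()
    for ip, method, path, ua in reqs:
        methods[method] += 1
        worst[ip] = max(worst[ip], score(method, path, ua))
    head_share = methods["HEAD"] / len(reqs) if reqs else 0.0
    flagged = sorted(ip for ip, s in worst.items() if s >= threshold)
    return flagged, head_share, head_share > 10 * LEGIT_HEAD_SHARE

# Constructed sample window using documentation IP ranges, not real traffic.
SAMPLE = [
    '198.51.100.7 - - [31/Oct/2024:10:00:01 +0000] "HEAD /wp-admin/ HTTP/1.1" 403 0 "-" "HITV_ST_PLATFORM"',
    '198.51.100.9 - - [31/Oct/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "hackney/1.20.1"',
    '203.0.113.5 - - [31/Oct/2024:10:00:02 +0000] "GET /a HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Chrome/132.0.0.0"',
    '203.0.113.8 - - [31/Oct/2024:10:00:03 +0000] "POST /login HTTP/1.1" 200 128 "-" "Mozilla/5.0 Chrome/125.0.0.0"',
    "truncated line",
]
```

An outdated Chrome version alone scores below the threshold here, because many legitimate users also run old browsers; it only contributes alongside other signals.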

Last modified on 23 January 2025