The mantra for distributed denial of service (DDoS) attack methods this year seems to be ‘bigger and more' – or at least that's what research from Cloudflare's attack trends report for Q2 2020 seems to suggest.
Cloudflare detected double the amount of global L3/4 DDoS attacks compared to Q1, some of which were dubbed the biggest attacks ever recorded over its network.
The Q2 2020 quarter covered the period from 1 April to 1 June, when much of the world went into lockdown procedures to prevent further COVID-19 outbreaks.
In this quarter, Cloudflare's DDoS protection Gatebot detected more attack vectors across more geographies – however its data centers in the United States were hit hardest, followed by Germany, Canada, Great Britain, Australia, Brazil, Thailand, France, Japan, and Russia. Cloudflare has data centers in more than 200 cities worldwide.
Cloudflare states it also recorded the ‘biggest ever' attacks – 88% of all large (100 Gbps) attacks this year were launched after the lockdown period in March. Most of these large attacks sent around 200 million packets per second (pps).
Further, 51.5% of all attacks remained under 1 Gbps, while 38.3% hit between 1-10 Gbps,7.8% hit between 10-100 Gbps, and 2.4% went over 100 Gbps.
In June, Cloudflare detected a four-day DDoS campaign that leveraged 316,000 IP addresses against a single Cloudflare IP address. At its peak, the attack sent 754 million pps to the IP address. Cloudflare was able to detect and block the attack, with no effect on performance.
A statement from the company says, “A global interconnected network is crucial when mitigating large attacks in order to be able to absorb the attack traffic and mitigate it close to the source, whilst also continuing serving legitimate customer traffic without inducing latency or service interruptions.
DDoS attack vectors commonly used SYN floods formed the majority with over 57% in share, followed by RST (13%), UDP (7%), CLDAP (6%) and SSDP (3%).
Cloudflare explains that SYN floors work by exploiting the ‘handshake' process of TCP connections.
“By repeatedly sending initial connection request packets with a synchronize flag (SYN), the attacker attempts to overwhelm the router's connection table that tracks the state of TCP connections. The router replies with a packet that contains a synchronized acknowledgement flag (SYN-ACK), allocates a certain amount of memory for each given connection and falsely waits for the client to respond with a final acknowledgement (ACK). Given a sufficient number of SYNs that occupy the router's memory, the router is unable to allocate further memory for legitimate clients causing a denial of service.