Halloween 2024 made history with a massive spike in distributed denial of service (DDoS) attacks, with one particular assault reaching over 5 Terabits-per-second (Tbps) worth of phony traffic.
In its quarterly analysis of DDoS attacks, Cloudflare reported a surge in hyper-volumetric attacks in the fourth quarter of 2024.
“In the fourth quarter, over 420 of those attacks were hyper-volumetric, exceeding rates of 1 billion packets per second (pps) and 1 Tbps,” Cloudflare researchers said in a blog post. “During the week of Halloween 2024, Cloudflare’s DDoS defense systems successfully and autonomously detected and blocked a 5.6 Terabit per second attack, the largest ever reported.”
These attacks, researchers noted, grew by a staggering 1885% quarter-over-quarter (QoQ).
Almost seven million DDoS attacks in the quarter
Cloudflare reportedly mitigated 6.9 million DDoS attacks in 2024 Q4, a 16% QoQ jump. The number also represented an 83% year-over-year (YoY) increase.
“Of the 2024 Q4 DDoS attacks, 49% (3.4 million) were Layer 3/Layer 4 DDoS attacks and 51% (3.5 million) were HTTP DDoS attacks,” the post added.
Six percent of the L3/L4 attacks were attributed to Mirai botnets. The largest DDoS attack on record (5.6 Tbps) was launched by a Mirai-variant botnet on October 29. The attack targeted an internet service provider (ISP) in Eastern Asia that is protected by Cloudflare’s Magic Transit service. It lasted only 80 seconds, however.
Recently, a new Mirai botnet variant was found to be used for zero-day attacks on industrial routers. An even newer variant, dubbed Murdoc_Botnet, has been found targeting AVTech Cameras and Huawei routers, using known vulnerabilities for initial access.
Cloudflare’s analysis found that 73% of HTTP DDoS attacks in the quarter were launched by known botnets. Other categories included traffic impersonating a legitimate browser (11%) and requests carrying suspicious or unusual HTTP attributes (10%).
Connected devices were the most targeted
HITV_ST_PLATFORM, a user-agent string associated with smart TVs and set-top boxes, was almost exclusively (99.9%) seen in DDoS traffic during the quarter. “In other words, if you see traffic coming from the HITV_ST_PLATFORM user agent, there is a 0.1% chance that it is legitimate traffic,” the post noted.
Additionally, thirteen of the most commonly used user agents were outdated Chrome versions, between 118 and 129. At the time of the report, the current version of Chrome for all operating systems was 132.
“Threat actors often avoid using uncommon user agents, favoring more common ones like Chrome to blend in with regular traffic,” the researchers said. “The presence of the HITV_ST_PLATFORM user agent, which is associated with smart TVs and set-top boxes, suggests that the devices involved in certain cyberattacks are compromised smart TVs or set-top boxes.”
Among the most common HTTP methods, which define the action to be performed on a resource on a server, were GET (70%), which retrieves data from a server, and POST (27%), which submits or pushes data to a server.
Another finding placed Indonesia as the leading source of DDoS attacks worldwide, followed closely by Hong Kong, Singapore, and Ukraine.
A Cloudflare customer survey revealed that 40% of DDoS attacks were launched by competitors, 17% by state-sponsored threat actors, and 14% by financially motivated attackers.
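The two findings above that a defender can act on directly are the user-agent signals (the HITV_ST_PLATFORM string and the stale Chrome 118–129 versions) and the HTTP method mix. The following script is an added example, not code from the article or from Cloudflare: it parses web-server access logs in Combined Log Format, labels each request’s user agent according to the report’s findings, and tallies HTTP methods so the GET/POST ratio can be compared against a baseline. The log lines, IP addresses and the `parse_line`/`classify_user_agent`/`scan_log` helpers are all constructed for this example; the thresholds (current Chrome 132, stale range 118–129) are taken from the article.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Combined Log Format). Not real traffic;
# the 203.0.113.0/24 range is reserved for documentation.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Oct/2024:14:02:01 +0000] "GET / HTTP/1.1" 200 512 "-" "HITV_ST_PLATFORM"
203.0.113.11 - - [29/Oct/2024:14:02:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36"
203.0.113.12 - - [29/Oct/2024:14:02:02 +0000] "POST /login HTTP/1.1" 200 128 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36"
203.0.113.13 - - [29/Oct/2024:14:02:02 +0000] "GET /api HTTP/1.1" 200 64 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
203.0.113.14 - - [29/Oct/2024:14:02:03 +0000] "GET /robots.txt HTTP/1.1" 200 32 "-" "curl/8.4.0"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHROME_RE = re.compile(r"Chrome/(\d+)\.")

# Values from the article: Chrome 132 was current; 118..129 were the stale
# versions seen among the most common attacking user agents.
CURRENT_CHROME_MAJOR = 132
STALE_CHROME_RANGE = range(118, 130)  # 118..129 inclusive
FLAGGED_LABELS = {"hitv_st_platform", "stale_chrome"}


def parse_line(line):
    """Return a dict of log fields, or None if the line is not Combined Log Format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_user_agent(ua):
    """Label a user agent using the report's findings (hypothetical labels)."""
    if ua == "HITV_ST_PLATFORM":
        return "hitv_st_platform"          # 99.9% of this UA's traffic was DDoS
    m = CHROME_RE.search(ua)
    if m:
        major = int(m.group(1))
        return "stale_chrome" if major in STALE_CHROME_RANGE else "chrome"
    return "other"


def scan_log(text):
    """Parse log text; return (label counts, HTTP method counts, flagged records)."""
    labels, methods, flagged = Counter(), Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            labels["unparsed"] += 1
            continue
        methods[rec["method"]] += 1
        label = classify_user_agent(rec["ua"])
        labels[label] += 1
        if label in FLAGGED_LABELS:
            flagged.append({"ip": rec["ip"], "method": rec["method"],
                            "path": rec["path"], "label": label})
    return labels, methods, flagged


def method_share(methods):
    """Percentage share of each HTTP method, for comparison with a known baseline."""
    total = sum(methods.values()) or 1
    return {m: round(100.0 * n / total, 1) for m, n in methods.items()}


if __name__ == "__main__":
    labels, methods, flagged = scan_log(SAMPLE_LOG)
    print("user-agent labels:", dict(labels))
    print("method share (%):", method_share(methods))
    for rec in flagged:
        print("flagged:", rec)
```

Flagged records are candidates for rate limiting or challenge pages rather than outright blocks: the 0.1% of legitimate HITV_ST_PLATFORM traffic and ordinary users on un-updated Chrome are the false positives to budget for. A sustained shift of the method share away from the site's own baseline is the volumetric signal to alert on.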