DDoS Attack Trends for 2021 Q1Tendencias de los ataques DDoS en el primer trimestre de 2021
Cloudflare automatically detects and mitigates DDoS attacks across its global network using its autonomous edge DDoS detection and mitigation engine. This report includes the DDoS insights and trends as observed on our network.
Report metadata
DDoS Protection Team | |
19 abr 2021 | |
Related Reports
- DDoS Attack Trends for 2021 Q1
- DDoS Attack Trends for 2021 Q2
- DDoS Attack Trends for 2021 Q3
- DDoS Attack Trends for 2021 Q4
- DDoS Attack Trends for 2022 Q1
- DDoS Attack Trends for 2022 Q2
- DDoS Attack Trends for 2022 Q3
- DDoS Attack Trends for 2022 Q4
- DDoS Attack Trends for 2023 Q1
- DDoS Attack Trends for 2023 Q2
- DDoS Attack Trends for 2023 Q3
- DDoS Attack Trends for 2023 Q4
- DDoS Attack Trends for 2024 Q1
- DDoS threat report for 2024 Q2
- DDoS threat report for 2024 Q3
Table of contents
DDoS attack trends for 2021 Q1
The first quarter of 2021 was a busy one for attackers. Cloudflare automatically detected and mitigated DDoS attacks across its global network using its autonomous edge DDoS detection and mitigation engine. This report includes the DDoS insights and trends as observed on our network. For a deep dive analysis, check out our Q1 DDoS attack trends blog.
DDoS activity
When we analyze attacks, we calculate the 'DDoS activity' rate, which is the percent of attack traffic out of the total traffic (attack + clean). This allows us to normalize the data points and avoid biases towards, for example, a data center that sees more traffic and therefore also more attacks.
Highlights: Application-layer DDoS attacks
- In 2021 Q1, the country with the highest percentage of HTTP attack traffic was China. This was followed by the United States, Malaysia, and India.
- The telecommunication industry was the most attacked in Q1. Followed by Consumer Services, Security and Investigations, Internet and Cryptocurrency.
- The most attacked Internet properties were of companies based in China, the US, and Morocco.
Highlights: Network-layer DDoS attacks
- On the Cloudflare network, the highest DDoS activity was observed in data centers in Rwanda, China, and Brunei.
- Almost 44% of all of the attacks in Q1 occurred in January.
- Top emerging threats include attacks targeting Jenkins and TeamSpeak3 servers, which increased by 940% and 203% QoQ, respectively.
- Additional emerging threats include floods of QUIC version negotiation packets that may have been an attempt to disrupt Cloudflare's infrastructure.
Application-layer DDoS attacks
Application-layer DDoS attacks, or HTTP DDoS attacks, are attacks that aim to disrupt an HTTP server by making it unable to process requests. If a server is bombarded with more requests than it can process, the server will drop legitimate requests or even crash.
DDoS attack activity
Network-layer DDoS attacks
While application layer attacks strike the application (Layer 7 of the OSI model) running the service end users are trying to access, network layer attacks target exposed network infrastructure (such as in-line routers and other network servers) and the Internet link itself.
Number of attacks
On a monthly basis, January was Q1’s busiest month for attackers, constituting 42% of the total attacks observed in the quarter.
Size of attacks
There are different ways of measuring a L3/4 DDoS attack’s size. One is the volume of traffic it delivers, measured as the bit rate (specifically, gigabits-per-second). Another is the number of packets it delivers, measured as the packet rate (specifically, packets-per-second). Attacks with high bit rates attempt to saturate the Internet link, while attacks with high packet rates attempt to overwhelm the routers or other in-line hardware devices.
Duration of attacks
Attack vectors
An attack vector is the attack method that the attacker utilizes. In 2021 Q1, SYN flood attacks continued to remain the most popular attack vector used by attackers, followed by RST, UDP, and DNS amplification attacks.
Emerging threats
Emerging threats are attack vectors that have significantly increased compared to the previous quarter.
DDoS activity by Cloudflare data center country
Unlike application-layer DDoS attacks, attackers can (and typically do) spoof the source IP address to obfuscate the source location of the DDoS attack. For this reason, when analyzing L3/4 DDoS attacks, we bucket the traffic by the Cloudflare edge data center locations where the traffic was ingested, and not by the location of the source IP. Cloudflare is able to overcome the challenges of spoofed IPs by displaying the attack data by the location of Cloudflare's data center in which the attack was observed. We're able to achieve geographical accuracy in our report because we have data centers in over 200 cities around the world.