The first quarter of 2021 was a busy one for attackers. Cloudflare automatically detected and mitigated DDoS attacks across its global network using its autonomous edge DDoS detection and mitigation engine. This report includes the DDoS insights and trends as observed on our network. For a deep dive analysis, check out our Q1 DDoS attack trends blog.

When we analyze attacks, we calculate the 'DDoS activity' rate, which is the percent of attack traffic out of the total traffic (attack + clean). This allows us to normalize the data points and avoid biases towards, for example, a data center that sees more traffic and therefore also more attacks.

• In 2021 Q1, the country with the highest percentage of HTTP attack traffic was China. This was followed by the United States, Malaysia, and India.
• The telecommunication industry was the most attacked in Q1. Followed by Consumer Services, Security and Investigations, Internet and Cryptocurrency.
• The most attacked Internet properties were of companies based in China, the US, and Morocco.

• On the Cloudflare network, the highest DDoS activity was observed in data centers in Rwanda, China, and Brunei.
• Almost 44% of all of the attacks in Q1 occurred in January.
• Top emerging threats include attacks targeting Jenkins and TeamSpeak3 servers, which increased by 940% and 203% QoQ, respectively.
• Additional emerging threats include floods of QUIC version negotiation packets that may have been an attempt to disrupt Cloudflare's infrastructure.

Application-layer DDoS attacks, or HTTP DDoS attacks, are attacks that aim to disrupt an HTTP server by making it unable to process requests. If a server is bombarded with more requests than it can process, the server will drop legitimate requests or even crash.

While application layer attacks strike the application (Layer 7 of the OSI model) running the service end users are trying to access, network layer attacks target exposed network infrastructure (such as in-line routers and other network servers) and the Internet link itself.

On a monthly basis, January was Q1’s busiest month for attackers, constituting 42% of the total attacks observed in the quarter.

There are different ways of measuring a L3/4 DDoS attack’s size. One is the volume of traffic it delivers, measured as the bit rate (specifically, gigabits-per-second). Another is the number of packets it delivers, measured as the packet rate (specifically, packets-per-second). Attacks with high bit rates attempt to saturate the Internet link, while attacks with high packet rates attempt to overwhelm the routers or other in-line hardware devices.

An attack vector is the attack method that the attacker utilizes. In 2021 Q1, SYN flood attacks continued to remain the most popular attack vector used by attackers, followed by RST, UDP, and DNS amplification attacks.

Emerging threats are attack vectors that have significantly increased compared to the previous quarter.

Unlike application-layer DDoS attacks, attackers can (and typically do) spoof the source IP address to obfuscate the source location of the DDoS attack. For this reason, when analyzing L3/4 DDoS attacks, we bucket the traffic by the Cloudflare edge data center locations where the traffic was ingested, and not by the location of the source IP. Cloudflare is able to overcome the challenges of spoofed IPs by displaying the attack data by the location of Cloudflare's data center in which the attack was observed. We're able to achieve geographical accuracy in our report because we have data centers in over 200 cities around the world.