Q4 2023 in Review: DDoS Attacks Report by StormWall
As we have done for the past several quarters, at StormWall, we’ve recently analyzed DDoS attack data targeting our clients.
All data used for the analysis comes from our worldwide network of strategically located scrubbing centers, which at peak loads filter up to 3500 Gbit/s. This data is what allows us to gain insights into the worldwide state of DDoS threats.
DDoS attacks: overview of the global trends
The fourth quarter is always a challenging period in terms of DDoS attacks, particularly for the retail sector. The frenzy of Black Friday, Cyber Monday, and winter holiday shopping pushes competition to its peak, and some market players resort to shady tactics, such as launching DDoS attacks against their competitors. The year 2023 was no exception. Looking a bit ahead, the retail industry ranked as the second most targeted sector this quarter, a significant jump from its seventh place in Q3 2023. If you want to learn about the state of DDoS attacks during the whole year, read our 2023 Year in Review report.
Other trends that influenced the DDoS threat landscape in the fourth quarter of 2023 included:
- Complex attacks becoming common. There was an increase in botnet deployment, DNS amplification attacks, and multi-vector attacks. One alarming trend we’ve been tracking is hyper-volumetric HTTP DDoS attacks, which exploit the HTTP/2 Rapid Reset flaw and can peak at hundreds of millions of requests per second, far more than inadequately protected applications can handle.
- Cybercriminals adopted the “hit and run” method. The majority of Q4 DDoS attacks were hit-and-run style, lasting 30 minutes or less. Such attacks sometimes probe a target's defenses before a larger, sustained attack.
- Geopolitics continued to shape the DDoS landscape. Politically motivated hacktivists targeted multiple states involved in ongoing conflicts, especially the Russia-Ukraine and Israel-Palestine clashes. They aimed at critical infrastructure and the public sector, including energy plants: attacks on energy infrastructure jumped 109% YoY.
- Market competition, particularly in retail, finance, and logistics, intensified. Retailers globally faced attacks during Black Friday, often instigated by competitors. Similar incidents spiked just before Christmas and New Year’s, coinciding with the holiday shopping spree.
The impact of the Israel-Hamas conflict
In October, the Israel-Hamas conflict triggered a significant surge in DDoS attacks targeting Israeli digital services. The majority of these cyberattacks, 42%, focused on government websites. News and media sites experienced about 14% of the attacks, while travel-related websites faced 12%.
The scale of these network-level, volumetric DDoS attacks varied considerably, ranging from 1.2 Gbps to a massive 135 Gbps. On the application layer, Web DDoS attacks fluctuated between 9,000 HTTPS Requests per Second (RPS) and a peak of 2 million RPS.
While some DDoS attacks were brief, lasting merely a few minutes, many spanned several hours, with a few extending up to 24 hours. In prolonged attacks, assailants frequently altered their tactics, switching to a different attack method whenever the target detected and countered the initial vectors.
Attack share breakdown by industry
[Figure: Industries with highest YoY growth in DDoS attacks in Q4 2023]
Here are the main trends to highlight this quarter:
- For the first time in our reports, the energy sector is among the top targeted industries, showing a massive 109% increase in attacks. Energy operators need to be on high alert.
- Attacks on government bodies are at the top and show no signs of decreasing. Most are conducted by well-organized, state-sponsored groups.
- Attacks in retail have surged, accounting for 17% of all incidents. This spike is linked to Black Friday, Cyber Monday, and winter holiday shopping — a recurring trend each year.
Government sector
The government sector faced 21% of all attacks, a 162% increase compared to last year. However, it's slightly less than the 26% seen in the previous quarter.
Attacks on government systems were the main trend in late 2023. These attacks, which were first focused mostly on Europe, have now spread to the Middle East due to the Israel-Palestine conflict.
We are seeing increased use of advanced DDoS techniques, including multi-vector attacks, DNS amplification, TCP direct-path attacks, and application-layer attacks.
Retail
The retail industry saw 17% of overall attacks, a 127% year-over-year increase. This is a big jump from just 6% last quarter, highlighting the holiday season's impact on DDoS activity in this sector.
In the MENA region, DDoS activity rose by over 45%. The Middle East's retail sector is rapidly going digital, but some infrastructure is still developing, making it more attack-prone. Cybercriminals, including professional hackers and unfair competitors, exploit these weaknesses.
Even brief attacks can disrupt network operations, causing downtime that lasts much longer than the attack itself. This can drive customers to rival websites, harming reputation and causing financial losses.
Telecommunications
The telecommunications sector experienced 15% of attacks, an 84% increase from last year. This is similar to last quarter's 14%.
This sector includes service providers and network operators, crucial for cell and internet services for businesses, governments, hospitals, and transport systems. Disrupting telecom services can cause widespread connectivity issues, making them prime targets for extortion and activism.
The threat to look out for is “carpet bombing”, also called “bits and pieces” attacks. These DDoS techniques flood a network with small amounts of junk traffic spread across many IP addresses, targeting multiple hosts at once. Because no single destination receives enough traffic to stand out, the attack can go unnoticed by firewalls, load balancers, and per-host rate thresholds.
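The evasion described above comes down to where a threshold is applied. The following added example (not StormWall's code) runs a classic per-destination threshold and an aggregate per-/24 threshold over a constructed one-second flow sample; the flow records, addresses and both threshold values are constructed for illustration.

```python
"""Carpet-bombing detection: per-host thresholds versus per-prefix aggregation.

Added example, not StormWall's code. The flow sample and thresholds are constructed.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed 1-second flow sample as (dst_ip, packets). Every host in
# 203.0.113.0/24 receives a small trickle, so no single host looks abnormal.
FLOWS = [(f"203.0.113.{h}", 400) for h in range(1, 255)]
FLOWS += [("198.51.100.7", 900)]   # one ordinary busy host, legitimate load

PER_HOST_PPS = 1_000      # constructed per-destination limit
PER_PREFIX_PPS = 50_000   # constructed aggregate limit per /24


def per_host_alerts(flows, limit=PER_HOST_PPS):
    """Classic per-destination thresholding: return hosts above the limit."""
    pps = defaultdict(int)
    for dst, pkts in flows:
        pps[dst] += pkts
    return sorted(dst for dst, n in pps.items() if n > limit)


def per_prefix_alerts(flows, limit=PER_PREFIX_PPS, prefixlen=24):
    """Aggregate by destination prefix and return (prefix, total_pps, hosts_hit)
    for prefixes above the limit. A high hosts_hit count with a large total is
    the carpet-bombing signature: volume spread thin rather than concentrated."""
    totals = defaultdict(int)
    hosts = defaultdict(set)
    for dst, pkts in flows:
        prefix = ip_network(f"{dst}/{prefixlen}", strict=False)
        totals[prefix] += pkts
        hosts[prefix].add(dst)
    return [(str(p), n, len(hosts[p])) for p, n in totals.items() if n > limit]


if __name__ == "__main__":
    print("per-host alerts:", per_host_alerts(FLOWS))    # [] : the flood is missed
    print("per-/24 alerts: ", per_prefix_alerts(FLOWS))  # the /24 with 254 hosts fires
```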
Finance
The finance sector faced 12% of DDoS attacks, a 47% increase from last year. Despite a drop from last quarter's 21%, financial services still face a substantial number of attacks, especially in the Middle East, where Israeli banking infrastructure came under fire.
In the Middle Eastern finance vertical, we observed attackers favoring volumetric, network-level DDoS attacks ranging from 1.2 Gbps to 135 Gbps. They also used application-layer Web DDoS attacks, varying from 9,000 HTTPS RPS to 2 million RPS.
Energy sector
The energy sector, with 9% of this quarter's DDoS attacks, has seen a significant rise, marking a 109% year-over-year increase — almost on par with the retail sector.
Affected infrastructure includes power grids, which can leave large areas without electricity. Attackers are also targeting IoT devices used in energy plant operations to initiate further botnet attacks. This makes energy plants vulnerable not just as targets, but also as potential sources of DDoS attacks.
Other notable industries
- Entertainment: in this sector (8% of attacks, 36% YoY growth), the main targets were gaming and betting services. Attackers use cloud platforms to build powerful botnets and flood game and betting servers with traffic over the HTTP protocol. The aim is to make games unplayable, decrease player numbers, and use that as leverage to extort money.
- Transportation: Here, 7% of attacks were noted, up 28% from last year. Although transportation is still a target, the growth rate has dropped from last quarter's 86%, and the share decreased from 9% to 7%. This indicates a shift in focus to sectors like government and energy.
- Healthcare: this sector, with a 5% share of attacks and a 64% growth, experienced a significant rise in politically motivated attacks. Notably, there were widespread DDoS attacks against hospitals. For example, a DDoS attack against several hospitals in Singapore caused an internet outage that lasted for 7 hours.
- Education: this sector faced 4% of attacks with a 12% year-over-year growth, largely due to politically motivated actors.
DDoS attacks by country
Looking at where DDoS attacks happen shows how much the Israel-Palestine conflict affects the threat landscape. China (12.6%), the USA (12.2%), and India (11.7%) are still the top targets, but now Israel is fourth with 10.6% of attacks. As a reminder, last quarter, Israel was under 1% and not even on our list.
Also, Russia and Ukraine are now lower on the list, with 3.1% and 1.2% of attacks. In the EU, Belgium (7.6%) and Spain (6.8%) are seeing more attacks, getting close to the UK and France in how often they're targeted.
DDoS Attacks: breakdown by protocol
In the final quarter of 2023, HTTP attacks took center stage, accounting for 86% of all incidents. Attacks targeting TCP/UDP made up 9% of the total, and DNS attacks 4%, a steady increase compared to the previous quarter.
A standout method was the DNS laundering attack, in which attackers bombard DNS servers with requests for random subdomains, causing major disruptions. Another growing threat was mDNS attacks, which exploit local network protocols to amplify attacks.
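A random-subdomain flood leaves a recognisable trace in authoritative server logs: a burst of never-before-seen labels under one zone, most of them answered NXDOMAIN. The following added example (not StormWall's code) flags that pattern on a constructed query log; the zone name, log format and thresholds are constructed for illustration.

```python
"""Random-subdomain (DNS laundering) flood detection on a constructed query log.

Added example, not StormWall's code. Zone, log entries and limits are constructed.
"""
import math
import random
from collections import Counter

random.seed(7)
ZONE = "example.com."
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def _rand_label(n=12):
    return "".join(random.choice(ALPHABET) for _ in range(n))


# Constructed log, one "<qname> <rcode>" entry per query: a legitimate baseline
# of two real names, then a flood of random labels that all resolve to NXDOMAIN.
BASELINE = [f"www.{ZONE} NOERROR"] * 60 + [f"mail.{ZONE} NOERROR"] * 40
FLOOD = [f"{_rand_label()}.{ZONE} NXDOMAIN" for _ in range(500)]


def label_entropy(labels):
    """Shannon entropy (bits) of the label distribution; it approaches log2(N)
    when nearly every query carries a fresh label."""
    counts = Counter(labels)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def analyze(log, zone=ZONE, min_unique=200, min_nx_ratio=0.5):
    """Summarise queries under one zone and flag a flood when both the
    unique-label count and the NXDOMAIN ratio exceed their limits."""
    labels, nxdomain = [], 0
    for entry in log:
        qname, rcode = entry.split()
        if not qname.endswith("." + zone):
            continue                             # other zones are out of scope
        labels.append(qname[: -len(zone) - 1])   # label(s) left of the zone
        nxdomain += 1 if rcode == "NXDOMAIN" else 0
    unique = len(set(labels))
    ratio = nxdomain / len(labels) if labels else 0.0
    return {
        "queries": len(labels),
        "unique_labels": unique,
        "nxdomain_ratio": round(ratio, 3),
        "entropy_bits": round(label_entropy(labels), 2) if labels else 0.0,
        "flood": unique >= min_unique and ratio >= min_nx_ratio,
    }


if __name__ == "__main__":
    print("baseline:", analyze(BASELINE))          # flood: False
    print("attack:  ", analyze(BASELINE + FLOOD))  # flood: True
```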
[Figure: Breakdown of attacks by protocol]
Conclusions
As we wrap up our analysis of DDoS attack trends for this quarter, here are the factors that stand out the most:
- There's been an increase in botnet, DNS amplification, and multi-vector attacks. Notably, Hyper-Volumetric HTTP DDoS attacks exploited the HTTP/2 rapid reset flaw.
- The retail, finance, and logistics sectors saw a spike in attacks during key shopping periods like Black Friday and the Christmas-New Year season, often driven by competitors.
- Most Q4 DDoS attacks were short, lasting 30 minutes or less. These quick attacks often tested defenses before launching larger assaults.
- DDoS attacks were heavily influenced by politics, particularly by the Israel-Palestine conflict. Critical sectors were primary targets, and attacks on energy infrastructure jumped by 109% year-over-year.
An arms race of sorts is happening between attackers and security experts to gain the edge in attack power or defense capability. However, offensive tools tend to be adopted first. While the most advanced DDoS tools start out as closed-source tools, they eventually leak and get used widely and indiscriminately. This means everyone on the internet eventually feels the impact.
That’s why protection against DDoS is so important for all resources, big or small.