Distributed denial of service attacks hit an all-time high in 2023, more than doubling year over year in the fourth quarter, Cloudflare said Tuesday in a threat report.

The record high year for DDoS attacks coincided with mass exploits of the novel zero-day vulnerability HTTP/2 Rapid Reset, which threat actors used to launch DDoS attacks that broke records during the third quarter of 2023.

Cloudflare said it was mitigating about 201 million requests per second at the peak of the series of HTTP/2 vulnerability attacks.

Massive DDoS attacks require significantly fewer capabilities, resources and time, according to Omer Yoachimik, senior product manager of DDoS protection and security reporting at Cloudflare.

“In 2019, to launch an attack that reaches 3 million requests per second, you’d need at least a million IoT bots,” Yoachimik said via email. “Today, in 2024, to launch attacks that easily exceed 100 million requests per second, you only need 5,000 to 20,000 virtual machines.”

“Generative AI tools also help to improve scripts and execute more sophisticated attacks,” he said.

Some DDoS attacks are causing more significant damage, such as a series of DDoS attacks against Microsoft in  June that led to disruptions across multiple services including Azure, OneDrive and Outlook.

Prime targets

DDoS attacks were more prevalent in retail, shipment and public relations sites around the holiday shopping season, the company said.

Cloudflare said it mitigated more than 5.2 million HTTP DDoS attacks consisting of more than 26 trillion requests in 2023. While that’s a 20% decline compared to 2022 levels, mitigated network-layer DDoS attacks surged 85% to 8.7 million incidents in 2023, the company said.

“On average, our systems auto-mitigated 996 network-layer DDoS attacks and 27 terabytes every hour,” Cloudflare said in the report. “The number of network-layer DDoS attacks in 2023 Q4 increased by 175% year over year and 25% quarter over quarter.”

Malicious actors can use cloud infrastructure to create botnets that are up to 5,000 times stronger than IoT-based botnets, according to Yaochimik.

The decline in HTTP DDoS attack traffic and increase in network-layer DDoS attacks follows a similar trend, as the former requires significantly less computation and bandwidth but has the potential to yield similar results.

“While attack methods have evolved, the outcome has the potential to be the same. Over the past year, we’ve seen an increase in sophisticated DNS-based DDoS attacks — both DNS floods and DNS amplification/reflection attacks,” Yoachimik said.

More attack traffic is blending in with legitimate traffic and defenders need to understand their organization’s capacity and weak links to reduce overall risk, Yoachimik said.

Cloudflare recommends companies: 

• Automate in-line in-line detection and mitigation, machine learning-based anomaly and bot detection and traffic profiling.
• Limit rates based on specific criteria. 
• Implement threat intelligence.
• Use web application firewalls.

“DDoS attacks remain one of the oldest cyberattack types, and one of the easiest to execute,” Yoachimik said. “For an unprotected organization, even one minute of downtime or latency can lead to significant impact.”