Full Report
Gcore reported a 56% year-over-year rise in DDoS attacks in H2 2024, highlighting a steep long-term growth trend for the attack technique
Analysis Summary
# Incident Report: Surge in DDoS Attack Volume and Magnitude (H2 2024)
## Executive Summary
The second half of 2024 saw a significant 56% surge in Distributed Denial of Service (DDoS) attack volume compared to the previous year, according to a report by Gcore. Attacks are becoming shorter but more intense, with the largest peak reaching 2Tbps. The technology and financial services sectors experienced notable targeting, with DDoS being increasingly used as an extortion method. This trend highlights growing geopolitical tensions and the massive scaling capability derived from large botnets made up of insecure IoT devices.
## Incident Details
- **Discovery Date:** Reporting covers trends observed through the end of H2 2024 (through December 2024). Specific discovery dates for individual attacks are not provided.
- **Incident Date:** Trends observed primarily in the second half (H2) of 2024.
- **Affected Organization:** No single organization is the focus; the report highlights trends across multiple sectors.
- **Sector:** Technology (19% of attacks), Financial Services (26% of attacks), Gaming (led attack volume at 34%).
- **Geography:** Global (Implied by general threat report).
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout H2 2024.
- **Vector:** Exploitation of poorly secured Internet of Things (IoT) devices to form large botnets.
- **Details:** Botnets are leveraged to scale attacks, often driven by hacktivist or nation-state groups exploiting geopolitical tensions.
### Lateral Movement
- Not applicable for application layer/network-based DDoS attacks described in this context, as the primary goal is service disruption rather than internal compromise.
### Data Exfiltration/Impact
- **What was stolen or damaged:** The primary impact was operational disruption, service outages (e.g., Microsoft observed a 10-hour global outage), and potential financial extortion against financial institutions.
### Detection & Response
- **How it was discovered:** Findings derived from analysis of security trends reported by Gcore throughout H2 2024.
- **Response actions taken:** Improved cybersecurity defenses, such as advanced detection tools, likely contributed to attackers favoring shorter "burst attacks" that are harder to detect amid legitimate traffic spikes.
## Attack Methodology
- **Initial Access:** Botnets (leveraging unsecured IoT devices).
- **Persistence:** N/A (Focus on availability disruption, not system persistence).
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Attackers favored shorter, high-intensity "burst attacks" (average longest duration dropped to 5 hours in H2 2024), potentially to blend with normal traffic or overwhelm defenses quickly.
- **Credential Access:** N/A.
- **Discovery:** N/A (Focus on availability saturation).
- **Lateral Movement:** N/A.
- **Collection:** N/A.
- **Exfiltration:** N/A.
- **Impact:** Service availability exhaustion, resulting in operational outages across critical services (banks, utilities, etc.).
## Impact Assessment
- **Financial:** High, particularly for financial services (which saw a 117% increase in attacks) due to downtime and potential extortion payments.
- **Data Breach:** Not the primary focus; the impact is availability and operational disruption, though DDoS may be used as a smokescreen for secondary breaches.
- **Operational:** Significant disruption; an example includes a 10-hour global outage affecting multiple organizations relying on a major technology platform.
- **Reputational:** Consequences for targeted service providers, especially where critical infrastructure reliance exists.
## Indicators of Compromise
- **Network indicators:** Volumetric traffic spikes peaking up to 2Tbps.
- **File indicators:** None specifically mentioned for the DDoS vector itself.
- **Behavioral indicators:** Short, highly intense (burst) attack patterns replacing longer, sustained attacks. Targeting of high-value sectors like Technology and Finance.
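The behavioral indicator above (short, intense bursts rather than long sustained floods) and the defense-evasion note in the Attack Methodology section both hinge on the same detection problem: telling a multi-minute volumetric spike apart from ordinary traffic fluctuation. The following is an added example, not code from Gcore or from the report, showing one way to do that over per-minute ingress samples. It assumes one sample per minute in Gbps, a rolling median baseline over the previous 10 clean minutes, a 5x-over-baseline trigger, and a 15-minute cutoff between "burst" and "sustained" events; all of those thresholds are assumptions for illustration, and the traffic series are constructed.

```python
from statistics import median

# Assumed tuning knobs (not from the report): how many clean minutes feed the
# baseline, how far above baseline a minute must be to count, and the longest
# event still classed as a burst.
BASELINE_WINDOW = 10
SPIKE_RATIO = 5.0
BURST_MAX_MINUTES = 15

# Constructed per-minute ingress samples (Gbps), 60 minutes each.
# BURST_SERIES: ~40 Gbps background, a 3-minute 900 Gbps burst at minutes 20-22,
# and a slow legitimate ramp to ~72 Gbps over minutes 40-55 that must not fire.
BURST_SERIES = [40.0 + (i % 5) for i in range(60)]
for m in (20, 21, 22):
    BURST_SERIES[m] = 900.0
for m in range(40, 56):
    BURST_SERIES[m] = 40.0 + 2.0 * (m - 39)

# SUSTAINED_SERIES: same background with a 30-minute 300 Gbps flood at 20-49.
SUSTAINED_SERIES = [40.0 + (i % 5) for i in range(60)]
for m in range(20, 50):
    SUSTAINED_SERIES[m] = 300.0


def _close(event):
    """Finalize an open event: compute duration and classify burst vs sustained."""
    event["duration_min"] = event["end"] - event["start"] + 1
    event["kind"] = "burst" if event["duration_min"] <= BURST_MAX_MINUTES else "sustained"
    return event


def detect_spikes(samples, window=BASELINE_WINDOW, ratio=SPIKE_RATIO):
    """Return a list of spike events found in a per-minute Gbps series.

    The baseline is the median of the last `window` minutes that were NOT
    flagged, so a flood does not drag its own baseline upward and hide itself.
    Consecutive flagged minutes are merged into one event.
    """
    events = []
    clean_history = []   # recent unflagged samples only
    current = None       # event being built, or None
    for minute, value in enumerate(samples):
        baseline = None
        if len(clean_history) >= window:
            baseline = median(clean_history[-window:])
        flagged = baseline is not None and value > ratio * baseline
        if flagged:
            if current is None:
                current = {"start": minute, "end": minute,
                           "peak_gbps": value, "baseline_gbps": baseline}
            else:
                current["end"] = minute
                current["peak_gbps"] = max(current["peak_gbps"], value)
        else:
            clean_history.append(value)
            if current is not None:
                events.append(_close(current))
                current = None
    if current is not None:        # series ended mid-event
        events.append(_close(current))
    return events


def summarize(events):
    """Count events by kind, the shape of the trend the report describes."""
    counts = {"burst": 0, "sustained": 0}
    for ev in events:
        counts[ev["kind"]] += 1
    return counts


if __name__ == "__main__":
    for name, series in (("burst", BURST_SERIES), ("sustained", SUSTAINED_SERIES)):
        found = detect_spikes(series)
        print(name, summarize(found))
        for ev in found:
            print("  minutes %d-%d: peak %.0f Gbps vs baseline %.0f Gbps -> %s"
                  % (ev["start"], ev["end"], ev["peak_gbps"],
                     ev["baseline_gbps"], ev["kind"]))
```

Two design points matter for the burst pattern the report describes. First, excluding flagged minutes from the baseline keeps a flood from normalizing itself; the trade-off is that a ramp slow enough to stay under the ratio (the constructed 2 Gbps/minute rise here) is absorbed into the baseline and never fires, which is exactly the blind spot a ratio detector has and why capacity headroom, not only detection, is in the recommendations. Second, the burst/sustained split is only a label on duration; the operational question for a short burst is whether mitigation can engage within its first minute or two, so the per-event `start` is the number to feed into response-time metrics.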
## Response Actions
- **Containment measures:** Improved detection tools allowing for rapid identification of burst attacks.
- **Eradication steps:** Not detailed in the context of sustained compromise, but mitigating botnet traffic is implied.
- **Recovery actions:** Restoration of service following outages (e.g., Microsoft recovery after the 10-hour incident).
## Lessons Learned
- **Key takeaways:** The threat landscape is shifting towards higher intensity/shorter duration attacks. Geopolitical events are directly fueling targeted disruptive attacks.
- **What could have been done better:** The report implies that defenses need to adapt rapidly to counter burst attacks that might be disguised as normal traffic fluctuations.
## Recommendations
- Organizations must enhance visibility and capacity to absorb extremely high-volume, short-duration traffic spikes.
- Critical infrastructure and financial institutions should specifically prepare for DDoS attacks leveraged for extortion purposes.
- Continuous efforts are needed to secure IoT devices to prevent their enrollment into large-scale botnets.