Full Report
Gcore’s latest DDoS Radar report analyzes attack data from Q3–Q4 2024, revealing a 56% YoY rise in the total number of DDoS attacks with the largest attack peaking at a record 2 Tbps. The financial services sector saw the most dramatic increase, with a 117% rise in attacks, while gaming remained the most-targeted industry. This period’s findings emphasize the need for robust, adaptive DDoS
Analysis Summary
# Incident Report: Q3-Q4 2024 DDoS Attack Trends
## Executive Summary
Analysis of Gcore's DDoS Radar report for Q3–Q4 2024 reveals a 56% year-over-year increase in the total number of DDoS attacks, headlined by a record peak attack measuring 2 Tbps. The financial services sector experienced a 117% surge in attacks, although the gaming industry remained the most frequently targeted sector overall. The core takeaway for defenders is the need for robust, adaptive mitigation that engages within seconds, because the period's attacks were shorter, higher in intensity, and increasingly shaped by geopolitical events.
## Incident Details
- **Discovery Date:** Analysis based on Q3–Q4 2024 data (Report published February 2025).
- **Incident Date:** Q3–Q4 2024 timeframe.
- **Affected Organization:** Industry-wide analysis, primarily focusing on Gaming and Financial Services sectors.
- **Sector:** Gaming (Most targeted), Financial Services (Fastest growing target), Media & Entertainment, Retail, Telecom, Technology.
- **Geography:** Global analysis; top attack source regions include the US, Netherlands, Brazil, China, and Indonesia.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout Q3–Q4 2024.
- **Vector:** Reflection/amplification floods and "stresser" tooling, made accessible through DDoS-for-hire services, together with botnets built from poorly secured IoT devices.
- **Details:** Attacks are characterized by extreme volume (peaking at 2 Tbps) and increasing sophistication, including multi-vector and application-layer methods.
### Lateral Movement
- *Not applicable for typical volumetric DDoS attacks, which focus on service disruption rather than network infiltration.*
### Data Exfiltration/Impact
- **What was stolen or damaged:** Service availability disruption, potential financial loss due to downtime, and reputational damage. Record attacks (2 Tbps) pose widespread outage risk.
### Detection & Response
- **How it was discovered:** Analysis compiled by Gcore using internal monitoring and global threat intelligence feeds.
- **Response actions taken:** Organizations are advised to rely on mitigation providers whose filtering capacity far exceeds the largest observed attacks (Gcore cites more than 200 Tbps of its own filtering capacity) so that traffic can be scrubbed in real time. On-demand or manually triggered mitigation is increasingly insufficient against short, burst attacks, which can end before diversion takes effect.
## Attack Methodology
- **Initial Access:** DDoS attacks utilizing botnets fueled by insecure IoT devices and readily available DDoS-for-hire services.
- **Persistence:** N/A (Volumetric attack).
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Increased use of complex, multi-vector, and application-layer attacks designed to circumvent conventional detection thresholds. Attacks are often shorter in duration ("high-intensity bursts").
- **Credential Access:** N/A.
- **Discovery:** N/A.
- **Lateral Movement:** N/A.
- **Collection:** N/A.
- **Exfiltration:** N/A.
- **Impact:** Service disruption, saturation of network bandwidth, and resource exhaustion against target servers.
## Impact Assessment
- **Financial:** High potential for operational costs and revenue loss, especially for the Gaming sector (high revenue impact from downtime) and Financial Services (due to regulatory exposure).
- **Data Breach:** Not a primary feature of these analyzed incidents (DDoS focus), but operational disruption affects availability.
- **Operational:** Significant service outages possible, particularly from terabit-level attacks. Shorter, high-intensity attacks test the speed of mitigation response.
- **Reputational:** Damage to service providers and targeted companies perceived as vulnerable.
## Indicators of Compromise
- **Network indicators - defanged:** Inbound traffic spikes far above the organization's own baseline; at the top end, the record peak grew from 1.7 Tbps in the previous period to 2 Tbps.
- **File indicators:** N/A (Focus on network layer attacks).
- **Behavioral indicators:** Surge in unsolicited SYN, ACK or UDP packets (amplification traffic typically arrives from reflector source ports such as 53, 123 or 1900) or in application-layer requests that overwhelm web infrastructure while consuming comparatively little bandwidth.
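To make the two indicator types concrete, here is an added example, not code from the Gcore report or from Gcore, that runs a burst-aware detector over constructed one-second flow rollups (a NetFlow/sFlow-style export reduced to the dominant inbound flow class per second). It tracks bit rate and packet rate separately against an EWMA baseline that is only fed from non-alerting seconds, classifies the vector from protocol, source port and TCP flags, and shows how a detector that demands a sustained exceedance ("hold-down") before acting misses exactly the short bursts the report describes. The input format, sample values and reflector-port table are assumptions for the example.

```python
"""Burst-aware DDoS detector over one-second flow rollups (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed one-second rollups of inbound traffic to a web service, one line
# per second for the dominant flow class:  ts proto sport dport flags pps gbps
# Seconds 9-14 are an NTP reflection burst (high bps), 17-19 a SYN flood
# (high pps, low bps); second 3 is ordinary DNS response traffic.
SAMPLE_FLOWS = """\
1 TCP 51234 443 PA 12000 0.48
2 TCP 51234 443 PA 12500 0.50
3 UDP 53 33211 - 800 0.02
4 TCP 52001 443 PA 11800 0.47
5 TCP 52001 443 PA 12100 0.49
6 TCP 52340 443 PA 12300 0.50
7 TCP 52340 443 PA 11900 0.48
8 TCP 53100 443 PA 12200 0.49
9 UDP 123 80 - 900000 980.0
10 UDP 123 80 - 1300000 1410.0
11 UDP 123 80 - 1800000 1950.0
12 UDP 123 80 - 1850000 2000.0
13 UDP 123 80 - 1600000 1700.0
14 UDP 123 80 - 700000 750.0
15 TCP 53300 443 PA 12100 0.49
16 TCP 53300 443 PA 12000 0.48
17 TCP 40001 443 S 5000000 2.4
18 TCP 40002 443 S 5200000 2.5
19 TCP 40003 443 S 4800000 2.3
20 TCP 53500 443 PA 12100 0.49
21 TCP 53500 443 PA 11900 0.48
"""

# UDP services commonly abused as reflectors (assumed list): a flood whose
# *source* port is one of these is the signature of reflection/amplification.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}


@dataclass
class Flow:
    ts: int
    proto: str
    sport: int
    dport: int
    flags: str
    pps: int
    gbps: float


@dataclass
class Burst:
    start: int
    end: int
    peak_gbps: float
    peak_pps: int
    vector: str

    @property
    def seconds(self) -> int:
        return self.end - self.start + 1


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue
        flows.append(Flow(int(f[0]), f[1], int(f[2]), int(f[3]), f[4], int(f[5]), float(f[6])))
    return flows


def classify(flow: Flow) -> str:
    """Name the vector from the first alerting second (only called once a burst is confirmed)."""
    if flow.proto == "UDP" and flow.sport in REFLECTOR_PORTS:
        return f"UDP reflection/amplification ({REFLECTOR_PORTS[flow.sport]})"
    if flow.proto == "UDP":
        return "UDP flood"
    if flow.proto == "TCP" and flow.flags == "S":
        return "SYN flood"
    if flow.proto == "TCP" and flow.dport in (80, 443):
        return "TCP flood to web port (check for L7 request flood)"
    return "unclassified"


def detect_bursts(flows: List[Flow], factor: float = 10.0, hold_seconds: int = 1,
                  alpha: float = 0.2) -> List[Burst]:
    """Alert when gbps OR pps exceeds factor x its EWMA baseline for hold_seconds
    consecutive seconds. Baselines are updated only from non-alerting seconds, so
    an attack cannot drag its own threshold upward. A large hold_seconds is the
    'wait until it is sustained' policy that short bursts slip past."""
    base_gbps: Optional[float] = None
    base_pps: Optional[float] = None
    pending: List[Flow] = []          # over-threshold seconds not yet confirmed
    current: Optional[Burst] = None   # burst currently in progress
    bursts: List[Burst] = []
    for f in flows:
        if base_gbps is None or base_pps is None:
            base_gbps, base_pps = f.gbps, float(f.pps)   # seed from the first second
            continue
        if f.gbps > factor * base_gbps or f.pps > factor * base_pps:
            if current is not None:                      # extend the running burst
                current.end = f.ts
                current.peak_gbps = max(current.peak_gbps, f.gbps)
                current.peak_pps = max(current.peak_pps, f.pps)
                continue
            pending.append(f)
            if len(pending) >= hold_seconds:             # hold-down satisfied: confirm
                current = Burst(pending[0].ts, f.ts, max(p.gbps for p in pending),
                                max(p.pps for p in pending), classify(pending[0]))
                pending = []
            continue
        if current is not None:                          # traffic back under threshold
            bursts.append(current)
            current = None
        pending = []
        base_gbps = alpha * f.gbps + (1 - alpha) * base_gbps
        base_pps = alpha * f.pps + (1 - alpha) * base_pps
    if current is not None:
        bursts.append(current)
    return bursts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for hold in (1, 4, 30):
        found = detect_bursts(flows, hold_seconds=hold)
        print(f"hold-down {hold:2d}s -> {len(found)} burst(s):",
              [(b.start, b.end, b.seconds, b.peak_gbps, b.vector) for b in found])
```

With a one-second hold-down the script reports both bursts (a 6-second NTP reflection burst peaking at 2000 Gbps and a 3-second SYN flood that is barely 2.5 Gbps but 400x the packet-rate baseline); with a 4-second hold-down the SYN flood is missed, and with a 30-second hold-down nothing is reported at all, which is the failure mode behind the "shorter, high-intensity bursts" finding. The SYN case is also why the detector watches pps as well as bps.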
## Response Actions
- **Containment measures:** Diverting traffic to a mitigation provider's scrubbing capacity, which must exceed the largest observed attacks by a wide margin (Gcore cites more than 200 Tbps of filtering capacity), so that traffic is cleaned in real time rather than after a manual diversion.
- **Eradication steps:** N/A (System infection is not the primary threat model).
- **Recovery actions:** Restoring service behind upstream scrubbing once the burst subsides, reviewing whether the attack exceeded available bandwidth, and tuning geographically aware defense policies to the regions the attack originated from.
## Lessons Learned
- DDoS attacks are increasing in number (56% YoY) and intensity (2 Tbps peak).
- The Financial Services sector is rapidly becoming a premium target (117% rise in attacks), while Gaming remains the most targeted sector overall.
- Attacks are trending towards shorter, high-intensity bursts, necessitating always-on, automated edge mitigation rather than on-demand or manually triggered diversion that takes minutes to engage.
- Geopolitical tensions are directly influencing who is attacked and where attacks originate.
## Recommendations
- Implement adaptive DDoS mitigation services capable of handling multi-terabit-per-second volumetric attacks.
- Enhance protection specifically tuned for application-layer attacks which are becoming more prevalent alongside volumetric floods.
- Review and harden IoT device security across the supply chain to reduce the pool of potential botnet contributors.
- Develop and test playbooks tailored for rapid response to short-duration, high-intensity attacks targeting critical infrastructure and financial systems.
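The recommendation on application-layer protection, and the "Defense Evasion" note that application-layer attacks are built to slip under conventional thresholds, can be shown with an added example that is not code from the Gcore report or from Gcore: a triage of constructed combined-format web access log lines. It shows why a per-client rate limit alone is blind to a distributed L7 flood (many sources, each under the limit, low bandwidth) and why cost-weighted request share per endpoint, compared against that endpoint's normal share, is the more useful signal. The log lines, IP ranges, endpoint cost table and baseline shares are all assumptions for the example.

```python
"""Triage of an application-layer request flood from web access logs (added example)."""
import re
from collections import Counter
from typing import Dict, List, Set

# Combined log format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Rough server cost per request by endpoint and each endpoint's normal share of
# cost-weighted load (both constructed assumptions; measure these in practice).
ENDPOINT_COST = {"/search": 50, "/product": 5, "/static": 1, "/": 2}
BASELINE_SHARE = {"/search": 0.25, "/product": 0.40, "/": 0.20, "/static": 0.15}


def build_sample_log(with_flood: bool = True) -> List[str]:
    """Constructed access log for one 10-second window (not real traffic)."""
    lines = []
    for i in range(8):                                   # 8 ordinary visitors
        for path in ("/", "/static/app.js", "/product/42"):
            lines.append(f'203.0.113.{i + 1} - - [10/Nov/2024:12:00:0{i} +0000] '
                         f'"GET {path} HTTP/1.1" 200 5120')
    if with_flood:                                       # 30 bot sources, 3 requests each,
        for i in range(30):                              # all to the expensive search endpoint
            for j in range(3):
                lines.append(f'198.51.100.{i + 1} - - [10/Nov/2024:12:00:05 +0000] '
                             f'"GET /search?q=zzz{j} HTTP/1.1" 200 48000')
    return lines


def endpoint_of(path: str) -> str:
    base = path.split("?", 1)[0]
    for prefix in ("/search", "/product", "/static"):
        if base.startswith(prefix):
            return prefix
    return "/"


def triage(lines: List[str], per_client_limit: int = 10, ratio: float = 3.0) -> Dict[str, object]:
    """Summarize one window: what a per-client limiter would drop, and which
    endpoint carries an abnormal share of cost-weighted load."""
    per_ip: Counter = Counter()
    per_endpoint: Counter = Counter()
    sources_by_endpoint: Dict[str, Set[str]] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                     # skip malformed lines
        ep = endpoint_of(m.group("path"))
        per_ip[m.group("ip")] += 1
        per_endpoint[ep] += 1
        sources_by_endpoint.setdefault(ep, set()).add(m.group("ip"))
    total = sum(per_ip.values())
    # Requests a naive per-client limiter would drop in this window.
    dropped = sum(n - per_client_limit for n in per_ip.values() if n > per_client_limit)
    # Cost-weighted load per endpoint and the hottest endpoint's share of it.
    weighted = {ep: n * ENDPOINT_COST[ep] for ep, n in per_endpoint.items()}
    load = sum(weighted.values())
    hot_ep, hot_load = max(weighted.items(), key=lambda kv: kv[1])
    share = hot_load / load
    max_per_client = max(per_ip.values())
    if share > ratio * BASELINE_SHARE[hot_ep]:
        verdict = "distributed L7 flood" + (" (per-client limit blind)"
                                            if max_per_client <= per_client_limit else "")
    else:
        verdict = "normal"
    return {
        "requests": total,
        "distinct_clients": len(per_ip),
        "max_per_client": max_per_client,
        "dropped_by_client_limit": dropped,
        "hot_endpoint": hot_ep,
        "hot_endpoint_load_share": share,
        "hot_endpoint_sources": len(sources_by_endpoint[hot_ep]),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for flood in (False, True):
        print("flood" if flood else "quiet", triage(build_sample_log(with_flood=flood)))
```

In the flood window the 30 bot sources make only three requests each, so a per-client limit of ten drops nothing, yet `/search` carries about 99% of cost-weighted load against a 25% baseline. The sensible response is endpoint-level controls (challenge or queue on the hot endpoint, cap its concurrency) rather than raising a global per-IP threshold that the attacker already sits below.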