DDoS – Security Review Magazine
https://securityreviewmag.com
We bring you the latest from the IT and physical security industry in the Middle East and Africa region.

Cloudflare Outs Q2 2024 DDoS Attack Trends
https://securityreviewmag.com/?p=26917 – Fri, 12 Jul 2024 05:11:10 +0000

Cloudflare has released its DDoS report for the second quarter of 2024, revealing a concerning trend: a significant increase in DDoS attacks compared with the same period last year. The report also highlights a rise in attack complexity. Cloudflare’s automated defences had to work ten times harder to counter these attacks, indicating that attackers are wielding advanced tooling previously associated with state-backed actors.

The report also finds a troubling rise in extortion (ransom DDoS) tactics used alongside DDoS attacks. In May 2024, 16% of Cloudflare’s customers reported experiencing extortion attempts alongside DDoS attacks. The report sheds light on the nature of these attacks:

  • Targets: China was the most attacked country, followed by Turkey, Singapore, and Hong Kong. The Information Technology & Services industry was the primary target, followed by Food & Beverages and Consumer Goods.
  • Attackers: While most victims couldn’t identify their attackers, those who did point to competitors, disgruntled users, and even state actors.
  • Attack Duration: Most attacks are short-lived, with over half ending within 10 minutes, emphasizing the need for automated defences.
  • Attack Size: While most attacks are relatively small, there has been an increase in larger attacks, with a significant number exceeding 1 million packets or requests per second.

Cloudflare’s report paints a picture of a rapidly evolving threat landscape. The rise of sophisticated attacks and the increase in extortion tactics underscore the need for robust security solutions for businesses of all sizes.

Commenting on the report, Bashar Bashaireh, Managing Director & Head of Sales – Middle East and Türkiye at Cloudflare, said: “The majority of DDoS attacks are small and quick. However, even these attacks can disrupt online services that do not follow best practices for DDoS defense. Threat actor sophistication is increasing, perhaps due to the availability of Generative AI and developer copilots, resulting in attack code that delivers DDoS attacks that are harder to defend against. Even before the rise in attack sophistication, many organizations struggled to defend against these threats on their own. But they don’t need to. Cloudflare is here to help. We invest significant resources – so you don’t have to – to ensure our automated defenses, along with the entire portfolio of Cloudflare security products, can mitigate emerging threats.”

How Telecommunications Providers Can Best Tackle DDoS Attacks
https://securityreviewmag.com/?p=26304 – Thu, 04 Jan 2024 17:22:33 +0000
Written by Amr Alashaal, Regional Vice President – Middle East at A10 Networks

Telecommunications providers face a growing volume of cyber threats, and there is a clear need for telcos to strengthen their overall security posture and improve resilience against service-impacting attacks such as DDoS. The good news is that communication service providers (CSPs) are responding to these higher threat levels and tighter compliance requirements. Our 2023 research, which surveyed 2,750 senior IT professionals in CSPs, suggests that they are investing in network security to counter increasingly sophisticated cyber threats such as DDoS attacks.

Adopting a defence-in-depth approach
Over the last two years, CSPs have made significant progress in upgrading their cyber defences. In our inaugural CSP 2021 study, we found the highest priority security investments were for more basic security upgrades such as firewalls. This year, however, while firewall upgrades were still the highest priority, we found respondents aiming for a more mature, multi-layered, and defence-in-depth approach to security.

With 68% of all 2023 respondents expecting network traffic volumes to increase by over 50% in the next two to three years, firewalls and other security appliances must be routinely upgraded just to handle the increased traffic volume. Despite this, the percentage prioritising firewalls dropped from 48% in 2021 to 28% in 2023.

The growing importance of DDoS detection and monitoring
Other investments deemed nearly as important as firewalls were DDoS detection and monitoring, automation of security policies, investment in ransomware and malware protection services, and threat intelligence. Respondents also indicated interest in simplifying and integrating disparate point solutions.

All of this points to a greater focus on security investment overall, and in particular on capabilities that enable a proactive approach rather than a reactive response: in the 2023 survey, DDoS detection was the second-highest priority, while reactive DDoS attack mitigation was the least important.

Additionally, with telecommunications considered a critical infrastructure, telecommunications organisations have a unique responsibility to protect the availability of their networks, data, and services. With two-thirds of respondents planning to extend their networks to unserved and underserved communities, protection of network availability and subscriber privacy is critical to their ongoing success.

This is an increasingly complex task as traffic volumes surge and providers build out to more remote and vulnerable communities. To achieve this, we recommend that telecommunications providers follow these key steps:

  • Prioritise security investments to protect all domains. This includes the network itself, customer databases, customer-facing services such as websites, and internal IT systems. Many DDoS attacks and security breaches in CSPs are targeting customer proprietary data.
  • Replace legacy DDoS defence systems and deploy new technologies that enable more granular detection using AI, machine learning, threat intelligence, and other capabilities that match the increasing sophistication of attacks.
  • Leverage automation to simplify management, improve control over network resources, and guarantee uptime.

Intelligent and automated DDoS protection solutions
DDoS protection is a critical part of CSPs’ infrastructure but, while they need to stop malicious traffic, they need to do this without disrupting legitimate traffic. This is where intelligent and automated DDoS protection solutions that provide scalable, economical, precise and intelligent capabilities are important to help CSPs ensure optimal user and subscriber experiences. CSPs should be using solutions that efficiently identify abnormal traffic, automatically and intelligently mitigate the identified inbound DDoS attack, and provide a centralised point of control for seamless DDoS defence execution.

So, what should telecommunications companies look out for to prevent a DDoS attack?

  • A sudden and/or unexpected increase in traffic. Though there are legitimate reasons to receive more traffic, a sudden increase should be checked.
  • System slowness or non-response. Websites can load slowly, or not at all, for many reasons—this doesn’t mean a DDoS attack is in progress, but it should be investigated.
  • Unusual traffic patterns. For example, current traffic that deviates from normal patterns, such as traffic inconsistent with the typical user base, or traffic arriving at unusual hours.
  • Increase in traffic to a single endpoint. This is when part of your system, such as a specific URL, suddenly receives a high amount of traffic compared to others.
  • A high volume of traffic from a single IP or a small range of IPs. This indicates that these addresses could be part of a larger botnet.
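As an added example (not code from the article or from A10 Networks), the following Python turns three of the warning signs above, a sudden increase in traffic, a surge to a single endpoint, and a high volume from a small address range, into checks run against a baseline learned from a quiet window, which is the baselining approach the text recommends. The request records, the baseline window and the thresholds (3x the baseline rate, 50% of a minute to one path, 25% of a minute from one /24) are constructed assumptions for illustration, not vendor guidance.

```python
"""Baseline-driven DDoS indicator checks over constructed request records.

Added example, not code from the article or A10 Networks. Records are
(minute, source_ip, path) tuples; thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
from ipaddress import ip_network
from statistics import mean, pstdev

PATHS = ["/", "/catalog", "/search", "/account", "/api/status"]


def _legit(minute):
    """Constructed normal traffic for one minute: 15-25 requests spread over
    ten /24 prefixes and five paths (not real data)."""
    return [
        (minute,
         f"198.51.{100 + i % 10}.{(minute * 7 + i * 13) % 250 + 1}",
         PATHS[(minute + i) % len(PATHS)])
        for i in range(15 + minute % 11)
    ]


def baseline_records():
    """Thirty quiet minutes from which the historical norms are learned."""
    return [r for m in range(30) for r in _legit(m)]


def attack_records():
    """Five minutes in which a flood from one /24 targets /login on top of
    the usual traffic (constructed attack window)."""
    recs = []
    for m in range(30, 35):
        recs += _legit(m)
        recs += [(m, f"203.0.113.{i % 254 + 1}", "/login") for i in range(400)]
    return recs


def prefix24(ip):
    """Collapse a source address to its /24 so a small range counts as one."""
    return str(ip_network(f"{ip}/24", strict=False))


class Baseline:
    """Historical norms: requests per minute, per-path share, largest /24 share."""

    def __init__(self, records):
        per_min = Counter(m for m, _, _ in records)
        counts = [per_min[m] for m in sorted(per_min)]
        self.rate_mean = mean(counts)
        self.rate_std = pstdev(counts)
        total = len(records)
        self.path_share = {p: c / total
                           for p, c in Counter(p for _, _, p in records).items()}
        self.max_prefix_share = max(
            Counter(prefix24(ip) for _, ip, _ in records).values()) / total


def analyse_window(records, base, rate_factor=3.0,
                   endpoint_share=0.5, prefix_share=0.25):
    """Return one finding per minute in which any indicator fires.

    Assumed thresholds: a spike is more than rate_factor times the baseline
    mean (or mean + 3 sigma, whichever is larger); an endpoint or a /24 is
    suspicious if it takes more than the given share of the minute AND at
    least three times its share in the baseline.
    """
    spike_at = max(base.rate_mean * rate_factor,
                   base.rate_mean + 3 * base.rate_std)
    per_min = defaultdict(list)
    for rec in records:
        per_min[rec[0]].append(rec)
    findings = []
    for minute in sorted(per_min):
        recs = per_min[minute]
        n = len(recs)
        hits = []
        if n > spike_at:
            hits.append(("traffic_spike",
                         f"{n} req/min vs baseline {base.rate_mean:.1f}"))
        path, c = Counter(p for _, _, p in recs).most_common(1)[0]
        if c / n > endpoint_share and c / n > 3 * base.path_share.get(path, 0.0):
            hits.append(("single_endpoint", f"{path} {c / n:.0%}"))
        net, c = Counter(prefix24(ip) for _, ip, _ in recs).most_common(1)[0]
        if c / n > prefix_share and c / n > 3 * base.max_prefix_share:
            hits.append(("source_concentration", f"{net} {c / n:.0%}"))
        if hits:
            findings.append({"minute": minute, "requests": n, "indicators": hits})
    return findings


if __name__ == "__main__":
    base = Baseline(baseline_records())
    for f in analyse_window(attack_records(), base):
        print(f["minute"], f["requests"], f["indicators"])
```

Run against its own baseline window the detector stays silent; run against the attack window it flags all three indicators in every minute, with the flood source collapsed to 203.0.113.0/24. In production the baseline would be kept per hour of day and per service so that traffic at unusual hours (the unusual-pattern indicator above) also stands out; this example keeps a single flat baseline for clarity.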

A market expected to reach $7.45 billion by 2030
Recent research emphasises the significant impact of DDoS attacks, with the latest data indicating a 200% increase in DDoS attacks in the first half of 2023. The research showed telecommunications companies experienced the most attacks, accounting for roughly half the overall attack volume. This is one reason why the global DDoS protection and mitigation market is expected to reach $7.45 billion by 2030.

In 2024, the telecommunications industry will continue to focus on technologies such as cloud computing, standalone 5G, AI, and the Internet of Things (IoT) to offer better speed, scalability, and innovation. To support those new technologies, telecommunications providers will also need to continue to shore up their cybersecurity architectures and, while our research shows that progress has been made, there needs to be more of a focus on a layered and defence-in-depth approach, particularly where DDoS attacks are concerned.

Liquid Networks Launches DDoS Secure to Protect African Businesses from DDoS Attacks
https://securityreviewmag.com/?p=24717 – Tue, 06 Sep 2022 09:12:57 +0000

Liquid Networks, a business of Cassava Technologies, a pan-African technology group, today announced the launch of its Distributed Denial of Service (DDoS) Secure offering to its customers. The solution is designed to proactively mitigate attacks by scrubbing traffic and blocking known attackers or malicious traffic.

“Cyber attacks are at an all-time high; cyber security threats cost the African GDP almost a whopping US$4.1 billion in 2021. And DDoS attacks are at the top of the cyber security attacks; the staggering cost to our GDP is proof enough that no business can afford to be without a layer of protection against them. While DDoS attacks have evolved over the years, our offering is equally sophisticated. With traffic scrubbed at one of our four scrubbing centres, customers can focus on their core business requirements while keeping them safe from DDoS attacks,” says Ahmad Mokhles, CEO of Liquid Networks.

The service is offered to all prospective Internet and IP transit clients, and existing customers in every region where Liquid operates across Africa get access to it as a proactive protection service. With DDoS Secure, clients can have peace of mind, knowing that their business’s reputation, income, and network are protected. The service also offers them the potential for growth and partnerships through DDoS compliance.

While protecting clients’ networks and operations, DDoS Secure also gives them a line of sight about attempted attacks through post-incident reports on all mitigations completed. In addition, with the recent launch of Liquid’s Next-Gen Cyber Security Fusion Centre, the organisation will be able to monitor all online activity live and deter an attack before it reaches your network.

“With this measure in place, there will be higher visibility of potential attacks, and we will be able to mitigate threats and proactively secure businesses automatically. In addition, we can now manage and protect our customers in real-time. Yet another achievement as Liquid Cyber Security introduces a solution that brings the world’s best practices in protecting against DDoS attacks,” concluded Mokhles.

Why Attackers are Focusing on Low-Volume Persistent DDoS Attacks
https://securityreviewmag.com/?p=23505 – Thu, 09 Dec 2021 12:40:45 +0000
Written by Anthony Webb, VP of International, A10 Networks

The COVID-19 pandemic has created significant challenges and changes to the world as we know it. As enterprises moved quickly to remote working and then to hybrid set-ups, adversaries seized the opportunity, and we have witnessed significant growth in the number of cyberattacks. DDoS attacks in particular have grown, not only in size and frequency: adversaries have also pivoted to low-volume, persistent attacks that run for longer periods of time, injecting attack traffic intermittently. These low-volume attacks let adversaries slip under basic volumetric defences, yet they still have a significant impact on enterprise systems and operations.

Modern malware is hijacking IoT devices
As the name indicates, DDoS attacks are distributed in nature. A single attack may employ multiple DDoS weapons to overwhelm the victim’s network and defences. Our security research team have been tracking DDoS weapons and their behaviours and reporting on their frequency and impact over the last several years. Our latest H1 2021 DDoS Attack Mitigation: Global State of DDoS Weapons Report provides detailed insights into the origins of DDoS activity, highlighting how easily and quickly modern malware can hijack IoT devices and convert them into malicious botnets. The report also provides some helpful guidance on what organisations can do to protect against such activities and act rather than sit and wait for the inevitable to happen.

What we can see is that with each new attack and malware variant there are new layers of sophistication in how IoT and smart devices are being weaponised. Cybercriminals are recruiting IoT devices into their botnet armies, aided by malware such as Mozi, and spreading them around the world. Here I’ve summarised some of the key findings:

DDoS weapons are steadily growing
The total number of DDoS weapons increased by 2.5 million during H1 2021, the same growth as in previous reporting periods, so the number of DDoS weapons has been growing steadily and now stands at 15 million tracked weapons. SSDP (Simple Service Discovery Protocol) remains the largest reflected-amplification weapon, with 3.2 million potential weapons exposed to the internet, an increase of over 28 percent compared with the previous reporting period.

While DDoS attackers have increasingly focused on smaller attacks launched persistently over a longer period, large-scale amplification attacks, though less frequent, still cause a great deal of damage and make significant headlines as a result. The rest of the amplification weapons remained virtually the same, with SNMP, Portmap, TFTP and DNS resolvers rounding out the top five. It is important to note that all of these weapons grew in number except DNS resolvers.

China leads the way
DDoS attacks are not limited to a specific geographic location and can originate from and attack organisations anywhere in the world. However, what we found in this report is that China (for the second reporting period in a row) continues to lead the way in hosting the highest number of potential DDoS weapons including both amplification weapons and botnet agents. This was closely followed by the U.S. which remains the second-largest source of DDoS weaponry, particularly amplification weapons, followed by South Korea.

This edition of the threat intelligence report takes a deeper look at how botnets work. Botnets or drones are compute nodes like computers, servers, routers, cameras and other IoT devices infected by malware and are the tools controlled and used by DDoS attackers. Malware has been playing an important role in the expansion of botnets, automating the process of bot infection and recruitment. Subsequently, these botnets are used to launch large-scale DDoS attacks. The increase or decrease of botnets can be attributed to factors such as the growth of IoT, new vulnerabilities, as well as CVEs exploited by attackers, large-scale security updates to patch CVEs and botnet takedowns.

Botnet agents halve in H1 2021
In H1 2021, the total number of botnet agents almost halved with 449,509 tracked and China hosting 44% of the total number of drones available worldwide. This is likely due to the high-profile takedown of the Emotet botnet, one of the largest botnets in the world, dubbed “the internet’s most dangerous malware”. In early 2021 international law enforcement took down Emotet’s command and control infrastructure in more than 90 countries. While this takedown was a contributing factor to the large-scale reduction in botnet agents, it is important to note that these changes may be temporary as attackers can quickly build their infrastructures back up and exploit network systems and vulnerabilities.

One other particularly prevalent malware in the DDoS world is Mozi. Mozi is a DDoS-focused botnet that exploits a large set of known remote code execution (RCE) vulnerabilities (CVEs) in IoT devices to infect them. Once a device is infected, the bot uses peer-to-peer connectivity to send and receive configuration updates and attack commands. Our report found that in the first half of 2021 Mozi reached 360,000 systems from manufacturers including Huawei, Realtek, NETGEAR and many others. The Mozi botnet includes infected bots around the globe, with China, India, Russia and Brazil leading the list of countries and regions.

Strategies for protecting the network against DDoS attacks
So how do organisations protect their networks and resources against such attacks? Organisations should invest in Zero Trust models and create micro-perimeters within the network to limit access to resources. They should also look to invest in modern AI and machine learning solutions that will not only defeat attacks but also protect against the unknown.

Likewise, organisations should investigate whether they are already infected. If network devices suddenly start generating abnormal amounts of traffic this might be because they are infected and, in this instance, they should immediately isolate suspicious devices and limit the traffic originating from these devices.

It is important to observe and block commonly exploited ports, and potentially to block known malicious payloads and any BitTorrent traffic coming into or going out of the network (Mozi’s peer-to-peer channel is built on the BitTorrent DHT protocol). Above all, organisations should make sure that their security infrastructure is regularly updated and that IoT devices are running the latest firmware with all the necessary security patches. Finally, they should use modern DDoS techniques such as baselining, comparing current behaviour against historical norms to surface anomalies. AI/ML techniques for detection and zero-day attack prevention can also really help security teams.
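As an added example (not code from the article or from A10 Networks), the following Python runs the checks described in the last three paragraphs over constructed NetFlow-style records. Inbound UDP flows whose source port belongs to one of the five reflected-amplification services named in the report (SSDP, SNMP, Portmap, TFTP, DNS) and that arrive from many distinct hosts with large packets are flagged as reflected amplification; an internal device answering from one of those ports to the internet is flagged as an exposed reflector, i.e. one of the "weapons" the report counts; and an internal device talking UDP to many external peers on the standard BitTorrent DHT port is flagged as a peer-to-peer bot candidate to isolate. The prefix 192.0.2.0/24 as the operator's own network, the flow records and the thresholds are assumptions for the example; treating UDP/6881 as the DHT indicator is likewise an assumption, since a real bot may use other ports.

```python
"""Flow-record checks for reflected amplification, exposed reflectors and
peer-to-peer bot candidates. Added example, not code from the article or
A10 Networks. Flow records are constructed; thresholds are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# UDP source ports of the five reflected-amplification services in the report.
REFLECTOR_PORTS = {1900: "SSDP", 161: "SNMP", 111: "Portmap", 69: "TFTP", 53: "DNS"}
DHT_PORT = 6881  # assumption: standard BitTorrent DHT port as the P2P indicator
OUR_NETS = [ip_network("192.0.2.0/24")]  # assumption: the operator's own prefix


def is_internal(ip):
    return any(ip_address(ip) in net for net in OUR_NETS)


def sample_flows():
    """Constructed flows: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)."""
    flows = []
    # 300 internet hosts answering SSDP at 192.0.2.10 with large responses it
    # never asked for: the victim side of a spoofed reflection attack.
    for i in range(300):
        flows.append((f"203.0.{113 + i // 254}.{i % 254 + 1}", 1900,
                      "192.0.2.10", 54321, "udp", 40, 52000))
    # Ordinary DNS answers from two resolvers: few sources, small packets.
    flows.append(("198.51.100.53", 53, "192.0.2.20", 44123, "udp", 5, 600))
    flows.append(("198.51.100.54", 53, "192.0.2.20", 44124, "udp", 3, 400))
    # An internal device answering SSDP queries from the internet: a weapon
    # someone else can point at a third party.
    for i in range(12):
        flows.append(("192.0.2.77", 1900, f"198.51.100.{10 + i}",
                      40000 + i, "udp", 6, 2400))
    # An internal device chatting with 60 external peers on the DHT port.
    for i in range(60):
        flows.append(("192.0.2.88", 51413, f"203.0.120.{i + 1}",
                      DHT_PORT, "udp", 20, 3000))
    # Benign outbound HTTPS, present so the checks have something to ignore.
    flows.append(("192.0.2.99", 50001, "198.51.100.80", 443, "tcp", 30, 9000))
    return flows


def analyse_flows(flows, min_reflectors=50, min_avg_bytes=800,
                  min_exposed_peers=5, min_dht_peers=20):
    """Return sorted (kind, host, service, peer_count) findings."""
    inbound = defaultdict(set)              # (victim, service) -> reflector IPs
    volume = defaultdict(lambda: [0, 0])    # (victim, service) -> [packets, bytes]
    exposed = defaultdict(set)              # (host, service) -> external askers
    dht_peers = defaultdict(set)            # host -> external DHT peers
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        if proto != "udp":
            continue
        src_in, dst_in = is_internal(src), is_internal(dst)
        if not src_in and dst_in and sport in REFLECTOR_PORTS:
            key = (dst, REFLECTOR_PORTS[sport])
            inbound[key].add(src)
            volume[key][0] += pkts
            volume[key][1] += nbytes
        elif src_in and not dst_in and sport in REFLECTOR_PORTS:
            exposed[(src, REFLECTOR_PORTS[sport])].add(dst)
        elif src_in and not dst_in and dport == DHT_PORT:
            dht_peers[src].add(dst)

    findings = []
    for (victim, svc), sources in inbound.items():
        pkts, nbytes = volume[(victim, svc)]
        # Many distinct responders plus big packets is the reflection signature.
        if len(sources) >= min_reflectors and nbytes / pkts >= min_avg_bytes:
            findings.append(("reflected_amplification", victim, svc, len(sources)))
    for (host, svc), peers in exposed.items():
        if len(peers) >= min_exposed_peers:
            findings.append(("exposed_reflector", host, svc, len(peers)))
    for host, peers in dht_peers.items():
        if len(peers) >= min_dht_peers:
            findings.append(("p2p_botnet_candidate", host, "DHT", len(peers)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyse_flows(sample_flows()):
        print(*finding)
```

The two ordinary DNS resolvers are not flagged because the reflection check needs both many distinct responders and a high bytes-per-packet ratio; that pairing is what separates amplified responses from a busy but legitimate service. The exposed-reflector and DHT findings are the ones to act on locally: close or rate-limit the service on 192.0.2.77, and isolate 192.0.2.88 for firmware and compromise review as the paragraph above recommends.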

As we prepare for 2022, it is commonly acknowledged that hybrid and remote working environments are here to stay, and security teams will need to look at how they secure a mix of on-premises, multi-cloud and edge-cloud environments. Sophisticated DDoS threat intelligence combined with real-time threat detection, AI and ML capabilities as well as automated signature extraction allow organisations to defend against all kinds of DDoS attacks, no matter where they originate.
