A record 5.6 Tbps Distributed Denial-of-Service (DDoS) attack, powered by a Mirai botnet comprising over 13,000 compromised IoT devices, was launched last week.
This ultra-short, hyper-volumetric attack lasted just 80 seconds, during which it spewed vast amounts of traffic at an internet service provider from Eastern Asia. Cloudflare says its autonomous, distributed defence systems successfully mitigated the attack in real time without human intervention or any noticeable disruptions.
“Detection and mitigation were fully autonomous… [It] didn’t trigger any alerts, and didn’t cause any performance degradation. The systems worked as intended,” says Cloudflare.
While the attack had an extraordinary aggregate power of 5.6 Tbps, each of the 13,000 IoT devices involved contributed an average of just over 1 Gbps per second to the deluge.
IoT devices continue to power botnet attacks
IoT vulnerabilities were once again central to enabling a botnet to deliver a massive cyberattack. The compromised devices, likely exploited through default credentials or unpatched firmware, collectively created this record-breaking torrent of malicious traffic.
This latest episode reinforces concerns over the lack of security inherent in many IoT devices, with even ostensibly innocuous devices being co-opted into vast, malicious botnets.
The attack wasn’t an isolated incident in a quiet quarter. According to Cloudflare, the fourth quarter of 2024 saw a sharp spike in hyper-volumetric DDoS attacks – those exceeding 1 Tbps – rising by 1,885% quarter-on-quarter (QoQ). DDoS attacks exceeding 100 million packets per second (pps) also increased significantly, up 175% QoQ, with 16% of these surpassing the astronomical threshold of 1 billion pps.
Cloudflare reports that while the majority (93%) of network-layer attacks remain relatively small, under 500 Mbps, the sheer strength of recent hyper-volumetric assaults – enabled by IoT botnets – has set alarm bells ringing across industries.
Compounding the challenge is the brevity of many modern attacks.
“91% of network layer DDoS attacks end within ten minutes. Only 2% last over an hour,” Cloudflare explains. “Because the duration of most attacks is so short, it is not feasible, in most cases, for a human to respond to an alert, analyse the traffic, and apply mitigation.”
Global origins of DDoS attacks
Mirroring its findings from the previous quarter, Cloudflare revealed that Indonesia has continued to top the global charts as the largest source of DDoS attacks. Hong Kong and Singapore were placed second and third, respectively, reflecting a notable regional shift in attack origination.
For HTTP DDoS attacks, the geographical source can be determined by examining the specific IP addresses of compromised devices since these cannot be spoofed. For network-layer attacks, however, Cloudflare relies on the locations of its extensive global data centres (spanning over 330 cities worldwide) where attack traffic is intercepted and mitigated. This ensures accurate attribution, even in the face of techniques like IP spoofing.
When surveyed, Cloudflare’s targeted customers overwhelmingly confessed they weren’t sure who was behind the attacks. However, among those who identified their attackers, 40% named competitors as the culprits, pointing to a worrying trend of industrial sabotage.
State or state-sponsored actors were implicated in 17% of cases, while disgruntled individuals – whether customers or ex-employees – ranked similarly. Notably, 14% of customers pointed to extortionists, reflecting the rising threat of ransom-driven ‘RDoS’ (Ransom Denial-of-Service) attacks.
Countries and sectors in the crosshairs
China once again held its unenviable crown as the most attacked country, based on the billing address locations of Cloudflare’s targeted clients. However, 2024 Q4 showed surprising newcomers: the Philippines debuted in second place, and Taiwan jumped seven spots to take the third-place position.
Sector-wise, the ‘Telecommunications, Service Providers, and Carriers’ segment emerged as the most heavily targeted industry. It dethroned the banking and financial services industry, which plunged seven spots from its 2024 Q3 position at the top to eighth place this quarter.
Meanwhile, the ‘Internet and Marketing & Advertising’ sector rounded out the top three under attack—evidence that attacks continue to proliferate across increasingly diverse verticals.
Defensive strategies must evolve alongside DDoS threats
This latest barrage of hyper-volumetric attacks underscores critical lessons for IoT and online security moving forward. While the vast majority of attacks remain small and short-lived, their growing intensity, scale, and unprecedented distributed origins – from insecure IoT devices – point to a bleak horizon if action is not taken.
IoT device manufacturers must shoulder responsibility, from enforcing stricter security standards to ensuring routine patching of vulnerabilities, so that their devices do not become part of a botnet like Mirai and its variants. Likewise, organisations need to adopt layered, inline DDoS mitigation solutions that can automatically thwart even the most well-coordinated attacks without risking operational downtime.
For industries heavily reliant on their digital presence, the financial and reputational risks of being caught unprepared are almost immeasurable. As DDoS attacks evolve, from industrial sabotage in competitive fields to tools of geopolitical conflict, businesses must respond with an equal and opposite evolution of defences.