Beta

Radar 2.0 is currently in Beta. You can still use Radar Classic during the transition period.

Report header image

DDoS Attack Trends for 2021 Q1

Cloudflare automatically detects and mitigates DDoS attacks across its global network using its autonomous edge DDoS detection and mitigation engine. This report includes the DDoS insights and trends as observed on our network.



DDoS attack trends for 2021 Q1

DDoS activity

The first quarter of 2021 was a busy one for attackers. Cloudflare automatically detected and mitigated DDoS attacks across its global network using its autonomous edge DDoS detection and mitigation engine. This report includes the DDoS insights and trends as observed on our network. For a deep dive analysis, check out our Q1 DDoS attack trends blog.

Highlights: Application-layer DDoS attacks

When we analyze attacks, we calculate the 'DDoS activity' rate, which is the percent of attack traffic out of the total traffic (attack + clean). This allows us to normalize the data points and avoid biases towards, for example, a data center that sees more traffic and therefore also more attacks.

Highlights: Network-layer DDoS attacks


Application-layer DDoS attacks

Application-layer DDoS attacks, or HTTP DDoS attacks, are attacks that aim to disrupt an HTTP server by making it unable to process requests. If a server is bombarded with more requests than it can process, the server will drop legitimate requests or even crash.

DDoS attack activity

DDoS activity per industry

DDoS activity by source country

DDoS activity by target country

Ransom DDoS Attacks & Threats

The percent of respondents that reported being targeted by a ransom DDoS attack or that have received threats in advance of the attack.


Network-layer DDoS attacks

Number of attacks

While application layer attacks strike the application (Layer 7 of the OSI model) running the service end users are trying to access, network layer attacks target exposed network infrastructure (such as in-line routers and other network servers) and the Internet link itself.

Network-Layer DDoS Attacks - Distribution by month

On a monthly basis, January was Q1’s busiest month for attackers, constituting 42% of the total attacks observed in the quarter.

Network-layer DDoS attacks: Distribution of size by month

Size of attacks

There are different ways of measuring a L3/4 DDoS attack’s size. One is the volume of traffic it delivers, measured as the bit rate (specifically, gigabits-per-second). Another is the number of packets it delivers, measured as the packet rate (specifically, packets-per-second). Attacks with high bit rates attempt to saturate the Internet link, while attacks with high packet rates attempt to overwhelm the routers or other in-line hardware devices.

Network-layer DDoS attacks: Distribution by packet rate

Network-layer DDoS attacks: Distribution by bit rate

Duration of attacks

Network-layer DDoS attacks: Distribution by duration

Attack vectors

An attack vector is the attack method that the attacker utilizes. In 2021 Q1, SYN flood attacks continued to remain the most popular attack vector used by attackers, followed by RST, UDP, and DNS amplification attacks.

Network-layer DDoS attacks: Distribution by top attack vectors

Emerging threats

Emerging threats are attack vectors that have significantly increased compared to the previous quarter.

Network-layer DDoS attacks: Top emerging threat vectors


DDoS activity by Cloudflare data center country

Unlike application-layer DDoS attacks, attackers can (and typically do) spoof the source IP address to obfuscate the source location of the DDoS attack. For this reason, when analyzing L3/4 DDoS attacks, we bucket the traffic by the Cloudflare edge data center locations where the traffic was ingested, and not by the location of the source IP. Cloudflare is able to overcome the challenges of spoofed IPs by displaying the attack data by the location of Cloudflare's data center in which the attack was observed. We're able to achieve geographical accuracy in our report because we have data centers in over 200 cities around the world.

Network-layer DDoS Attacks by Country