DDoS in December

Simran Khalsa

Staff Security Researcher

David King

Product Marketing Manager, Security

Trends and actionable insights from application DDoS attacks in December 2024

Application DDoS attacks are a significant threat to any internet-facing application or API, capable of disrupting service performance and availability for end users and potentially leading to revenue loss for organizations. These attacks specifically target Layer 7 services, such as web applications, with the intent of exhausting server resources with a relatively low volume of cleverly crafted HTTP requests. Unlike network DDoS attacks, which aim to overwhelm network infrastructure with massive amounts of traffic often measured in terabits per second (Tbps), application DDoS attacks exploit weaknesses in application code or protocol implementation to disrupt service with relatively little traffic. This makes them harder to detect but no less dangerous.

Fastly works with companies worldwide at scale, using telemetry from our global infrastructure and Fastly DDoS Protection to detect and mitigate attack traffic. In this report, we share anonymized data, insights, and actionable guidance on the latest application DDoS trends to help you strengthen your security initiatives.

Key Findings

  1. Fastly observed a 249% month-over-month increase in the volume of requests associated with DDoS attacks.

  2. Organizations were least likely to see DDoS activity on the weekends (Saturday and Sunday UTC). 

  3. Nearly half of the detected attacks were directed at Media and Entertainment organizations, followed by those operating in High Technology and Commerce industries.

Traffic Trends

In December, Fastly DDoS Protection detected billions of requests linked to application DDoS attacks (Image 1).

Comparing the overall DDoS attack volume observed from November 2024 to December 2024, we saw 2.5x (249%) more requests linked to attacks in December. Looking at Image 1, 6 days showed a significant spike in attacks compared to the rest of December. Together, these spikes accounted for 62.5% of attack volume for the entire month. Diving deeper, on 5 out of those 6 days, the surge was largely due to a 77% increase in the number of organizations attacked. The outlier? December 4th. On this day, the number of organizations attacked was 38% below the month's average, but the attacks were much larger.

Holiday Slowdown and Weekend Breaks

While the start of the month saw considerable activity, the volume of attack traffic dropped significantly through the second half, possibly indicating attackers, like many of us, were taking a holiday break, too. When comparing the first half of December to the second, there was a ~60% decrease in observed DDoS attack requests (Image 2).

When examining the cumulative number of DDoS attacks on a service instead of just the volume of requests therein (Image 3), we observed the same downward trend in the latter half of the month.

This further suggests that attackers are kicking back and enjoying the holidays rather than launching their normal barrage of attacks. One alternative explanation could be that Operation Poweroff contributed to the notable difference in DDoS activity in the latter half of the month. On December 11th, Europol announced that the ongoing operation seized 27 of the most popular DDoS platforms attackers used to launch attacks. We’ll continue to monitor how this trend carries into January.

Not only did attackers wind down for the holidays, but their activity was noticeably lighter on the weekends throughout the month, too. Saturdays and Sundays (UTC) had the fewest detected DDoS requests. In fact, organizations were least likely to experience DDoS activity on weekends, with just 12% of the week’s requests occurring during those days (see Image 4). Perhaps attackers prefer to strike during the period when websites have the most visitors, maximizing disruption when it matters most.

Organizational Trends

Looking at DDoS in December through the lens of who was attacked, three industries were hit by the most DDoS requests: Media & Entertainment, High Technology, and Commerce (Image 5). Other industries attacked included organizations operating in the public sector, healthcare, and financial services, among others.

But how big were these organizations? If you aren’t a reader working for a Fortune-level company, should you be concerned about application DDoS based on the stats we observed in December? Yes. We correlated the number of application DDoS attacks organizations saw in December to their annual revenue estimates. To ease viewing, we broke the revenue bands into four groups:

  • Enterprise: Greater than $1 billion

  • Commercial: Between $100 million and $1 billion

  • Small and Medium Businesses (SMB): Less than $100 million

  • Undisclosed: Those we were unable to pull a reliable annual revenue for. These are likely somewhere in the SMB or Commercial brackets, given they aren’t public or have limited information disclosed (Image 6).

Even the smallest organizations are hit by application DDoS attacks, especially if a portion of the undisclosed category is hypothetically attributable to them. Once an organization passed the $100 million annual revenue threshold, attackers treated them equally with nearly identical attack attribution percentages in December.

Actionable Guidance

So, what should you take away from all of this information?

It’s important to note that this data only represents one month’s data and should be used with first-party insights from your observability tools and longer-term research to create a comprehensive view. However, from this data alone, there are a few key learnings you can integrate into your existing security efforts:

  • Organizations should aim to staff their security operations center (SOC) 24/7, but based on this month’s data, it’s most important they are staffed during the business week (UTC).

  • Organizations operating in the Media and Entertainment, High Technology, or Commerce industries should pay particular attention to their defense against application DDoS attacks. This is especially important given the increased volume of attacks and the importance of availability and uptime in supporting business goals. 

  • Organizations of all sizes should ensure they have tooling to protect against application DDoS attacks. While Commercial and Enterprise organizations are the most likely to get hit and should ensure they have robust solutions capable of handling regular increased volume, even SMBs are targeted and should have some level of tooling in place. Every app and API on the internet is susceptible to this type of attack on some level.

Automatically mitigate disruptive and distributed attacks

Of course, we’d be remiss not to remind you that solutions like Fastly DDoS Protection automatically stop the attacks detailed in this report. If the customer had been in blocking mode, every detected attack request would’ve been blocked. Fastly DDoS Protection leverages our network’s massive bandwidth and adaptive techniques to keep you performant and available without any required configuration. Contact us to learn more.