Infrastructure Trends and Traffic Insights

April 15, 2025

Disruptions to digital infrastructure and service outages carry both direct and indirect business costs. Whether it hits workforce applications or customer-facing websites, a service outage can impair the organization’s ability to deliver on revenue targets. To maintain service and network availability, modern business operations rely on a stable infrastructure consisting of data centers, network connectivity, and the Domain Name System (DNS).

As attackers increasingly target these fundamental digital infrastructures, security teams struggle to gain the necessary insights into Distributed Denial of Service (DDoS) attacks. With current threat intelligence from experts who understand the Tactics, Techniques, and Procedures (TTPs) that threat actors use to evade detection, security teams are more prepared to combat these activities and mitigate risks like carpet-bombing attacks.   

Every month, Vercara reports on trends across three critical infrastructure domains: 

  • Distributed Denial of Service (DDoS) attacks 
  • Domain Name System (DNS) traffic 
  • Web Application Firewall (WAF) attacks

This monthly roundup of reports provides information to help defenders manage their infrastructure, applications, and cloud-based security solutions.  

DDoS: Attackers Return to Frequent, Smaller-Volume Attacks  

Overall, the number of DDoS attacks rose 14.43% month-over-month, which likely reflects attackers favoring frequent, smaller-volume attacks designed to overwhelm specific systems or network segments.

Of the data gathered, the following highlights offer insights:  

  • 5,003 DDoS attacks detected, with Vercara’s monitoring and mitigation preventing approximately 1,019 hours of downtime, a 59.39% increase compared to February 
  • Largest attack peaking at 404.75 Gbps and over 105 million packets per second (Mpps), underscoring attacker scale and sophistication 
  • A 7.69% decline in mega attacks (100+ Gbps), potentially indicating a strategic shift by attackers toward lower-volume, harder-to-detect methods.

For a deeper dive, check out our DDoS Analysis Report.

 

Carpet Bombing Stays Steady 

Carpet bombing is a tactic in which attackers spread many small-volume attacks across a wide range of IP addresses so that no single destination draws enough traffic to trip detection, which also complicates mitigation. Carpet bombing attacks accounted for 77.13% of the DDoS attacks observed in March.

 

Change in Attack Sizes 

Small attacks between 0-0.5 Gbps numbered 4,012, or 80.22% of all observed attacks. Additionally, 37.83% of attacks fell in the 0-10K pps range, highlighting the prevalence of low-volume, distributed methods.

Month-over-month changes by size band:

  • Small attacks (0-0.5 Gbps): +9.29% 
  • Mega attacks (100+ Gbps): -7.69%

Two further bands saw significant upticks, consistent with a growing trend of frequent, modest-sized attacks likely enabled by the widespread availability of affordable, commoditized attack tools:

  • 0.5-1 Gbps: +101.23% 
  • 5-10 Gbps: +117.65% 

Why Carpet Bombing Is Hard to Mitigate 

When attackers target numerous IP addresses with smaller attacks (carpet bombing), the intent is to evade detection and make mitigation more difficult.

Because most organizations set alerting thresholds per destination at multi-gigabit levels, carpet bombing creates mitigation challenges: the threat actors 

  • Remain under per-destination alerting thresholds 
  • Still flood the network in aggregate 
  • Rotate target IPs and destinations 
  • Rotate targeting methods

The practical countermeasure is to evaluate thresholds on the aggregate as well, for example per /24 prefix or per customer block, so the combined volume crosses the threshold even though no single host does.

Top 3 Attack Vectors   

The Total Traffic vector reclaimed the number one spot, while TCP ACK floods dropped to second. TCP ACK floods target the way servers, and the stateful devices in front of them, track connections: by sending a massive number of spoofed ACK packets that belong to no handshake, they force every packet through a connection-table lookup that never matches, eventually exhausting the capacity to handle legitimate traffic.
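As an added illustration that is not part of Vercara’s report or products, the following Python script shows why the per-destination thresholds discussed under carpet bombing miss it and how aggregating the same flow telemetry per /24 exposes it, together with a simple indicator for the TCP ACK-flood vector just described. All flow records, prefixes and thresholds are constructed for the example.

```python
"""Added example (not Vercara's code): per-IP versus per-prefix DDoS
thresholds over constructed 1-second flow summaries, plus a TCP ACK-flood
indicator.  Thresholds, prefixes and volumes are all constructed."""
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 1
PPS_LIMIT = 1_000_000          # assumed alerting thresholds, applied per key
BPS_LIMIT = 1_000_000_000


def constructed_flows():
    """(dst_ip, flags, packets, bytes) for one 1-second window.
    flags is "SYN", "ACK" (ACK-only, no payload), "UDP" or "OTHER"."""
    flows = []
    # Carpet bombing: 254 hosts in 203.0.113.0/24, each ~24 Mbps of 60-byte UDP
    for host in ipaddress.ip_network("203.0.113.0/24").hosts():
        flows.append((str(host), "UDP", 50_000, 3_000_000))
    # ACK flood against one host: 2 Mpps of ACK-only packets, almost no SYNs
    flows += [("192.0.2.80", "ACK", 2_000_000, 120_000_000),
              ("192.0.2.80", "SYN", 5, 300)]
    # Ordinary traffic: handshakes and ACKs in a plausible proportion
    flows += [("198.51.100.10", "SYN", 400, 24_000),
              ("198.51.100.10", "ACK", 1_600, 1_200_000),
              ("198.51.100.20", "UDP", 500, 400_000)]
    return flows


def prefix_of(ip, prefix_len=24):
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def rates(flows, key_fn):
    """Sum packets and bytes per key, then convert to (pps, bps)."""
    totals = defaultdict(lambda: [0, 0])
    for dst, _flags, pkts, nbytes in flows:
        key = key_fn(dst)
        totals[key][0] += pkts
        totals[key][1] += nbytes
    return {k: (p / WINDOW_SECONDS, b * 8 / WINDOW_SECONDS)
            for k, (p, b) in totals.items()}


def over_threshold(rate_map, pps_limit=PPS_LIMIT, bps_limit=BPS_LIMIT):
    return sorted(k for k, (pps, bps) in rate_map.items()
                  if pps >= pps_limit or bps >= bps_limit)


def per_ip_alerts(flows):
    """The usual per-destination check: fires only on concentrated floods."""
    return over_threshold(rates(flows, lambda ip: ip))


def per_prefix_alerts(flows, prefix_len=24):
    """Same thresholds applied to the aggregate of each prefix."""
    return over_threshold(rates(flows, lambda ip: prefix_of(ip, prefix_len)))


def carpet_bombed_prefixes(flows, prefix_len=24):
    """Prefixes over threshold in aggregate while no single member host is."""
    loud = {prefix_of(ip, prefix_len) for ip in per_ip_alerts(flows)}
    return [p for p in per_prefix_alerts(flows, prefix_len) if p not in loud]


def ack_flood_targets(flows, min_ack_pps=500_000, max_syn_ratio=0.01):
    """Hosts receiving a high rate of ACK-only packets with almost no SYNs:
    ACKs that belong to no handshake cost a state lookup that never matches."""
    syn, ack = defaultdict(int), defaultdict(int)
    for dst, flags, pkts, _ in flows:
        if flags == "SYN":
            syn[dst] += pkts
        elif flags == "ACK":
            ack[dst] += pkts
    return sorted(d for d, a in ack.items()
                  if a / WINDOW_SECONDS >= min_ack_pps and syn[d] < a * max_syn_ratio)


if __name__ == "__main__":
    f = constructed_flows()
    print("per-IP alerts:    ", per_ip_alerts(f))
    print("per-/24 alerts:   ", per_prefix_alerts(f))
    print("carpet-bombed /24:", carpet_bombed_prefixes(f))
    print("ACK-flood targets:", ack_flood_targets(f))
```

Running it reports one per-IP alert (the concentrated ACK-flood victim), two per-/24 alerts, and 203.0.113.0/24 as the prefix that only the aggregate view catches. In production the aggregation key would be whatever unit the organization routes or bills on (a customer /24, an announced prefix), and the thresholds would come from traffic baselines rather than the round numbers used here.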

The top three attack vectors for March were: 

  1. Total Traffic: 45.13% (compared to February’s 30.89%) 
  2. TCP ACK: 30.26% (compared to February’s 42.05%) 
  3. UDP: 11.86% (compared to February’s 10.9%) 

76.35% of observed DDoS attacks consisted of one DDoS vector, while 23.65% consisted of two or more.  

Top 3 Industries 

Financial Services was the most targeted industry in March. The top three industries by share of events were: 

  1. Financial Services: 59.71% (compared to February’s 95.85%) 
  2. IT/Technical Services: 38.29% (compared to February’s 2.65%) 
  3. Communication Services Providers: 1.40% 

DNS: Steady Activity and Increasing Security 

Vercara Managed DNS noted a 14.83% increase in overall DNS queries for March, with total authoritative DNS queries surpassing 4.44 trillion; daily authoritative query counts rose by 2.41%, underscoring the critical role DNS plays in supporting digital operations. Vercara’s UltraDNS observed 30 DDoS attacks targeting the platform in March, a 3.45% decline from February.

For a deeper dive, check out the DNS Analysis Report.

Notably, the IPSECKEY DNS record type saw a 380.70% month-over-month increase in queries. This record type (RFC 4025) supports IPsec deployment by letting a zone publish a host’s IPsec public key, and optionally the gateway that handles its traffic, so that peers can discover keys and gateways through DNS. Two caveats apply: IPSECKEY queries are rare, so a large percentage change can come from a small absolute base, and the record is only as trustworthy as the DNS answer carrying it, so it should be relied on only with DNSSEC validation. With those caveats, the increase may indicate that organizations are adopting IPSECKEY records to improve their security posture.
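To make the record concrete, here is an added example, not taken from the report, that builds and parses IPSECKEY RDATA as laid out in RFC 4025: one byte each for precedence, gateway type and algorithm, then the gateway in the form the type dictates, then the public key. The gateway address, gateway name and key bytes below are constructed.

```python
"""Added example (not Vercara's code): encode and decode RFC 4025 IPSECKEY
RDATA.  The record values are constructed; the public key is 32 dummy bytes."""
import base64
import ipaddress
import struct

GW_NONE, GW_IPV4, GW_IPV6, GW_NAME = 0, 1, 2, 3   # gateway type values


def _name_to_wire(name):
    # IPSECKEY gateway names are encoded uncompressed
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _name_from_wire(data, off):
    labels = []
    while data[off] != 0:
        n = data[off]
        labels.append(data[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def ipseckey_to_wire(precedence, gateway_type, algorithm, gateway, pubkey_b64):
    """RDATA = precedence(1) | gateway type(1) | algorithm(1) | gateway | key."""
    if gateway_type == GW_NONE:
        gw = b""                                   # presentation form uses "."
    elif gateway_type == GW_IPV4:
        gw = ipaddress.IPv4Address(gateway).packed
    elif gateway_type == GW_IPV6:
        gw = ipaddress.IPv6Address(gateway).packed
    elif gateway_type == GW_NAME:
        gw = _name_to_wire(gateway)
    else:
        raise ValueError(f"unknown gateway type {gateway_type}")
    key = base64.b64decode(pubkey_b64) if pubkey_b64 else b""
    if algorithm != 0 and not key:
        raise ValueError("algorithm set but no public key present")
    return struct.pack("!BBB", precedence, gateway_type, algorithm) + gw + key


def ipseckey_from_wire(rdata):
    precedence, gateway_type, algorithm = struct.unpack("!BBB", rdata[:3])
    off = 3
    if gateway_type == GW_NONE:
        gateway = "."
    elif gateway_type == GW_IPV4:
        gateway, off = str(ipaddress.IPv4Address(rdata[off:off + 4])), off + 4
    elif gateway_type == GW_IPV6:
        gateway, off = str(ipaddress.IPv6Address(rdata[off:off + 16])), off + 16
    elif gateway_type == GW_NAME:
        gateway, off = _name_from_wire(rdata, off)
    else:
        raise ValueError(f"unknown gateway type {gateway_type}")
    return {"precedence": precedence, "gateway_type": gateway_type,
            "algorithm": algorithm, "gateway": gateway,
            "public_key": base64.b64encode(rdata[off:]).decode()}


def to_presentation(rec):
    """Zone-file form: precedence gateway-type algorithm gateway public-key."""
    return (f"{rec['precedence']} {rec['gateway_type']} {rec['algorithm']} "
            f"{rec['gateway']} {rec['public_key']}")


# Constructed record: precedence 10, IPv4 gateway, algorithm 2 (RSA), dummy key
DUMMY_KEY_B64 = base64.b64encode(bytes(range(32))).decode()
EXAMPLE_WIRE = ipseckey_to_wire(10, GW_IPV4, 2, "192.0.2.38", DUMMY_KEY_B64)

if __name__ == "__main__":
    print(to_presentation(ipseckey_from_wire(EXAMPLE_WIRE)))
```

Whatever the record carries, a resolver that has not validated the answer with DNSSEC has no reason to trust it; RFC 4025 says as much, since a forged IPSECKEY can point a host at an attacker-controlled gateway.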

IPv4 and IPv6 Trends 

Overall, March followed in February’s footsteps with the Top 3 DNS Query types: 

  1. A Record 
  2. AAAA record (quad-A) 
  3. Name Server (NS) 

The consistent share of quad-A queries indicates continued IPv6 adoption, although many client stacks issue an AAAA query alongside every A query regardless of whether they have IPv6 connectivity, so query share overstates actual IPv6 use.

DNS Response Codes Remain Stable 

The top two response codes remained the same month-over-month: 

  1. “No Error”: most prevalent response code at 78.01%, a 12.02% month-over-month increase 
  2. “NXDomain”: 21.78%, a 26.62% month-over-month decrease 

A high NXDOMAIN share can indicate misconfiguration (stale or mistyped records), attackers running DNS enumeration tools that guess subdomain names, or a random-subdomain flood in which the attacker generates nonexistent names to force the authoritative servers to answer each one, a form of DDoS.
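An added example, not part of the report, that applies the point above to a resolver log: it computes each client’s NXDOMAIN ratio and the entropy of the leftmost label of the names that failed, which separates a single typo from the random-label bursts produced by enumeration tools and random-subdomain floods. The log lines and their “timestamp client qname rcode” layout are constructed, not a real resolver’s format.

```python
"""Added example (not Vercara's code): flag clients whose queries are mostly
NXDOMAIN for random-looking labels.  Log lines below are constructed."""
import math
from collections import defaultdict

# Constructed random-looking labels, the kind enumeration tools and
# random-subdomain floods produce
RANDOM_LABELS = ["q7xk2m9ptz4v", "b3nw8rj5yc1h", "g6dl0sf4ue2a", "z9mh3kq7wn5b",
                 "t2cv8xp1rj6y", "n4fs7bl3gk9d", "h8wq2zm6vt0c", "k1pd5ny9xr3s",
                 "v6jb4tc8lq2m", "r3gz7hw1ef5n"]


def constructed_log():
    lines = []
    # Client A: 20 random-label queries (all NXDOMAIN) plus one real name
    for i, label in enumerate(RANDOM_LABELS * 2):
        lines.append(f"2025-03-12T10:00:{i:02d}Z 198.51.100.5 {label}.example.com NXDOMAIN")
    lines.append("2025-03-12T10:00:20Z 198.51.100.5 www.example.com NOERROR")
    # Client B: ordinary lookups with a single typo
    lines += ["2025-03-12T10:01:00Z 192.0.2.7 www.example.com NOERROR",
              "2025-03-12T10:01:01Z 192.0.2.7 www.example.com NOERROR",
              "2025-03-12T10:01:02Z 192.0.2.7 mail.example.com NOERROR",
              "2025-03-12T10:01:03Z 192.0.2.7 api.example.com NOERROR",
              "2025-03-12T10:01:04Z 192.0.2.7 wwww.example.com NXDOMAIN"]
    return lines


def parse(lines):
    recs = []
    for line in lines:
        ts, client, qname, rcode = line.split()
        recs.append({"ts": ts, "client": client,
                     "qname": qname.lower().rstrip("."), "rcode": rcode})
    return recs


def shannon_entropy(s):
    """Bits per character; 'wwww' scores 0, twelve distinct characters log2(12)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def client_stats(recs):
    """Per client: query count, NXDOMAIN ratio, mean entropy of the leftmost
    label of the names that returned NXDOMAIN."""
    acc = defaultdict(lambda: {"total": 0, "nx": 0, "entropies": []})
    for r in recs:
        s = acc[r["client"]]
        s["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nx"] += 1
            s["entropies"].append(shannon_entropy(r["qname"].split(".")[0]))
    out = {}
    for client, s in acc.items():
        mean_h = sum(s["entropies"]) / len(s["entropies"]) if s["entropies"] else 0.0
        out[client] = {"total": s["total"], "nx_ratio": s["nx"] / s["total"],
                       "mean_label_entropy": mean_h}
    return out


def suspicious_clients(recs, min_queries=10, min_nx_ratio=0.8, min_entropy=3.0):
    """Enough queries, mostly NXDOMAIN, for names that look generated."""
    return sorted(c for c, s in client_stats(recs).items()
                  if s["total"] >= min_queries
                  and s["nx_ratio"] >= min_nx_ratio
                  and s["mean_label_entropy"] >= min_entropy)


if __name__ == "__main__":
    for client, s in client_stats(parse(constructed_log())).items():
        print(client, s)
    print("suspicious:", suspicious_clients(parse(constructed_log())))
```

The entropy threshold is what keeps a typo or a stale CNAME out of the alert: a misconfiguration repeats the same readable name, while enumeration and flood tools churn through labels that never recur. Against an authoritative server the same statistics are computed per resolver address rather than per end client, since the flood arrives through open resolvers.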

Industry Sectors 

Industry sectors continue to work on and improve their DNS management, with March’s report showing both wins and areas for improvement.   

The DNS record-type queries provide insight into how the industry uses digital infrastructure. Some highlights include: 

  • Widespread requests for HTTPS records reflect modern browsers querying HTTPS (SVCB) records by default to learn how to reach a site securely; the volume says more about client behavior than about any one operator’s choices. 
  • Financial Services and Health Care verticals show a moderate presence of TXT records, consistent with heightened emphasis on email authentication protocols such as SPF, DKIM, and DMARC, all of which are published as TXT records. 

Software/Web Services and IT/Technical Services 

These two industries received the most DNS queries, representing 77.38% of all DNS queries. Software/Web Services accounted for 45.03%, while IT/Technical Services accounted for 32.35%. The number indicates the sectors’ extensive reliance on robust DNS services for: 

  • Web hosting 
  • Cloud services 
  • Technical operations

Additionally, the Software/Web Services industry had a significant presence of ‘No Error’ responses, indicating effective DNS management. 

Manufacturing 

The Manufacturing industry received the third most DNS queries, accounting for 14.18%. These query volumes may indicate the growing use of digital services, including Industrial Internet of Things (IIoT) devices.  

Web Application Firewall (WAF): More Requests and New Threats 

During March, Vercara UltraWAF processed over 2.41 billion web requests, a 274.50% increase compared to February. Of these requests, 6.61% were malicious and 0.71% were identified as bot traffic.   

For a deeper dive, check out the WAF Analysis Report.

The 400 Response category showed a significant 15,020.28% increase. This response code typically indicates a Bad Request, meaning that the servers failed to understand or process the client’s request due to any of the following: 

  • Malformed syntax 
  • Invalid request parameters 
  • Protocol violations 

In the WAF context, this code often results from the following: 

  • Improperly formatted HTTP requests 
  • Excessive URL lengths 
  • Forbidden characters in inputs that violate security policies

Both malicious clients and WAF rules that reject a request outright can raise the 400 count, so a jump like this one warrants checking which rules fired before treating it purely as attack volume.

Increased Activity 

March’s data found: 

  • 27.44% increase in malicious activity compared to February 
  • 23.93% increase in the amount of bot traffic compared to February

Top 3 Threat Categories 

Along with these overall increases, March showed additional changes: 

  1. Cookie threat category remained most prevalent, accounting for 39.48% of malicious traffic  
  2. Invalid RFC threat came in second, accounting for 32.68% of malicious traffic 
  3. Command Injection came in third, accounting for 17.46% of malicious traffic 

 

March Countermeasure of the Month 

Our featured countermeasure this month is a Responder Policy that protects the portions of a site behind a login. A Responder Policy lets organizations block, redirect, or take other actions based on match criteria.

This Responder Policy checks for the presence of a login cookie and serves a redirect to the login page when the cookie is absent from the request. Presence of the cookie is not proof of authentication, since any client can set a cookie with that name; the application must still validate the session. The policy’s value is that unauthenticated scanners and crawlers never reach the protected paths.

This Responder Policy can also be combined with the following UltraWAF features:  

  • Relaxation rules for SQL injection, command injection, and cross-site scripting for the URL “.*/wp-admin/.*”, since the admin interface legitimately submits markup and scripts; relaxations widen exposure under that path, which is why they belong behind the login gate. 
  • A Field Format rule to validate that the “wordpress_logged_in” cookie is properly formatted and the correct length. 
  • A WAF bypass for the source IP addresses of known CMS administrators, kept as short and specific as possible, since bypassed sources receive no inspection at all.
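The decision logic of that policy, written as an added Python example rather than as UltraWAF configuration: the path pattern is the one quoted above, while the login path, the bypass source, the admin-ajax exemption and the cookie layout (user, expiry, token, HMAC) are assumptions made for the example.

```python
"""Added example (not Vercara's code or UltraWAF configuration): the responder
policy's decision logic in Python.  Login path, bypass list, the admin-ajax
exemption and the cookie layout are assumptions for this example."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

LOGIN_PATH = "/wp-login.php"                        # assumed login page
PROTECTED = re.compile(r".*/wp-admin/.*")            # URL pattern quoted above
OPEN_UNDER_WP_ADMIN = ("/wp-admin/admin-ajax.php",)  # assumed: used by logged-out visitors
COOKIE_PREFIX = "wordpress_logged_in"                # real name carries a site-hash suffix
BYPASS_SOURCES = {"203.0.113.10"}                    # assumed administrator source IP

# Assumed WordPress auth cookie layout: user|expiry|token|hmac
COOKIE_FORMAT = re.compile(
    r"^[A-Za-z0-9 _.@-]{1,60}\|\d{9,11}\|[A-Za-z0-9]{43}\|[0-9a-f]{32,64}$")


@dataclass
class Decision:
    action: str                     # "forward", "redirect" or "block"
    status: int
    reason: str
    location: Optional[str] = None  # redirect target, when action is "redirect"


def parse_cookies(header):
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, _, value = part.strip().partition("=")
            cookies[name] = value
    return cookies


def login_cookie(cookies):
    """Return the decoded login cookie value, or None if no such cookie."""
    for name, value in cookies.items():
        if name.startswith(COOKIE_PREFIX):
            return unquote(value)   # '|' arrives percent-encoded as %7C
    return None


def responder_decision(path, cookie_header, client_ip):
    if client_ip in BYPASS_SOURCES:
        return Decision("forward", 200, "source in bypass list")
    if not PROTECTED.match(path) or path.endswith(OPEN_UNDER_WP_ADMIN):
        return Decision("forward", 200, "path not gated")
    value = login_cookie(parse_cookies(cookie_header))
    if value is None:
        # The responder policy proper: no login cookie, send to the login page
        return Decision("redirect", 302, "no login cookie",
                        f"{LOGIN_PATH}?redirect_to={path}")
    if not COOKIE_FORMAT.match(value):
        # The field-format rule: cookie present but not shaped like one
        return Decision("block", 400, "login cookie fails field-format rule")
    # Presence and shape only; the application still validates the HMAC
    return Decision("forward", 200, "login cookie present and well formed")


# Constructed cookie with the assumed layout (43-char token, 64-hex HMAC)
VALID_COOKIE = ("wordpress_logged_in_1a2b3c=admin%7C1743465600%7C"
                + "x" * 43 + "%7C" + "0" * 64)

if __name__ == "__main__":
    for args in [("/wp-admin/edit.php", "", "198.51.100.5"),
                 ("/wp-admin/edit.php", VALID_COOKIE, "198.51.100.5"),
                 ("/wp-admin/edit.php", "wordpress_logged_in_1a2b3c=<script>", "198.51.100.5"),
                 ("/wp-admin/admin-ajax.php", "", "198.51.100.5")]:
        print(args[0], responder_decision(*args))
```

Note the exemption: many WordPress sites serve logged-out visitors through /wp-admin/admin-ajax.php, so a blanket gate on /wp-admin/ can break the public site. Check which paths under the prefix the front end actually calls before deploying the policy, and keep the bypass list to individual administrator addresses.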

Turnkey Cloud-based Security with Vercara 

Vercara provides a turnkey, multilayered approach to security with UltraDNS, UltraDDoS Protect, and UltraWAF. With Vercara’s comprehensive suite of solutions, organizations gain advanced security capabilities, insights for informed decision-making, and improved resilience against cyber threats.   

Contact our sales team to learn how Vercara’s suite of solutions can help defend your organization.  

Published On: April 15, 2025
Last Updated: April 15, 2025
