Distributed denial-of-service (DDoS) attacks grew in frequency and volume last year, with the number of HTTP DDoS assaults steadily increasing to outpace Layer 3/Layer 4 attacks in the fourth quarter, Cloudflare said on Tuesday.

At an average of 4,870 DDoS attacks every hour, the web security firm blocked roughly 21.3 million DDoS attacks in 2024, up 53% compared to the approximately 14 million attacks blocked in 2023.

The number of blocked attacks increased steadily starting with the second quarter of last year, going from 4 million to 6 million in the third quarter and reaching 6.9 million in the fourth quarter.

During the last three months of the year, Cloudflare blocked 3.5 million HTTP DDoS attacks and 3.4 million Layer 3/Layer 4 attacks, the company’s latest DDoS threat report reveals.

Most of the HTTP incidents (73%) were attributed to known botnets, but the company also documented attacks spoofing legitimate browsers (11%), containing suspicious or unusual HTTP attributes (10%), and ones using other vectors (8%).

“These attack vectors, or attack groups, are not necessarily exclusive. For example, known botnets also impersonate browsers and have suspicious HTTP attributes,” Cloudflare explains.

The technology provider also noticed that 13 of the top user agents most frequently observed in DDoS attacks were Chrome versions ranging from 118 to 129, although the browser has been updated to version 132 for both desktop and mobile devices.

According to Cloudflare, roughly 92% of HTTP DDoS attack requests observed during the fourth quarter of the year were over HTTPS, and the remaining 8% requests were over plaintext HTTP.

When it comes to Layer 3/Layer 4 (network layer) attacks, SYN floods (38%), DNS floods (16%), and UDP floods (14%) were the most common attack vectors. Six percent of the observed network layer attacks were launched by Mirai botnets.

The largest DDoS attack blocked during the last three months of 2024 was a 5.6 terabit per second (Tbps) UDP DDoS assault launched by a Mirai-variant botnet against an internet service provider in Eastern Asia.

The attack lasted 80 seconds and originated from 13,000 unique source IP addresses, each contributing, on average, around 1 gigabyte per second.

The previous record-breaking DDoS attack seen by Cloudflare peaking at 3.8 Tbps.

While most (93%) network layer DDoS attacks in the fourth quarter of last year did not exceed 500 Mbps, the number of hyper-volumetric network layer DDoS attacks reached 420, up 1,885% quarter-over-quarter.

Of the HTTP DDoS attacks observed during the last three months of 2024, 63% did not exceed 50,000 requests per second (rps), and only 3% exceeded 100 million rps.

“The majority of HTTP DDoS attacks (72%) end in under ten minutes. Approximately 22% of HTTP DDoS attacks last over one hour, and 11% last over 24 hours. Similarly, 91% of network layer DDoS attacks also end within ten minutes. Only 2% last over an hour,” Cloudflare says.

During the fourth quarter of 2024, Indonesia was the largest source of DDoS attacks, followed by Hong Kong and Singapore, while China was the most attacked country, followed by the Philippines and Taiwan. Telecommunications organizations, the internet industry, and marketing firms were attacked the most.

Related: 27 DDoS Attack Services Taken Down by Law Enforcement

Related: Anonymous Sudan DDoS Service Disrupted, Members Charged by US

Related: Quantifying ROI in Cybersecurity Spend

Related: Secret US Documents on Ukraine War Plan Spill Onto Internet: Report