Network layer attacks
Network layer attacks show DDoS attack trends at the network layer. These attacks can be split by the network protocol they use: ICMP, TCP, UDP and others.
When filtering by location or autonomous system (AS), we are filtering by the source location/AS of the attack — which can be very different to the location of the human orchestrator of the attack. Refer to botnets for more information.
List of endpoints
Timeseries
Example: hourly percentage breakdown by attack method
In the following example, we will examine the worldwide versus Singapore distribution of mitigated attacks by network protocol:
curl "https://api.cloudflare.com/client/v4/radar/attacks/layer3/timeseries_groups?name=global&dateRange=1d&location=&name=singapore&location=SG&dateRange=1d&aggInterval=1h&format=json" \
--header "Authorization: Bearer <API_TOKEN>"
If we inspect the abbreviated response below, we can conclude that globally, at those timestamps, UDP and TCP attacks were mostly evenly split.
{
  "success": true,
  "errors": [],
  "result": {
    "global": {
      "timestamps": ["2022-11-06T13:00:00Z", "2022-11-06T14:00:00Z", "..."],
      "udp": ["50.784034", "51.055221", "..."],
      "tcp": ["49.213944", "48.943769", "..."],
      "icmp": ["0.002023", "0.001009", "..."],
      "gre": ["0.0", "0.0", "0.0", "..."]
    },
    "singapore": {
      "timestamps": ["2022-11-06T13:00:00Z", "2022-11-06T14:00:00Z", "..."],
      "tcp": ["79.605287", "83.943885", "..."],
      "udp": ["20.394594", "16.056115", "..."],
      "icmp": ["0.000119", "0.0", "..."],
      "gre": ["0.0", "0.0", "..."]
    },
    "meta": {
      "dateRange": {
        "startTime": "2022-11-06T13:00:00Z",
        "endTime": "2022-11-07T13:00:00Z"
      },
      "normalization": "PERCENTAGE"
    }
  }
}
We can also conclude that the distribution of network layer attacks coming from Singapore — or, more accurately, reaching Cloudflare’s data center located in Singapore — differs quite a bit from the worldwide distribution. At those times, the distribution of network layer attacks clearly favors TCP.
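The comparison above can be made repeatable. The following is an added example, not part of the Cloudflare documentation: it parses a timeseries_groups response, finds the dominant protocol per hour for each named series, and measures how far the two protocol mixes are apart. The function names, the `threshold` parameter and its default of 10 percentage points are assumptions, and the sample input is the page's abbreviated response with the "..." placeholders removed.

```python
import json

# Constructed sample: the page's abbreviated response without the "..." entries.
SAMPLE = json.loads("""
{"success": true, "errors": [], "result": {
  "global": {"timestamps": ["2022-11-06T13:00:00Z", "2022-11-06T14:00:00Z"],
             "udp": ["50.784034", "51.055221"], "tcp": ["49.213944", "48.943769"],
             "icmp": ["0.002023", "0.001009"], "gre": ["0.0", "0.0"]},
  "singapore": {"timestamps": ["2022-11-06T13:00:00Z", "2022-11-06T14:00:00Z"],
                "tcp": ["79.605287", "83.943885"], "udp": ["20.394594", "16.056115"],
                "icmp": ["0.000119", "0.0"], "gre": ["0.0", "0.0"]},
  "meta": {"normalization": "PERCENTAGE"}}}
""")

def by_hour(series):
    """Turn one named series into {timestamp: {protocol: percent as float}}."""
    protocols = [k for k in series if k != "timestamps"]
    return {ts: {p: float(series[p][i]) for p in protocols}
            for i, ts in enumerate(series["timestamps"])}

def compare(response, baseline, subject, threshold=10.0):
    """For each timestamp present in both series, report the dominant protocol
    of each and the distance between the two mixes in percentage points.
    `threshold` is a hypothetical cut-off for flagging an hour as divergent."""
    if not response.get("success"):
        raise ValueError(f"API error: {response.get('errors')}")
    result = response["result"]
    if result["meta"]["normalization"] != "PERCENTAGE":
        raise ValueError("expected percentage-normalized values")
    base, subj = by_hour(result[baseline]), by_hour(result[subject])
    rows = []
    for ts in sorted(base.keys() & subj.keys()):
        b, s = base[ts], subj[ts]
        # Half the sum of absolute differences: the share of attacks that
        # would have to use a different protocol for the two mixes to match.
        shift = 0.5 * sum(abs(b.get(p, 0.0) - s.get(p, 0.0))
                          for p in b.keys() | s.keys())
        rows.append({"timestamp": ts, "baseline_top": max(b, key=b.get),
                     "subject_top": max(s, key=s.get),
                     "shift": round(shift, 3), "divergent": shift >= threshold})
    return rows

if __name__ == "__main__":
    for row in compare(SAMPLE, "global", "singapore"):
        print(row)
```

The values arrive as strings, so they are converted with `float()` before any arithmetic, and only timestamps present in both series are compared.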
For more information refer to the API reference for this endpoint.
Summary
Example: Russia - overall percentage breakdown by network protocol
We can also filter by source location and examine attacks coming from Russia:
curl "https://api.cloudflare.com/client/v4/radar/attacks/layer3/summary?location=RU&name=attacks_ru&dateRange=1d&format=json" \
--header "Authorization: Bearer <API_TOKEN>"
{
  "success": true,
  "errors": [],
  "result": {
    "attacks_ru": {
      "udp": "86.682356",
      "tcp": "11.928664",
      "gre": "1.381015",
      "icmp": "0.007965"
    },
    "meta": {
      "dateRange": {
        "startTime": "2022-11-06T15:00:00Z",
        "endTime": "2022-11-07T15:00:00Z"
      },
      "normalization": "PERCENTAGE"
    }
  }
}
The response shows that the attacks coming from Russia to other locations tended to use the UDP network protocol at those timestamps.
For more information refer to the API reference for this endpoint.
Next steps
Refer to DNS to learn more about the aggregated and anonymized DNS queries to Cloudflare’s 1.1.1.1 public resolver service.