Network layer attacks
Network layer attacks show DDoS ↗ attack trends at the network layer. These attacks can be split by the network protocol they use: ICMP ↗, TCP ↗, UDP ↗ and others.
When filtering by location or autonomous system (AS), we are filtering by the source location/AS of the attack — which can be very different to the location of the human orchestrator of the attack. Refer to botnets ↗ for more information.
In the following example, we will examine the worldwide versus Singapore distribution of mitigated attacks by network protocol:
If we inspect the abbreviated response below, we can conclude that globally, at those timestamps, UDP
and TCP
attacks were mostly evenly split.
We can also conclude that the distribution of network layer attacks coming from Singapore — or, more accurately, reaching Cloudflare's data center located in Singapore — differs quite a bit from the worldwide distribution. At those times, the distribution of network layer attacks clearly favors TCP ↗.
For more information refer to the API reference for this endpoint.
We can also filter by source location and examine attacks coming from Russia:
The response shows that the attacks coming from Russia to other locations tended to use the UDP ↗ network protocol at those timestamps.
For more information refer to the API reference for this endpoint.
Refer to DNS to learn more about the aggregated and anonymized DNS queries to Cloudflare's 1.1.1.1 public resolver service.