Network layer attacks

Network layer attacks show DDoS Open external link attack trends at the network layer. These attacks can be split by the network protocol they use: ICMP Open external link , TCP Open external link , UDP Open external link and others.

When filtering by location or autonomous system (AS), we are filtering by the source location/AS of the attack — which can be very different to the location of the human orchestrator of the attack. Refer to botnets Open external link for more information.

​​ List of endpoints

​​ Timeseries

​​ Example: hourly percentage breakdown by attack method

In the following example, we will examine the worldwide versus Singapore distribution of mitigated attacks by network protocol:

curl -X GET "https://api.cloudflare.com/client/v4/radar/attacks/layer3/timeseries_groups?name=global&dateRange=1d&location=&name=singapore&location=SG&dateRange=1d&aggInterval=1h&format=json" \
     -H "Authorization: Bearer <API_TOKEN>"

If we inspect the abbreviated response below, we can conclude that globally, at those timestamps, UDP and TCP attacks were mostly evenly split.

{
  "success": true,
  "errors": [],
  "result": {
    "global": {
      "timestamps": ["2022-11-06T13:00:00Z", "2022-11-06T14:00:00Z", "..."],
      "udp": ["50.784034", "51.055221", "..."],
      "tcp": ["49.213944", "48.943769", "..."],
      "icmp": ["0.002023", "0.001009", "..."],
      "gre": ["0.0", "0.0", "0.0", "..."]
    },
    "singapore": {
      "timestamps": ["2022-11-06T13:00:00Z", "2022-11-06T14:00:00Z", "..."],
      "tcp": ["79.605287", "83.943885", "..."],
      "udp": ["20.394594", "16.056115", "..."],
      "icmp": ["0.000119", "0.0", "..."],
      "gre": ["0.0", "0.0", "..."]
    },
    "meta": {
      "dateRange": {
        "startTime": "2022-11-06T13:00:00Z",
        "endTime": "2022-11-07T13:00:00Z"
      },
      "normalization": "PERCENTAGE",
    }
  }
}

We can also conclude that the distribution of network layer attacks coming from Singapore — or, more accurately, reaching Cloudflare’s data center located in Singapore — differs quite a bit from the worldwide distribution. At those times, the distribution of network layer attacks clearly favors TCP Open external link .

For more information refer to the API reference Open API docs link for this endpoint.

​​ Summary

​​ Example: Russia - overall percentage breakdown by network protocol

We can also filter by source location and examine attacks coming from Russia:

curl -X GET "https://api.cloudflare.com/client/v4/radar/attacks/layer3/summary?location=RU&name=attacks_ru&dateRange=1d&format=json" \
     -H "Authorization: Bearer <API_TOKEN>"

{
  "success": true,
  "errors": [],
  "result": {
    "attacks_ru": {
      "udp": "86.682356",
      "tcp": "11.928664",
      "gre": "1.381015",
      "icmp": "0.007965"
    },
    "meta": {
      "dateRange": {
        "startTime": "2022-11-06T15:00:00Z",
        "endTime": "2022-11-07T15:00:00Z"
      },
      "normalization": "PERCENTAGE"
    }
  }
}

The response shows that the attacks coming from Russia to other locations tended to use the UDP Open external link network protocol at those timestamps.

For more information refer to the API reference Open API docs link for this endpoint.

​​ Next steps

Refer to DNS to learn more about the aggregated and anonymized DNS queries to Cloudflare’s 1.1.1.1 public resolver service.