In the fourth quarter of 2024, around 512,000 DDoS attacks were registered worldwide. The figure has gradually increased from 274,000 incidents in the first quarter of 2023.
DDoS Statistics: As we move to 2025, cybersecurity is still at risk of distributed denial of service (DDoS) attacks that interrupt services to businesses, governments, and organisations. A DDoS attack takes place when several infected systems bombard a target with so much traffic that it can no longer handle the load and goes down.
Due to developments in technology, the frequency, complexity, and gravity of DDoS attacks have greatly increased. Below, we will discuss the current DDoS statistics for 2024 with an emphasis on scale, economic impact, frequency, and other factors.
In 2021, around ** percent of distributed denial of service (DDoS) attacks were directed at the United States. The United Kingdom took second place, and China third place with just below ** percent of attacks. The computer and internet industry is most frequently targeted.
In 2023, organizations in the finance industry worldwide saw the highest share of DDoS attacks, ** percent. The finance industry ranked second, with over ** percent, while healthcare followed, with **** percent.
In the first half of 2024, DDoS attacks on web search portals and all other information services in Indonesia had the highest average duration, amounting to around *** minutes per attack. A DDoS attack, also known as a Distributed Denial-of-Service attack, is a type of cybercrime where the attacker overwhelms a server with internet traffic in an effort to prevent people from accessing linked websites and online services.
The Distributed Denial-of-Service (DDoS) Attack Protection Software market is a vital segment of the cybersecurity landscape, designed to safeguard businesses and organizations from the increasing threat of DDoS attacks. These malicious attempts to disrupt the normal functioning of targeted servers, services, or net
The statistic shows the distributed denial-of-service (DDoS) and bot protection software market share as of February 2024, by vendor. As of then, Cloudflare Security had the greatest market share worldwide, which stood at 82.16 percent.
The DDoS (Distributed Denial of Service) Attack Protection Service market is an essential segment of the cybersecurity landscape, responding to the increasing threat posed by cybercriminals who launch disruptive attacks on businesses and services online. DDoS attacks can incapacitate websites and services by overwhe
The Distributed Denial-of-Service (DDoS) Attack Solution market has become increasingly vital in today's digital landscape, where businesses and organizations face the imminent threat of cyber-attacks that can paralyze their operations and tarnish their reputations. DDoS attacks overwhelm targeted systems with
The DDoS Protection Tool market has emerged as a critical component in the cybersecurity landscape, evolving to meet the increasing frequency and sophistication of Distributed Denial-of-Service (DDoS) attacks. These attacks can incapacitate websites and online services by overwhelming them with traffic, resulting in
In the second half of 2023, DDoS attacks on wired telecommunication carriers in Thailand amounted to around ***** thousand. A DDoS attack, also known as a Distributed Denial-of-Service attack, is a type of cybercrime where the attacker overwhelms a server with internet traffic in an effort to prevent people from accessing linked websites and online services.
In 2023, the estimated number of distributed denial-of-service (DDoS) cyberattacks in Italy was approximately 13,000. This represents a decrease from the 2,000 attacks registered in 20212. In 2019 and 2020, the country registered the peak of DDoS attacks, with over 15,000 cyberattacks reported.
In today's interconnected digital landscape, the DDoS (Distributed Denial of Service) Protection and Mitigation Hardware market plays an essential role in safeguarding organizations from the ever-growing threat of cyberattacks. DDoS attacks can disrupt services and cause significant financial and reputational losses
Attribution-NonCommercial-ShareAlike 4.0 (CC BY-NC-SA 4.0): https://creativecommons.org/licenses/by-nc-sa/4.0/
License information was derived automatically
In 2020, the number of detected Distributed Denial-of-Service (DDoS) attacks and responses to those attacks by South Korea's Internet and Security Agency totaled about *** cases, down from about *** the previous year. Following large-scale cyberattacks on South Korea in 2009, which included DDoS attacks on websites of the Blue House and major government agencies, South Korea established a "DDoS shelter" to mitigate DDoS attacks.
The Distributed Denial-Of-Service (DDoS) Protection market has emerged as a critical segment in the cybersecurity landscape, driven by the growing sophistication of cyber threats and the increasing reliance on online services. DDoS attacks, which aim to overwhelm a service with excessive traffic, can cripple operati
The Anti-DDoS Protection (ADS) Software market has rapidly evolved in recent years, emerging as a critical component for organizations striving to maintain their online presence and safeguard their digital assets against Distributed Denial of Service (DDoS) attacks. In an age where businesses increasingly rely on in
The Cloud DDoS Mitigation Tool market has emerged as a critical segment in the cybersecurity industry, driven by the increasing frequency and sophistication of Distributed Denial of Service (DDoS) attacks targeting businesses worldwide. Organizations across various sectors, such as finance, e-commerce, and telecommu
Between 2021 and 2024, the magnitude of the largest DDoS attacks has increased steadily. The attack with the largest breadth was recorded in 2024, reaching two Terabits per second.
Attribution 4.0 (CC BY 4.0): https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
1. Introduction
In the digital era of the Industrial Internet of Things (IIoT), the conventional Critical Infrastructures (CIs) are transformed into smart environments with multiple benefits, such as pervasive control, self-monitoring and self-healing. However, this evolution is characterised by several cyberthreats due to the necessary presence of insecure technologies. DNP3 is an industrial communication protocol which is widely adopted in the CIs of the US. In particular, DNP3 allows the remote communication between Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA). It can support various topologies, such as Master-Slave, Multi-Drop, Hierarchical and Multiple-Server. Initially, the architectural model of DNP3 consists of three layers: (a) Application Layer, (b) Transport Layer and (c) Data Link Layer. DNP3 can now also be incorporated into the Transmission Control Protocol/Internet Protocol (TCP/IP) stack as an application-layer protocol. However, similarly to other industrial protocols (e.g., Modbus and IEC 60870-5-104), DNP3 is characterised by severe security issues since it does not include any authentication or authorisation mechanisms. More information about the DNP3 security issue is provided in [1-3].
This dataset contains labelled Transmission Control Protocol (TCP) / Internet Protocol (IP) network flow statistics (Comma-Separated Values, CSV, format) and DNP3 flow statistics (CSV format) related to 9 DNP3 cyberattacks. These cyberattacks are focused on DNP3 unauthorised commands and Denial of Service (DoS). The network traffic data are provided through Packet Capture (PCAP) files. Consequently, this dataset can be used to implement Artificial Intelligence (AI)-powered Intrusion Detection and Prevention (IDPS) systems that rely on Machine Learning (ML) and Deep Learning (DL) techniques.
2. Instructions
This DNP3 Intrusion Detection Dataset was implemented following the methodological frameworks of A. Gharib et al. in [4] and S. Dadkhah et al. in [5], including eleven features: (a) Complete Network Configuration, (b) Complete Traffic, (c) Labelled Dataset, (d) Complete Interaction, (e) Complete Capture, (f) Available Protocols, (g) Attack Diversity, (h) Heterogeneity, (i) Feature Set and (j) Metadata.
A network topology consisting of (a) eight industrial entities, (b) one Human Machine Interface (HMI) and (c) three cyberattackers was used to implement this DNP3 Intrusion Detection Dataset. In particular, the following cyberattacks were implemented.
On Thursday, May 14, 2020, the DNP3 Disable Unsolicited Messages Attack was executed for 4 hours.
On Friday, May 15, 2020, the DNP3 Cold Restart Message Attack was executed for 4 hours.
On Friday, May 15, 2020, the DNP3 Warm Restart Message Attack was executed for 4 hours.
On Saturday, May 16, 2020, the DNP3 Enumerate Attack was executed for 4 hours.
On Saturday, May 16, 2020, the DNP3 Info Attack was executed for 4 hours.
On Monday, May 18, 2020, the DNP3 Initialisation Attack was executed for 4 hours.
On Monday, May 18, 2020, the Man In The Middle (MITM)-DoS Attack was executed for 4 hours.
On Monday, May 18, 2020, the DNP3 Replay Attack was executed for 4 hours.
On Tuesday, May 19, 2020, the DNP3 Stop Application Attack was executed for 4 hours.
The aforementioned DNP3 cyberattacks were executed utilising penetration testing tools, such as Nmap and Scapy. For each attack, a relevant folder is provided, including the network traffic and the network flow statistics for each entity. In particular, for each cyberattack, a folder is given, providing (a) the pcap files for each entity, (b) the Transmission Control Protocol (TCP)/Internet Protocol (IP) network flow statistics for 120 seconds in CSV format and (c) the DNP3 flow statistics for each entity, using different timeout values in seconds (such as 45, 60, 75, 90, 120 and 240 seconds). The TCP/IP network flow statistics were produced by using the CICFlowMeter, while the DNP3 flow statistics were generated based on a Custom DNP3 Python Parser, taking full advantage of Scapy.
The dataset consists of the following folders:
20200514_DNP3_Disable_Unsolicited_Messages_Attack: It includes the pcap and CSV files related to the DNP3 Disable Unsolicited Message attack.
20200515_DNP3_Cold_Restart_Attack: It includes the pcap and CSV files related to the DNP3 Cold Restart attack.
20200515_DNP3_Warm_Restart_Attack: It includes the pcap and CSV files related to the DNP3 Warm Restart attack.
20200516_DNP3_Enumerate: It includes the pcap and CSV files related to the DNP3 Enumerate attack.
20200516_DNP3_Ιnfo: It includes the pcap and CSV files related to the DNP3 Info attack.
20200518_DNP3_Initialize_Data_Attack: It includes the pcap and CSV files related to the DNP3 Data Initialisation attack.
20200518_DNP3_MITM_DoS: It includes the pcap and CSV files related to the DNP3 MITM-DoS attack.
20200518_DNP3_Replay_Attack: It includes the pcap and CSV files related to the DNP3 replay attack.
20200519_DNP3_Stop_Application_Attack: It includes the pcap and CSV files related to the DNP3 Stop Application attack.
Training_Testing_Balanced_CSV_Files: It includes balanced CSV files from CICFlowMeter and the Custom DNP3 Python Parser that could be utilised for training ML and DL methods. Each folder includes a different sub-folder for each of the flow timeout values used by the DNP3 Python Custom Parser. For CICFlowMeter, only the timeout value of 120 seconds was used.
Each folder includes respective subfolders related to the entities/devices (described in the following section) participating in each attack. In particular, for each entity/device, there is a folder including (a) the DNP3 network traffic (pcap file) related to this entity/device during each attack, (b) the TCP/IP network flow statistics (CSV file) generated by CICFlowMeter for the timeout value of 120 seconds and finally (c) the DNP3 flow statistics (CSV file) from the Custom DNP3 Python Parser. Finally, it is noteworthy that the network flows from both CICFlowMeter and Custom DNP3 Python Parser in each CSV file are labelled based on the DNP3 cyberattacks executed for the generation of this dataset. The description of these attacks is provided in the following section, while the various features from CICFlowMeter and Custom DNP3 Python Parser are presented in Section 5.
4. Testbed & DNP3 Attacks
The following figure shows the testbed utilised for the generation of this dataset. It is composed of eight industrial entities that play the role of the DNP3 outstations/slaves, such as Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs). Moreover, there is another workstation which plays the role of the Master station, like a Master Terminal Unit (MTU). For the communication between the DNP3 outstations/slaves and the master station, opendnp3 was used.
Table 1: DNP3 Attacks Description

| DNP3 Attack | Description | Dataset Folder |
| --- | --- | --- |
| DNP3 Disable Unsolicited Message Attack | This attack targets a DNP3 outstation/slave, establishing a connection with it, while acting as a master station. The false master then transmits a packet with the DNP3 Function Code 21, which requests to disable all the unsolicited messages on the target. | 20200514_DNP3_Disable_Unsolicited_Messages_Attack |
| DNP3 Cold Restart Attack | The malicious entity acts as a master station and sends a DNP3 packet that includes the “Cold Restart” function code. When the target receives this message, it initiates a complete restart and sends back a reply with the time window before the restart process. | 20200515_DNP3_Cold_Restart_Attack |
| DNP3 Warm Restart Attack | This attack is quite similar to the “Cold Restart Message”, but aims to trigger a partial restart, re-initiating a DNP3 service on the target outstation. | 20200515_DNP3_Warm_Restart_Attack |
| DNP3 Enumerate Attack | This reconnaissance attack aims to discover which DNP3 services and function codes are used by the target system. | 20200516_DNP3_Enumerate |
| DNP3 Info Attack | This attack constitutes another reconnaissance attempt, aggregating various DNP3 diagnostic information related to DNP3 usage. | 20200516_DNP3_Ιnfo |
| Data Initialisation Attack | This cyberattack is related to Function Code 15 (Initialize Data). It is an unauthorised access attack, which demands from the slave to re-initialise possible configurations to their initial values, thus changing potential values defined by legitimate masters. | 20200518_Initialize_Data_Attack |
| MITM-DoS Attack | In this cyberattack, the cyberattacker is placed between a DNP3 master and a DNP3 slave device, dropping all the messages coming from the DNP3 master or the DNP3 slave. | 20200518_MITM_DoS |
| DNP3 Replay Attack | This cyberattack replays DNP3 packets coming from a legitimate DNP3 master or DNP3 slave. | 20200518_DNP3_Replay_Attack |
| DNP3 Stop Application Attack | This attack is related to the Function Code 18 (Stop Application) and demands from the slave to stop its function so that the slave cannot receive messages from the master. | 20200519_DNP3_Stop_Application_Attack |
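As an added illustration (not code from the dataset's authors or their Custom DNP3 Python Parser), the sketch below parses a raw DNP3 link-layer frame, verifies its CRCs and flags the function codes behind the unauthorised-command attacks in Table 1. The frames are constructed inside the example; the helper names and the master allow-list are assumptions, and function codes 13 and 14 for Cold and Warm Restart are taken from the DNP3 function code list rather than from this page.

```python
import struct

# Function codes abused by the dataset's unauthorised-command attacks. 15, 18 and 21
# are named on the page; 13 and 14 are the standard DNP3 Cold/Warm Restart codes.
SENSITIVE_FC = {13: "COLD_RESTART", 14: "WARM_RESTART", 15: "INITIALIZE_DATA",
                18: "STOP_APPLICATION", 21: "DISABLE_UNSOLICITED"}

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: polynomial 0x3D65 (reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_frame(dst: int, src: int, func: int, objects: bytes = b"") -> bytes:
    """Build a constructed master request so the example needs no pcap file."""
    user = bytes([0xC0, 0xC0, func]) + objects  # transport hdr, app control, function code
    hdr = struct.pack("<2sBBHH", b"\x05\x64", 5 + len(user), 0xC4, dst, src)
    out = hdr + struct.pack("<H", crc16_dnp(hdr))
    for i in range(0, len(user), 16):           # user data travels in 16-byte blocks,
        block = user[i:i + 16]                  # each followed by its own CRC
        out += block + struct.pack("<H", crc16_dnp(block))
    return out

def inspect_frame(frame: bytes, allowed_masters: frozenset = frozenset()):
    """Return (src, dst, function_code, alert); alert is None for routine traffic."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("not a DNP3 link-layer frame")
    _, length, _ctrl, dst, src, crc = struct.unpack("<2sBBHHH", frame[:10])
    if crc != crc16_dnp(frame[:8]) or length < 5:
        raise ValueError("bad link header")
    user, pos, left = b"", 10, length - 5
    while left > 0:                             # strip and verify the per-block CRCs
        n = min(16, left)
        block, tail = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) < n or len(tail) < 2 or struct.unpack("<H", tail)[0] != crc16_dnp(block):
            raise ValueError("truncated or corrupted data block")
        user, pos, left = user + block, pos + n + 2, left - n
    if len(user) < 3 or not user[0] & 0x40:     # only a FIR segment carries the app header
        return src, dst, None, None
    func = user[2]
    if func not in SENSITIVE_FC:
        return src, dst, func, None
    # DNP3 has no authentication, so the source address is only a hint: it can be spoofed.
    origin = "allow-listed" if src in allowed_masters else "UNKNOWN"
    return src, dst, func, f"{SENSITIVE_FC[func]} (FC {func}) from {origin} master {src} to outstation {dst}"
```

Because the source address can be forged, an alert on an allow-listed master still deserves review against the expected maintenance schedule.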
The TCP/IP network flow statistics generated by CICFlowMeter are summarised below. The TCP/IP network flows and their statistics generated by CICFlowMeter are labelled based on the DNP3 attacks described above, thus allowing the training of ML/DL models. Finally, it is worth mentioning that these statistics are generated when the flow timeout value is equal to 120 seconds.
Table