Adaptive DDoS Suppression for a Safer, More Resilient Internet

Network operators have been working overtime for the past few years to meet the skyrocketing demand for bandwidth and throughput driven by remote work and greater investment in digital initiatives, as well as to support a rapidly expanding Internet of Things (IoT) landscape with billions of devices. From rolling out upgraded infrastructure to accelerating 5G and other high-access timelines, network operators have dramatically delivered when it comes to faster, high-volume connectivity.

Unfortunately, as much as these network upgrades help businesses and individuals connect and succeed in ways not even imagined a few years ago, they also open the door to something else—the opportunity for massive security vulnerabilities.

IoT Malware Proliferates

Online threats continue to multiply at significant speeds. For example, according to the data in NETSCOUT’s 1H 2022 Threat Intelligence Report, there are more than 500,000 compromised devices infected with IoT malware capable of launching distributed denial-of-service (DDoS) attacks. Another telling statistic from the report is that 5.5 million distinct adversary IPs have attacked NETSCOUT customers in the first half of 2022 alone. Overall, the threat of malware and botnet DDoS attacks is growing, and expanded internet capacity only makes the potential problems worse. 

Attack Vectors and Methods Circumvent Protections

The evolution of internet and global network topology is driving changes in attack vectors and methodologies that allow DDoS attackers to get around traditional defenses and countermeasures. And when you add to that all the increased bandwidth and throughput that network operators have been busy deploying, coupled with increasing populations of abusable devices, you end up with the potential for a new type of massive DDoS attacks.

A traditional network operator approach to DDoS attacks has been carrier-grade network address translation (CG-NAT), which can’t be used to protect newer online devices and services that employ protocols that don’t live behind NAT and thus lie exposed without protection. In addition, whereas existing DDoS defense approaches focused on attack detection, classification, traceback, and mitigation have worked well for inbound traffic, outbound and cross-bound DDoS attacks using today’s more robust operator infrastructures can be just as devastating. 

In short, what’s been working for network operators is no longer a viable long-term solution. Instead, network operators need to change their way of thinking, adapt to the new threat landscape, and move from a default posture of DDoS mitigation to a new paradigm of adaptive DDoS suppression. 

Why We Need Adaptive DDoS Suppression

Adaptive DDoS suppression approaches are needed because DDoS attacks themselves are now adaptive, with adversaries performing extensive pre-attack reconnaissance to identify specific weak points. Attackers are also using botnet nodes and reflectors/amplifiers that are topologically adjacent to targets, minimizing the administrative boundaries that DDoS attack traffic must traverse and reducing opportunities to stop such attacks. 

An adaptive DDoS suppression defense pushes DDoS defense to the edges of the network, including directly within peering and customer aggregation points of presence (PoPs). This allows network operators to suppress DDoS attack traffic as it enters anywhere at the network edge, shutting it down before it can become a large-scale attack. 

By implementing edge-based attack detection, intelligent DDoS mitigation, and network infrastructure-based mitigation techniques at all network ingress points, operators can implement adaptive DDoS suppression systems that scale to counter DDoS attack capacity and adversary innovation.

For more details on the changing dynamic of DDoS attacks and ways, adaptive DDoS suppression systems can stop threats at the network edge, read the NETSCOUT 1H 2022 DD0S Threat Intelligence Report.