Universal Truths, and Consequences

Most discussions of DDoS attacks are related to the impact of notable attacks against specific organizations. Broader DDoS attack campaigns against diverse organizations, networks, industries, geographies, and even ideological or geopolitical affinities are also quite common.  Despite their perceived increased tempo, these attacks are almost always considered to be exceptional events, constituting a significant divergence from the norm. 

But when we consider that NETSCOUT’s ASERT team observed more than 10 million DDoS attacks across 2023 — an average of ~30,000+ attacks each day, 1000+ attacks every hour, with a new attack being launched nearly every 2.5 seconds — a very different picture emerges.  And when we factor in the disproportionate collateral impact of DDoS attacks on people and organizations affected by the disruption of internet facing services and properties, it becomes clear that the very fabric of the internet itself is under constant assault, with very real consequences for us all. 

Infinite Impact Asymmetry

DDoS attacks are attacks against capacity and/or state and are intended to disrupt the availability of targeted applications, services, and infrastructure. They have become the online weapon of choice for both casual and skilled attackers due to the turmoil they inflict on targets unprotected by comprehensive, scalable, and adaptive DDoS defenses.  Because adversaries leverage compromised and abusable online resources belonging to legitimate organizations and individuals to launch DDoS attacks, the tangible cost to attackers is nil, while the costs for unprepared defenders are immense. 

As we shall see, attackers have, for all practical purposes, essentially unlimited DDoS attack resources at their disposal. Understanding this imbalance, and understanding how to counteract it, is the key to successful DDoS defense. 

Quantifying the Burden

The following metrics reveal how big of a burden DDoS really is. Over the past four years DDoS attacks have remained alarmingly common, with our telemetry showing more than 1 million attacks per month by the end of 2023 (Figure 1). 

DDoS attacks result in more than 40,000 cumulative attack hours every week. Not every attack requires intervention, yet the burden itself remains immense (Figure 2). 

Telecommunication providers are the frontline and deal with DDoS attacks constantly. They carry the brunt of DDoS attack impact in a time where terabit-per-second (Tbps) and hundred million-packets-per-second (Mpps) DDoS attacks are no longer a rarity (Figure 3 & 4). 

Reflection/Amplification — Assessing Maximal Attack Potential

While these statistics are quite sobering by themselves, it is even more concerning that attackers can wreak all this havoc while only leveraging a small percentage of the abusable DDoS attack resources of any given type! ASERTs global research scanner reveals a potential of ~1.5M DNS reflector amplifiers on any given day, but less than 10% are abused by DDoS attackers (Figure 4). In addition to the global pool of available reflectors/amplifiers, adversaries continue to add to the number of bots capable of launching DDoS attacks (Figure 5).  

Turning the Tables on Attackers with NETSCOUT’s Adaptive DDoS Threat Intelligence

No matter the amount of attack resources an adversary can wield, the combination of NETSCOUT’s DDoS defense expertise, coupled with worldwide visibility into the global DDoS attack trends, ensures that organizations using our solutions can expertly and proficiently mitigate the largest and most complex DDoS attacks at true internet scale.  By anticipating and tracking the emergence of new DDoS vectors and methodologies from their initial discovery through full weaponization, we empower defenders to successfully defend against not only day-zero, but minute-zero DDoS attack techniques. NETSCOUT’s Adaptive DDoS Threat Intelligence is a true force multiplier, reversing the resource asymmetry normally enjoyed by attackers. 

Contributors:

• Roland Dobbins
• Richard Hummel