DDoS Attacks Are on the Increase—and They Are Harder to Detect

Per NETSCOUT’s latest DDoS Threat Intelligence Report for 1H 2023, a staggering total of ~7.9 million distributed denial-of-service (DDoS) attacks were observed during the first half of the year—a 31 percent increase year over year. This represents an unbelievable 44,000 DDoS attacks every day.

New Attack Types Call for Smarter Mitigation

Attack trends indicate that volumetric reflection/amplification (RA) attacks are on the decline. And where RA attacks have diminished, direct-path, dynamic multivector attacks have increased and are more difficult to detect and mitigate. These dynamic, direct-path DDoS attacks can also change vectors frequently during an attack, often evading less sophisticated DDoS defenses. This dynamic shift in attack tactics necessitates a smarter, faster, and more granular level of mitigation than has been required in the past. NETSCOUT’s Adaptive DDoS Protection (ADP) was designed with these goals in mind.

ADP starts with NETSCOUT’s unrivaled visibility into more than 50 percent of all internet traffic, seeing tens of millions of attacks per year. This threat data, collected in our ATLAS Threat Intelligence system to be analyzed by our ASERT team, currently tracks more than 1.3 million bots and 500,000 known abusable reflection and amplification systems actively participating in DDoS attacks around the globe. This threat intelligence is continuously updated and provided to customers via our ATLAS Intelligence Feed (AIF).

By utilizing adaptive DDoS threat intelligence from AIF, NETSCOUT Sightline can detect all types of DDoS attacks from flow data and identify broader ranges of attacks that are often missed.

We estimate that by using the list of known IP addresses in AIF actively conducting DDoS attacks on a global basis, Sightline can detect between 80 and 90 percent of DDoS attacks without further analysis. This precise characterization allows the diversion of only the traffic that needs to be diverted for mitigation, minimizing any potential collateral damage due to over-mitigation.

Adaptive Mitigation with ADP for TMS

ADP for NETSCOUT’s Arbor Threat Mitigation System (TMS) provides adaptive mitigation. The same attack analysis engine that detected the attack continues to run, analyze, and adapt as the attack evolves. As attackers adjust the parameters of the attack, this evolution is monitored, and TMS can follow and align its mitigation to match.

NETSCOUT Arbor DDoS protection solutions execute real-time traffic analysis and machine learning to inspect and analyze traffic with deep granularity to detect and classify specific attack vectors dynamically and intelligently. Unlike more fixed solutions, an ADP approach combines intelligent machine learning algorithms with dynamically updated actionable DDoS threat intelligence, enabling defenders to adapt to changing attack vectors in real time based on both software and human security expertise.

The majority of application-layer, reflection/amplification, and direct-path volumetric DDoS attack traffic share a near-universal characteristic: a significant degree of attack source persistence. NETSCOUT’s ASERT team identified DDoS reflectors/amplifiers, DDoS botnet nodes, and DDoS attack generators exhibit an average churn rate of only 10 percent over a two-week interval from their inception. In practical terms, this means that 90 percent of verified DDoS attack sources can be proactively blocked for as much as two weeks after the initial discovery. 

Threat actors are now relying more on DDoS-capable botnets, Tor nodes, and open proxy servers to generate and obfuscate the actual sources of direct-path DDoS attacks. As a result of the great rebalancing described in our 2H 2022 DDoS Threat Intelligence Report, we have seen a renewed emphasis on direct-path attacks and a transition from a nearly decade-long stint of reflection/amplification preeminence.

Learn more about NETSCOUT Adaptive DDoS Protection and adaptive DDoS mitigation.