Just as the emergence of COVID-19 led to changes in how threat actors launched attacks, the return to work and school that began in 2H 2021 (before Omicron reared its ugly head in November) resulted in a number of changes on the part of cyberattackers.

One of the more noticeable changes has been an increase in direct-path attacks aimed at specific industries. In a direct-path attack, the attack traffic is sent straight from the attacker's bots to the victim rather than bounced off third-party reflectors, and threat actors use it to single out individual organizations rather than indiscriminately hitting customers of communications service providers (CSPs) such as internet service providers (ISPs) and wireless carriers.

Specifically, threat actors launched two direct-path packet-flooding attacks of more than 2.5 terabits per second using server-based botnets in 2H 2021. These are the first terabit-class direct-path distributed denial-of-service (DDoS) attacks that have been identified, and they signal that attacker strategy is shifting.

Here Comes the Rain—Again

At one time, the bandwidth available to attackers and the crudeness of their tools capped how large an attack they could mount. That is far from the case today. Attackers can use DDoS-for-hire services to sidestep the technical knowledge needed to launch a massive DDoS attack, and they continue to rely on established direct-path DDoS mechanisms such as SYN, ACK, RST, and GRE floods.

In terms of flooding attacks, SYN flood was the most popular DDoS attack vector from 1996 to 2018, when it was overtaken by DNS reflection/amplification. This changed again in 2021, when direct-path DDoS attacks became the leader. An early sign was the sharp increase in ACK flood attacks against online credit card processors and other financial services organizations that we reported in the 1H 2021 NETSCOUT Threat Intelligence Report. Likewise, the 2H 2021 Threat Intelligence Report shows that SYN floods and ACK floods were the top two vectors for 2H 2021.
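
To make the SYN-flood and ACK-flood vectors above concrete, here is an added detection example (not code from the NETSCOUT report) that classifies direct-path TCP floods from flow records. The flow records, the TCP flag constants, and the per-second thresholds are constructed assumptions for the example; the signature it looks for is the one the vectors share: a single bare flag pattern arriving at one destination from many distinct, unspoofed sources.

```python
"""Classify direct-path TCP flood vectors from flow records.

Added example, not from the NETSCOUT report. Flow records are constructed
tuples that mimic NetFlow/IPFIX fields; thresholds are assumptions.
"""
from collections import Counter, defaultdict

# TCP flag bits as carried in IPFIX tcpControlBits / NetFlow tcp_flags
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed sample (dst_ip, src_ip, tcp_flags, packets) for a one-second window.
# Many distinct sources each sending bare SYNs at 203.0.113.10: a botnet SYN
# flood. Each bot uses its real address, so SAV on the bot's network never sees
# anything to drop.
SAMPLE_FLOWS = [("203.0.113.10", f"198.51.100.{i}", SYN, 40) for i in range(1, 201)]
# Bare-ACK flood at a second target: the victim must look up every packet in its
# connection table and answer with RST, which is where the state/CPU cost lands.
SAMPLE_FLOWS += [("203.0.113.20", f"192.0.2.{i}", ACK, 55) for i in range(1, 151)]
# Legitimate traffic: mixed handshake/data flags from a handful of sources.
SAMPLE_FLOWS += [("203.0.113.30", "198.51.100.250", SYN | ACK | PSH | FIN, 120),
                 ("203.0.113.30", "198.51.100.251", ACK | PSH, 300)]

VECTOR_NAMES = {SYN: "SYN flood", ACK: "ACK flood", RST: "RST flood"}


def classify_floods(flows, pps_threshold=5000, min_sources=100, purity=0.9):
    """Return {dst_ip: vector_name} for destinations that look like direct-path floods.

    A destination is flagged when, within the window, it receives at least
    pps_threshold packets from at least min_sources distinct sources and at
    least `purity` of those packets carry exactly one bare flag (SYN-only,
    ACK-only or RST-only). Thresholds are assumed values; with sampled flow
    export they must be scaled by the sampling rate.
    """
    packets_by_flags = defaultdict(Counter)
    sources = defaultdict(set)
    for dst, src, flags, pkts in flows:
        packets_by_flags[dst][flags] += pkts
        sources[dst].add(src)

    result = {}
    for dst, counts in packets_by_flags.items():
        total = sum(counts.values())
        if total < pps_threshold or len(sources[dst]) < min_sources:
            continue
        flags, top = counts.most_common(1)[0]
        if flags in VECTOR_NAMES and top / total >= purity:
            result[dst] = VECTOR_NAMES[flags]
    return result


if __name__ == "__main__":
    for dst, vector in classify_floods(SAMPLE_FLOWS).items():
        print(f"{dst}: {vector}")
```

The distinct-source requirement is what separates this from a single-host port scan or a misbehaving client; the purity requirement is what separates a flood from a busy but healthy service, whose flag mix includes SYN/ACK, PSH and FIN.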

The increase in direct-path DDoS attacks is directly tied to two factors:

  • Anti-spoofing: Network operators have paid increasing attention to source-address validation (SAV), also known as anti-spoofing. Those efforts date back to the early 2000s, yet SAV is still not universally deployed. Reflection/amplification DDoS attacks depend on spoofed source addresses, so SAV is a vital element of cybersecurity for network operators: it makes it impossible for attackers to emit spoofed attack-initiator traffic from networks that enforce it, and it thereby shrinks the pool of DDoS-for-hire services and bespoke attack infrastructure able to launch reflection/amplification attacks at all. As spoofing gets harder, direct-path attacks, which need no spoofing, become the more dependable option. This is not to say that direct-path DDoS attacks generate no collateral damage. On the contrary, almost all DDoS attacks, direct-path included, are overkill and significantly interfere with the online activity of unrelated parties. Because reflection/amplification attacks are built for raw bandwidth, however, their collateral-damage footprint tends to be even more wildly disproportionate than that of most direct-path DDoS attacks.
  • Server-class botnets: As discussed in a recent blog, attackers are subsuming server-class nodes into mainstream Mirai botnets so they can run multiple simultaneous direct-path DDoS attacks while retaining the ability to direct high volumes of attack traffic at a target on demand. TCP-based direct-path attacks need no spoofing: when enough bots participate, the target's connection state can still be exhausted even though every packet carries a real source address.
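
The anti-spoofing point above, as an added example that is not the report's or any operator's configuration: a minimal source-address validation (BCP 38 style) ingress filter in Python. The interface-to-prefix map and the packets are constructed; real deployments derive the allowed prefixes from the routing table (strict uRPF) or from address-assignment records. The example shows both halves of the argument: the spoofed reflection-initiator packet is dropped, while a bot's direct-path SYN, which carries its real source address, passes SAV untouched.

```python
"""Source-address validation (SAV, BCP 38) as a software ingress filter.

Added example; not code from the NETSCOUT report. The interface map and the
packets below are constructed.
"""
import ipaddress

# Assumed access-edge mapping: each customer-facing interface and the prefixes
# assigned to the customer behind it.
INGRESS_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("198.51.100.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("192.0.2.0/25"),
                 ipaddress.ip_network("2001:db8:10::/48")],
}


def sav_permits(interface, src_ip):
    """Return True if src_ip is a legitimate source for traffic entering on interface.

    Unknown interfaces fail closed. A source outside the customer's assigned
    prefixes is treated as spoofed and dropped, which is what prevents a host on
    this edge from emitting reflection/amplification initiator packets whose
    source is the intended victim. (ipaddress returns False, not an error, for
    an IPv4 address checked against an IPv6 network and vice versa.)
    """
    allowed = INGRESS_PREFIXES.get(interface)
    if not allowed:
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


# Constructed packets: (interface, src_ip, dst_ip, dst_port, note)
SAMPLE_PACKETS = [
    ("ge-0/0/1", "198.51.100.7", "203.0.113.53", 53,
     "customer host, real source"),
    ("ge-0/0/1", "203.0.113.10", "192.0.2.200", 389,
     "reflection attempt: source spoofed as the victim 203.0.113.10"),
    ("ge-0/0/2", "192.0.2.9", "203.0.113.10", 80,
     "direct-path SYN from a bot, real source: SAV cannot stop this"),
    ("ge-0/0/2", "198.51.100.7", "203.0.113.10", 80,
     "source belongs to a different interface's customer"),
    ("ge-0/0/2", "2001:db8:10::5", "2001:db8:ffff::1", 443,
     "IPv6 customer host"),
]


def filter_packets(packets):
    """Apply SAV to each packet; return a list of (note, 'forward' | 'drop')."""
    return [(note, "forward" if sav_permits(iface, src) else "drop")
            for iface, src, _dst, _port, note in packets]


if __name__ == "__main__":
    for note, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:8} {note}")
```

Only the second and fourth packets are dropped. The third one, a real-source SYN toward the same victim, is exactly the traffic that direct-path floods are made of, which is why better SAV coverage pushes attackers toward this vector rather than ending DDoS.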

Learn more about the factors driving the marked increase in direct-path DDoS attacks during 2021, and why we expect their popularity to keep growing, by reading the 2H 2021 NETSCOUT Threat Intelligence Report.