Introducing the 5th Anniversary DDoS Threat Intelligence Report

The rising tide of distributed denial-of-service (DDoS) attacks threatens organizations worldwide that deliver critical access and services. From our first Worldwide Infrastructure Security Report (WISR) in 2005 to our 5th Anniversary DDoS Threat Intelligence Report today, we have witnessed a tenfold increase in DDoS attacks. These attacks have evolved from simple denial-of-service (DoS) to dynamic DDoS, in which attacks adapt to counter network defenders.

Unparalleled Visibility

NETSCOUT's ATLAS platform has visibility into an average of 401 terabits of internet traffic every second—a staggering aggregate average of 34.6 exabits per day and greater than 50 percent of estimated international transit capacity. Meanwhile, the peak sum of DDoS alert traffic in one day reached as high as 436 petabits and more than 75 trillion packets in the second half of 2022; a global surge in bandwidth/throughput in July drastically increased these benchmarks, with service providers scrubbing a large percentage of malicious traffic, especially high-severity alerts. At the same time, enterprises eliminated an additional daily aggregate average of 2.5 petabits of unwanted traffic.

Botnet Impact

Threaded throughout the massive amounts of aggregate bandwidth and throughput is a dangerous trend that started in 2021, in which bots feature more prominently in attacks, accelerating the throughput rates at an astonishing pace. Separated by a growing margin, direct-path bot attacks dominate the top of the attack toolkit, resulting in millions of bots launching hundreds of thousands of attacks on enterprises and service providers alike, many of which caused significant disruptions. A large majority of direct-path attacks come from DDoS botnets such as Mirai and Satori, and even from lists of proxy servers leveraged by groups such as Killnet.

Attack Vectors and Methodology

DDoS attack vectors generally fall into one of three categories: volumetric, application-layer, and state-exhaustion attacks. From TCP direct-path attack vectors to carpet-bombing and application-layer attacks against DNS servers and websites, adversaries accelerated their adoption of attack targets and techniques in the second half of 2022, resulting in huge increases. Direct-path and volumetric DDoS attacks are equally responsible for causing mayhem on the global stage, but it is more than just one or the other. The top five vectors clearly illustrate the preference of adversaries in 2022, with four out of the five including an overwhelming majority of TCP-based attacks.

Adaptive DDoS Attacks

What may seem mundane is indeed incredibly complex. DDoS attacks span countries, networks, and techniques like water finding a path through any available means. A single attack can span dozens of countries and networks. Modern DDoS attacks include reconnaissance, advanced multivector attacks, and real-time monitoring for efficacy leading to adaptations throughout the campaign. Organizations must adopt new strategies such as advanced DDoS defense and suppression to combat the growing complexity.

Attack Motivations

From criminal extortion and competitive takeout to cyber warfare and geopolitical pressure, adversaries leverage DDoS attacks to incite fear, cause mayhem, and cash out. Organizations experienced a variety of DDoS attack motivations in 2022. In late February, websites were taken offline just prior to the Russia-Ukraine war. Those events created a cascade of attacks against dozens of countries and industries that continue to this day. National security and government, manufacturing, wireless telecommunications, and even the optics industry experienced diverse motivations in the DDoS threat landscape.

All the above is unfolding while adversaries continue to expand and launch new botnets to devastating effect, creating a shifting paradigm with direct-path attacks at the center. Complex multivector attacks and more sophisticated adversary methodologies have become commonplace, highlighting the need for intensive scrutiny of the threat landscape and an ever-evolving defense-in-depth to weather the onslaught of attacks.

Check out the complete 5th Anniversary DDoS Threat Intelligence Report today.