Let’s face it: Life isn’t safe, and threats exist all around us.

Quarter picture of blue & green circle in left lower corner, screen color split with green upper half & black lower with green circle and 4 spherical rings around it.

Most of us learn early on not to stroll down a dark alley, but if you’re an internet service provider (ISP) or enterprise, mitigating threats isn’t that simple. The devastation caused by a distributed denial-of-service (DDoS) attack that takes down websites and business-critical applications is likely to result in unhappy customers, lost revenue, and irreparable damage to your brand.

We’ve seen a major uptick in DDoS attacks to the tune of nearly 13 million in 2022, which represents a high-water mark. Meanwhile, adversaries are getting smarter and better at what they do, allowing them to evade defenses and traditional mitigation techniques more effectively.

Since the mid-2000s, volumetric attacks—or packet floods—were by far the most prevalent type of DDoS attack, with DNS amplification leading the pack. Then in 2021, we saw a move toward TCP-based, direct-path attacks. As adversaries refine their techniques and more accurately choose their targets, unexpected attacks can range from carpet bombing to application-layer attacks on websites and DNS servers to TCP direct-path vectors. This trend continues today, so it’s more important than ever for ISPs and enterprises to fully protect their networks, stateful devices, and other critical infrastructure.

What Are Multivector Attacks?

A multivector DDoS attack combines multiple techniques such as DNS amplification, TCP direct-path, and application-layer attacks concurrently. This type of attack comprises approximately half of all DDoS attacks, with 29 percent between one and five vectors, 8 percent between six and 10, and 2 percent (or approximately 250,000) utilizing more than 11 vectors. This highlights the importance of advanced or adaptive DDoS defenses.

Primary Attack Methods

Adaptive DDoS goes beyond multivector attacks by adding more sophisticated techniques to enhance their effectiveness. Adaptive DDoS begins with reconnaissance and probing before the attack to see what gets through and what doesn’t. Adversaries craft their attack based on those findings to target soft spots in network defenses and then perform real-time monitoring of the attack to see what’s working and what isn’t. Here’s a look at the most frequently used DDoS attack vectors we’re seeing today.

HTTP/HTTPS application-layer attacks

With more than 1 billion websites across the globe, these are the favorite targets of DDoS attacks. A prime example of the devastation caused by application-layer attacks occurred when government, financial, and media sites across Ukraine were attacked just prior to the Russian invasion. According to the National Cyber Security Centre (NCSC), adversaries also attacked ISP Viasat approximately one hour before the invasion began. Although the likely target was Ukraine’s military, it affected internet users across the country as well as Central European wind farms and internet users. Based on NETSCOUT research, we’ve seen a 487 percent increase in these attacks in the past four years.

Direct-path DDoS attacks

TCP-based direct-path attacks are growing at a rapid rate and can be more difficult to mitigate than reflection/amplification attacks. The latter can be mitigated with BGP Flowspec, for example, or other types of countermeasures. Perhaps because reflection/amplification attacks are more easily mitigated, we’ve seen an 18 percent decline over the last three years, while direct-path attacks jumped 18 percent over that time.

Carpet-bombing attacks

As the name implies, instead of seeking out a single host, carpet-bombing DDoS attacks target entire IP address ranges and are designed to evade the more common DDoS detection mechanisms. These attacks jumped from an average of 670 in 2021 to 1,134 in 2022, according to our research. That represents a 69 percent increase, with most attacks targeting ISP networks.

DNS query flood attacks

This form of application-layer attack has more than tripled since 2019 when it first came into use, marking a 243 percent increase. Most of these attacks target ISPs, but we saw adversaries recently use this tactic on national security and commercial banking sectors across the world, most likely related to the invasion of Ukraine.

Learn More

Threats are all around us in life, but with the proper knowledge and defenses, you can protect your network. NETSCOUT just released our fifth-anniversary DDoS threat intelligence report, “Unveiling the New Threat Landscape,” with findings from the second half of 2022. We encourage you to read the report and examine your current defenses against the ever-changing cyberthreat landscape.

Check out the latest NETSCOUT Threat Report