Outbound and Cross-bound DDoS Attacks on the Rise

Modern DDoS techniques require visibility and mitigation at the network edge.


Network operators worldwide have rushed to upgrade network infrastructure to meet increased demand for bandwidth and throughput driven by remote work and education. In many cases, this has resulted in service providers accelerating timelines for 5G and other high-bandwidth access technologies.

The constant evolution of the internet and global network topology has forced adversaries and defenders to adapt. Changes in attack vectors and methodology allow distributed denial-of-service (DDoS) attackers to circumvent defenses and countermeasures. Meanwhile, security practitioners face a constant battle of adapting their defense posture to mitigate this evolving threat.

DDoS Defenses

DDoS defenses have traditionally focused on protecting internet properties and networks by implementing attack detection, classification, traceback, and mitigation technologies at points of convergence for inbound network traffic. This was typically accomplished by deploying defensive measures northbound of protected assets on directly connected networks. Source-address validation (SAV), for example, has had a very positive impact in reducing prominent vectors such as DNS amplification by rendering them ineffective.

This approach worked well to defend targeted organizations and networks from inbound DDoS attacks; however, outbound and cross-bound DDoS attacks can be just as devastating and disruptive as inbound attacks. Compromised workstations, Internet of Things (IoT) devices, and high-capacity servers have been subsumed into botnets and used to launch DDoS attacks. The traffic generated by these systems has significantly impacted production services for both enterprise and service provider networks. Because of adversary innovation and adaptation, defenders must change their way of thinking and, in turn, adapt to the current threat landscape.

Adaptive DDoS

In an adaptive DDoS attack, adversaries perform extensive pre-attack reconnaissance to identify specific elements of the service delivery chain to target. Increasingly, they are making use of botnet nodes and reflectors/amplifiers that are closer to the target, a phenomenon recently observed with botnets attacking Ukraine. This minimizes the number of boundaries DDoS attack traffic must traverse, often resulting in fewer opportunities to detect and mitigate the attack.

The combination of increased available bandwidth and throughput, a larger population of abusable devices, and adaptive DDoS attack techniques magnifies the threat to network operators. As such, network operators should move from a default posture of DDoS mitigation to a new posture of DDoS suppression.

DDoS Suppression

By implementing adaptive DDoS defenses at all edges of their networks, including directly within peering and customer aggregation points of presence (PoPs), network operators can suppress DDoS attack traffic as it ingresses at multiple points across the entire network edge—or before it ever converges into a large-scale attack. By implementing edge-based attack detection, intelligent DDoS mitigation, and network infrastructure-based mitigation techniques at all network ingress points, operators can implement adaptive DDoS suppression systems that scale to counter DDoS attack capacity and adversary innovation.

One method of DDoS suppression NETSCOUT uses to secure network edges is an ATLAS Threat Intelligence Feed (AIF) that can predefine which IP addresses or Classless Inter-Domain Routing (CIDR) blocks an adversary might use to launch an attack. When an attack using the identified infrastructure begins, AIF countermeasures can start blocking immediately, before any additional routing decisions, countermeasures, or manual analysis are required, nullifying the attack before it ever reaches critical mass.
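The edge-matching idea described above, sketched as an added example; this is not NETSCOUT's AIF code or format. The feed entries, PoP names, target address, flow records, and rates are all constructed (documentation address ranges), and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed feed: sources flagged in advance, as CIDR blocks or single hosts.
FEED = ["198.51.100.0/24", "203.0.113.64/26", "192.0.2.77/32"]

# Constructed flow records: (ingress edge, source IP, destination IP, Mbps).
FLOWS = [
    ("peering-1",      "198.51.100.10", "10.0.0.5", 400),
    ("peering-1",      "192.0.2.10",    "10.0.0.5", 50),
    ("peering-2",      "203.0.113.70",  "10.0.0.5", 350),
    ("peering-2",      "203.0.113.10",  "10.0.0.5", 30),   # outside the /26
    ("customer-agg-1", "192.0.2.77",    "10.0.0.5", 300),  # on-net bot (cross-bound)
    ("customer-agg-1", "192.0.2.20",    "10.0.0.5", 40),
]

def load_feed(entries):
    # strict=True rejects entries with host bits set, e.g. a mistyped prefix.
    return [ipaddress.ip_network(e, strict=True) for e in entries]

def is_listed(src, networks):
    # Linear scan is enough for a sample this small.
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)

def converged_load(flows):
    """Mbps arriving at each target when nothing is dropped at the edge."""
    load = defaultdict(int)
    for _edge, _src, dst, mbps in flows:
        load[dst] += mbps
    return dict(load)

def suppress_at_edges(flows, networks):
    """Drop listed sources at their ingress edge.

    Returns (Mbps dropped per edge, Mbps still forwarded per target).
    """
    dropped, forwarded = defaultdict(int), defaultdict(int)
    for edge, src, dst, mbps in flows:
        if is_listed(src, networks):
            dropped[edge] += mbps
        else:
            forwarded[dst] += mbps
    return dict(dropped), dict(forwarded)

if __name__ == "__main__":
    nets = load_feed(FEED)
    print("converged at target:", converged_load(FLOWS))
    dropped, forwarded = suppress_at_edges(FLOWS, nets)
    print("dropped per edge:   ", dropped)
    print("forwarded to target:", forwarded)
```

In this sample no single edge carries more than 450 Mbps, yet 1,170 Mbps would converge on the target; matching at each ingress point leaves 120 Mbps of unlisted traffic.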

Conclusion

The operational community has successfully suppressed spoofed attack initiator traffic, resulting in demonstrable decreases in reflection/amplification DDoS attacks when compared with direct-path attacks. The next logical step is to extend this paradigm into adaptive DDoS suppression across the network edge to further build a safer, more resilient internet for all.

Check out the NETSCOUT DDoS Threat Intelligence Report for more details.