How Service Providers Can Collaborate on DDoS Mitigation Across Network Boundaries

Dark blue background with light blue dots in a wave pattern

Distributed denial-of-service (DDoS) attacks are rising. In fact, for the first time in history, the annual number of observed DDoS attacks crossed the 9.5 million attack threshold, with NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT) seeing 9.7 million attacks over the course of 2021. Many of these attacks are also falling into the adaptive DDoS category, meaning the attackers are changing vectors as soon as they realize what is blocking their previous method. 

These increases in DDoS attacks and in the complexity of those attacks have impacted how internet service providers (ISPs) think about DDoS and how they can assist their customers and collaborate with other ISPs both upstream and downstream in mitigation efforts, since they are closer to the source of the attacks and see the traffic first.

Dealing with this level of attack should not fall on the backs of the ISPs alone but requires collaboration among all stakeholders in the battle against DDoS attacks. Plans such as “DDoS peering” between tier-1 U.S. operators and the Internet Engineering Task Force (IETF) DDoS Open Threat Signaling (DOTS) program attempted to develop collaboration programs that required installing provisioned infrastructure or sharing attack data to a central database. Even though these programs uncovered reluctance primarily in the executive suite simply based on business decisions related to sharing data, these initiatives demonstrate that there are some stakeholders on the front lines of the battle who want to fight DDoS together.

Trailblazing Collaboration

NETSCOUT has been a trailblazer in efforts to coordinate DDoS protection and collaboration within our customer ecosystem. For more than 20 years, NETSCOUT’s Arbor DDoS defense products have been deployed in a majority of the world’s ISP networks and many enterprise networks. Arbor DDoS protection products enable collaboration among ISPs and their customers so they can fight the global threat of DDoS attacks together. This collaboration falls into three categories: ISP-to-ISP collaboration, customer-to-ISP collaboration, and sharing of threat intelligence.


To assist with attack collaboration among ISPs, NETSCOUT’s Arbor Sightline provides a unique, fully integrated internetwork signaling mechanism that allows network operators with Sightline to share attack attributes and coordinate defenses spanning network boundaries. This enables an operator to assist their peers in collaboration at an unprecedented level to collectively stop DDoS attacks nearer their source. One ISP may see DDoS traffic that is attacking its network customers but originates or passes through an upstream ISP. The ISP under attack can alert the upstream ISP that the identified attack traffic is coming through its network and can provide attack details and attack countermeasures.

Customer to ISP

To assist with customer-to-ISP collaboration, NETSCOUT Arbor Edge Defense (AED), which can be deployed on the customer premises, provides cloud-signaling capability so customers can share attack attributes with their upstream ISP. The upstream providers can use the identified attack attributes to create countermeasures within their systems and further share those countermeasures with their peers.

Sharing Threat Intelligence

To help feed the ecosystem and the DDoS defense community as a whole, organizations with both Sightline and AED deployments send anonymous attacks statistics back to NETSCOUT’s ASERT and Active Threat Level Analysis System (ATLAS), providing information about observed DDoS attacks and other forms of cyberthreats experienced by these organizations. No one has the global threat intelligence presence that NETSCOUT employs to provide awareness for our customers and the DDoS protection community as a whole. NETSCOUT generates this awareness via its Cyber Threat Horizon, threat reports, blog posts, and threat advisories. 

  • Cyber Threat Horizon: A global cybersecurity situational awareness platform, NETSCOUT Cyber Threat Horizon provides highly contextualized visibility into global threat landscape activity that’s tailored for each organization’s specific vertical and geographic profile.
  • Threat reports: NETSCOUT’S bi-annual Threat Intelligence Report offers our customers unique insight into worldwide DDoS attack activity and other cybersecurity threats.
  • ASERT blog: ASERT engineers and researchers are part of an elite group of institutions that are referred to as “super remediators” and represent the best in information security. This team delivers world-class network security research and analysis for the benefit of today’s enterprise and network operators via a number of vehicles—none more accessible than the ASERT blog.
  • Threat advisories: If ASERT deems something important or dangerous to our customers’ networks, cloud, or on-premises, we will issue advisories to them related to identification and mitigation.

This data can also be returned back to the customer ecosystem in the form of the ATLAS Intelligence Feed (AIF). The AIF arms the Arbor DDoS protection products with highly curated and current threat intelligence that enables customers to protect themselves from the latest DDoS and other cyberthreats.

Collaboration: A Key to Protection

As the global DDoS threat landscape grows and attacks become more frequent and complex, worldwide network operators, their peers, and their customers have to adapt to meet the new requirements for identification and mitigation of these new attacks. Collaboration between all of the internet entities looking for protection against these global attacks is the key to this adaptation.

Read more about NETSCOUT's smart security.