TCP Floods Are Again the Leading DDoS Attack Vector

Stateless, Arbor Edge Defense is Still the Best Defense

black background with white and color images on the right

My personal and professional objectives, like those of many other people, are centered around improving on how I get things done. Or, more importantly, about how to do things more efficiently. One of my favorite things to watch on the attention-sucking platform of TikTok or YouTube Shorts are life hacks. Life hacks are supposed to make tasks easier or more efficient to accomplish but, in many cases are simply more complicated.

This passion to improve how things are done more efficiently is not isolated to individuals; it spills over into all aspects of our community, including government, retail, service organizations, and the like. And although many of these people are attempting to be more efficient in good ways that may help other people as well as themselves, there are people out there striving to be more efficient in malicious activities as well.

The Bad Guys Want It Too

The bad actors in the distributed denial-of-service (DDoS) world are those people. The bad guy’s motivations are different. They may be motivated by money, competition, or simply power within their specific community. The truth is, they will change their tactics, as we do, to make their actions more efficient, but in most cases, for much different and nefarious reasons.

Key Findings: TCP Flood Attacks Most Used in 1H 2022

The findings in the latest NETSCOUT DDoS Threat Intelligence Report demonstrate how sophisticated cybercriminals have become more efficient at bypassing defenses with new DDoS attack vectors and successful methodologies.

"By constantly innovating and adapting, attackers are designing new, more effective DDoS attack vectors or doubling down on existing effective methodologies," says Richard Hummel, threat intelligence lead at NETSCOUT. "In the first half of 2022, attackers conducted more pre-attack reconnaissance, exercised new attack vectors, created a tsunami of TCP flooding attacks, and rapidly expanded high-powered botnets to plague network-connected resources. In addition, bad actors have openly embraced online aggression with high-profile DDoS attack campaigns related to geopolitical unrest, which have had global implications."

TCP Flood Attacks Are Again the Most Popular Vector for DDoS Attackers

NETSCOUT's Active Threat Level Analysis System (ATLAS) compiles DDoS attack statistics from most of the world's ISPs, large data centers, and government and enterprise networks. This data represents intelligence on attacks occurring in more than 190 countries, 550 industries, and 50,000 autonomous system numbers (ASNs). NETSCOUT's ATLAS Security Engineering and Response Team (ASERT) analyzes and curates this data to provide unique insights in its biannual report. A key finding from NETSCOUT’s H1 2022 DDoS Threat Intelligence Report is that continuing a trend that started in early 2021, TCP-based flood attacks (SYN, ACK, RST) remain the most-used attack vector, comprising approximately 46 percent of all attacks (see Figure 1).

Top DDoS attack vectors during the first half of 2022

Figure 1: Top DDoS attack vectors during the first half of 2022.

State exhaustion attacks target stateful devices that are an integral part of the security stack, such as firewalls and VPN concentrators. These targets are attractive because the attacks against them can be smaller in size and designed to evade defenses meant for other threats.

State flood attacks trend upward

Figure 2: State flood attacks trend upward.

Why You Need a Hybrid Defense Strategy

So how do you prevent and stop DDoS attacks or, specifically TCP flood attacks? The best practice for protecting your network in today’s ever-changing DDoS attack landscape is a hybrid approach. Protection strategies of the past will suffice in some situations, such as in an attack designed to overwhelm your internet circuit before traffic arrives on your site. However, attacks specifically designed to evade those protections, such as TCP state exhaustion, are the basis for the new attack landscape. Furthermore, the ability to respond quickly to attacks that dodge the cloud solution and hit the network edge or an internet-facing service is imperative, and having the agility to change defenses rapidly to adapt to subtle changes onsite is crucial.

NETSCOUT Omnis AED provides hybrid DDoS defense

Figure 3: NETSCOUT Omnis AED provides hybrid DDoS defense.

By implementing comprehensive DDoS defenses such as NETSCOUT’s Arbor Edge Defense (AED) at all edges of their networks, network operators can overpower DDoS attack traffic as it enters the network edge (see Figure 3). With edge-based attack detection combined with cloud-scrubbing capacity, automated bilayer communication, indicators of compromise (IoC) analysis, command-and-control (C2) communication blocking, and current, actionable threat intelligence, operators can tackle any DDoS attack before it can cause damage.

For more information on hybrid, dynamic, comprehensive DDoS protection, download the white paper “An On-Premises Defense Is the Cornerstone for Multilayer DDoS Protection.”