Top 6 DDoS Lessons from 1H 2023

Introducing NETSCOUT’s DDoS Threat Intelligence Report Issue 11


NETSCOUT’s latest threat report is now available, bringing you distributed denial-of-service (DDoS) insights from the first half of 2023. In this blog, we take a look at the top six takeaways from the report.

1. Complete Network Visibility Enables Total Network Control

Accelerating at amazing speeds, the growth of the internet necessitates increased visibility. NETSCOUT’s commitment to worldwide visibility granted us insights into an average of 424 Tbps of internet peering traffic in 1H 2023, a 5.7 percent increase over the 401 Tbps reported at the end of 2022.

NETSCOUT’s pervasive visibility allowed us to monitor nearly 7.9 million DDoS attacks in the first half of 2023 alone. By analyzing the techniques and patterns of so many attacks, we can gain a deep understanding and develop ever more effective solutions to protect and defend networks across the globe.

2. The Power of Persistence

The majority of observed application-layer, reflection/amplification, and direct-path volumetric DDoS attack traffic shares a near-universal characteristic: a significant degree of attack source persistence. NETSCOUT’s Security Engineering and Response Team (ASERT) identified DDoS reflectors/amplifiers, DDoS botnet nodes, and DDoS attack generators exhibiting an average churn rate of only 10 percent over a two-week interval from their inception. In practical terms, this means that 90 percent of verified DDoS attack sources can be proactively blocked for as much as two weeks after initial discovery. This enables an enormous amount of DDoS attack mitigation to become fully automated.

3. DDoS Attack Infrastructure Telemetry

ASERT examined several types of abusable infrastructure leveraged in DDoS attacks worldwide. In 1H 2023, we observed open proxies consistently leveraged in HTTP/S application-layer DDoS attacks. Threat actors are now relying more on DDoS-capable botnets, Tor nodes, and open proxy servers to generate and obfuscate the actual sources of direct-path DDoS attacks. We have seen a renewed emphasis on direct-path attacks and a transition from a nearly decade-long stint of reflection/amplification preeminence.

Bulletproof hosting (BPH) providers pose a unique and challenging threat. Their activity is often disguised under a veil of legitimacy; however, due to their willful neglect of community norms, their illicit activities often evade normal responses such as takedown requests. Many of the most notorious threats to internet safety and stability previously have found safe havens at BPH providers, but this strategy is becoming less tenable as we uncover and provide defensive recommendations to our customers and the world.

4. Adversary Discovery Lifecycle

The unmatched breadth and depth of our data horizon allow us to identify the exact point in time when new DDoS attack vectors are discovered, tested, optimized, first utilized by adaptive attackers, and eventually weaponized in DDoS-for-hire services. This DDoS Threat Intelligence Report covers the evolution of the Apple remote management system (ARMS), TP240, and Service Location Protocol (SLP) DDoS attack vectors from inception to weaponization. We further detail how our visibility into the attacker discovery process allowed us to operationalize threat intelligence even before these attacks could be used against our customers.

5. Carpet-Bombing and DNS Water Torture Attacks Increase Pace

Domain Name System (DNS) water torture DDoS attacks have been steadily rising in prevalence, with a sharp increase observed in June 2023. By the end of the first half of 2023, DNS water torture attacks had increased by a staggering 353 percent. A sudden resurgence in carpet-bombing attacks prompted our researchers to investigate this tactic, and since the first week of 2023, we observed a 55 percent increase in daily carpet-bombing attacks. These attacks often use the very same devices leveraged in DNS reflection/amplification attacks to obfuscate the actual DDoS attack generators. At the same time, carpet-bombing attacks continue to rise, and our new research demonstrates that most carpet-bombing attacks are single vector rather than multivector, with DNS reflection/amplification being the most prevalent attack type, followed by Session Traversal Utilities for NAT (STUN) reflection/amplification.
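Two defender-side heuristics for the attack types described in this section, written here as an added example (not code from the report or from NETSCOUT’s tooling) and run over constructed log lines: a water torture flood shows up as many distinct, never-resolving subdomains under one zone, while carpet-bombing shows up as many hosts in one prefix each receiving a small share of traffic that per-host thresholds would miss. The log formats, thresholds and addresses are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample DNS query log: "<epoch> <client_ip> <qname> <rcode>"
DNS_LOG = """\
1688169600 203.0.113.10 www.example.com NOERROR
1688169601 203.0.113.11 k3j9x2qz.example.com NXDOMAIN
1688169601 203.0.113.12 p0w7v5ma.example.com NXDOMAIN
1688169602 203.0.113.13 zz41bnrt.example.com NXDOMAIN
1688169602 203.0.113.14 q8l2c0ds.example.com NXDOMAIN
1688169603 203.0.113.15 mail.example.com NOERROR
1688169603 203.0.113.16 api.example.org NOERROR
"""

def detect_water_torture(log, min_labels=4, min_nx_ratio=0.6):
    """Return zones that receive many distinct NXDOMAIN-producing subdomains.
    Random labels defeat caching, so every query hits the authoritative server;
    a high NXDOMAIN ratio plus high label diversity is the tell. The zone is
    taken as everything after the first label (single-level subdomains assumed)."""
    labels, nx, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log.splitlines():
        _ts, _client, qname, rcode = line.split()
        sub, _, zone = qname.partition(".")
        total[zone] += 1
        if rcode == "NXDOMAIN":
            nx[zone] += 1
            labels[zone].add(sub)
    return {z for z in total
            if len(labels[z]) >= min_labels and nx[z] / total[z] >= min_nx_ratio}

# Constructed sample flow log: "<src_ip> <dst_ip> <dst_port> <bytes>"
FLOW_LOG = """\
198.51.100.7 192.0.2.1 53 200
198.51.100.7 192.0.2.2 53 200
198.51.100.7 192.0.2.3 53 200
198.51.100.7 192.0.2.4 53 200
198.51.100.7 192.0.2.5 53 200
198.51.100.9 203.0.113.50 443 40000
"""

def detect_carpet_bombing(flows, min_hosts=5, prefix_len=24):
    """Return destination prefixes where at least min_hosts distinct addresses
    receive traffic: the per-host volume is low, so aggregate per prefix."""
    hosts = defaultdict(set)
    for line in flows.splitlines():
        _src, dst, _port, _nbytes = line.split()
        hosts[ip_network(f"{dst}/{prefix_len}", strict=False)].add(dst)
    return {str(net) for net, seen in hosts.items() if len(seen) >= min_hosts}
```

Both functions are meant to run per time window; the constructed samples are small, so the thresholds are set low to make the pattern visible.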

6. World Events Fuel DDoS Attack Campaigns

Since the initiation of ground operations in the Russia/Ukraine conflict at the beginning of 2022, NETSCOUT has extensively detailed the intersection between online and kinetic operations in history’s most extensive campaign of hybrid warfare. Since that time, ideologically motivated DDoS attacks targeting the United States, Ukraine, Finland, Sweden, Russia, and other countries have remained constant. Last year, Finland experienced a wave of DDoS attacks before and immediately after its NATO acceptance. Sweden has experienced a similar onslaught as that country’s bid to join NATO moves forward. But it’s not just politics: A wave of DDoS attacks hammered wireless telecommunications, no doubt a result of 5G wireless connectivity expanding at a staggering rate and subscribers opting to use 5G as their primary internet connection. And make no mistake, these attacks often target critical resources including healthcare; energy; and private companies providing government services, platforms, and infrastructure. Moreover, there is often collateral damage associated with these attacks.

Learn more with in-depth analysis, interactive charts, and free downloads at NETSCOUT’s DDoS Threat Intelligence Report Issue 11 interactive website.