DDoS Threat Intelligence Report

DDoS Defense

Intelligent DDoS Mitigation Systems Are Frontline Defense

DDoS attacks remain one of the internet’s most persistent security challenges. The packet-sending capacity of just a few colluding hosts can wreak havoc on internet targets. Many wonder why ISPs can’t just block bad traffic. After all, how difficult can that be? Although individual traffic flows in distributed systems might seem harmless, especially under encryption or within usage limits, disaster lurks unseen. Aggregating these seemingly innocent flows from attackers can unleash a potent assault on your target, often leaving traditional defenses powerless in its wake.

Three ways to mitigate DDoS attacks:

1. Eliminate or reduce harmful traffic early enough
2. Increase network capacity to absorb harmful traffic
3. Make targets unreachable to anonymous and remote systems entirely

The third option effectively completes the attacker's job of taking the target offline, but it also helps prevent collateral damage to systems near the target.

NETSCOUT explores how these strategies are deployed in practice, considering their effectiveness in different environments, each facing unique pressures and trade-offs. The following is intended to shed light on those trade-offs to help guide decision-making for your own DDoS mitigation thinking and strategy. 

Firewalls perform “stateful inspection,” tracking each connection so they can make informed decisions about its packets. Keeping that state takes memory, and a DDoS attack that opens far more connections than the firewall can track will exhaust it, which shows the limits of some security mechanisms. Many administrators have been surprised to learn that their 10Gbps connected firewall can be overwhelmed by less than 1Gbps of traffic!

The flow of traffic from attacker to data center

Measuring Attack Volume

DDoS attacks are often “volumetric.” We measure volume using metrics such as bits per second (bps) for data volume, flows per second (fps) for the number of distinct traffic flows, packets per second (pps) for packet rate (bps and pps together indicate packet size), and queries per second (qps) or requests per second (rps) for application-layer attacks, depending on the type of service running.
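The following is an added worked example, not code from the NETSCOUT report, that relates the volume metrics above (bps, pps, packet size) and shows why a firewall's connection table, not its link speed, is what a small-packet flood exhausts. The link speeds, packet sizes, table capacity and timeout are constructed illustrations, not measurements of any real device.

```python
"""Added worked example, not taken from the NETSCOUT report: relating the
volume metrics bps, pps and packet size, and estimating how quickly a
stateful firewall's connection table fills under a flood of small packets.
Link speeds, packet sizes, table capacity and timeouts are constructed
illustrations, not measurements of any real device."""

# Ethernet adds 8 bytes of preamble/SFD and a 12-byte inter-frame gap per
# frame on the wire; a link's line rate is measured against these too.
ETHERNET_WIRE_OVERHEAD_BYTES = 20


def pps_from_bps(bps: float, packet_bytes: int, on_wire: bool = True) -> float:
    """Packets per second carried by a bit rate at a fixed frame size."""
    size = packet_bytes + (ETHERNET_WIRE_OVERHEAD_BYTES if on_wire else 0)
    return bps / (size * 8)


def steady_state_entries(new_flows_per_second: float, timeout_s: float) -> float:
    """Entries a state table holds once a flood settles: each new flow occupies
    an entry until it times out, so occupancy is arrival rate times lifetime
    (Little's law)."""
    return new_flows_per_second * timeout_s


def seconds_to_fill(capacity: int, new_flows_per_second: float) -> float:
    """Time until an empty table of `capacity` entries is full if every
    arriving packet opens a new entry and nothing expires in the meantime."""
    return capacity / new_flows_per_second


def firewall_scenario(attack_bps: float, packet_bytes: int,
                      table_capacity: int, half_open_timeout_s: float) -> dict:
    """Combine the pieces for one attack profile and report whether the
    table is overwhelmed."""
    pps = pps_from_bps(attack_bps, packet_bytes)
    needed = steady_state_entries(pps, half_open_timeout_s)
    return {
        "pps": pps,
        "steady_state_entries": needed,
        "overwhelmed": needed > table_capacity,
        "seconds_to_fill": seconds_to_fill(table_capacity, pps),
    }


if __name__ == "__main__":
    # Constructed: a 10 Gbps link moving full-size 1500-byte frames ...
    print("10 Gbps of 1500-byte frames: %.0f pps" % pps_from_bps(10e9, 1500))
    # ... versus under 1 Gbps of 64-byte packets, each opening a half-open entry.
    print("1 Gbps of 64-byte frames:     %.0f pps" % pps_from_bps(1e9, 64))
    s = firewall_scenario(attack_bps=1e9, packet_bytes=64,
                          table_capacity=2_000_000, half_open_timeout_s=30)
    print("2M-entry table, 30 s timeout:", s)
```

Run stand-alone, the script shows that 10 Gbps of full-size frames is roughly 822,000 pps, while 1 Gbps of 64-byte frames is about 1.49 million pps; with a 2-million-entry table and a 30-second half-open timeout, the smaller attack fills the table in well under two seconds. That is the mechanism behind the "10Gbps firewall overwhelmed by under 1Gbps" surprise.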

ISP DDoS Mitigation Common Practices

ISPs can’t always block bad traffic. They selectively block certain types and provide security for their infrastructure. This includes DDoS mitigation to handle customer and network demands, using strategies such as source address validation and traffic scrubbing.

Despite these efforts by ISPs, the challenge escalates as DDoS attacks evolve in complexity, presenting a myriad of forms akin to a viral fever with countless strains. So, the question arises: how do we effectively combat these multifaceted threats? NETSCOUT delves into this by examining a broad spectrum of defense tactics deployed across our total service provider visibility. The picture? A mishmash of defenses—surgical precision with intelligence mitigation systems, blunt force using Flowspec, zero-tolerance blackhole routing, and a patchwork of router access control lists (ACLs).

To further understand the nuances of DDoS mitigation, let’s explore specific strategies:

SOURCE ADDRESS VALIDATION (SAV)

Around half of DDoS attacks are reflection/amplification attacks, made possible by IP spoofing. ISPs mitigate these by verifying customer traffic has valid source IP addresses. Although this is challenging, progress has been made thanks to vendor and community collaboration. Notably, we reported on a tectonic shift in attack methodology in 2022 because of this global vendor and community initiative.

REMOTE TRIGGERED BLACKHOLE FILTERING

This is a common method against denial-of-service attacks, where ISPs drop traffic based on Border Gateway Protocol (BGP) route announcements from customers. It’s effective in preventing volumetric attacks from reaching customer links, at the cost of making prefixes temporarily inaccessible.

FLOW SPECIFICATION (FLOWSPEC) RULES

Flowspec enhances filtering between BGP devices, targeting specific traffic types. Widely adopted in certain networks, it presents operational challenges but offers precise control over traffic management.
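To make the three ISP practices just described concrete (source address validation, remote-triggered blackhole filtering, and Flowspec), here is an added toy model of an ISP edge router's policy, written for this page and not taken from the NETSCOUT report or any router vendor. It runs constructed packets through SAV on the customer port, accepts or rejects blackhole announcements, and applies a Flowspec rule, so the trade-off between the two filtering methods is visible side by side. The interface names, customer prefixes and addresses are invented; the only real identifier is the RFC 7999 BLACKHOLE community 65535:666.

```python
"""Added example, not part of the NETSCOUT report: a toy model of three ISP
mitigation practices (source address validation, remote-triggered blackhole,
BGP Flowspec) run over constructed packets. Interfaces, prefixes and
addresses are invented for illustration."""

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    ingress: str    # interface the packet arrived on (constructed names)


@dataclass
class FlowspecRule:
    """Subset of a Flowspec NLRI: destination prefix plus optional
    protocol/port components. None means 'any'."""
    dst_prefix: str
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    action: str = "discard"     # or "rate-limit"

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_prefix):
            return False
        return all(want is None or want == have for want, have in
                   ((self.proto, pkt.proto), (self.sport, pkt.sport), (self.dport, pkt.dport)))


class EdgeRouter:
    def __init__(self, customer_prefixes: Dict[str, List[str]]):
        # interface -> prefixes the attached customer may source and announce
        self.customers = {ifc: [ipaddress.ip_network(p) for p in pfx]
                          for ifc, pfx in customer_prefixes.items()}
        self.blackholes = set()
        self.flowspec: List[FlowspecRule] = []

    def source_valid(self, pkt: Packet) -> bool:
        """SAV (BCP 38): on a customer-facing interface only that customer's
        addresses may appear as the source. Transit interfaces are not checked."""
        allowed = self.customers.get(pkt.ingress)
        if allowed is None:
            return True
        src = ipaddress.ip_address(pkt.src)
        return any(src in net for net in allowed)   # version mismatch -> False

    def accept_blackhole(self, ingress: str, prefix: str, communities: Set[str]) -> bool:
        """RTBH: install a discard route only if the announcement carries the
        BLACKHOLE community AND the prefix lies inside the announcing
        customer's own space, so one customer cannot blackhole another."""
        net = ipaddress.ip_network(prefix)
        allowed = self.customers.get(ingress, [])
        owned = any(a.version == net.version and net.subnet_of(a) for a in allowed)
        if BLACKHOLE_COMMUNITY not in communities or not owned:
            return False
        self.blackholes.add(net)
        return True

    def forward(self, pkt: Packet) -> str:
        if not self.source_valid(pkt):
            return "drop:sav"
        dst = ipaddress.ip_address(pkt.dst)
        if any(dst in bh for bh in self.blackholes):
            return "drop:rtbh"          # everything to the prefix, good and bad
        for rule in self.flowspec:
            if rule.matches(pkt):       # only the matching traffic type
                return "drop:flowspec" if rule.action == "discard" else "ratelimit:flowspec"
        return "forward"


def demo() -> Dict[str, object]:
    r = EdgeRouter({"ge-0/0/1": ["203.0.113.0/24", "2001:db8:1::/48"]})
    out = {}
    # spoofed source leaving the customer port: 198.51.100.0/24 is not theirs
    out["spoofed"] = r.forward(Packet("198.51.100.7", "192.0.2.1", "udp", 40000, 123, "ge-0/0/1"))
    out["bh_own"] = r.accept_blackhole("ge-0/0/1", "203.0.113.10/32", {BLACKHOLE_COMMUNITY})
    out["bh_foreign"] = r.accept_blackhole("ge-0/0/1", "192.0.2.5/32", {BLACKHOLE_COMMUNITY})
    out["bh_no_community"] = r.accept_blackhole("ge-0/0/1", "203.0.113.11/32", set())
    # Flowspec: discard UDP from source port 123 (NTP reflection) to the customer block
    r.flowspec.append(FlowspecRule("203.0.113.0/24", proto="udp", sport=123))
    out["ntp_to_bh"] = r.forward(Packet("192.0.2.50", "203.0.113.10", "udp", 123, 55000, "upstream"))
    out["https_to_bh"] = r.forward(Packet("192.0.2.60", "203.0.113.10", "tcp", 51000, 443, "upstream"))
    out["ntp_to_other"] = r.forward(Packet("192.0.2.50", "203.0.113.20", "udp", 123, 55000, "upstream"))
    out["https_to_other"] = r.forward(Packet("192.0.2.60", "203.0.113.20", "tcp", 51000, 443, "upstream"))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The output shows the trade-off the text describes: the blackholed host loses its legitimate HTTPS traffic along with the attack, while the Flowspec rule lets HTTPS through to the rest of the block and discards only the reflected NTP packets. The ownership check in accept_blackhole is the control a practitioner should insist on, since a blackhole route is itself a denial of service if a customer can announce someone else's prefix.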

INTELLIGENT DDoS MITIGATION

ISPs and specialized services use this technique to direct traffic through intelligent DDoS mitigation systems for thorough inspection and attack-traffic mitigation. This method is extremely effective, focusing on maintaining normal traffic flow while isolating and treating suspicious traffic.

CONTENT DISTRIBUTION NETWORKS (CDNs)

Utilized for hosting and distributing content globally, CDNs optimize content delivery and act as extensive load balancers. Although effective, they can be expensive for smaller-scale projects. Anycast is another load-balancing technique often used, especially in DNS services.

ASERT Advice

Mitigation is not a one-size-fits-all approach. One method is preattack intelligence and early detection, like an immune system sniffing out the bad before it spreads. That is where NETSCOUT’s threat intelligence steps in, a vaccine for the digital body.

NETSCOUT’s Threat Intelligence

So, how much can NETSCOUT’s threat intelligence stop before it reaches critical systems? NETSCOUT’s analysis demonstrates what gets blocked by an intelligent DDoS mitigation system using standard bandwidth/throughput thresholds and what could be neutralized by our intel before it cripples downstream networks.

Outbound DDoS Attack Suppression

Mitigating incoming and suppressing outbound DDoS attacks is crucial for robust network operations and altruistically benefits the internet ecosystem. 

Managing outgoing threats revolves around being a responsible internet citizen. Actively preventing the egress of attack traffic curbs the DDoS tax. By preventing themselves from ending up on third-party blocklists, organizations not only achieve smoother operations but also preserve the reputation of their IP address space. In the current climate of IPv4 address exhaustion, this reputation management has a ripple effect on IP address prices and facilitates lucrative reselling opportunities.

Mitigating incoming attacks is pivotal for transit providers. Protecting networks within their customer cone not only enhances credibility but also attracts more clients. The ability to charge a premium for DDoS mitigation services makes the acquisition of such products a self-sustaining investment.

Our statistical analysis indicates that our clients’ networks encounter around 100,000 outgoing attacks to external networks and 150,000 incoming attacks per month. Our analysis highlights a notable disparity in the attention given to suppressing outbound attacks. Overall, 99 percent of outgoing attacks are not suppressed. We find that only 19 out of 335 NETSCOUT customers with outbound attacks suppressed such an attack at least once. It is essential to recognize that while there rarely are valid reasons to forgo suppressing outbound attacks, transit providers may receive explicit requests from clients to refrain from interfering with their network traffic.
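Suppressing outbound attacks starts with seeing them in your own egress traffic. The following added example, written for this page and not part of the NETSCOUT report, runs a simple outbound-attack detector over constructed flow records: it aggregates egress flows per time window and external destination, then flags attack-scale packet rates, many internal sources converging on one target, or packets leaving with a source address the network does not own (an anti-spoofing gap). The owned prefixes, thresholds and flow lines are constructed, and the whitespace record layout is a made-up format rather than any vendor's NetFlow/IPFIX encoding; it handles IPv4 and IPv6 records alike.

```python
"""Added example, not part of the NETSCOUT report: spotting outbound DDoS
traffic in flow records exported from a network's own edge. Address space,
thresholds and flow lines are constructed; the record layout is invented."""

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed: prefixes this network owns (one IPv4, one IPv6).
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed flow export, one record per line: ts src dst proto dport packets bytes
SAMPLE_FLOWS = """\
1.0 203.0.113.5 192.0.2.10 tcp 443 40 52000
2.0 198.51.100.9 203.0.113.5 tcp 443 38 61000
3.0 203.0.113.77 198.51.100.9 udp 80 300000 19200000
3.5 203.0.113.78 198.51.100.9 udp 80 300000 19200000
4.0 203.0.113.79 198.51.100.9 udp 80 300000 19200000
4.2 192.0.2.99 198.51.100.9 udp 123 2000 128000
12.0 2001:db8:1::10 2001:db8:2::1 tcp 443 25 30000
"""


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    packets: int
    bytes: int


def is_internal(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in OWN_PREFIXES)   # version mismatch -> False


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, pk, by = line.split()
        flows.append(Flow(float(ts), src, dst, proto, int(dport), int(pk), int(by)))
    return flows


def detect_outbound(flows: List[Flow], window_s: float = 10.0,
                    pps_threshold: float = 50_000, min_sources: int = 20) -> List[Dict]:
    """Aggregate egress flows per (window, external destination) and alert on
    attack-scale pps, many internal sources hitting one target, or packets
    leaving with a source address this network does not own."""
    buckets = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set(), "spoofed": 0})
    for f in flows:
        if is_internal(f.dst):
            continue          # inbound or internal-to-internal: not egress
        b = buckets[(int(f.ts // window_s), f.dst)]
        b["packets"] += f.packets
        b["bytes"] += f.bytes
        b["sources"].add(f.src)
        if not is_internal(f.src):
            b["spoofed"] += 1
    alerts = []
    for (win, dst), b in sorted(buckets.items()):
        pps = b["packets"] / window_s
        reasons = []
        if pps >= pps_threshold:
            reasons.append("pps")
        if len(b["sources"]) >= min_sources:
            reasons.append("sources")
        if b["spoofed"]:
            reasons.append("spoofed")
        if reasons:
            alerts.append({"window": win, "dst": dst, "pps": pps,
                           "bps": b["bytes"] * 8 / window_s,
                           "sources": sorted(b["sources"]), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_outbound(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

On the sample data the inbound record is ignored, the IPv6 HTTPS session is well under threshold, and 198.51.100.9 is flagged in the first window for both its packet rate and a spoofed-source flow, which is exactly the kind of event an operator would want to act on before the traffic lands on a third-party blocklist.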

ASERT Advice

These patterns of suppressing—or the lack thereof—demonstrate a landscape where DDoS attack strategies are continuously advancing. In light of these findings, it is imperative for organizations to proactively reassess and enhance their security measures against outbound attacks, ensuring they stay ahead in this ever-evolving cyberthreat environment.

The Future of DDoS Defense Requires Innovation

Adversaries made a pivotal change toward application-layer and direct-path attacks beginning early last year, and it carried through into 2023. This shift marks an increasingly volatile landscape of DDoS attacks that continue to grow in frequency. It came about because defenders became more proficient at detecting and mitigating most of the commonly used DDoS attack vectors, and because the broader deployment of SAV led to a significant increase in direct-path DDoS attacks. In response, adversaries researched new DDoS attack vectors and enhanced their attack methodologies and other aspects of their repertoires to bypass the improved defenses.

Adversary advances include:

New and improved DDoS reflection/amplification vectors

Taking increased advantage of the large numbers of available abusable reflector/amplifiers to increase the total attack volume

Bypassing existing defenses by using service-chain attacks, employing increased use of proxies, and/or by launching internally facing DDoS attacks

Increased use of IPv6 attacks

Using machine learning/artificial intelligence to automate preattack reconnaissance and for launching multivector DDoS attacks

ASERT Advice

To meet these new threats, defenders are now focusing on predictive DDoS defense, DDoS suppression, and DDoS interdiction in addition to increased emphasis on IPv6 defense. Also, the introduction of federated DDoS defense systems will open new possibilities.

Defenders are now focusing on the following:

PREDICTIVE DDoS DEFENSE
  • Tracking global malicious activity to identify potential DDoS sources
  • Using real-time DDoS threat intelligence for early detection and mitigation
DDoS SUPPRESSION
  • Proactively identifying and blocking abusable devices
  • Detecting and stopping outbound DDoS attacks both to rapidly stop internally facing attacks and to stop DDoS attacks from reaching overwhelming volumes
DDoS INTERDICTION
  • Blocking DDoS initiation traffic and DDoS command-and-control communication
  • Encouraging deployment of anti-spoofing measures at network edges
IPv6 DEFENSE
  • Addressing the rise in both unintentional and intentional IPv6 DDoS attacks with specialized defense strategies
  • Applying best current practices for IPv6 to match IPv4 defense levels
FEDERATED DDoS DEFENSE
  • Collaboration across networks for situational defense and intelligence sharing for predictive DDoS defense, DDoS suppression, and DDoS interdiction
  • Implementing programmatically driven cooperative efforts for real-time attack mitigation

Final Thoughts

The DDoS landscape is changing fast, and staying ahead of these threats is critical to your business. 2023 has shown us the real impact of these attacks across different sectors, from political hacktivism to attacks against DNS servers resulting in widespread collateral damage and to the gaming world where every microsecond is life or death (virtually). But it’s not all doom and gloom. Thanks to strong collaboration, predictive and proactive mitigations, and advanced threat intelligence, we’re better equipped to face these challenges head-on.

It needs to be a top priority, as critical as day-to-day operations, to push for stronger defenses and smarter solutions together as we build a more secure digital world.

NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) protects the connected world from cyberattacks and performance disruptions through advanced network detection and response and pervasive network visibility. The data in this report is derived from NETSCOUT’s ATLAS, which provides unparalleled internet visibility at a global scale collecting, analyzing, prioritizing, and disseminating data on DDoS attacks from 214 countries and territories, 456 industry verticals, and 13,005 Autonomous System Numbers (ASNs). ATLAS Intelligence Feed (AIF) continuously delivers relevant, actionable DDoS threat intelligence that is used proactively to defend against DDoS attacks and other cyber threats. That’s why the world’s most demanding government, enterprise, and service provider organizations rely on NETSCOUT’s industry-leading Arbor Adaptive DDoS Protection solutions to protect the digital services that advance our connected world.