DDoS Threat Intelligence Report

DDoS Targeting

Gaming Giants Experience Waves of DDoS and Triple Extortion

Politics and international conflicts are among the primary motives in the DDoS threat landscape. But perhaps the most influential driver of DDoS attacks is gaming, together with the gambling associated with it. Our findings consistently show that the gaming sector is a prime target for these attacks, attracting a diverse range of threat actors globally.

The allure of attacking the gaming industry lies in its substantial financial value and the goal of disrupting competitors. The industry’s heavy reliance on digital infrastructure and high-profile nature, often in the spotlight of media, heightens its vulnerability to DDoS attacks. A notable aspect of these attacks is their frequent occurrence during online gaming tournaments. Although these events are sometimes linked to the extensive gambling activities around them, it is the DDoS attacks themselves that pose the most significant threat. These attacks not only disrupt the gaming experience but also threaten the integrity and stability of the gaming industry’s digital platforms, highlighting the critical need for robust cybersecurity measures. 

In early 2023, a prominent multiplayer online gaming provider (Company A) experienced a multiphased cyberattack. The initial phase was a DDoS attack more severe than any other attack the company faced throughout the year. This DDoS attack disrupted not only the online gaming services but also other critical operational services. Following this, Company A faced a series of additional cyberattacks, culminating in a significant data breach and subsequent ransom demands, which were communicated to Company A via email.

This phenomenon is not isolated. Another notable online gaming company, which operates a platform and game creation system that lets users design, create, and play games made by others (Company B), experienced a volume of DDoS attacks nine times greater than the average seen across the global gaming industry. A key distinction in this case is the active participation of the platform's own users in these DDoS attacks, launched to gain a competitive edge over other players despite such activity constituting a serious crime in many regions. A brief internet search reveals an abundance of tools and methods specifically tailored to help players identify competitors and launch basic DDoS attacks against them, which leaves Company B facing a constant onslaught of DDoS attacks.

The heightened frequency and sophistication of DDoS attacks in the gaming industry, as revealed by NETSCOUT’s analysis, underscores the urgent need for robust cybersecurity measures. These attacks, targeting major online gaming companies, not only disrupt game play but also compromise critical operational and data security. Successfully defending against such attacks requires a comprehensive cybersecurity strategy involving advanced protection measures, user awareness, and industrywide collaboration to counter the growing threat. With the active participation of some users in these attacks for competitive advantage, the gaming industry faces the additional challenge of curbing the accessibility and use of DDoS tools. It is imperative that gaming companies, cybersecurity experts, and regulators unite and actively collaborate to combat the escalating threat of DDoS attacks. This concerted effort is essential not just for maintaining but also for strengthening a secure and fair gaming environment. 

Industries Under Assault by DDoS Botnets

Adapting to the Changing Pulse of DDoS Threats from Reflection/Amplification Attacks to Direct-Path Attacks

Much like a doctor meticulously analyzing an echocardiogram for any signs of irregularity, NETSCOUT’s ASERT team scrutinizes the data from the NETSCOUT visibility platform with equal precision. Our goal is to detect emerging or evolving DDoS threats, an integral part of maintaining the resilience of enterprises and service providers and the user experience they deliver. Given all the internal and external threats faced by enterprises, what is ASERT’s prognosis?

Current trends indicate a gradual rise in direct-path DDoS attacks. Although the rate of reflection and amplification attacks has generally remained consistent, there were notable exceptions. Throughout the year, there were a few significant spikes in these types of attacks, with some reaching as high as 40 billion total packets in a single day. These intense surges predominantly targeted internet service providers (ISPs) that use enterprise in-line DDoS defense systems for data centers or specific infrastructure such as authoritative DNS servers.

A significant development as the year ended was the marked increase in activity from a bulletproof hosting provider. This provider is known for its association with DDoS attacks executed via the DDoSia tool, linked to the Russian threat actor group NoName057(16). The variable nature of this activity suggests a strategic pattern, likely reserved for high-impact attacks that demand considerable resources. 

ASERT Advice

Enterprises across various sectors constantly face these sophisticated cyberthreats, underscoring the need for advanced defense mechanisms and unmatched global visibility. Solutions incorporating machine learning and comprehensive threat intelligence are paramount. These systems provide robust, continuous protection, operating at the network edge to efficiently block and mitigate inbound attacks and prevent compromised internal systems from communicating with external command-and-control servers.

Employing these cutting-edge defenses enables businesses to strengthen their digital environments, ensuring operational resilience and continuity in the face of an ever-evolving spectrum of cyberthreats. 

Analyzing Adversary Infrastructure Reuse in Direct-Path DDoS Attacks

Depending on the adversary and its level of sophistication, the infrastructure used to launch DDoS attacks can vary greatly. In previous reports we showcased high-impact infrastructure with a near 90 percent persistence rate over two-week moving windows. For this report, we wanted to expand on this by looking at all global attacks. Daily observations of every attacker IP reveal significant fluctuation in new attacker IPs over a two-week moving average.

This pattern indicates a substantial degree of IP churn, with a large portion of daily attacker infrastructure being previously unseen in the past two weeks. The volume of these new attacker IPs as a proportion of the total further demonstrates that adversaries are continually evolving their infrastructure, or randomizing their approach to launch attacks, rather than relying solely on stable attack platforms. 

Overall, the data highlights the dynamic nature of the threat landscape and the rate at which new resources are regularly employed for malicious activities. Amidst the noise of the chaotic internet, our analysis aims to surface meaningful threat signals by focusing on the most persistent attacker infrastructures. Specifically, by tracking only attacker IPs that are globally observed across multiple enterprises, show consistent traffic volumes blocked over time, and are active for many days out of each two-week rolling window, we can concentrate on adversaries likely representing organized and impactful campaigns. By focusing on the most significant and consistent threats, we have stronger insight into the most formidable threats facing the internet today.
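The persistence filter described above, as an added example (not NETSCOUT's own tooling): it computes the share of never-before-seen attacker IPs per day over a two-week lookback and then keeps only IPs that are observed at several enterprises, active on many days of the window, and blocked at a consistent volume. The observation records, enterprise names, thresholds and the max/min volume-ratio test are all constructed assumptions for illustration.

```python
"""Persistence filter over daily attacker-IP observations: seen across several
enterprises, active many days of a two-week window, steady blocked volume."""
from collections import defaultdict
from datetime import date, timedelta

D0 = date(2023, 12, 1)   # first day of the constructed observation window

def day(n):
    return D0 + timedelta(days=n)

# Constructed records: (day, attacker_ip, enterprise, peak blocked Mbit/s)
RECORDS = []
for n in range(14):
    for ent in ("ent-a", "ent-b", "ent-c"):       # steady, global: persistent
        RECORDS.append((day(n), "198.51.100.7", ent, 900 + 10 * n))
    RECORDS.append((day(n), "203.0.113.42", "ent-a", 5000))    # one enterprise only
    RECORDS.append((day(n), f"192.0.2.{n + 1}", "ent-b", 120))  # never-seen churn
for n, vol in ((2, 40), (5, 4000), (9, 60)):      # few days, bursty volume
    RECORDS.append((day(n), "198.51.100.9", "ent-a", vol))
    RECORDS.append((day(n), "198.51.100.9", "ent-c", vol))

def new_ip_fraction(records, d, window_days=14):
    """Share of day d's attacker IPs not seen in the preceding window_days."""
    per_day = defaultdict(set)
    for rec_day, ip, _, _ in records:
        per_day[rec_day].add(ip)
    seen_before = set()
    for k in range(1, window_days + 1):
        seen_before |= per_day.get(d - timedelta(days=k), set())
    today = per_day.get(d, set())
    return len(today - seen_before) / len(today) if today else 0.0

def persistent_ips(records, window_end, window_days=14, min_enterprises=2,
                   min_active_days=10, max_volume_ratio=3.0):
    """IPs passing all three tests in the window ending at window_end; volume
    consistency is approximated by a max/min ratio bound on daily volumes."""
    start = window_end - timedelta(days=window_days - 1)
    ents, days, vols = defaultdict(set), defaultdict(set), defaultdict(list)
    for d, ip, ent, vol in records:
        if start <= d <= window_end:
            ents[ip].add(ent)
            days[ip].add(d)
            vols[ip].append(vol)
    return sorted(ip for ip in ents
                  if len(ents[ip]) >= min_enterprises
                  and len(days[ip]) >= min_active_days
                  and max(vols[ip]) / min(vols[ip]) <= max_volume_ratio)
```

On the constructed data only 198.51.100.7 survives all three tests, while a third of the final day's attacker IPs are new to the window, which is the churn the text describes.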

DNS and Collateral Damage

DNS Servers Under Constant Barrage of DDoS Attacks

Transitioning from adversary infrastructure to targeted infrastructure, perhaps the most critical area is that of attacks on authoritative and recursive DNS servers. Starting at the end of 2019, there has been a marked rise in DNS water torture attacks, a growing threat that targets the critical systems at the heart of the internet’s control plane. DNS query floods—attacks specifically designed to overwhelm authoritative DNS servers—experienced a massive 553 percent increase from 1H 2020 to 2H 2023. Adversaries are no longer content with targeting one website or one server: They frequently go after systems that, if successfully taken down, would result in far-reaching collateral damage.

Consolidation of Web Infrastructure

When colocated domains share web infrastructure, DDoS attacks targeting one website and disrupting the underlying infrastructure diminish performance, availability, and overall reliability for all colocated websites. These adverse effects either propagate inadvertently or can be used by the attacker to conceal the real target. Investigation of attacks affecting at least one domain reveals that a median of seven domains suffer collateral damage. The top 15 percent of attacks, in terms of web collateral damage, impact as few as 100 and as many as 100,000 or more websites.

Authoritative Nameservers in the Crosshairs

Because so many domains rely on a relatively small number of authoritative DNS servers, successful attacks become magnified in terms of impact. NETSCOUT’s visibility enables observation of between 50 and 100 DNS query flood attacks against DNS infrastructure daily. Although over-provisioning systems and relying on a single authoritative DNS hosting provider appears to be cost-effective and a natural decision to avoid additional costs or seemingly redundant DDoS defense systems, it does not take much to recognize that devastating, multimillion query-per-second floods are no longer a rarity.

Recursive Resolvers and the Looming Threat

We identified dozens of public resolvers that attracted a startling 50,000 DDoS attacks in 2H 2023. Of these, 83 percent targeted prominent public resolvers, while the remaining 17 percent were scattered among less prominent resolvers. Globally exposed DNS resolvers pose multifaceted risks, including susceptibility to DDoS attacks, cache poisoning, and security breaches due to their unrestricted internet access. Best practices for mitigating these dangers include restricting resolver access to authorized networks, implementing rate limiting and Domain Name System Security Extensions (DNSSEC), and regular security monitoring and updates. This approach enhances security and maintains the integrity and performance of DNS services.

Moreover, even resolvers shielded against direct attack from external sources find themselves vulnerable to DDoS attacks from their ostensible user base. They must first defend against threats from within, such as malicious actors inside their network boundaries, before turning their shields outward to fend off reflection/amplification attacks from outside. From experience, shielding an external resolver from DNS reflection/amplification is notoriously challenging. The path is clear: To mitigate these risks, global exposure of DNS resolvers should be avoided at all costs, and reliance should be placed on intelligent DDoS mitigation services with proactive defense strategies and threat mitigation capabilities. The alternative means accepting collateral downtime for any device legitimately configured to use the resolver in question.
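Two of the resolver practices listed above, access restricted to authorized networks and a per-client query-rate limit, turned into a log audit, as an added example that is not part of the report. The authorized prefixes, the query-log line format, the sample log lines and the rate threshold are all constructed assumptions.

```python
"""Audit of a recursive resolver's query log for two of the practices above:
access limited to authorized networks, and a per-client query-rate limit."""
import ipaddress
from collections import defaultdict

# Assumed internal prefixes; an exposed resolver would be answering others too.
AUTHORIZED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample log, one query per line: "<epoch-second> <client> <qname> <qtype>"
SAMPLE_LOG = "\n".join(
    ["1700000000 10.1.2.3 www.example.com A",
     "1700000000 10.1.2.3 www.example.com AAAA",
     "1700000000 198.51.100.25 www.example.com A",      # client outside the ACL
     "1700000001 198.51.100.25 www.example.com ANY"]
    + [f"1700000001 192.168.7.7 h{i}.victim.example A" for i in range(8)]  # burst
)

def parse_log(text):
    """Parse log lines into (timestamp, client address, qname, qtype) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        events.append((int(ts), ipaddress.ip_address(client), qname, qtype))
    return events

def unauthorized_clients(events, nets=AUTHORIZED_NETS):
    """Clients answered by the resolver that fall outside every authorized net."""
    return sorted({str(c) for _, c, _, _ in events if not any(c in n for n in nets)})

def rate_violations(events, limit_qps=5):
    """Clients whose queries in any single second exceed limit_qps -> peak count."""
    per_second = defaultdict(int)
    for ts, c, _, _ in events:
        per_second[(str(c), ts)] += 1
    peak = defaultdict(int)
    for (c, _), n in per_second.items():
        peak[c] = max(peak[c], n)
    return {c: n for c, n in peak.items() if n > limit_qps}
```

A non-empty result from `unauthorized_clients` is evidence the resolver is answering the open internet, which is exactly the exposure the text advises against.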

ASERT Advice

These findings underscore the critical importance of protection for both authoritative and recursive DNS servers and demonstrate that DNS query floods composed of millions of queries per second (mqps) are a constant in the authoritative nameserver market.

Besides well-known public resolvers, there is no legitimate reason to expose a resolver globally. Doing so not only poses a significant threat of collateral downtime to the network’s devices using this DNS resolver, but it also violates best common practices and good internet citizenship by hosting another piece of abusable infrastructure. Even shielding an external resolver from the outside does not guarantee uninterrupted uptime if it is not protected with the right assets.