Unveiling the New Threat Landscape
The rising tide of DDoS attacks threaten organizations worldwide that deliver critical access and services. This tide brings new threats, evolving tactics, and a doubling-down on adversary methodologies to launch hybrid application-layer and botnet-based direct-path DDoS attacks.
From our first Worldwide Infrastructure Security Report (WISR) in 2005 to our 5th Anniversary DDoS Threat Intelligence Report today, we have witnessed a tenfold increase in DDoS attacks. These attacks evolved from simple denial-of-service to dynamic distributed denial-of-service where attacks evolve and adapt to counter network defenders. This is unfolding while adversaries continue to expand and launch new botnets to devastating effect, creating a shifting paradigm with direct-path attacks at the center. Complex multi-vector attacks and more sophisticated adversary methodologies have become commonplace, highlighting the need for intensive scrutiny of the threat landscape and an ever-evolving defense-in-depth positioning to weather the onslaught of attacks that include carpet-bombing to application-layer and state-exhaustion attacks.
These attacks have a very real impact as reported by our customers, the largest service providers and enterprises in the world. We continue to invest heavily in research and development of our Visibility Without Borders®, ATLAS platform, as we have done for over the last two decades. ATLAS is the key to understanding these threats, learning from them, and positioning organizations to mitigate these attacks. It is also the fuel that powers this DDoS Threat Intelligence Report, enabling global DDoS awareness and defense. We would like to thank our customers for supporting and joining us in this mission, as Guardians of the Connected World.
ANIL SINGHAL, CEO NETSCOUT
Scaling Internet Traffic to Infinity and Beyond
NETSCOUT’s ATLAS platform has visibility into an average of 401 Tbps of internet traffic, a staggering aggregate average of 34.6 exabits per day and greater than 50 percent of estimated international transit capacity.
Meanwhile, the peak sum of DDoS alert traffic in one day reached as high as 436 petabits and more than 75 trillion packets in the second half of 2022; a global surge in bandwidth/throughput in July drastically increased these benchmarks, with service providers scrubbing a large percentage of malicious traffic, especially high-severity alerts. At the same time, enterprises eliminated an additional daily aggregate average of 2.5 petabits of unwanted traffic.
Bad Bots in Business
Threaded throughout the massive amounts of aggregate bandwidth and throughput is a dangerous trend that started in 2021, in which bots feature more prominently in attacks, accelerating the throughput rates at an astonishing pace.
Separated by a growing margin, direct-path bot attacks dominate the top of the attack toolkit, resulting in millions of bots launching hundreds of thousands of attacks on enterprises and service providers alike, many of which caused significant disruptions.
Rising Tides in Attack Methodology
From TCP direct-path attack vectors to carpet-bombing and application-layer attacks against DNS servers and websites, adversaries accelerated their adoption of attack targets and techniques, resulting in huge increases in the second half of 2022.
Dissecting an Adaptive DDoS Attack
What may seem mundane is actually incredibly complex. DDoS attacks span countries, networks, and techniques like water finding a path through any available means.
A single attack can span dozens of countries and networks. As one attack against the energy sector illustrates, organizations must adopt new strategies such as Adaptive DDoS Defense to combat the growing complexity.
DDoS Attack Motivations Know No Bounds
From nihilism to extortionism, adversaries leverage DDoS attacks to incite fear, cause mayhem, and cash out. Organizations experienced a veritable smorgasbord of DDoS attack motivations in 2022 stemming from events in late February as websites were taken offline just prior to the Russia-Ukraine war. Those events created a cascade of attacks against dozens of countries and industries that continue to this day.
National security and government, manufacturing, wireless telecommunications, and even the optics industry experienced these diverse motivations in the DDoS threat landscape.
Takedown and Take Action
In 2022, multiple global takedown efforts focused on disrupting botnets and DDoS-for-hire services, with varying degrees of success. At the same time, the global community came together to implement solutions for wide-scale adoption of security measures to effectively cut off the Hydra’s heads in rapid succession.
Although these efforts were somewhat successful, adversaries are resilient and alter attack methods to continue widespread destruction via DDoS attacks.
The visibility NETSCOUT gains from our ATLAS platform spans the entire globe, with historical data over multiple decades, to bring trends and real-time analytics to the research team and our Threat Horizon Portal.
The following statistics reveal the depth of our visibility across the global internet:
More than two decades of working with more than 500 internet service providers (ISPs) has allowed us to build a sensor network that spans more than 50 percent of the world’s largest networks.
ATLAS collects DDoS attack statistics from an average of 93 countries every day—effectively half of the world.
ATLAS data reveals that DDoS attacks are one of the most frequent cybersecurity threats facing organizations today. They jumped from hundreds to thousands between 2005 and 2013 and increased 807 percent from ~325,000 in Q1 2013 to ~2.9 million in Q1 2022.
DDoS attacks nearly reached a plateau of 13 million for 2022—a new high water mark for attack frequency—all while adversaries become more adept at evading defense and traditional DDoS mitigation.
From 2006 to 2021, volumetric attacks reigned supreme, with DNS amplification at the forefront. It was in early 2021 when we detected a tectonic shift in preference by adversaries to TCP-based, direct-path attacks—a move that carries throughout 2022 and one that organizations and enterprises must address to protect stateful devices and downstream customers.
attack duration breakdown
Over the past four years, more than 4 million DDoS attacks lasted longer than one hour and a quarter of those lasted more than 12 hours, underscoring the importance of having adaptive DDoS solutions that can simultaneously handle short-lived and long-lived attacks.
multi-vector attack breakdown
Multi-vector attacks made up more than 40 percent of all DDoS attacks with 29 percent between 2 and 5 vectors, 8 percent between 6 and 10, and 3 percent leveraging more than 11 vectors in a single attack. This equates to more than 250,000 DDoS attacks using more than 10 vectors in a single attack, once again illustrating the importance of adaptive DDoS practices.
DDoS Attack Timeline
Visibility Is the Key to Successful DDoS Defense
Internet Service Providers (ISPs)
Global insights from just shy of 13 million attacks in 2022 allow us to precisely detect and pinpoint DDoS-related traffic.
This metaphorical “needle in the haystack” peaks at a cumulative maximum for one hour of 39.13 Tbps on April 17, 2022.
The aggregate peak for one day occurred on November 30, 2022, with a cumulative maximum of 389.57 Tbps (44,497 DDoS attacks contributed to this cumulative value).
Examining our global telemetry revealed that approximately 25 percent of all our customer alerts move into active mitigation. ISPs must prioritize what alerts and traffic to mitigate while balancing between cost, capacity, and service disruption for customers. This translates to many attacks not receiving mitigation as the provider absorbs the attack across its network footprint and focuses on the most impactful attacks likely to disrupt the largest number of networks and customer services.
However, a smaller number of mitigations compared with alerts does not tell the whole story. When looking at the bandwidth and throughput of the alert traffic, we see an entirely different metric play out. Our analysis reveals that approximately 25 percent of normal baseline traffic is mitigated due to some alert threshold established by our customers, but when impact bandwidth and throughput reaches higher severity, ISPs drop 80 to 100 percent of the attack traffic. At times, the use of BGP Flowspec will even exceed the 100 percent mitigation threshold as entire ports and protocols get dropped in routing.
The previous graphs tell a particularly important truth. Not all alert traffic will be mitigated by the ISP networks. This is especially true when the impact of alerts is lower in severity. As previously discussed, ISPs must balance cost, capacity, and providing services to consumers. Thus, enterprises and downstream consumers should consider investing in on-premises or hybrid DDoS mitigation solutions to bolster their defensive posture.
With 13 million attacks in the ISP networks, we turned our attention to the enterprise, where we gathered data from one-fifth of our enterprise customers and found more than 3,500 events per day or 145 per hour. These events stemmed from high-impact traffic tripping predefined thresholds, creating a denial-of-service (DoS) alert. Not all of these alerts are DDoS attacks; high-throughput scanning also can trip these thresholds. Nonetheless, these events along with GeoIP blocks, application-layer attacks, and inbound brute-forcing/exploitation resulted in traffic being dropped to downstream users on these networks.
The following ATLAS statistics highlight the amount of mitigated anomalous traffic in enterprise environments every day:
Average amount of daily bytes equating to approximately 3.5 petabits of data, the equivalent of almost 2,000 days (about five-and-a-half years) of 4K streaming video
2.5 trillion packets (the DeLorean only needed 1.21 trillion watts to time travel!)
A daily aggregate of about 3.2 Tbps of traffic (consider the largest single attack recorded now is 3.4 Tbps)
Contrary to the 25 percent mitigation ratio for ISPs, nearly every alert in the enterprise environment resulted in application of preconfigured countermeasures, a large majority of which are GeoIP blocking.
DDoS Botnet Impact
Threaded through all the statistics about network bandwidth, throughput, and attack frequency is the continuing driver of direct-path, botnet-sourced attacks. This is even more relevant for the enterprise statistics, because enterprises tend to receive the largest portion of bot-based attacks. A large majority of direct-path attacks come from DDoS botnets such as Mirai, Satori, and even lists of proxy servers leveraged by groups such as Killnet.
In 2022, NETSCOUT tracked approximately 1.35 million bots from malware families such as Mirai, Meris, and Dvinis. The analysis covers attack statistics for enterprises and ISPs and identifies the countries and industries targeted. The scale of attacks on the enterprise illustrates the dominance of bot attacks against enterprises as opposed to ISPs.
average impact per bot node
Top attack source countries
Top attack target countries
top targeted industries
Internet Service Providers (ISPs)
attacks in ISP networks
Top attack source countries
Top attack target countries
botnet-sourced attacks involved
TCP SYN floods and reflection/amplification attacks
DDoS Attack Vectors and Methodology in Focus
Direct-path and volumetric DDoS Attacks are equally responsible for causing mayhem on the global stage, but it is more than just one or the other. To understand the impact, we must further break these attacks down into their parts. First, we look at the continuing trend of TCP-based attacks. The top five vectors clearly illustrate the preference of adversaries in 2022 with four out of the five including an overwhelming majority of TCP-based attacks.
Inside these vectors, we next look at the types of attacks. For this we break it down into four distinct categories:
HTTP and HTTPS Application-Layer Attacks
Today, there are more than one billion websites on the internet, and it should come as no surprise that websites are often the target of DDoS attacks. We witnessed how devastating these types of attacks can be with the events preceding the Russo-Ukrainian conflict knocking out key financial, government, and media sites prior to ground forces invading. Based on a sampling of our data set, we witnessed a 487 percent increase in HTTP/HTTPS attacks since 2019.
Direct-Path DDoS Attacks
Several times we have noted adversary preference for TCP-based direct-path attacks—and for good reason. These attacks are growing at an alarming rate and often are harder to mitigate than reflection/amplification attacks, which can be mitigated with BGP Flowspec or other well-established countermeasures. While reflection/amplification attacks declined 18 percent since 2020, direct-path attacks climbed 18 percent over three years, creating a difference of nearly 2 million attacks between them.
Carpet-bombing DDoS attacks target entire IP address ranges rather than a single host. These attacks are intended to evade common DDoS detection mechanism. This trend started in November 2021 and really accelerated in August 2022. Daily attacks using this method rose from an average of 670 in 2021 to an average of 1,134 in 2022, a 69 percent increase. Comparing the first half of 2022 with the second provides an even greater increase of 110 percent in this methodology being leveraged by adversaries. A brief segue into industries targeted with this method revealed most attacks were against ISP networks.
DNS Query Flood (DNS Water-Torture) Attacks
A form of application-layer attack, DNS query floods have more than tripled since they really became weaponized in 2019, a 243 percent increase in adoption of this attack technique. The average daily attack count for 2022 is approximately 850 attacks, a 67 percent increase over the 522 average in 2021.
Further sub-divided into regions, the following increases in this attack technique indicate adversaries are using it everywhere:
Most attacks of this nature affect ISPs, however in the second half of 2022, adversaries used this tactic to target both the national security and commercial banking sectors in North America (NAMER) and Europe, the Middle East, and Africa (EMEA). There is a high degree of certainty that these attacks are almost exclusively related to the ongoing conflict between Russia and Ukraine.
Are Global Takedowns the Solution?
DDoS attacks are relentless and ever-present on the internet. Every user that connects to the internet has experienced some form of disruption because of these attacks. What, then, can governments and other organizations do to solve this problem on the world stage? In the past year, there have been several operations or drivers in the network and security communities to help mitigate these threats. There are three primary areas worth considering: botnet takedowns, DDoS-for-hire confiscations and arrests, and a global push in the security community to squash threats before they become a problem—something NETSCOUT calls DDoS suppression.
While botnet takedowns happen numerous times per year, the size of the individual botnets means that the impact is hardly noticed. In June of 2022, the United States Department of Justice, in cooperation with entities in Germany, the Netherlands, and the U.K., took down the RSOCKS proxy botnet, which at one point was said to be more than 8 million proxies strong. This takedown was observable in the NETSCOUT data set both from a bot availability standpoint and from a decrease in observed attacks leveraging botnets.
Thousands of DDoS attacks are coordinated and directed by numerous so-called “booter” or “stresser” criminal operators every year. These DDoS-for-hire enterprises often advertise in underground forums and hide behind layers of proxies, tunnels, and takedown-resistant jurisdictions or upstream providers. Nonetheless, researchers, law enforcement, and legitimate operators often work together to identify, shutter, and prosecute those using or operating DDoS-for-hire services.
On December 14, 2022, a globally coordinated law enforcement effort seized 50 domain names and about as many illicit DDoS-for-hire services and made arrests around the globe. Notably, for the most active DDoS-for-hire services that resumed operation, DDoS attack activity decreased against several prominent broadband access networks by approximately 50 percent in the immediate aftermath of December’s takedown event. Although activity often resumes shortly after a takedown, disruption and deterrence have become the goal to help stunt growing DDoS attack trends and limit the impact of DDoS-for-hire services.
Altering the Equation with Global Security Initiatives
The introduction of DDoS-for-hire services in 2013 brought about a fundamental shift in the DDoS threat landscape. For the first time, unskilled attackers could directly launch high-impact reflection/amplification DDoS attacks adversely impacting targeted networks, organizations, and individuals and resulting in significant collateral disruption. Volumetric attacks quickly surpassed the long-standing reign of TCP SYN/ACK flooding because of the emergence of these services. However, the ability to spoof internet traffic is required to initiate these high-impact reflection/amplification DDoS attacks. And after an initial burst of enthusiasm in the early 2000s, little additional progress had been made in broadening the deployment of source-address validation (SAV; also known as anti-spoofing) best current practices (BCPs). The lackluster attitude toward well-known BCPs came into stark focus in the wake of COVID-19: With everyone working in remote offices and taking classes at home, DDoS attacks escalated to unprecedented levels during this period.
In response to these trends, a renewed push to encourage the deployment of SAV has been underway within the global internet operational community since mid-2021. NETSCOUT is a key participant in this effort, educating network operators worldwide on how to identify the sources of spoofed reflection/amplification attack initiator traffic, as well as how to implement anti-spoofing functionality on their network edges. And in 2022, after approximately one-and-a-half years of concerted effort by the operational community to broaden the deployment of SAV, a momentous 17 percent global decrease in reflection/amplification attacks was observed when compared with 2021. Further, the overall decrease from 2020 is measured at 18 percent. This constitutes the single largest change in internet-wide DDoS attack dynamics since the introduction of DDoS-for-hire services in 2013 and is signal proof of the ability of network operators to meaningfully improve the overall resiliency and security of the internet at scale.