DDoS Threat Intelligence Report

DDoS Threats

DDoS Attack Classifications

DDoS attacks are intended to disrupt availability, often leading to widespread confusion, operational disruption, and heightened concern. The motivations for these attacks are endless, and although there are many variations of vectors and methodologies, there is an overall DDoS taxonomy grouping the vectors together.

Two primary groupings for these attacks are application-layer attacks and volumetric attacks:


DDoS ATTACK TYPE ONE

Application-Layer Attacks

Application-layer attacks target specific implementation details of a protocol or service, causing resource exhaustion. Common application-layer attacks include HTTP/S GET or POST floods, and domain name system (DNS) query floods. Application-layer attacks often have a smaller network footprint but are more noticeable in service-specific metrics. These attacks can be especially costly with autoscaling features of cloud resident services and require more-sophisticated defense capabilities. Typical constraints are server metrics such as CPU cycles or concurrent transactions.

Notorious threat actors such as NoName057(16) are increasingly focused on application-layer attacks, particularly HTTP/S GET and POST floods, leading to a 43 percent rise compared with 1H 2023.

These hacktivist groups tend to target specific industries and countries making statements about or giving support to their perceived enemies on the world stage of politics, but they often pick the specific victims arbitrarily. This means that although we can track the overall trends and expectations of a group to go after a country or industry, it’s nearly impossible to predict ahead of time which websites or individual network resources may be targeted.

DDoS ATTACK TYPE TWO

Volumetric Attacks

A volumetric attack aims to completely saturate the network capacity of the target, negating an endpoint’s ability to send or receive legitimate traffic, causing packets to be buffered and dropped.

These attacks are categorized into two main types:

1
Reflection/Amplification Volumetric Attacks

Reflection/amplification volumetric attacks leverage hundreds of thousands of unknowing users’ systems to reflect and amplify massive amounts of internet traffic toward the target. Attackers exploit vulnerabilities in various protocols and services, such as DNS, network time protocol (NTP), or simple service discovery protocol (SSDP), to amplify the amount of data being sent to the target. These attacks are particularly dangerous because they generate traffic volumes that far exceed the capabilities of the original attacking machines, making these attacks highly effective at overwhelming targets.

2
Direct-Path Volumetric Attacks

Direct-path volumetric attacks involve sending traffic directly from the attacking systems to the target without the use of intermediaries. These attacks often rely on a botnet of compromised devices to generate a high volume of traffic. Although direct-path volumetric attacks might not benefit from amplification, they can still be highly effective, especially when the botnet size is large and the attack is well-coordinated.

Both types of volumetric attacks risk exceeding the limits of infrastructure along the way to the target—often resulting in collateral damage that can be just as devastating as the attack itself. The primary bottleneck in these attacks is bandwidth and throughput.

During 1H 2024, the number of observed volumetric DDoS attacks increased by 30 percent compared with 1H 2023 and account for most of the ~41,000 DDoS attacks NETCOUT’s ASERT team observes every day. These attacks have become increasingly complex, with attackers using advanced amplification techniques to leverage abusable characteristics of multiple protocols and services.

A More Cohesive DDoS Attack Harness

As we observe the tens of thousands of DDoS attacks every day, trends emerge in the types of infrastructure and their relationship with each other. Some of these relationships surface as we monitor the sources of disruptive online activities such as DDoS attacks, credential-stuffing, invasive scans, brute-forcing activity, exploitation, and malware distribution. However, we recently started seeing DDoS attacks emerge from multiple “nuisance networks” at the same time. These nuisance networks have a business model that revolves around resiliency, anonymity, and freedom to do whatever one desires on the internet.

There are dozens of these network providers, but the following analysis focuses on six of them that we see consistently attack our customer base. In the first half of 2024, approximately 5 percent of observed DDoS attacks on our customers (approximately 2,000 attacks per day) involved at least one of these networks. Furthermore, half of these incidents involved multiple attack sources located on a single nuisance network, indicating cohesion within the networks. There is a 65 percent likelihood of organizations being targeted by attack sources located on multiple nuisance networks, versus a 35 percent chance involving attack sources located on a single nuisance network.

Tracking this cohesion enables us to identify collaborative attack infrastructures and coordinated threats. During 1H 2024, we observed ~50,000 distinct attack sources located on five of the top six nuisance networks.

A new entrant into the DDoS scene is the Zergeca botnet—an entirely new DDoS-capable botnet family coded in the Go programming language. This botnet distinguishes itself by utilizing encrypted DoH via the parallel OpenNIC DNS infrastructure for name resolution of its C2 infrastructure, making identification of botnet nodes more challenging for defenders. Another increasingly prevalent Mirai DDoS botnet variant known as “Aterna” or “CatDDoS” also employs the OpenNIC DNS infrastructure to obfuscate DNS queries related to its C2 infrastructure.

Further innovation by adversaries includes the notorious DDoSia botnet, a federated botnet developed and operated by the hacktivist group NoName057(16). The infrastructure used by the botnet is outsourced to the community, allowing anyone to provide resources. NoName057(16) incentivizes contribution with its own cryptocurrency.

ASERT also observed increased use of active botnet nodes as C2 infrastructure. In some cases, unpatched or misconfigured C2 nodes are compromised and leveraged as attack nodes; in others, botnet operators intentionally make use of dual-purpose nodes to obfuscate the C2 infrastructure and achieve a higher degree of resiliency.

End-to-End DDoS Attack Visibility

All the observations of attack infrastructure and botnet emergence are possible only because of our ATLAS visibility platform, which allows us to see DDoS attacks from networks near the attack’s source, along the transit path, and at the target network. This affords us unique insight and positioning to observe trends, detect DDoS attacks, analyze adversary infrastructure, and ultimately aid in defense of our customers’ networks.

Our extended traceback abilities allow us to observe attack traffic as it traverses multiple intermediate networks, which is crucial for identifying and tracking both spoofed direct-path attacks and the spoofed attack initiator traffic used to induce reflection/amplification attacks. Among attacks transiting multiple service providers, half were observed by at least one other service provider network, while the remainder were observed by at least two or more. Notably, during 1H 2024, 11 large-scale DDoS attacks were observed by more than 20 service provider networks.

Comprehensive end-to-end visibility enables precise identification and neutralization of threat actors and their infrastructure. Even if attack traffic does not reach its target, we can infer the complete attack profile, thereby better preparing for future threats.

Understanding DDoS Attack Dynamics

NETSCOUT monitors attacks both globally and locally per network to identify global attack trends and provide optimal protection tailored to each network’s specific context. We first determined the global aggregated DDoS attack impact via large-scale analysis of concurrent DDoS attacks. During the first half of 2024, this averaged out to 1,900 attacks, with a total volume of approximately 3.2Tbps and 595.6Mpps, at any given point in time.

Local investigations of the aggregated attack impact per network type revealed that networks with typically lower traffic loads (such as government or nonprofit organizations) report peak attack volumes on the same scale as those experienced by high-traffic networks (such as content and service providers). This indicates that the relative surge in traffic during attacks is significantly higher for lower-traffic networks (≥4 orders of magnitude) compared with high-traffic networks (3 orders of magnitude). These attack dynamics clearly demonstrate that all network types require substantial mitigation capacities to ensure robust protection.