DDoS Threat Intelligence Report

DDoS Visibility

Imagine your website swamped, servers overloaded, and customers locked out—all thanks to a relentless distributed denial-of-service (DDoS) attack. This isn’t a hypothetical scenario; it’s a real and growing threat.

In 2023 alone, we observed 13,142,840 DDoS attacks. This surge underscores a stark reality: Without proper DDoS protection, organizations are left scrambling in the dark, desperately trying to mitigate an attack that’s already causing major damage. The repercussions of an unmitigated DDoS attack extend beyond mere inconvenience; they manifest in tangible crises. Critical hospital services, including scheduling, can grind to a halt, risking lives when seconds count. Businesses face not only significant financial hemorrhage but also erosion of customer trust that took years to build. And for network operators, the relentless barrage of DDoS threats creates a siegelike environment, with a constant state of security fatigue replacing the essential proactive stance needed to safeguard their digital assets.

Instead of playing defense at the last minute, imagine being one step ahead of attackers. With advanced DDoS protection powered by predictive and real-time threat intelligence, you can identify and prioritize threats before they impact network infrastructure. Such protection further allows organizations to react instantly and automatically mitigate attacks, minimizing downtime and disruptions. Ultimately, this allows for business continuity, ensuring customers and users have uninterrupted access to critical services. Investing in proactive DDoS protection transforms defense strategies from reactive to predictive. This frees security teams to focus on strategic initiatives, knowing they have a robust shield against online threats.

Gaining insight and visibility into the DDoS threat landscape is the first step down the road to predictive DDoS defense. Throughout this 2H 2023 DDoS Threat Intelligence Report, our ASERT team dissects trends and attack methodologies adversaries are deploying against service providers, enterprises, and end users and provides actionable recommendations on the needed steps for moving from reactive to predictive responses.

Key Findings


The rise of tech-savvy and politically motivated DDoS hacktivism that transcends geographic borders, as exemplified by groups such as NoName057(16) and Anonymous Sudan in 2023, signifies a distinct shift in the global cybersecurity landscape. These groups demonstrate not only advanced technical prowess but also the ability to harness such skills for varied political agendas. This trend marks a new era in cyberattacks, profoundly impacting networks and organizations worldwide.

Read More


Imagine an unseen world where a hidden epidemic of malicious activity thrives.  Beneath the surface of normal internet traffic, analysis reveals a growing infection of DDoS attacks targeting authoritative and recursive Domain Name System (DNS) servers, the unsung heroes of the internet’s infrastructure. From groups such as Lazarus Bear Armada (LBA) in 2019 to more successful operations run by Anonymous Sudan, DNS query floods can cause a domino effect, knocking systems offline that serve hundreds to thousands of websites. Massive industries such as gaming and gambling experience similar collateral damage when gaming servers, hosting tens of thousands of users, experience increasing waves of DDoS attacks.

Read More


A “sophistication gap” in DDoS attacks is becoming increasingly evident. On one end, advanced attackers employ custom tools and cloud infrastructure; on the other, some still use basic, often free services. This disparity demands quick and targeted responses to effectively safeguard against these evolving cyberthreats.

Read More

NETSCOUT Visibility

Multiple decades working with the world’s largest service providers and enterprises grants NETSCOUT far-reaching visibility into the global internet, allowing us to discern the pulse of the digital world. Our capacity to monitor and respond to DDoS attacks is powered by our ATLAS telemetry platform that enables us to analyze an impressive 500 terabits per second (Tbps) of network traffic. Such comprehensive coverage yields insights into a large majority of the DDoS attacks around the world.

To further enhance our understanding of the DDoS landscape, NETSCOUT actively identifies and tracks reflectors/amplifiers, botnets capable of executing DDoS attacks, and other potentially exploitable nodes across the global internet daily. Each day, we compare these identified nodes with our worldwide DDoS attack telemetry.  This helps us determine which of these nodes are currently being misused for such attacks. By monitoring nodes, both active and susceptible to abuse, we can estimate the maximum impact of an attack if all such devices were exploited. This comprehensive approach allows us to not only visualize the current attack landscape but also to predict future threats.

To illustrate the importance of global visibility in the DDoS attack landscape, we investigated a spike in DNS reflection/amplification attacks, predominantly in EMEA, during the second half of the year, suggesting another major shift in adversary tactics. However, we discovered that while the number of abusable reflection and amplification nodes seems to be on the decline, the impact per node is on the rise. The following graphs showcase the number of source IPs in DNS reflection/amplification attacks by day and calculate the impact bits per second (bps) per node.