DDoS Threat Intelligence Report

Key Findings

QuoteYou were not in control; you had no visibility…Alain Prost, Formula 1 WORLD CHAMPION

You can’t win 51 Grand Prix victories without visibility. Alain Prost needed it on the racetrack, and it’s the cornerstone of internet security today. As internet connectivity becomes more complex and more vital for organizations around the globe, the NETSCOUT Visibility Without Borders® platform enables us to see around corners with unparalleled insight into attacker behavior.

Our role is to ensure your critical infrastructure is available and resilient—protecting everything from mass and individual communications to economic activity, news, education, utilities, and national security. Preparation is key to successful Adaptive DDoS defense, and our visibility not only provides insight into the minute-zero attacks but also tells you what to expect next with attacks that have yet to even be deployed on the internet.

It’s that unprecedented level of visibility into all stages of Distributed Denial of Service (DDoS) attacks that allows us to peer into the future in our role as Guardians of the Connected World and empower our customers to take control.


Internet Traffic Growth and Visibility Accelerating

Accelerating at amazing speeds, the growth of the internet necessitates increased visibility. And NETSCOUT’s commitment to worldwide visibility granted us insights into an average of 424Tbps of internet peering traffic in 1H 2023, a 5.7 percent increase over the 401Tbps reported at the end of 2022. The internet’s rapid growth unfortunately experienced drag—a reduction in capabilities because of an increase in DDoS attacks. For example, we witnessed a nearly 500 percent growth in HTTP/S application-layer and 17 percent increase DNS reflection/amplification attack volumes in 1H 2023.

The Power of Persistence

The majority of observed application-layer, reflection/amplification, and direct-path volumetric DDoS attack traffic share a near-universal characteristic: a significant degree of attack source persistence. NETSCOUT’s ASERT Team identified DDoS reflectors/amplifiers, DDoS botnet nodes, and DDoS attack generators exhibit an average churn rate of only 10 percent over a two-week interval from their inception. In practical terms, this means that 90 percent of verified DDoS attack sources can be proactively blocked for as much as two weeks after initial discovery.

DDoS Attack Infrastructure Telemetry

Given the persistence of adversary attack infrastructure, ASERT examined several different types of abusable infrastructure leveraged in DDoS attacks worldwide—DDoS botnets, open proxies, The Onion Router (Tor) nodes, and attacker-friendly networks commonly referred to as bulletproof hosting providers. In 1H 2023, we observed open proxies consistently leveraged in HTTP/S application-layer DDoS attacks primarily directed toward the higher education and national government sectors, whereas DDoS botnets frequently target state and local governments.

Adversary Discovery Lifecycle

The unmatched breadth and depth of our data horizon allows us to identify the exact point in time when new DDoS attack vectors are discovered, tested, optimized, first utilized by adaptive attackers, and eventually weaponized in DDoS-for-hire services. This DDoS Threat Intelligence Report covers the evolution of the Apple remote management system (ARMS), TP240, and Service Location Protocol (SLP) DDoS attack vectors from inception to weaponization. We further detail how our visibility into the attacker discovery process allowed us to operationalize threat intelligence even before these attacks could be used against our customers.

Carpet-Bombing and DNS Water Torture Attacks Increase Pace

Domain Name System (DNS) water torture DDoS attacks have been steadily rising in prevalence—with a sharp increase observed in June 2023. These attacks often use the very same devices leveraged in DNS reflection/amplification attacks to obfuscate the actual DDoS attack generators. At the same time, carpet-bombing attacks continue to rise, and our new research demonstrates that most carpet-bombing attacks are univector rather than multivector, with DNS reflection/amplification being the most prevalent attack type, followed by Session Traversal Utilities for Nat (STUN) reflection/amplification.

World Events Fuel DDoS Attack Campaigns

Since the initiation of ground operations in the Russia/Ukraine conflict at the beginning of 2022, NETSCOUT has extensively detailed the intersection between online and kinetic operations in history’s first true example of hybrid warfare. Since that time, ideologically motivated DDoS attacks targeting the United States, Ukraine, Finland, Sweden, Russia, and other countries have remained constant. Last year, Finland experienced a wave of DDoS attacks before and immediately after its NATO acceptance. Sweden has experienced a similar onslaught as that country’s bid to join NATO moves forward. But it’s not just politics: A wave of DDoS attacks hammered wireless telecommunications, no doubt a result of 5G wireless connectivity expanding at a staggering rate and subscribers opting to use 5G as their primary internet connection.