Key Findings

Accelerating at amazing speeds, the growth of the internet necessitates increased visibility. And NETSCOUT’s commitment to worldwide visibility granted us insights into an average of 424Tbps of internet peering traffic in 1H 2023, a 5.7 percent increase over the 401Tbps reported at the end of 2022. The internet’s rapid growth unfortunately experienced drag—a reduction in capabilities because of an increase in DDoS attacks. For example, we witnessed a nearly 500 percent growth in HTTP/S application-layer and 17 percent increase DNS reflection/amplification attack volumes in 1H 2023.

The majority of observed application-layer, reflection/amplification, and direct-path volumetric DDoS attack traffic share a near-universal characteristic: a significant degree of attack source persistence. NETSCOUT’s ASERT Team identified DDoS reflectors/amplifiers, DDoS botnet nodes, and DDoS attack generators exhibit an average churn rate of only 10 percent over a two-week interval from their inception. In practical terms, this means that 90 percent of verified DDoS attack sources can be proactively blocked for as much as two weeks after initial discovery.

Given the persistence of adversary attack infrastructure, ASERT examined several different types of abusable infrastructure leveraged in DDoS attacks worldwide—DDoS botnets, open proxies, The Onion Router (Tor) nodes, and attacker-friendly networks commonly referred to as bulletproof hosting providers. In 1H 2023, we observed open proxies consistently leveraged in HTTP/S application-layer DDoS attacks primarily directed toward the higher education and national government sectors, whereas DDoS botnets frequently target state and local governments.

The unmatched breadth and depth of our data horizon allows us to identify the exact point in time when new DDoS attack vectors are discovered, tested, optimized, first utilized by adaptive attackers, and eventually weaponized in DDoS-for-hire services. This DDoS Threat Intelligence Report covers the evolution of the Apple remote management system (ARMS), TP240, and Service Location Protocol (SLP) DDoS attack vectors from inception to weaponization. We further detail how our visibility into the attacker discovery process allowed us to operationalize threat intelligence even before these attacks could be used against our customers.

Domain Name System (DNS) water torture DDoS attacks have been steadily rising in prevalence—with a sharp increase observed in June 2023. These attacks often use the very same devices leveraged in DNS reflection/amplification attacks to obfuscate the actual DDoS attack generators. At the same time, carpet-bombing attacks continue to rise, and our new research demonstrates that most carpet-bombing attacks are univector rather than multivector, with DNS reflection/amplification being the most prevalent attack type, followed by Session Traversal Utilities for Nat (STUN) reflection/amplification.

Since the initiation of ground operations in the Russia/Ukraine conflict at the beginning of 2022, NETSCOUT has extensively detailed the intersection between online and kinetic operations in history’s first true example of hybrid warfare. Since that time, ideologically motivated DDoS attacks targeting the United States, Ukraine, Finland, Sweden, Russia, and other countries have remained constant. Last year, Finland experienced a wave of DDoS attacks before and immediately after its NATO acceptance. Sweden has experienced a similar onslaught as that country’s bid to join NATO moves forward. But it’s not just politics: A wave of DDoS attacks hammered wireless telecommunications, no doubt a result of 5G wireless connectivity expanding at a staggering rate and subscribers opting to use 5G as their primary internet connection.