DDoS Threat Intelligence Report

Internet Traffic and Slipstreamed Threats

Global Internet Traffic Visibility

We are committed to true global visibility and tracking the growing DDoS problem with insight into more than 500 contributing networks—with more networks being added weekly. NETSCOUT’s intelligence from these internet service providers (ISPs) provides a holistic and nuanced perspective on the good and bad of the vast, interconnected digital universe. This macro view of the internet’s transit traffic yields many unique insights. We extracted findings from an average of 424Tbps of total internet peering traffic during the first half of 2023—a 5.74 percent increase over 2H 2022.

The constant expansion in internet visibility becomes critical as the internet grows—one organization reported a 21 percent growth in international internet peering traffic at the end of 2022—and the visibility gained is essential to developing attack mitigation strategies, because more than 75 percent of these networks see dozens or even hundreds of incoming DDoS attacks every day.

Wired and wireless telecommunications and cloud hosting providers accounted for more than 86 percent of our internet traffic insights—approximately 368Tbps. The remaining industries combined account for ~56Tbps globally in 1H 2023.

Beginning in February 2022, internet peering traffic associated with ~40 satellite-based internet providers began increasing. This peaked just prior to 2023, when we observed a significant decrease. The decrease appears to be the result of a prominent satellite internet provider imposing bandwidth limits across its network. By February 2023, we observed the total internet peering traffic traversing satellite networks leveling off at around 900Gbps globally.

The Undercurrent of Malicious Traffic

In racing, drivers often use a technique called slipstreaming, drafting directly behind another car to increase speed. Like slipstreaming, adversaries use the resources of others to steal “speed,” to the detriment of the owners of those resources. Unfortunately, the theft never ends, and ISP networks always bear the cost. In the first half of 2023, NETSCOUT observed a staggering total of ~7.9 million DDoS attacks, representing a 31 percent increase year over year. This represents an unbelievable 44 thousand DDoS attacks per day.

The growth in attacks implies this malicious traffic is ever-present. To illustrate how this attack traffic is always present, we dive into HTTP/S and DNS below.

HTTP/S Application-Layer Attacks


DNS Amplification Attacks


The Power of Persistence

Formula 1 tracks remain the same, every race, every year, with only variables in weather, visibility, and road conditions. That persistence enables drivers to prepare and build confidence in their ability. The same persistence is true in the infrastructure abused by adversaries to launch DDoS attacks—from reflectors/amplifiers to DDoS botnets and even lists of open proxies conscripted into attack tools. Despite the fact there are hundreds of millions of abusable internet-connected devices an adversary can leverage to launch DDoS attacks, ASERT confirmed that a relatively small number of nodes are involved in a disproportionate number of DDoS attacks and contribute significantly to attack impact.

Persistent Attacker-Abused Infrastructure

Every day, NETSCOUT enterprise customers face security events from millions of attacker-abused and/or owned network-connected devices. We can identify persistent infrastructure leveraged by these relentless attackers by analyzing countermeasure behavioral heuristics.

Validated Attack Sources Based on Three Key Characteristics

1. Daily persistence over time
2. Volume of attack traffic directed towards NETSCOUT customers
3. Number of customers targeted by the same persistent infrastructure

Among the top 5 percent of persistent attack source IP addresses during the first half of 2023, ~90 percent of the IPs maintained a constant presence within any given two-week interval.

Within the same context of a dynamic two-week moving window, we determined that approximately half of the attack sources identified and blocked by our enterprise solutions corresponded to persistent attackers.

Based on comparative analysis, fully one-third of persistent attack sources remain unidentified by conventional threat intelligence feeds and methodologies. NETSCOUT’s unique breadth and depth of insight into the global DDoS threat landscape allows us to determine that blocking only 5 percent of persistent attack sources would result in a significant reduction in attack impact.
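The persistence analysis described above, scoring each source on the three characteristics (daily presence in a two-week window, blocked volume, and number of customers targeted), as an added example that is not NETSCOUT's own code; it runs on a constructed two-week sample of countermeasure events, and the IP addresses, customer IDs and byte counts are placeholders.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of daily countermeasure events: day -> list of
# (source_ip, customer_id, bytes_blocked). IPs are documentation-range placeholders.
START = date(2023, 4, 1)
DAYS = [START + timedelta(days=i) for i in range(14)]  # one two-week window

def build_sample():
    events = defaultdict(list)
    for i, day in enumerate(DAYS):
        # a reflector seen every day, hitting three customers
        for cust, nbytes in (("cust-a", 5_000_000), ("cust-b", 2_000_000), ("cust-c", 1_000_000)):
            events[day].append(("198.51.100.7", cust, nbytes))
        # a bot seen on 12 of the 14 days, one customer
        if i not in (3, 9):
            events[day].append(("203.0.113.9", "cust-a", 800_000))
        # a fresh throwaway source every day: high churn, but heavy one-off impact
        events[day].append((f"192.0.2.{i + 1}", "cust-b", 9_000_000))
    return events

def per_source_stats(events, days):
    """Score each source on the report's three characteristics."""
    acc = defaultdict(lambda: {"days": set(), "bytes": 0, "customers": set()})
    for day in days:
        for ip, cust, nbytes in events.get(day, []):
            acc[ip]["days"].add(day)
            acc[ip]["bytes"] += nbytes
            acc[ip]["customers"].add(cust)
    return {ip: {"persistence": len(a["days"]) / len(days),   # share of days seen
                 "bytes": a["bytes"], "customers": len(a["customers"])}
            for ip, a in acc.items()}

def persistent_sources(stats, min_persistence=0.9):
    """Sources present on at least min_persistence of the days in the window."""
    return sorted(ip for ip, s in stats.items() if s["persistence"] >= min_persistence)

def daily_churn(events, day_prev, day_cur):
    """Fraction of today's sources that were not seen yesterday."""
    prev = {ip for ip, _, _ in events.get(day_prev, [])}
    cur = {ip for ip, _, _ in events.get(day_cur, [])}
    return len(cur - prev) / len(cur) if cur else 0.0

def impact_share(stats, max_persistence):
    """Share of blocked bytes attributable to low-persistence (churning) sources."""
    total = sum(s["bytes"] for s in stats.values())
    churny = sum(s["bytes"] for s in stats.values() if s["persistence"] <= max_persistence)
    return churny / total if total else 0.0
```

On this sample the one-day sources make up about a third of each day's source set yet account for roughly half of the blocked bytes, which is why a block list needs the new entries as well as the persistent ones.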

Known DDoS Sources

In addition to persistent attackers, NETSCOUT’s visibility provides a unique perspective into known DDoS sources used in reflection/amplification and botnet attacks. A high day-to-day persistence implies the attacker infrastructure NETSCOUT knew about yesterday is the same infrastructure participating in today’s DDoS activity (in other words, known DDoS sources).

The figure below illustrates the degree of persistence exhibited by abusable reflectors/amplifiers and DDoS-capable botnets from April to June 2023. Our research revealed that these attack sources have an average of 10 percent churn. We also discovered that many of the IPs churning from day to day are responsible for a large amount of impact against our customers. This means that while there is a high degree of persistence in reusable adversary-abused infrastructure, it is equally imperative to have an always-updated list of new IPs to account for the high-impact sources evolving near-daily. NETSCOUT’s ATLAS Intelligence Feed (AIF) includes a daily list of both the persistent and new infrastructure to provide full-scope coverage on DDoS attacks sourced from these IPs.

Bulletproof Hosting (BPH) Providers

Bulletproof hosting (BPH) providers pose a unique and challenging threat. Their activity is often disguised under a veil of legitimacy; however, due to their willful neglect of community norms, their illicit activities often evade normal responses such as takedown requests. Furthermore, inaction by their peers and upstream providers prolongs abusive behavior, often across the course of many years, resulting in BPH providers becoming emboldened by the internet community’s lack of response. This allows BPH providers to refine and enhance their methods unencumbered while incident responders must search for ways to track and mitigate their behavior. Many of the most notorious threats to internet safety and stability previously have found safe havens at BPH providers, but this strategy is becoming less tenable as we uncover and provide defensive recommendations to our customers and the world.

As described in our recent blog focused on bulletproof hosting providers, we classify them as belonging to one of three categories: malicious, abusive, or controversial.

We focus our examination on the malicious and abusive categories of two well-known BPH providers. We refer to these BPH providers as Provider X and Provider Y. Provider X operates its own autonomous system (AS) and has dozens of small Internet Protocol version 4 (IPv4) prefixes it announces into the global BGP routing table. In total, Provider X announces less than a /16 of IPv4 address space. This is not a lot of addresses. However, when we consider the frequency of attacks involving this provider, it becomes apparent Provider X is a significant source of attacks.

Most of these attacks are sourced from Provider X to other networks. Compared with a university network of similar size, Provider X originates more attacks than a network of its size should.

To further classify suspicious traffic sourced from this provider, we analyzed the outbound packet size distribution. Typical traffic patterns would exhibit either consistency on one end or a sinusoidal curve of varied packet sizes over time. Instead, we see packet sizes polarized at both ends simultaneously. In normal traffic, it is extremely rare for large packets to trail immediately behind small packets. This suggests that the network in question is atypical and likely used for a limited subset of specialized applications such as scanning and malicious content hosting.
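The packet-size polarization check described above, as an added example that is not NETSCOUT's own analysis code: it measures the share of packets at either size extreme and how often a near-MTU packet directly follows a tiny one. The size sequences and the thresholds (100 and 1400 bytes, 0.8 and 0.3) are constructed assumptions for illustration.

```python
# Constructed per-packet sizes (bytes) as exported from packet telemetry for one
# prefix; the sequences are illustrative, not measurements from the report.
NORMAL = [520, 610, 700, 760, 810, 850, 790, 720, 640, 560]      # smooth curve
POLARIZED = [60, 1480, 64, 1500, 60, 1480, 66, 1500, 62, 1480]   # probe/response flip-flop
MIXED = [60, 60, 64, 1500, 700, 720, 60, 1480, 800, 640]         # some extremes, mostly mid

def size_polarization(sizes, small=100, large=1400):
    """Share of packets sitting at either extreme (near-minimum or near-MTU)."""
    extremes = sum(1 for s in sizes if s <= small or s >= large)
    return extremes / len(sizes)

def small_to_large_rate(sizes, small=100, large=1400):
    """Rate at which a near-MTU packet directly follows a tiny one."""
    flips = sum(1 for a, b in zip(sizes, sizes[1:]) if a <= small and b >= large)
    return flips / (len(sizes) - 1)

def is_polarized(sizes, polar_min=0.8, flip_min=0.3):
    """Flag a prefix whose traffic matches the scanning/hosting profile above."""
    return size_polarization(sizes) >= polar_min and small_to_large_rate(sizes) >= flip_min
```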

By way of contrast, Provider Y has been known to provide internet transit for other bulletproof hosters, acting as their upstream ISP. Provider Y announces only one-fourth the IPv4 address space that Provider X does, but the number of attacks we see on our customer networks involving Provider Y is more than double Provider X’s, and the attacks in and out are closer to being symmetrical. Because of the nature of these types of services, it’s highly probable they are enabling malicious activity to (command and control, exfiltration, and so forth) and from (exploitation, scanning, brute-forcing) this network, resulting in a higher degree of symmetry of inbound/outbound traffic.

Although DDoS attacks are sourced from BPH providers, what we typically find is that those DDoS attacks are predominantly short-lived and moderate in volume. Today, BPH providers rarely originate volumetric DDoS attack traffic directly. In some cases, as seen with Provider Y, they or their downstream customers may themselves be the targets of DDoS attacks. However, most BPH providers today are used for the previously mentioned activities such as aggressive internet scanning and the hosting of harmful content such as phishing pages or malware. For example, Provider X is the source of a great deal of aggressive and abusive internet scanning.

This activity does not always show up in volumetric measurements but can be seen and mitigated by intermediate systems that observe aggregate traffic flows or employ threat intelligence feeds that include BPH infrastructure.