Threat Report 1h2023


ISSUE 11

NETSCOUT DDoS
Threat Intelligence Report
Complete Network Visibility Enables Total Network Control
CONTENTS

2 Key Findings
3 Internet Traffic and Slipstreamed Threats
8 DDoS Vector Discovery and Attack Enablers
10 Revealing Adversary Methodology
13 Geopolitical and Technology Impact in DDoS
14 Conclusion

You were not in control; you had no visibility…
Alain Prost, Formula 1 World Champion

You can’t win 51 Grand Prix victories without visibility. Alain Prost needed it on the racetrack, and it’s the cornerstone of internet security today. As internet connectivity becomes more complex and more vital for organizations around the globe, the NETSCOUT Visibility Without Borders® platform enables us to see around corners with unparalleled insight into attacker behavior.

Our role is to ensure your critical infrastructure is available and resilient—protecting everything from mass and individual communications to economic activity, news, education, utilities, and national security. Preparation is key to successful Adaptive DDoS defense, and our visibility not only provides insight into the minute-zero attacks but also tells you what to expect next with attacks that have yet to even be deployed on the internet.

It’s that unprecedented level of visibility into all stages of Distributed Denial of Service (DDoS) attacks that allows us to peer into the future in our role as Guardians of the Connected World and empower our customers to take control.

NETSCOUT DDoS Threat Intelligence Report: Issue 11 Page 1


Key Findings

Internet Traffic Growth and Visibility Accelerating
Accelerating at amazing speeds, the growth of the internet necessitates increased visibility. And NETSCOUT’s commitment to worldwide visibility granted us insights into an average of 424Tbps of internet peering traffic in 1H 2023, a 5.7 percent increase over the 401Tbps reported at the end of 2022. The internet’s rapid growth unfortunately experienced drag—a reduction in capabilities because of an increase in DDoS attacks. For example, we witnessed a nearly 500 percent growth in HTTP/S application-layer and a 17 percent increase in DNS reflection/amplification attack volumes in 1H 2023.

The Power of Persistence
The majority of observed application-layer, reflection/amplification, and direct-path volumetric DDoS attack traffic shares a near-universal characteristic: a significant degree of attack source persistence. NETSCOUT’s ASERT Team identified that DDoS reflectors/amplifiers, DDoS botnet nodes, and DDoS attack generators exhibit an average churn rate of only 10 percent over a two-week interval from their inception. In practical terms, this means that 90 percent of verified DDoS attack sources can be proactively blocked for as much as two weeks after initial discovery.

DDoS Attack Infrastructure Telemetry
ASERT examined several different types of abusable infrastructure leveraged in DDoS attacks worldwide—DDoS botnets, open proxies, The Onion Router (Tor) nodes, and attacker-friendly networks commonly referred to as bulletproof hosting providers. In 1H 2023, we observed open proxies consistently leveraged in HTTP/S application-layer DDoS attacks primarily directed toward the higher education and national government sectors, whereas DDoS botnets frequently target state and local governments.

Adversary Discovery Lifecycle
The unmatched breadth and depth of our data horizon allows us to identify the exact point in time when new DDoS attack vectors are discovered, tested, optimized, first utilized by adaptive attackers, and eventually weaponized in DDoS-for-hire services. This DDoS Threat Intelligence Report covers the evolution of the Apple remote management system (ARMS), TP240, and Service Location Protocol (SLP) DDoS attack vectors from inception to weaponization.

Carpet-Bombing and DNS Water Torture Attacks Increase Pace
Domain Name System (DNS) water torture DDoS attacks have been steadily rising in prevalence—with a sharp increase observed in June 2023. At the same time, carpet-bombing attacks continue to rise, and our new research demonstrates that most carpet-bombing attacks are univector rather than multivector, with DNS reflection/amplification being the most prevalent attack type, followed by Session Traversal Utilities for NAT (STUN) reflection/amplification.

World Events Fuel DDoS Attack Campaigns
Since the initiation of ground operations in the Russia/Ukraine conflict, ideologically motivated DDoS attacks targeting the United States, Ukraine, Finland, Sweden, Russia, and other countries have remained constant. Last year, Finland experienced a wave of DDoS attacks before and immediately after its NATO acceptance. Sweden has experienced a similar onslaught as that country’s bid to join NATO moves forward. But it’s not just politics: A wave of DDoS attacks hammered wireless telecommunications, no doubt a result of 5G wireless connectivity expanding at a staggering rate and subscribers opting to use 5G as their primary internet connection.



Internet Traffic and Slipstreamed Threats

Global Internet Traffic Visibility

We are committed to true global visibility and tracking the growing DDoS problem with insight into more than 500 contributing networks—with more networks being added weekly. NETSCOUT’s intelligence from these internet service providers (ISPs) provides a holistic and nuanced perspective on the good and bad of the vast, interconnected digital universe. This macro view of the internet’s transit traffic yields many unique insights. We extracted findings from an average of 424Tbps of total internet peering traffic during the first half of 2023 (Figure 1)—a 5.74 percent increase over 2H 2022.

Figure 1: Global Average Internet Traffic Volume (Tbps ingress, Tbps egress, Tbps combined; 01/01/23 to 07/01/23)

The constant expansion in internet visibility becomes critical as the internet grows—one organization reported a 21 percent growth in international internet peering traffic at the end of 2022—and the visibility gained is essential to developing attack mitigation strategies, because more than 75 percent of these networks see dozens or even hundreds of incoming DDoS attacks every day (Figure 2).

Figure 2: Contributing ISP Networks (contributors, 380 to 450; 01/01/23 to 07/01/23)

The Undercurrent of Malicious Traffic

In racing, drivers often use a technique called slipstreaming, drafting directly behind another car to increase speed. Like slipstreaming, adversaries use the resources of others to steal “speed” to the detriment of others. Unfortunately, the theft never ends, and ISP networks always bear the cost. In the first half of 2023, NETSCOUT observed a staggering total of ~7.9 million DDoS attacks, representing a 31 percent increase year over year. This represents an unbelievable 44 thousand DDoS attacks per day (Figure 3).

Figure 3: Regional DDoS Attack Counts (APAC, EMEA, LATAM, NAMER; attack count per day, 0 to 18,000; 01/01/23 to 07/01/23)



The growth in attacks implies this malicious traffic is ever-present. To illustrate how this
attack traffic is always present, we dive into HTTP/S and DNS below (Figures 4 and 5).

HTTP/S Application-Layer Attacks

Figure 4: Total HTTP/S Application-Layer Attacks (APAC, EMEA, LATAM, NAMER; attack count, 0 to 2,000; 01/23 to 07/23)

Mitigated HTTP/S Application-Layer Attacks 1H 2023
APAC   EMEA   LATAM   NAMER
1%     37%    10%     35%

Top 5 industries targeted by HTTP/S application-layer attacks:
1 Wired Telecommunications Carriers: 159,701
2 Data Processing Hosting and Related Services: 48,227
3 Wireless Telecommunications Carriers (except Satellite): 34,791
4 Electronic Computer Manufacturing: 17,020
5 Internet Publishing and Broadcasting: 11,208

DNS Amplification Attacks

Figure 5: Total DNS Amplification Attacks (APAC, EMEA, LATAM, NAMER; attack count, 0 to 5,500; 01/23 to 07/23)

Mitigated DNS Amplification Attacks 1H 2023
APAC   EMEA   LATAM   NAMER
10%    35%    25%     37%

EMEA was the No. 1 targeted region

Top 5 industries targeted by DNS amplification attacks:
1 Wired Telecommunications Carriers: 480,905
2 Wireless Telecommunications Carriers (except Satellite): 187,700
3 Data Processing Hosting and Related Services: 83,359
4 Satellite Telecommunications: 16,598
5 All Other Telecommunications: 16,348



The Power of Persistence
Formula 1 tracks remain the same, every race, every year, with the only variables being weather, visibility, and road conditions. That persistence enables drivers to prepare and build confidence in their ability. The same persistence is true of the infrastructure abused by adversaries to launch DDoS attacks—from reflectors/amplifiers to DDoS botnets and even lists of open proxies conscripted into attack tools. Despite the fact that there are hundreds of millions of abusable internet-connected devices an adversary can leverage to launch DDoS attacks, ASERT confirmed that a relatively small number of nodes are involved in a disproportionate number of DDoS attacks and contribute significantly to attack impact.

Persistent Attacker-Abused Infrastructure

Every day, NETSCOUT enterprise customers face security events from millions of attacker-abused and/or owned network-connected devices. We can identify persistent infrastructure leveraged by these relentless attackers by analyzing countermeasure behavioral heuristics.

During the first half of 2023, the top 5 percent of persistent attack sources’ IP addresses revealed that ~90 percent of the IPs maintained a constant presence within any given two-week interval (Figure 6).

Validated attack sources based on three characteristics:
1 Daily persistence over time
2 Volume of attack traffic directed towards NETSCOUT customers
3 Number of customers targeted by the same persistent infrastructure

Figure 6: Top 5 Percent of Persistent Attackers (persistence percentage, 0% to 100%; 01/03/23 to 06/01/23)

Top 5 source countries:
United States 26.5%
Brazil 10.3%
India 6.9%
China 6.7%
Netherlands 3.2%

Within the same context of a dynamic two-week moving window, we determined that approximately half of the attack sources identified and blocked by our enterprise solutions corresponded to persistent attackers.

Based on comparative analysis, fully one-third of persistent attack sources remain unidentified by conventional threat intelligence feeds and methodologies. NETSCOUT’s unique breadth and depth of insight into the global DDoS threat landscape allows us to determine that blocking only 5 percent of persistent attack sources would result in a significant reduction in attack impact.



Known DDoS Sources

In addition to persistent attackers, NETSCOUT’s visibility provides a unique perspective into known
DDoS sources used in reflection/amplification and botnet attacks. A high day-to-day persistence
implies the attacker infrastructure NETSCOUT knew about yesterday is the same participating in
today’s DDoS activity (in other words, known DDoS sources).

Figure 7 illustrates the degree of persistence exhibited by abusable reflectors/amplifiers and DDoS-capable botnets from April to June 2023. Our research revealed that these attack sources have an average of 10 percent churn. We also discovered that many of the IPs churning from day-to-day are responsible for a large amount of impact against our customers. This means that while there is a high degree of persistence in reusable adversary-abused infrastructure, it is equally imperative to have an always-updated list of new IPs to account for the high-impact sources evolving near-daily. NETSCOUT’s ATLAS Intelligence Feed (AIF) includes a daily list of both the persistent and new infrastructure to provide full-scope coverage on DDoS attacks sourced from these IPs.
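The persistence measurements described in this section and in the preceding one (day-over-day churn, the share of a moving window on which a source appears, and a daily list that combines persistent sources with newly seen ones) can be reproduced from plain per-day sets of attack-source addresses. The following is an added example written for this page; it is not NETSCOUT or ASERT code, and the five daily sets it uses are constructed sample data drawn from documentation address ranges. The 0.9 persistence threshold and the five-day window are assumptions chosen to illustrate the method, not values taken from the report.

```python
"""Day-over-day persistence of DDoS attack sources (added example, not NETSCOUT code)."""
from typing import Dict, List, Set

# Constructed sample: one set of attack-source IPs per observed day.
# Nine reflectors persist across the window, one new source appears each day,
# and one of the persistent sources is missing on day 4.
_CORE = {f"198.51.100.{i}" for i in range(1, 10)}
SAMPLE_DAYS: List[Set[str]] = [
    _CORE | {"203.0.113.10"},
    _CORE | {"203.0.113.11"},
    _CORE | {"203.0.113.12"},
    (_CORE - {"198.51.100.9"}) | {"203.0.113.13"},
    _CORE | {"203.0.113.14"},
]


def churn_rate(yesterday: Set[str], today: Set[str]) -> float:
    """Fraction of yesterday's sources that are absent today (0.0 means no churn)."""
    if not yesterday:
        return 0.0
    return len(yesterday - today) / len(yesterday)


def persistence_in_window(days: List[Set[str]], window: int) -> Dict[str, float]:
    """Share of the last `window` days on which each source was observed."""
    recent = days[-window:]
    seen = set().union(*recent)
    return {ip: sum(ip in day for day in recent) / len(recent) for ip in seen}


def persistent_sources(days: List[Set[str]], window: int,
                       threshold: float = 0.9) -> Set[str]:
    """Sources present on at least `threshold` of the days in the window (assumed cutoff)."""
    return {ip for ip, share in persistence_in_window(days, window).items()
            if share >= threshold}


def new_sources(days: List[Set[str]]) -> Set[str]:
    """Sources seen today that appeared on none of the earlier days."""
    earlier = set().union(*days[:-1])
    return days[-1] - earlier


def build_blocklist(days: List[Set[str]], window: int) -> Set[str]:
    """Persistent sources plus today's newcomers: a two-part daily list so that
    high-impact sources that only just appeared are not missed."""
    return persistent_sources(days, window) | new_sources(days)


def persistent_share_of_today(days: List[Set[str]], window: int) -> float:
    """Fraction of today's sources that were already persistent, i.e. the part of
    a day's blocked sources that carried over from earlier days."""
    today = days[-1]
    return len(today & persistent_sources(days, window)) / len(today)


if __name__ == "__main__":
    print(f"churn day 2 -> day 3: {churn_rate(SAMPLE_DAYS[1], SAMPLE_DAYS[2]):.0%}")
    print(f"blocklist size today: {len(build_blocklist(SAMPLE_DAYS, window=5))}")
    print(f"persistent share of today's sources: {persistent_share_of_today(SAMPLE_DAYS, 5):.0%}")
```

On the sample data, one of ten sources drops out between consecutive days (10 percent churn), eight of the nine core reflectors clear the 0.9 threshold, and the daily list carries those eight forward while adding the one address first seen today.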

Figure 7: DDoS Attack Types: Reflector/Amplifier and DDoS Botnets Feeds (persistence percentage, 0.6 to 1; 04/02/23 to 06/25/23)

Bulletproof Hosting (BPH) Providers

Bulletproof hosting (BPH) providers pose a unique and challenging threat. Their activity is often disguised under a veil of legitimacy; however, due to their willful neglect of community norms, their illicit activities often evade normal responses such as takedown requests. Furthermore, inaction by their peers and upstream providers prolongs abusive behavior, often across the course of many years, resulting in BPH providers becoming emboldened by the internet community’s lack of response. This allows BPH providers to refine and enhance their methods unencumbered while incident responders must search for ways to track and mitigate their behavior. Many of the most notorious threats to internet safety and stability previously have found safe havens at BPH providers, but this strategy is becoming less tenable as we uncover and provide defensive recommendations to our customers and the world.

As described in our recent blog focused on bulletproof hosting providers, we classify them as belonging to one of three categories: malicious, abusive, or controversial.

Three types of BPH providers:
1 Malicious: practically no legitimate or lawful activity
2 Abusive: significantly uncooperative, unresponsive, or unwanted activity
3 Controversial: legal, but often condemned for unwanted material or activity

We focus our examination on the malicious and abusive categories of two well-known BPH providers. We refer to these BPH providers as Provider X and Provider Y. Provider X operates its own autonomous system (AS) and has dozens of small Internet Protocol version 4 (IPv4) prefixes it announces into the global BGP routing table. In total, Provider X announces less than a /16 of IPv4 address space. This is not a lot of addresses. However, when we consider the frequency of attacks involving this provider (Figure 8 on the following page), it becomes apparent Provider X is a significant source of attacks.



Most of these attacks are sourced from Provider X to other networks. Compared with a university of a similar network size, Provider X exhibits a greater number of attacks originating from its network than it should.

Figure 8: BPH-X Attacks and Trend Line Per Day (attack count, 0 to 180; 01/01/23 to 07/01/23)

BPH-X targeted countries:
Ukraine: 1,024 attacks
Singapore: 62 attacks
United States: 51 attacks
Russia: 40 attacks
Netherlands: 27 attacks

To further classify suspicious traffic sourced from this provider, we analyzed the outbound packet size distribution (Figure 9). Typical traffic patterns would exhibit either consistency on one end or a sinusoidal curve of varied packet sizes over time. Instead, we see packet sizes polarized at both ends simultaneously. In normal traffic, it is extremely rare for large packets to trail immediately behind small packets. This suggests that the network in question is atypical and likely used for a limited subset of specialized applications such as scanning and malicious content hosting.

Figure 9: Packet Size Distribution (packet count, 0 to 1,100, by packet size, 0 to 1,600 bytes)

By way of contrast, Provider Y has been known to provide internet transit for other bulletproof hosters, acting as their upstream ISP. Provider Y announces only one-fourth the IPv4 address space that Provider X does, but the number of attacks we see on our customer networks involving Provider Y are more than double Provider X’s, and the attacks in and out are closer to being symmetrical (Figure 10). Because of the nature of these types of services, it’s highly probable they are enabling malicious activity to (command and control, exfiltration, and so forth) and from (exploitation, scanning, brute-forcing) this network, resulting in a higher degree of symmetry of inbound/outbound traffic. In contrast, Provider X is the source of a great deal of aggressive and abusive internet scanning.

Figure 10: BPH-Y Inbound and Outbound Attacks Per Day (attack count, 0 to 550; 01/01/23 to 07/01/23)
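The two indicators used above to separate the Provider X and Provider Y profiles, a packet-size distribution "polarized at both ends" and the symmetry of inbound versus outbound attack counts, can be turned into a small, repeatable check. The code below is an added example written for this page, not NETSCOUT's analysis tooling. The packet-size samples and the inbound/outbound counts are constructed; the 200-byte bins follow the axis of Figure 9, and the 0.35 tail share, 0.15 middle share and 0.5 symmetry cutoff are assumed thresholds for illustration rather than values from the report.

```python
"""Packet-size polarization and in/out attack symmetry (added example, not NETSCOUT code)."""
from typing import Dict, Iterable, List

BIN_WIDTH = 200   # bytes per histogram bin, following the Figure 9 axis
MAX_SIZE = 1600   # sizes at or above the last bin edge land in the last bin

# Constructed sample 1: a scanning / hosting network. Almost every packet is either
# a tiny probe (60 bytes) or a full-size segment (1500 bytes).
SCANNER_SIZES: List[int] = [60] * 400 + [1500] * 350 + [512] * 20
# Constructed sample 2: mixed user traffic spread smoothly across the size range.
NORMAL_SIZES: List[int] = list(range(64, 1500, 7))


def size_histogram(packet_sizes: Iterable[int], bin_width: int = BIN_WIDTH,
                   max_size: int = MAX_SIZE) -> List[int]:
    """Packet counts per size bin: [0-199, 200-399, ..., 1400 and above]."""
    bins = [0] * (max_size // bin_width)
    for size in packet_sizes:
        bins[min(size // bin_width, len(bins) - 1)] += 1
    return bins


def is_polarized(hist: List[int], tail_share: float = 0.35,
                 middle_share: float = 0.15) -> bool:
    """True when the smallest and largest bins each hold a large share of packets
    while the middle bins hold almost none: sizes concentrated at both ends at once
    rather than consistent at one end or varying smoothly."""
    total = sum(hist)
    if total == 0 or len(hist) < 3:
        return False
    low, high = hist[0] / total, hist[-1] / total
    middle = sum(hist[1:-1]) / total
    return low >= tail_share and high >= tail_share and middle <= middle_share


def symmetry_ratio(inbound_attacks: int, outbound_attacks: int) -> float:
    """min/max of inbound and outbound attack counts: 1.0 is fully symmetric,
    values near 0 mean attacks flow almost entirely in one direction."""
    high = max(inbound_attacks, outbound_attacks)
    return 1.0 if high == 0 else min(inbound_attacks, outbound_attacks) / high


def profile_network(packet_sizes: Iterable[int], inbound_attacks: int,
                    outbound_attacks: int) -> Dict[str, object]:
    """Combine both heuristics into the two shapes contrasted in the text."""
    polarized = is_polarized(size_histogram(packet_sizes))
    sym = symmetry_ratio(inbound_attacks, outbound_attacks)
    if polarized and sym < 0.5:
        label = "scanning-source"   # outbound-heavy, sizes polarized (Provider X shape)
    elif sym >= 0.5:
        label = "transit-like"      # attacks in both directions (Provider Y shape)
    else:
        label = "unclassified"
    return {"polarized": polarized, "symmetry": sym, "label": label}


if __name__ == "__main__":
    print("scanner:", profile_network(SCANNER_SIZES, inbound_attacks=30, outbound_attacks=150))
    print("normal: ", profile_network(NORMAL_SIZES, inbound_attacks=300, outbound_attacks=330))
```

The histogram is deliberately coarse: the point is not the exact shape but whether the mass sits in the two outermost bins with little in between, which is the signature the text describes for Provider X. In practice the input would be sampled packet lengths from flow records or a capture for the provider's announced prefixes.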



DDoS Vector Discovery
and Attack Enablers
Increasingly, adversaries are creating their own and/or abusing different types of infrastructure as
platforms to conduct reconnaissance and launch attacks. The following analysis highlights how some
of that abusable infrastructure is leveraged in attacks and how adversaries discover new DDoS attack
vectors and methodologies.

Dissecting Adversary Attack Generators

Threat actors are now relying more on DDoS-capable botnets, Tor nodes, and open proxy servers to generate and obfuscate the actual sources of direct-path DDoS attacks. As a result of the great rebalancing described in our 2H 2022 DDoS Threat Intelligence Report, we have seen a renewed emphasis on direct-path attacks and a transition from a nearly decade-long stint of reflection/amplification preeminence.

Although reflection/amplification attacks remain the primary DDoS attack methodology used to target service provider properties and infrastructure, botnets, open proxies, and Tor nodes are employed primarily in attacks directed toward enterprises and other types of endpoint networks.

All three types of attack sources display disproportionately high rates of activity in security events targeting institutions of higher education and data-hosting services (Figure 11). The Y-axis in the figure below represents the percentage above observed baselines (proxies, Tor nodes, and botnet nodes) in comparison to other types of hosts. DDoS botnets frequently are used in attacks targeting state and local governments, whereas open proxies have seen disproportionate use in attacks against federal/national governments. Proxy use against federal/national governments is notable because proxies are a favorite tool of ideologically motivated adversaries such as Killnet for launching application-layer DDoS attacks against web servers and online portals.

Attacks targeting ISPs, 1H 2023:
Tor nodes: 30 daily alerts
Open proxies: 30 daily alerts
Botnet nodes: 730 daily alerts

Figure 11: Industries Impacted by Attack Generators (attack generator inclusion rate, 0% to 450%, for Higher Education, State Government, and Federal Government across Open Proxy, Tor, and Botnet; bar labels as shown: 393%, 232%, 150%, 142%, 130%, 126%, 113%, 107%, 98%)

Industry top targets:
1 Higher Education: frequent use of open proxy, botnet and Tor
2 State Government: frequent use of DDoS botnet attacks
3 Federal Government: frequent use of open proxies



A Vector is Born
Like defense in traditional warfare, the protection of digital assets during cyberwarfare is
significantly enhanced by early warnings combined with top-notch visibility. NETSCOUT’s
unmatched ability to observe emerging DDoS vectors is of the utmost importance in safeguarding
global networks. This level of visibility allows us to identify adversary attempts to exploit abusable
hosts and services to launch DDoS attacks.

ARMS Reflection/Amplification

In mid-2019, NETSCOUT received notification of significant DDoS attack traffic sourced from UDP/3283, a previously unused and unknown attack vector. ASERT researchers immediately began reverse-engineering the attack. Within four days, NETSCOUT had successfully replicated this never-before-seen reflection/amplification DDoS attack, which leveraged unpatched systems running ARMS. Our testing revealed a substantial amplification ratio of 35.5:1.

NETSCOUT then created surgical deny lists of abused ARMS reflectors/amplifiers, published customer and public advisories on mitigating this new DDoS attack vector, and worked with the vendor on mitigation/remediation recommendations. At discovery, there were a total of 54,000 abusable nodes on the public internet, and today that number is ~6,000 thanks in part to NETSCOUT visibility, remediation guidance to network operators, education efforts, and patching by Apple. This early identification of a new DDoS vector allowed us to publish mitigation recommendations before adversary activity became commonplace in early 2020 (Figure 12).

Figure 12: ARMS Related Activity (attack count, 0 to 650; 01/01/19 to 01/01/23; annotation: "Major European ISP notifies NETSCOUT of never-before-seen attack")

TP240 Phone Home Reflection/Amplification

But this was not just lightning in a jar. Beginning in January 2022, NETSCOUT observed probes targeting services running on UDP/10074 (Figure 13). Concurrently, NETSCOUT, via partnerships with global network operators, vendors, and research teams, began investigations into a potential new DDoS attack vector dubbed TP240 Phone Home. ASERT discovered that this vector had an astonishing potential amplification ratio of 4,294,967,296:1—capable of generating more than 53 million packets per second. NETSCOUT initially identified more than 5,000 abusable nodes on the public internet. Today that number is fewer than ~2,800, due in part to NETSCOUT’s visibility, remediation, and public education efforts.

Figure 13: TP240 Related Activity (attack count, 0 to 800; 07/01/21 to 07/01/23; annotation: "Initial discovery")



SLP Reflection/Amplification

Most recently, NETSCOUT witnessed the emergence of a new vector with the greatest lead time yet. We discovered the activity in 1H 2023, but after investigating traffic in our global honeypot network found that adversaries started probing UDP/427 in September of 2022 (Figure 14). These early probes originated from a security researcher looking into vulnerabilities in the SLP protocol. In April of 2023, ASERT characterized and provided mitigation recommendations and surgical deny lists for this new DDoS attack vector, which is capable of amplifying traffic at a ratio of 2200:1 with proper priming. At discovery, NETSCOUT identified more than 40,000 abusable reflectors/amplifiers on the public internet. Today, that number is ~38,000 and declining. NETSCOUT mitigation and remediation guidance has minimized this vector’s effectiveness, ensuring customers are proactively protected against SLP reflection/amplification attacks.

Figure 14: SLP Related Activity (attack count, 0 to 400; 01/01/22 to 10/01/23; annotations: "First initial probes seen in NETSCOUT Sensorium" and "Research disclosure to NETSCOUT about new vector")

Revealing Adversary Methodology

In addition to using a multitude of DDoS attack vectors, threat actors also employ various attack methodologies against targeted organizations. For example, DNS query floods were first observed in the wild in 1997, but since that time they have evolved, with varieties of DNS water torture attacks (floods of DNS queries for nonexistent records) becoming commonplace. When carpet-bombing attacks—in which entire networks are targeted instead of just specific hosts on those networks—first debuted in 2017, ASERT researchers quickly issued mitigation guidance to customers and the operational community.

Carpet-Bombing Deep Dive

A sudden resurgence in carpet-bombing attacks prompted our researchers to investigate this tactic, and since the first week of 2023, we observed a 55 percent increase in daily carpet-bombing attacks, from an average of 468 per day to 724 per day (Figure 15).

It should be noted that these figures are conservative and are based on high-impact attacks on ISP networks. Given the nature of these attacks—adversaries intentionally spreading traffic to multiple hosts, thus decreasing bandwidth rates and avoiding traffic threshold alerts—it is highly plausible these numbers are an order of magnitude lower than the actual number of carpet-bombing attacks present on the internet.

Figure 15: Daily Carpet-Bombing Attacks (1H 2023) (attack count and trend line, 0 to 1,100; 01/01/23 to 07/01/23)
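The reason carpet-bombing undercounts in per-host telemetry, as the paragraph above explains, is that every individual destination stays below the per-host threshold. The defender's counter is to aggregate the same flow data by destination prefix and alert on the prefix total. The code below is an added example written for this page, not NETSCOUT's detection logic; the one-minute flow window it processes is constructed from documentation address ranges, and the thresholds (100 Mbps per host, 500 Mbps per /24, at least 16 distinct hosts) are assumed values for illustration.

```python
"""Carpet-bombing detection by destination-prefix aggregation (added example, not NETSCOUT code)."""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

PER_HOST_THRESHOLD_MBPS = 100.0   # classic single-host alert threshold (assumed)
PREFIX_THRESHOLD_MBPS = 500.0     # aggregate rate that should alarm for one /24 (assumed)
MIN_DISTINCT_HOSTS = 16           # spread needed before calling it carpet-bombing (assumed)

FlowRecord = Tuple[str, float]    # (destination IP, Mbps observed in this window)

# Constructed one-minute window:
#  - 64 hosts in 192.0.2.0/24 each receive 12 Mbps: 768 Mbps total, no host near 100 Mbps
#  - one host in 198.51.100.0/24 receives 600 Mbps: an ordinary single-target flood
#  - 20 hosts in 203.0.113.0/24 receive 2 Mbps each: normal background traffic
SAMPLE_FLOWS: List[FlowRecord] = (
    [(f"192.0.2.{i}", 12.0) for i in range(1, 65)]
    + [("198.51.100.7", 600.0)]
    + [(f"203.0.113.{i}", 2.0) for i in range(1, 21)]
)


def prefix_of(ip: str, length: int = 24) -> str:
    """Containing network of an address, e.g. 203.0.113.200 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))


def per_host_rates(flows: Iterable[FlowRecord]) -> Dict[str, float]:
    rates: Dict[str, float] = defaultdict(float)
    for dst, mbps in flows:
        rates[dst] += mbps
    return rates


def detect_per_host(flows: Iterable[FlowRecord]) -> List[str]:
    """Hosts that cross the per-host threshold on their own (the classic alert)."""
    return sorted(h for h, r in per_host_rates(flows).items() if r >= PER_HOST_THRESHOLD_MBPS)


def aggregate_by_prefix(flows: Iterable[FlowRecord], length: int = 24) -> Dict[str, dict]:
    """Roll per-host rates up into {prefix: {mbps, hosts, max_host_mbps}}."""
    agg: Dict[str, dict] = {}
    for host, rate in per_host_rates(flows).items():
        p = agg.setdefault(prefix_of(host, length),
                           {"mbps": 0.0, "hosts": 0, "max_host_mbps": 0.0})
        p["mbps"] += rate
        p["hosts"] += 1
        p["max_host_mbps"] = max(p["max_host_mbps"], rate)
    return agg


def detect_carpet_bombing(flows: Iterable[FlowRecord], length: int = 24) -> List[dict]:
    """Prefixes whose aggregate rate alarms even though no single host does:
    traffic spread thinly across many hosts to stay under per-host thresholds."""
    alerts = []
    for prefix, p in aggregate_by_prefix(flows, length).items():
        if (p["mbps"] >= PREFIX_THRESHOLD_MBPS
                and p["hosts"] >= MIN_DISTINCT_HOSTS
                and p["max_host_mbps"] < PER_HOST_THRESHOLD_MBPS):
            alerts.append({"prefix": prefix, **p})
    return sorted(alerts, key=lambda a: a["prefix"])


if __name__ == "__main__":
    print("per-host alerts:", detect_per_host(SAMPLE_FLOWS))
    print("carpet-bombing alerts:", detect_carpet_bombing(SAMPLE_FLOWS))
```

On the sample window the per-host rule sees only the 600 Mbps single-target flood, while the prefix rule catches 192.0.2.0/24 at 768 Mbps across 64 hosts with no host above 12 Mbps. The two rules are complementary: the prefix check is deliberately restricted to cases where no host alarms on its own, so an ordinary flood is reported once, by the per-host rule.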



Carpet-Bombing Attacks: A Breakdown

Attack metrics:
88 average attacked IPs + prefix; 841 maximum attacked IPs + prefix
118 average attacking source IPs + prefix; 1,257 maximum attacking source IPs + prefix
18.5 average attack duration (minutes); 2,949 maximum attack duration (minutes)

Top 5 targeted countries:
1 United States
2 Brazil
3 Spain
4 Japan
5 Italy

Top 5 source countries:
1 United States
2 Netherlands
3 Great Britain
4 Germany
5 France

Because carpet-bombing attacks are designed to target a broad network footprint, it is no surprise that wired and
wireless telecommunications and cloud hosting providers bear the brunt of these attacks as they spread across
their networks. Most of the reflectors/amplifiers used to launch these attacks are sourced from the very same
networks they target.

DNS amplification features most prominently in carpet-bombing attacks, but perhaps slightly more surprising is that STUN amplification is a close second (Figure 16). That is, until we realized that STUN is necessary for WebRTC-based VoIP and video communications leveraged by services such as FaceTime, Skype, and Teams. This means that, like DNS responses, it cannot be filtered wholesale at the network edge. Previously, carpet-bombing attacks were almost always univector UDP reflection/amplification attacks. In the last 18 months, however, we have observed an uptick in the use of TCP reflection/amplification with carpet-bombing attacks.

Figure 16: Top 10 Vectors: Carpet-Bombing DDoS Attacks (1H 2023), number of attacks
DNS Amplification: 84,963
STUN Amplification: 36,320
NTP Amplification: 25,979
ISAKMP/IKE Amplification: 24,804
BitTorrent Amplification: 17,479
OpenVPN Amplification: 12,919
SIP Amplification: 12,671
L2TP Amplification: 7,072
SNMP Amplification: 5,411
VSE Amplification: 4,712



DNS Query (Water Torture) Flood Deep Dive

The Domain Name System, or DNS, serves as the internet’s address book, mapping (mostly) human-friendly names into IP addresses so that devices, applications, and services know where to send packets. Since 1997, attackers have been launching attacks against DNS servers to disrupt applications and devices. After all, if the name of a website, online game service, or streaming video provider can’t be resolved, the effect is the same as if the actual service itself has been successfully attacked. This is also the case with key enterprise properties such as corporate web servers, collaboration services, and VPN concentrators: If an enterprise’s authoritative DNS servers are successfully disrupted, the entire organization is, for all practical purposes, unreachable. Unfortunately, many organizations fail to include DNS servers in their DDoS defense plans.

DNS Attack Analysis

DNS water torture attacks rose from an average of 144 daily attacks at the start of 2023 to 611 at the end of June, marking a nearly 353 percent increase in only six months. The highest-impact attack involved ~89.4 million queries per second (mqps), a 51.1 percent increase in attack impact over the same period in 2022.

A decrease took place at the start of 2023, but our observations indicate that these attacks were once again on the rise toward the end of 1H 2023 (Figure 17). This indicates that although variability in attacker motivations leads to some seasonal variations in targeting, DNS water torture attacks inevitably climb back up and continue to remain high-impact attacks that are highly disruptive to organizations unprepared to defend their DNS infrastructure.

Figure 17: DNS Water-Torture Attacks Per Day (attack count and trend line, 0 to 900; 01/01/23 to 07/01/23)

Given the diversity of attacked industries, it appears that both ideologically motivated threat actors and DDoS extortionists intent on monetary gain attack DNS servers to cause disruption to the online properties and activities of organizations in their crosshairs.

Worse, the increasing prevalence of well-known open DNS recursive services as sources in these attacks is concerning and may indicate that adversaries are intentionally trying to smuggle traffic past network operators responsible for securing DNS resources. Not only does that point to more sophisticated adversaries, but DNS water torture attacks reflected through these services are more challenging for defenders to mitigate due to the intermingling of attack traffic with genuine DNS queries originating from legitimate sources. It is imperative that organizations ensure their authoritative and recursive DNS infrastructure is included in DDoS defense plans and reviewed regularly.

DNS Attacks: A Breakdown

Top 5 targeted countries:
1 United States
2 Morocco
3 Turkey
4 South Africa
5 Argentina

Top 5 targeted industries:
1 Wired Telecomm
2 Wireless Telecomm
3 Data Processing Hosting and Related Services
4 Electronic Shopping and Mail-Order Houses
5 Insurance Agencies and Brokerages

On a regional basis, EMEA received most attacks, with North America and Asia-Pacific in second and third place, respectively.

The wireline and wireless broadband access ISP/cloud/VPS/hosting/colocation, and insurance sectors were especially hard-hit by DNS water torture attacks during the first six months of 2023.
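A water torture flood is recognisable on the authoritative side by what the section above describes: a surge of NXDOMAIN answers for a zone, each for a different, random-looking first label (so no cache can absorb it), frequently arriving through well-known open recursive resolvers that also carry legitimate queries. The detector below is an added example written for this page, not NETSCOUT code. Its log format (`timestamp client=... qname=... rcode=...`) and the log lines themselves are constructed; the random labels are synthesised with a hash so the sample is deterministic, and the thresholds (20 NXDOMAIN answers, mean label entropy of 2.5 bits per character, at least 80 percent unique labels) are assumed values for illustration.

```python
"""DNS water torture detection over an authoritative query log (added example, not NETSCOUT code)."""
import hashlib
import math
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed log format; a real deployment adapts parse_line() to its server's query-log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)


def _build_sample_log() -> List[str]:
    """Constructed sample: 30 random-looking labels under example.com arriving through three
    resolvers, mixed with legitimate lookups and a handful of ordinary typos for another zone."""
    resolvers = ["203.0.113.53", "203.0.113.54", "198.51.100.53"]   # constructed resolver IPs
    lines = []
    for i in range(30):
        label = hashlib.sha256(f"sample-{i}".encode()).hexdigest()[:12]   # synthetic random label
        lines.append(f"2023-06-15T12:00:{i:02d}Z client={resolvers[i % 3]} "
                     f"qname={label}.example.com. rcode=NXDOMAIN")
    for i in range(40):
        lines.append(f"2023-06-15T12:00:{i:02d}Z client={resolvers[i % 3]} "
                     f"qname=www.example.com. rcode=NOERROR")
    for label in ("wwww", "mail1", "ftp"):
        lines.append(f"2023-06-15T12:01:00Z client=203.0.113.53 "
                     f"qname={label}.example.net. rcode=NXDOMAIN")
    return lines


SAMPLE_LOG: List[str] = _build_sample_log()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def zone_of(qname: str, depth: int = 2) -> str:
    """Zone under attack, e.g. 'kx7q.example.com.' -> 'example.com'."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])


def first_label(qname: str) -> str:
    return qname.rstrip(".").split(".")[0]


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random hex or base36 labels score high,
    human-chosen names and typos score low."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def detect_water_torture(lines: Iterable[str], min_nxdomain: int = 20,
                         min_entropy: float = 2.5, min_unique_share: float = 0.8) -> List[dict]:
    """Per zone: count NXDOMAIN answers, distinct first labels and their mean entropy.
    Alert when all three say 'many, all different, all random-looking'."""
    per_zone = defaultdict(lambda: {"nx": 0, "labels": set(), "clients": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        z = per_zone[zone_of(rec["qname"])]
        z["nx"] += 1
        z["labels"].add(first_label(rec["qname"]))
        z["clients"][rec["client"]] += 1
    alerts = []
    for zone, z in per_zone.items():
        if z["nx"] < min_nxdomain:
            continue
        mean_entropy = sum(map(label_entropy, z["labels"])) / len(z["labels"])
        if mean_entropy >= min_entropy and len(z["labels"]) >= min_unique_share * z["nx"]:
            alerts.append({"zone": zone, "nxdomain": z["nx"], "unique_labels": len(z["labels"]),
                           "mean_label_entropy": round(mean_entropy, 2),
                           "top_clients": z["clients"].most_common(3)})
    return alerts


if __name__ == "__main__":
    for alert in detect_water_torture(SAMPLE_LOG):
        print(alert)
```

The `top_clients` field is reported for context rather than as a block list: in the sample, as in the attacks described above, the sources are recursive resolvers that also deliver the legitimate `www.example.com` lookups, so the mitigation belongs at the zone and label level (rate limiting or dropping NXDOMAIN-bound queries for random labels) rather than at the source address.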



Geopolitical and Technology
Impact in DDoS
Everything from vectors to infrastructure and methodology play a part in the remaining analysis
contained in our report as we examine how geopolitical influences continue to play a dominant
role in the DDoS threat landscape—followed closely by changes in the technology arena.

Geopolitics in the Cyber Arena

Last year in our threat report and in several blogs published since, we detailed the presence of DDoS attacks related to ongoing geopolitical and ideological conflicts. Specifically, we know that pro-Russian aligned hacktivists targeted Finland in its bid to join NATO. These attacks had ramifications for Turkey and Hungary as the two countries finally approved Finland’s application. Fast-forward to June 2023, and Sweden is on the verge of joining NATO amidst a significant rise in DDoS attacks coinciding with major political dynamics.

On May 3, it was reported that the Swedish parliament website had been the target of a highly disruptive DDoS attack. Sure enough, our global visibility revealed a significant increase in attacks against the country coinciding with the timeline played out in the political theater (Figure 18).

Figure 18: Swedish Attacks and Trend Line Per Day (attack count, 0 to 450; 02/26/23 to 07/02/23)

These attacks culminated with a DDoS attack of more than 500Gbps (Figure 19) before finally subsiding in June to a more usual daily attack frequency. It is expected that DDoS attacks targeting Sweden will increase yet again as the ratification of Sweden’s bid to join NATO progresses through the political process.

Figure 19: Swedish Attacks Per Day (minimum, maximum, and average bps, 0G to 600G; 02/26/23 to 07/16/23)



Wireless Advancements Impact DDoS Landscape
In the first half of 2023, NETSCOUT observed a sharp increase in DDoS attacks against multiple wireless telecommunications providers in APAC (Figure 20). This is a global trend we observed at the end of 2022, with a 79 percent increase in attacks targeted at wireless telecommunications providers. This trend isn't surprising, given the number of commercial 5G networks being deployed globally. According to Analysys Mason's 5G deployment tracker report, there were more than 16 5G networks already deployed or set to launch in 2023.

Although we cannot confirm all these networks were deployed, at least one service provider in the region expanded its 5G offerings significantly, accounting for much of the increase in 2023. The root cause of this shift is almost certainly tied to many former broadband access users moving to 5G fixed wireless access, including gamers shifting their network access. Historically, most attacks in service provider networks have correlated back to gaming in some fashion, so the move of gamers to wireless access is prompting a shift in this attack activity to the wireless space.

[Figure 20: APAC Daily Attacks: Wireless Telecommunications. Attacks per day (0 to 1,200) with trend line, 01/01/22 to 07/01/23.]

Conclusion

Visibility has become an even more important defensive tool for leveling the playing field. Enzo Ferrari said it best: "What's behind you doesn't matter." That is, learn from the past, but look to the future. Lean into visibility to peer around those tight corners to see what's ahead and know where the adversary is headed. Traditionally, the costs of DDoS attacks have been in the attacker's favor. However, when we detect their early actions, such as scanning or trying to use new attack methods, we stop them immediately. By imposing artificial scarcity on their resources and forcing them into a single, unidimensional method, we reduce their opportunities to exploit vulnerabilities. This is possible only with our visibility.

CONTRIBUTORS

Richard Hummel, Writer
John Kristoff, Writer
Roland Dobbins, Writer
Clark Arenberg, Writer
Chris Conrad, Writer
Kinjal Patel, Writer
Filippo Vitale, Writer
Max Resing, Writer
Chad Robertson, Writer
Steinthor Bjarnasen, Writer
Roman Lara, Writer

Learn from what we see in the NETSCOUT Visibility Without


Borders® platform and leverage Arbor Adaptive DDoS
protection technology to take control of your future and
join NETSCOUT as Guardians of the Connected World®.



NETSCOUT SYSTEMS, INC.® (NASDAQ: NTCT)
delivers multi-purpose, real-time visibility,
troubleshooting and protection wherever your
technology infrastructure and business applications
reside. NETSCOUT Smart Data gives technology and
business teams the next-generation level of visibility
to see the full range of performance, availability
and security risks, earlier and with more precision,
to resolve problems faster. That’s why the world’s
most demanding government, enterprise and service
provider organizations rely on NETSCOUT solutions
to assure and protect the digital services which
advance our connected world.

Visit www.netscout.com or follow @NETSCOUT on Twitter, Facebook, or LinkedIn.

©2023 NETSCOUT SYSTEMS, INC. All rights reserved. NETSCOUT, and the NETSCOUT logo are registered trademarks of NETSCOUT SYSTEMS, INC.,
and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brands and product names and registered and unregistered trademarks
are the sole property of their respective owners.

SECR_001_EN-2302
