Modern DDoS techniques require visibility and mitigation at the network edge.

Credit: NETSCOUT

Network operators worldwide have rushed to upgrade network infrastructure to meet increased demand for bandwidth and throughput driven by remote work and education. In many cases, this has resulted in service providers accelerating timelines for 5G and other high-bandwidth access technologies.

The constant evolution of the internet and global network topology has forced adversaries and defenders to adapt. Changes in attack vectors and methodology allow distributed denial-of-service (DDoS) attackers to circumvent defenses and countermeasures. Meanwhile, security practitioners must constantly adapt their defense posture to mitigate this evolving threat.

DDoS defenses

DDoS defenses have traditionally focused on protecting internet properties and networks by implementing attack detection, classification, traceback, and mitigation technologies at points of convergence for inbound network traffic. This typically was accomplished by deploying defensive measures northbound of protected assets on directly connected networks. Source-address validation (SAV), for example, has had a very positive impact in reducing prominent vectors, such as DNS amplification, by rendering them ineffective.

This approach worked well to defend targeted organizations and networks from inbound DDoS attacks; however, outbound and cross-bound DDoS attacks can be just as devastating and disruptive as inbound attacks. Compromised workstations, Internet of Things (IoT) devices, and high-capacity servers have been subsumed into botnets and used to launch DDoS attacks. The traffic generated by these systems has significantly impacted production services for both enterprise and service provider networks.
Because of adversary innovation and adaptation, defenders must change their way of thinking and, in turn, adapt to the current threat landscape.

Adaptive DDoS

In an adaptive DDoS attack, adversaries perform extensive pre-attack reconnaissance to identify specific elements of the service delivery chain to target. Increasingly, they are using botnet nodes and reflectors/amplifiers that are closer to the target, a phenomenon recently observed with botnets attacking Ukraine. This minimizes the number of boundaries DDoS attack traffic must traverse, often resulting in fewer opportunities to detect and mitigate the attack.

The combination of increased available bandwidth and throughput, increased population of abusable devices, and adaptive DDoS attack techniques magnifies the threat to network operators. As such, network operators should move from a default posture of DDoS mitigation to a new posture of DDoS suppression.

DDoS Suppression

By implementing adaptive DDoS defenses at all edges of their networks, including directly within peering and customer aggregation points of presence (PoPs), network operators can suppress DDoS attack traffic as it ingresses at multiple points across the entire network edge — or before it ever converges into a large-scale attack. By implementing edge-based attack detection, intelligent DDoS mitigation, and network infrastructure-based mitigation techniques at all network ingress points, operators can implement adaptive DDoS suppression systems that scale to counter DDoS attack capacity and adversary innovation.

One method of DDoS suppression NETSCOUT uses to secure network edges is an ATLAS Threat Intelligence Feed (AIF) that can predefine what IP addresses or Classless Inter-Domain Routing (CIDR) blocks an adversary might use to launch an attack.
When an attack using the identified infrastructure begins, AIF countermeasures can immediately start blocking before any additional routing decisions, countermeasures, or manual analysis is required, nullifying the attack before it ever reaches critical mass.

Conclusion

The operational community has successfully suppressed spoofed attack initiator traffic, resulting in demonstrable decreases in reflection/amplification DDoS attacks when compared with direct-path attacks. The next logical step is to extend this paradigm into adaptive DDoS suppression across the network edge to further build a safer, more resilient internet for all.

Check out the NETSCOUT DDoS Threat Intelligence Report for more details.
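The feed-driven edge blocking described under DDoS Suppression can be sketched as follows. This is an added example, not NETSCOUT code: the feed is assumed to be a plain list of CIDR strings, and the feed entries, PoP names and flow records are constructed (documentation address ranges only).

```python
import ipaddress
from collections import defaultdict

# Constructed feed of pre-identified source blocks (assumed format: CIDR strings).
FEED = ["198.51.100.0/24", "198.51.100.128/25", "203.0.113.7/32", "2001:db8:bad::/48"]

# Constructed flow records seen at each edge PoP: (pop, source address, bytes).
FLOWS = [
    ("peering-1", "198.51.100.14", 40_000),
    ("peering-1", "192.0.2.10", 1_200),
    ("customer-agg-2", "203.0.113.7", 35_000),
    ("customer-agg-2", "203.0.113.8", 900),
    ("peering-3", "2001:db8:bad::5", 50_000),
    ("peering-3", "2001:db8:1::1", 700),
    ("peering-3", "not-an-ip", 10),
]

def load_feed(entries):
    """Parse feed entries and collapse overlapping blocks, per IP version."""
    nets = {4: [], 6: []}
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        nets[net.version].append(net)
    return {v: list(ipaddress.collapse_addresses(ns)) for v, ns in nets.items()}

def is_listed(feed, src):
    """True if the source address falls inside any feed block."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: not a feed match, left to other controls
    return any(addr in net for net in feed[addr.version])

def suppress_at_edges(feed, flows):
    """Apply the feed independently at every ingress PoP; return bytes per PoP."""
    dropped, forwarded = defaultdict(int), defaultdict(int)
    for pop, src, nbytes in flows:
        (dropped if is_listed(feed, src) else forwarded)[pop] += nbytes
    return dict(dropped), dict(forwarded)

def converged_load(per_pop):
    """Bytes that would converge on the protected target from all PoPs."""
    return sum(per_pop.values())

if __name__ == "__main__":
    feed = load_feed(FEED)
    dropped, forwarded = suppress_at_edges(feed, FLOWS)
    print("dropped per PoP:", dropped)
    print("converging on target:", converged_load(forwarded), "bytes")
```

Each PoP drops only its own share of the listed traffic, so the volume that would have converged downstream never leaves the edge.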