Adaptive DDoS Suppression for a Safer, More Resilient Internet

BrandPost By NETSCOUT
Jan 10, 2023 | 3 mins
DDoS, Security

Adaptive DDoS defenses can nullify even large-scale attacks before they reach a critical mass.


Network operators have been working overtime for the past few years to meet the skyrocketing demand for bandwidth and throughput driven by remote work, greater investment in digital initiatives, and a rapidly expanding Internet of Things (IoT) landscape with billions of devices. From rolling out upgraded infrastructure to accelerating 5G and other high-access timelines, network operators have dramatically delivered when it comes to faster, high-volume connectivity.

Unfortunately, although these network upgrades help businesses and individuals connect and succeed in many new ways, they also open the door to something else—the opportunity for massive security vulnerabilities.

IoT Malware Proliferates

Online threats continue to multiply at significant speeds. For example, according to the data in NETSCOUT’s 1H 2022 Threat Intelligence Report, there are more than 500,000 compromised devices infected with IoT malware capable of launching distributed denial-of-service (DDoS) attacks. The report also states that 5.5 million distinct adversary IPs have attacked NETSCOUT customers in the first half of 2022 alone. Overall, the threat of malware and botnet DDoS attacks is growing, and expanded Internet capacity only makes the potential problems worse.

Attack Vectors and Methods Circumvent Protections

The evolution of Internet and global network topology is driving changes in attack vectors and methodologies that allow DDoS attackers to bypass traditional defenses and countermeasures. Add that to increased bandwidth and throughput, coupled with a growing number of abusable devices, and you end up with the potential for a new type of massive DDoS attack.

One traditional network operator approach to DDoS attacks is carrier-grade network address translation (CG-NAT). But this can’t be used to protect newer online devices and services that employ protocols that don’t live behind NAT and thus lie exposed without protection. In addition, whereas existing DDoS defense approaches focused on attack detection, classification, traceback, and mitigation have worked well for inbound traffic, outbound and cross-bound DDoS attacks using today’s more robust operator infrastructures can be just as devastating. 

In short, what’s been working for network operators is no longer a viable long-term solution. Instead, network operators need to change their way of thinking, adapt to the new threat landscape, and move from a default posture of DDoS mitigation to a new paradigm of adaptive DDoS suppression. 

Adaptive DDoS Suppression

We need adaptive DDoS suppression because DDoS attacks themselves are now adaptive, with adversaries performing extensive pre-attack reconnaissance to identify specific weak points. Attackers are also using botnet nodes and reflectors/amplifiers that are topologically adjacent to targets, minimizing the administrative boundaries that DDoS attack traffic must traverse and reducing opportunities to stop such attacks.

An adaptive DDoS suppression defense pushes DDoS defense to the edges of the network, including directly within peering and customer aggregation points of presence (PoPs). This allows network operators to suppress DDoS attack traffic as it enters anywhere at the network edge, shutting it down before it can become a large-scale attack. 

By implementing edge-based attack detection, intelligent DDoS mitigation, and network infrastructure-based mitigation techniques at all network ingress points, operators can implement adaptive DDoS suppression systems that scale to counter DDoS attack capacity and adversary innovation.

For more details on the changing dynamic of DDoS attacks and the ways adaptive DDoS suppression systems can stop threats at the network edge, read the NETSCOUT 1H 2022 DDoS Threat Intelligence Report.