DDoS Threat Intelligence Report Reveals Troubling Attacker Behavior

BrandPost By NETSCOUT
Oct 20, 2022 | 3 mins
DDoS, Threat and Vulnerability Management

Attackers are innovating and impacting networks around the world, according to our latest DDoS Threat Intelligence Report


If there’s one consistent quality shared by all cybercriminals, it’s that they never fail to innovate to get what they want, whether that’s to spy, spread mayhem, or access sensitive corporate data, personal information, or lucrative financial details.

This certainly holds true for our findings in the newest DDoS Threat Intelligence Report, which launches September 27, 2022. As we discussed in a previous blog, we have changed the formatting of the report to make the data more accessible and reader-friendly, essentially breaking it into eight vignettes that cover geographical findings as well as several troubling trends. 

In addition to data for four geographical regions — North America; Latin America; Asia Pacific (APAC); and Europe, Middle East, and Africa (EMEA) — the following new sections cover a number of attack trends.

Adversaries Evolve and Innovate Attack Methods and Vectors

Bad actors never stop adapting their strategies for launching successful distributed denial-of-service (DDoS) attacks, which becomes clear by examining three specific types of attacks: DNS water torture, which experienced a 46% increase since 2H 2021; carpet-bombing, which increased after a slight decrease last year; and TCP-based attacks, which dominated the DDoS vector charts. These trends bring into stark relief the need for organizations to adapt thinking, understanding, and defenses to combat DDoS.  

Adaptive DDoS Attacks and Learning How to Suppress Them

An adaptive DDoS attack starts when threat actors use advanced reconnaissance to identify target networks. They follow this with continuous efficacy monitoring before quickly changing vectors to counter mitigation. Attackers then use topologically adjacent infrastructure for continuous innovation and vector weaponization. Traditional DDoS defenses have protected internet properties by using detection, classification, traceback, and mitigation technologies for inbound network traffic. However, this approach hasn’t addressed outbound or cross-bound DDoS that uses compromised workstations, Internet of Things (IoT) devices, and high-capacity servers, all of which are being subsumed into botnets and used by adversaries to launch DDoS attacks. It’s vital to understand this strategy and how to suppress this increasingly damaging behavior.

War, Religion, and Politics: The New Battleground for DDoS

Although adversaries never need a new reason to launch attacks, the sociopolitical landscape during the first six months of 2022 provided them with plenty of fodder. Our data shows bad actors targeted countries, governments, companies, communities of interest, and individuals in response to issues related to war, politics, religion, sports, and even entertainment events. In fact, the majority of high-profile DDoS attack campaigns in the first six months of the year correspond with national or regional conflicts that have generated worldwide reactions. The Russia/Ukraine conflict provided ample evidence of this troubling behavior, with attackers targeting those countries and the organizations within them, as well as countries that showed solidarity with either side.

Botnets Multiply and Level Up

We continue to see innovation utilizing botnets — groups of malware-infected computing systems known as bots. In fact, our findings indicate a disturbing increase in the use of botnets as adversaries innovate and scale them for greater size and effectiveness. We are now tracking more than 400,000 high-confidence botted nodes, with threat actors increasingly utilizing direct-path attacks sourced from botnets to launch application-layer attacks. In the first half of the year, there was an 11% increase from 2H 2021 in direct-path attacks — almost all of which is attributable to botnet innovation. 

Learn more about how attackers are innovating and impacting networks around the world in the upcoming DDoS Threat Intelligence Report, due to be available September 27. Meanwhile, check out our real-time DDoS attack map.