Changing priorities and hacker approaches to implementing attacks

In the second half of 2022, NETSCOUT recorded a 79% increase in DDoS attacks on wireless telecommunications providers worldwide. This trend continued among wireless providers in Asia Pacific in H1 2023, when the number of attacks increased by 294%. According to NETSCOUT, this is due to many broadband gaming internet users switching to 5G fixed wireless access as providers roll out their networks.
NETSCOUT gathers threat intelligence from its ATLAS sensor network. Built over decades of work with hundreds of ISPs around the world, it identifies trends based on an average of 424 Tbps of peer-to-peer Internet traffic, a 5.7% increase over 2022. Since 2019, the company has seen a nearly 500% increase in HTTP/S application layer attacks and a 17% increase in DNS reflection/amplification in the first half of 2023.
“While global events and the expansion of 5G networks have led to an increase in DDoS attacks, attackers continue to evolve their approaches to be more dynamic, using dedicated infrastructure such as bulletproof hosts or proxy networks to launch attacks,” said Richard Hummel, senior director of threat intelligence at NETSCOUT. “The lifecycle of DDoS attack vectors demonstrates the attackers' persistence in finding and exploiting new methods, while DNS waterboarding and carpet bombing have become more common.”

Other key findings from the NETSCOUT 1H2023 DDoS Threat Intelligence Report

There’s an increase in the number of carpet bombings by 55%, to more than 724 attacks per day. These attacks cause significant damage to the global Internet, spreading to hundreds or even thousands of hosts simultaneously. This tactic often avoids triggering bandwidth threshold alerts, making it difficult to resolve the consequences of a DDoS attack in a timely manner.
DNS Water-Torture attacks are becoming common. Since the beginning of the year, the number of daily DNS attacks using the water torture method has increased by almost 353%. The top five most common industries include wired and wireless communications, data hosting, e-commerce and mail order companies, as well as insurance and brokerage companies.
Educational institutions and government resources are disproportionately targeted. Attackers create their own or use various types of malicious infrastructure as platforms for launching attacks. For example, open proxy servers have been consistently used for HTTP/S application-level DDoS attacks against targets in the higher education and public administration sectors. At the same time, DDoS botnets were frequently used to attack state and local governments.
Sources of DDoS attacks are constant. A relatively small number of nodes are involved in a disproportionate number of DDoS attacks, with an average IP churn rate of only 10%, as attackers tend to reuse infrastructure for attacks. Although these nodes are persistent, their impact fluctuates as attackers change the list of available infrastructures every few days.
Visit the NETSCOUT Cyber Threat Horizon to get real-time DDoS attack statistics, maps, and analytics.