• United States



TCP Floods Are Again the Leading DDoS Attack Vector

BrandPost By Michael Wetherbee
Jan 09, 20234 mins

Responding quickly to attacks that hit the network edge or an Internet-facing service is imperative and changing defenses rapidly to adapt to subtle changes onsite is crucial.

idg week 40

My personal and professional objectives, like those of many other people, are centered around improving on how I get things done. Or, more importantly, about how to do things more efficiently. One of my favorite things to watch on the attention-sucking platform of TikTok or YouTube Shorts are life hacks. Life hacks are supposed to make tasks easier or more efficient to accomplish but, in many cases are simply more complicated.

This passion to improve how things are done more efficiently is not isolated to individuals; it spills over into all aspects of our community, including government, retail, service organizations, and the like. And although many of these attempts to be more efficient may help other people, there are also people out there striving to be more efficient in malicious activities.

The Bad Guys Want It Too

The bad actors in the distributed denial-of-service (DDoS) world are those people. The bad guys may be motivated by money, competition, or simply power within their specific community. The truth is, they will change their tactics, as we do, to make their actions more efficient, but in most cases, for much different and nefarious reasons.

The findings in the latest NETSCOUT DDoS Threat Intelligence Report demonstrate how sophisticated cybercriminals have become more efficient at bypassing defenses with new DDoS attack vectors and successful methodologies. 

tcp floods key findings article 6 in body image 1 NETSCOUT

“By constantly innovating and adapting, attackers are designing new, more effective DDoS attack vectors or doubling down on existing effective methodologies,” says Richard Hummel, threat intelligence lead at NETSCOUT. “In the first half of 2022, attackers conducted more pre-attack reconnaissance, exercised new attack vectors, created a tsunami of TCP flooding attacks, and rapidly expanded high-powered botnets to plague network-connected resources. In addition, bad actors have openly embraced online aggression with high-profile DDoS attack campaigns related to geopolitical unrest, which have had global implications.”

TCP Flood Attacks Are Again the Most Popular Vector for DDoS Attackers

NETSCOUT’s Active Threat Level Analysis System (ATLAS) compiles DDoS attack statistics from most of the world’s ISPs, large data centers, and government and enterprise networks. This data represents intelligence on attacks occurring in more than 190 countries, 550 industries, and 50,000 autonomous system numbers (ASNs). NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT) analyzes and curates this data to provide unique insights in its biannual report.

One key finding that continues a trend that started in early 2021: TCP-based flood attacks (SYN, ACK, RST) remain the most-used attack vector, comprising approximately 46% of all attacks (see Figure 1).

Figure 1: Top DDoS attack vectors during the first half of 2022.

figure one top ddos attack vectors article 6 in body image2 NETSCOUT

State exhaustion attacks target stateful devices that are an integral part of the security stack, such as firewalls and VPN concentrators. These targets are attractive because the attacks can be smaller in size and designed to evade defenses meant for other threats.

Figure 2: State flood attacks trend upward.

figure two state flood attacks trend upward article 6 in body image 3 NETSCOUT

Why You Need a Hybrid Defense Strategy

So how do you prevent and stop DDoS attacks or, specifically TCP flood attacks? The best practice for protecting your network in today’s ever-changing DDoS attack landscape is a hybrid approach.

Protection strategies of the past will suffice in some situations, such as in an attack designed to overwhelm your Internet circuit before traffic arrives on your site. However, attacks specifically designed to evade those protections, such as TCP state exhaustion, are the basis for the new attack landscape. Furthermore, the ability to respond quickly to attacks that dodge the cloud solution and hit the network edge or an Internet-facing service is imperative and having the agility to change defenses rapidly to adapt to subtle changes onsite is crucial.

Figure 3: NETSCOUT Omnis AED provides hybrid DDoS defense.

figure three netscout omnis aed provides hybrid ddos defense article 6 image 4 NETSCOUT

By implementing comprehensive DDoS defenses such as NETSCOUT’s Arbor Edge Defense (AED) at all edges of the network, network operators can overpower DDoS attack traffic as it enters the network edge (see Figure 3). With edge-based attack detection combined with cloud-scrubbing capacity, automated bilayer communication, indicators of compromise (IoC) analysis, command-and-control (C2) communication blocking, and current, actionable threat intelligence, operators can tackle any DDoS attack before it causes damage.

For more information on hybrid, dynamic, comprehensive DDoS protection, download the white paper “An On-Premises Defense Is the Cornerstone for Multilayer DDoS Protection.”