
New Tools for a Shifting DDoS Landscape 

The DDoS threat landscape is always evolving. Hacktivists have ready access to funds for paid botnet infrastructure and can use it in persistent campaigns. Botnet-as-a-service offerings provide multipurpose bots with many selectable attack vectors. Virtual Private Servers (VPS) can be spun up quickly with access to enormous amounts of bandwidth, and Internet of Things (IoT) devices provide an abundance of easily compromised hosts with plentiful upstream bandwidth. Attacks larger than 1 Tbps and in the hundreds of Mpps still occur, and multi-terabit attacks remain a real possibility. 

In Q2 2023, Vercara observed attacks as large as 873 Gbps. At the same time, many attackers now use, and some seem to prefer, stealthier attacks that rely on evasion to slip past mitigation and cause outages or severe service degradation for unprotected targets. One indicator of this is that 42% of all DDoS attacks Vercara observed in August 2023 were smaller than 500 Mbps. 

Persistent challenges, traditional tools. 

The DDoS protection industry has a long history of adapting to new threat vectors as they emerge, and traditional threshold-based DDoS countermeasures have long provided protection against a wide variety of attacks. Many UDP reflection and amplification vectors are still popular, notably DNS reflection, and current countermeasures remain effective against them. However, Vercara has seen signs of emerging direct-path attacks from IoT or VPS hosts that make detection and mitigation more challenging for many DDoS protection providers: there is no amplifier protocol to fingerprint, and the sources are frequently real hosts that complete handshakes rather than spoofed addresses. Although roughly 10 Gbps is the average (mean) attack size observed today on the Vercara platform, attacks below 50 Mbps, and as small as 10 Mbps, can have a significant impact when aimed intelligently at a specific application or service; as noted above, 42% of all attacks Vercara observed in August 2023 were under 500 Mbps. 

The increasing share of encrypted traffic in general, and the increased use of encryption in DDoS attacks, has made many traditional, vector-specific countermeasures difficult to apply. If you cannot decrypt the traffic, how do you find a pattern to filter on? If you rely solely on rate-based countermeasures to trigger mitigation, how do you stop malicious traffic that is deliberately sent below the trigger thresholds, and can you do it without false positives? If the encrypted attack is small, how is it distinguishable from legitimate traffic? If you hold the certificate and terminate TLS to inspect the traffic for a pattern, can you do that at the scale needed to stop a large attack? There are partial answers today, but we have observed DDoS attack traffic leaking through Content Delivery Networks (CDNs) and causing problems for origin services and Web Application Firewalls (WAFs) that are not configured to protect against it. 

Q2 2023 Vercara DDoS Attack Vectors 

Carpet bombing – a rising attack trend.  

Carpet bombing has been on the rise for the last year. Spreading a DDoS attack across many destinations in an entire network prefix keeps each individual host below its detection threshold and frustrates rate-based mitigation that keys on a single destination. Profiling traffic for entire prefixes, treating the prefix as an aggregate destination, allows thresholds that catch the attack even when no single host is over its limit. 37% of all DDoS attacks observed by Vercara during August 2023 were carpet bomb attacks. 
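The per-host versus per-prefix distinction above, as an added example (this is not Vercara's code). Flow records, prefix length and both thresholds are constructed assumptions; a real detector would consume NetFlow/IPFIX or sFlow summaries, but the aggregation logic is the same:

```python
"""Per-host versus per-prefix DDoS thresholding against carpet bombing.

Added example, not Vercara's code. Flow records and thresholds are
constructed; a real detector would consume NetFlow/IPFIX or sFlow.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed 1-second flow summaries: (dst_ip, bits in the window).
# The attacker spreads 7.68 Gbps over 64 hosts in 203.0.113.0/24, 120 Mbps
# each, so no single destination crosses a 500 Mbps per-host trigger.
CARPET_BOMB = [(f"203.0.113.{i}", 120_000_000) for i in range(1, 65)]
BACKGROUND = [("198.51.100.10", 40_000_000), ("198.51.100.11", 25_000_000)]
FLOWS = CARPET_BOMB + BACKGROUND

PER_HOST_BPS = 500_000_000       # assumed per-destination trigger
PER_PREFIX_BPS = 2_000_000_000   # assumed per-/24 aggregate trigger
MIN_SPREAD = 16                  # assumed: distinct targets that mark a carpet bomb


def per_host_alerts(flows, threshold=PER_HOST_BPS):
    """Classic per-destination thresholding: returns the hosts that trip it."""
    totals = defaultdict(int)
    for dst, bits in flows:
        totals[dst] += bits
    return {dst for dst, bits in totals.items() if bits >= threshold}


def per_prefix_totals(flows, prefix_len=24):
    """Aggregate the same flows by covering prefix; also track distinct targets."""
    totals = defaultdict(int)
    targets = defaultdict(set)
    for dst, bits in flows:
        net = ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[net] += bits
        targets[net].add(dst)
    return {str(net): (bits, len(targets[net])) for net, bits in totals.items()}


def carpet_bomb_alerts(flows, prefix_len=24, threshold=PER_PREFIX_BPS,
                       min_spread=MIN_SPREAD):
    """Prefixes whose aggregate trips the threshold across many destinations
    while no individual destination trips the per-host threshold."""
    hot_hosts = per_host_alerts(flows)
    alerts = {}
    for net, (bits, spread) in per_prefix_totals(flows, prefix_len).items():
        if bits < threshold or spread < min_spread:
            continue
        if any(ip_network(f"{h}/{prefix_len}", strict=False) == ip_network(net)
               for h in hot_hosts):
            continue  # a single hot host explains it; normal per-host handling
        alerts[net] = {"bps": bits, "targets": spread}
    return alerts


if __name__ == "__main__":
    print("per-host alerts:", per_host_alerts(FLOWS))   # nothing trips
    print("carpet bomb alerts:", carpet_bomb_alerts(FLOWS))
```

Run stand-alone it shows the per-host detector staying silent on the same flows that push the /24 aggregate to 7.68 Gbps across 64 targets. The spread requirement is what separates a carpet bomb from one hot host in a busy prefix; tune it per prefix size.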

DNS water torture has been on the rise since late 2022 and has now cracked the top 10 attack vectors observed by Vercara (as of Q2 2023). These attacks saturate or degrade DNS resolution by sending very small query packets for programmatically randomized names within a target zone (a random label prefixed to the victim's domain). Because each name is new, recursive resolvers cannot answer from cache and must forward every query toward the zone's authoritative servers, tying up the resolvers' outstanding-query capacity as well as the authoritative side. This presents several challenges to traditional DDoS mitigation countermeasures. Highly distributed sources can each stay below source-based detection or mitigation-triggering thresholds and still materially impact the availability and performance of the targeted resolvers. Randomized target records make regular-expression filtering a manually intensive game of whack-a-mole, since a pattern built from the labels seen so far never matches the next batch. Several forms of DNS source validation, including forcing the client to retry over TCP (responding to the UDP query with the truncated bit set instead of answering), can be effective against DNS water torture, because spoofed or fire-and-forget sources never complete the TCP exchange; the caveat is that well-behaved recursive resolvers relaying the queries will complete it, so this protects the resolver being hit directly rather than the authoritative server behind it. 
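An added example (not Vercara's code) of the detection problem described above: because the attack is spread across sources, the useful statistics are kept per zone, and the signal is that almost every query carries a distinct, high-entropy leftmost label. The query log format, the zone split (last two labels), the random-label generator and all thresholds are assumptions, and the log lines are constructed. The second half of the block shows why a regex built from labels already seen catches none of the next batch:

```python
"""Detecting DNS water torture from query logs by label cardinality/entropy.

Added example, not Vercara's code. The query log format, the zone split
(last two labels) and all thresholds are assumptions; the log is constructed.
"""
import math
import random
import re
from collections import defaultdict

_rng = random.Random(7)   # fixed seed so the constructed log is reproducible
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def _rand_label(n=12):
    return "".join(_rng.choice(ALPHABET) for _ in range(n))


# Constructed log: "<src_ip> <qname> <qtype>". Legitimate clients repeat a few
# hostnames; the attack sends a fresh random label under victim.example each
# time from many sources, so every query misses cache and must be forwarded.
LEGIT = [f"203.0.113.{i % 5 + 1} {h}.shop.example A"
         for i, h in enumerate(["www", "mail", "api", "www", "www", "cdn"] * 5)]
ATTACK = [f"198.51.100.{i % 200 + 1} {_rand_label()}.victim.example A"
          for i in range(120)]
LOG = LEGIT + ATTACK


def shannon_entropy(s):
    """Bits per character of the label; 'www' -> 0.0, random base36 -> ~3.3."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(line):
    src, qname, qtype = line.split()
    labels = qname.rstrip(".").split(".")
    zone = ".".join(labels[-2:])          # assumption: zone = last two labels
    leftmost = labels[0] if len(labels) > 2 else ""
    return src, zone, leftmost, qtype


def water_torture_zones(lines, min_queries=50, min_unique_ratio=0.8,
                        min_entropy=2.5):
    """Zones where nearly every query carries a distinct, high-entropy label."""
    total, ent = defaultdict(int), defaultdict(float)
    uniq, srcs = defaultdict(set), defaultdict(set)
    for line in lines:
        src, zone, label, _ = parse(line)
        if not label:
            continue
        total[zone] += 1
        uniq[zone].add(label)
        ent[zone] += shannon_entropy(label)
        srcs[zone].add(src)
    flagged = {}
    for zone, n in total.items():
        if n < min_queries:
            continue
        ratio, mean_ent = len(uniq[zone]) / n, ent[zone] / n
        if ratio >= min_unique_ratio and mean_ent >= min_entropy:
            flagged[zone] = {"queries": n, "unique_ratio": round(ratio, 2),
                             "mean_entropy": round(mean_ent, 2),
                             "sources": len(srcs[zone])}
    return flagged


def regex_from_seen(lines, zone):
    """The whack-a-mole approach: a filter built from labels already seen."""
    seen = {parse(l)[2] for l in lines if parse(l)[1] == zone}
    return re.compile(r"^(%s)\.%s$" % ("|".join(map(re.escape, seen)),
                                        re.escape(zone)))


def regex_hit_rate(pattern, lines, zone):
    names = [l.split()[1] for l in lines if parse(l)[1] == zone]
    return sum(1 for q in names if pattern.match(q)) / len(names)


if __name__ == "__main__":
    print(water_torture_zones(LOG))
    first, second = ATTACK[:60], ATTACK[60:]
    pat = regex_from_seen(first, "victim.example")
    print("regex hit rate on seen batch:", regex_hit_rate(pat, first, "victim.example"))
    print("regex hit rate on next batch:", regex_hit_rate(pat, second, "victim.example"))
```

The per-source counts here are deliberately tiny (120 queries over 120 sources), which is exactly why a per-source trigger never fires; the per-zone unique-label ratio and entropy are what stand out.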

Q2 2023 Vercara DDoS Stats 

Vercara DDoS Protection keeps pace with evolving threats.  

As the DDoS landscape and attack tools and techniques evolve, mitigation technology, architecture, and services have evolved as well to keep detecting and blocking attacks. The increasing percentage of encrypted attacks, the continued rise in carpet bombing, the recent surge of DNS water torture attacks, heavy automated network scanning for vulnerabilities to exploit, and other low-rate application-layer DDoS attacks have made detection and mitigation more challenging for providers. 

Automated WAF integration can help with some encrypted attacks, but only if the WAF is tightly integrated with adequate volumetric DDoS mitigation; WAFs and CDNs frequently leak DDoS traffic when they are not coupled to an intelligent, automated DDoS solution. Threat-intel-based mitigation leverages breadth of visibility into attack sources, their frequency, and their persistence, and it exploits the trend toward direct-path rather than reflected attacks: many attack sources are direct, from IoT devices, VPS hosts, and other known botnet resources, which means the source address itself carries signal. Coupling detection automation with source-based threat intel, most of the bad traffic in most attacks can be dropped immediately, with efficacies approaching 90%. This is a crucial step toward stopping encrypted DDoS, carpet bombs, and other sophisticated attack vectors that frequently elude traditional DDoS detection and countermeasures. 

Threat-intel-based detection complements pure DDoS mitigation solutions as well as CDN- or WAF-based solutions as an effective, proactive component. Reputation and ML-based curation of DDoS threat intelligence, built from known, recently observed, and frequent sources of DDoS traffic, can be a significant countermeasure. It requires broad visibility and context on DDoS traffic across many regions and providers; more vantage points yield higher efficacy. Applying this intel-based detection to traffic from listed sources at lower triggering thresholds than typical flow-based detection uses for all traffic catches many lower-rate DDoS threats proactively while keeping false positives low, because the lowered threshold applies only to sources with a history of attack traffic. This benefits both pure DDoS mitigation solutions and cloud-based WAF solutions. The flip side of the detection benefit is the mitigation benefit: dropping by source requires no visibility into encrypted packets, so roughly 90% of attack traffic can be dropped before protocol-specific countermeasures are needed. Visibility, automation, and speed of mitigation are the key advantages. 
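The two preceding paragraphs describe an ordering: drop high-confidence known sources first with no payload inspection, apply a lower rate trigger only to lower-confidence listed sources, and leave everything else to generic flow thresholds and protocol-specific countermeasures. The following added example (not Vercara's code) implements that triage over a constructed TLS flow sample with a constructed reputation feed; the scores, thresholds and the is_attack ground-truth labels are assumptions, the labels existing only to measure the result:

```python
"""Reputation-first triage: drop known attack sources before any packet
inspection, apply a lower rate trigger to lower-confidence listed sources,
and only then fall through to rate-based and protocol-specific countermeasures.

Added example, not Vercara's code. The intel feed, flows, scores and
thresholds are constructed; the is_attack labels exist only to measure the
outcome and would not be available in production.
"""
from collections import Counter

# Constructed reputation feed: score 0..1 reflecting how often and how
# recently the source was seen attacking, plus the number of observations.
THREAT_INTEL = {
    "192.0.2.10": {"score": 0.97, "observations": 41},
    "192.0.2.11": {"score": 0.93, "observations": 27},
    "192.0.2.12": {"score": 0.55, "observations": 3},   # low confidence
    "192.0.2.13": {"score": 0.60, "observations": 4},   # low confidence
}

# Constructed 1-second flow sample toward one TLS service:
# (src_ip, packets, bytes, is_attack). Encrypted payloads: nothing to inspect.
FLOWS = [
    ("192.0.2.10", 900, 1_200_000, True),
    ("192.0.2.11", 800, 1_100_000, True),
    ("192.0.2.12", 40, 60_000, False),      # listed but quiet
    ("192.0.2.13", 300, 400_000, True),     # listed, moderate rate
    ("198.51.100.5", 850, 1_150_000, True), # stealthy, unlisted attacker
    ("203.0.113.7", 120, 180_000, False),   # busy legitimate client
]

HIGH_CONFIDENCE = 0.9
GENERAL_PPS_TRIGGER = 1000   # assumed rate trigger applied to all sources
INTEL_PPS_TRIGGER = 100      # assumed lower trigger, listed sources only


def triage(flows, intel, high=HIGH_CONFIDENCE,
           general_pps=GENERAL_PPS_TRIGGER, intel_pps=INTEL_PPS_TRIGGER):
    """Return {src: action}. Order matters: cheapest, most certain check first."""
    actions = {}
    for src, pps, _nbytes, _truth in flows:
        entry = intel.get(src)
        if entry and entry["score"] >= high:
            actions[src] = "drop:reputation"        # no decryption needed
        elif entry and pps >= intel_pps:
            actions[src] = "drop:intel-threshold"   # lower bar, listed only
        elif pps >= general_pps:
            actions[src] = "rate-limit"             # generic flow detection
        else:
            actions[src] = "allow"                  # on to protocol-specific checks
    return actions


def pre_inspection_efficacy(flows, actions):
    """Share of attack bytes removed before any payload inspection, and the
    number of legitimate sources that were dropped or rate-limited."""
    attack_bytes = dropped_attack = false_pos = 0
    for src, _pps, nbytes, is_attack in flows:
        if is_attack:
            attack_bytes += nbytes
            if actions[src].startswith("drop:"):
                dropped_attack += nbytes
        elif actions[src] != "allow":
            false_pos += 1
    return dropped_attack / attack_bytes, false_pos


if __name__ == "__main__":
    acts = triage(FLOWS, THREAT_INTEL)
    print(acts, Counter(acts.values()))
    print("efficacy, false positives:", pre_inspection_efficacy(FLOWS, acts))
    # Lowering the generic trigger for everyone instead of only for listed
    # sources catches the busy legitimate client as collateral.
    print(pre_inspection_efficacy(FLOWS, triage(FLOWS, THREAT_INTEL, general_pps=100)))
```

With the default settings the two high-confidence sources and the moderate-rate listed source are dropped before any inspection, the quiet listed source and the legitimate client pass, and the unlisted attacker at 850 pps is what remains for the protocol-specific stage. Dropping the generic trigger to 100 pps for all sources would also catch that attacker, but the comparison in the block shows it takes the legitimate client with it, which is the false-positive trade the listed-source-only threshold avoids.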

More traditional protocol-specific countermeasures, rate-based thresholding, and regular-expression filtering continue to be effective tools within robust, purpose-built, high-capacity, cloud-based DDoS mitigation platforms. Machine-learning-assisted threat intelligence built from visibility into DDoS attack sources, their frequency, and their persistence is a significant addition for combating the current emphasis on stealth and evasion. ML-enabled, threat-intel-based mitigation is highly complementary to current mitigation methods and indispensable as a means of detection going forward. 

To learn more about how Vercara is evolving its solutions to further secure your online experience, visit the Vercara Solutions Overview page.  

Last Updated: March 19, 2024