SOLUTION BRIEF

Adaptive DDoS Protection with Sightline and TMS

Introduction
Per NETSCOUT’s latest Threat Intelligence Report for 1H 2023, a staggering total of
~7.9 million DDoS attacks were observed, a 31 percent increase year-over-year. This
represents an unbelievable 44 thousand DDoS attacks per day.

Attack trends indicate that volumetric reflection / amplification (R/A) attacks are on the decline,
likely due to these attack vectors being easily identified and mitigated with existing techniques
and tools. Where R/A attacks have diminished, direct-path, dynamic multi-vector attacks are
increasing, and are more difficult to detect and mitigate. These dynamic, direct-path DDoS
attacks can also change vectors frequently during an attack, often evading less sophisticated
DDoS defenses.

The damage of successful DDoS attacks ranges from critical service downtime to total network
outages. This disruption can tarnish brand reputation, customer trust, and revenue.

The unmatched breadth and depth of our DDoS attack data allows us to identify the exact
point in time when new DDoS attack vectors are discovered, tested, optimized, first utilized
by adaptive attackers, and eventually weaponized in DDoS-for-hire services.

Figure 1: Regional DDoS Attack Counts. – NETSCOUT 1H 2023 DDoS Threat Intelligence Report.
[Chart: attack count (y-axis, 0 to 18,000) by date (x-axis, 01/01/23 to 07/01/23) for APAC, EMEA, LATAM, and NAMER.]

Challenge
Defending large networks against today’s DDoS attacks requires as much knowledge about
your adversary as possible. However, knowing and understanding the adversary is only the
beginning. You must also be able to operationalize that knowledge to adapt defenses to an
attacker’s ever-changing tactics. This dynamic shift in attack tactics necessitates a smarter,
faster, and more granular level of mitigation than has been required in the past. NETSCOUT’s
Adaptive DDoS Protection was designed with these goals in mind.

Figure 2: Top 5 Percent of Persistent Attackers – NETSCOUT 1H 2023 DDoS Threat Intelligence Report.
[Chart: persistence percentage (y-axis, 0% to 100%) by date (x-axis, 01/03/23 to 06/01/23).]

Solution
Adaptive DDoS Protection starts with NETSCOUT’s unrivaled global visibility into the DDoS
threat landscape. Because of our relationships with technology, service provider, and
commercial partners developed over 25 years in the DDoS space, NETSCOUT has visibility
into 50+ percent of all Internet traffic; including 230+ countries and territories, 600+ industry
verticals, 31,000+ ASNs, seeing tens of millions of attacks per year. This threat data is collected
in our ATLAS® Threat Intelligence system to be analyzed by our ASERT team, comprised of
security analysts and researchers with decades of experience. ASERT currently tracks over
1.3 million bots and 500,000 known abusable reflection and amplification systems actively
participating in DDoS attacks around the globe. This threat intelligence is continuously updated
and provided to customers via our ATLAS Intelligence Feed (AIF).

During the first half of 2023, the top 5 percent of persistent attack sources’ IP addresses
revealed that ~90 percent of the IPs maintained a constant presence within any given
two-week interval.

Utilizing Adaptive DDoS threat intelligence from AIF, Sightline can detect all types of DDoS
attacks from flow data and proactively identify broader ranges of attacks that are often missed.

The majority of application-layer, reflection/amplification, and direct-path volumetric DDoS
attack traffic shares a near-universal characteristic: a significant degree of attack source
persistence. NETSCOUT’s ASERT Team identified that DDoS reflectors/amplifiers, DDoS botnet
nodes, and DDoS attack generators exhibit an average churn rate of only 10 percent over a
two-week interval from their inception. In practical terms, this means that 90 percent of verified
DDoS attack sources can be proactively blocked for as much as two weeks after initial discovery.

It is estimated that using the list of known IP addresses in AIF actively conducting DDoS attacks
on a global basis, Sightline can detect 80-90% of DDoS attacks without further analysis. This
precise characterization allows diversion of only the necessary traffic that needs mitigation,
minimizing any potential collateral damage due to over-mitigation.
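
The persistence argument above can be worked through on sample data. This is an added example, not NETSCOUT code or the AIF format: the feed layout (source IP mapped to discovery time), the flow records, and every address (documentation ranges) are constructed, and entries are assumed to expire two weeks after discovery.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

TTL = timedelta(days=14)  # the two-week interval the brief refers to

def churn_rate(at_discovery, two_weeks_later):
    """Fraction of sources seen at discovery that are no longer active."""
    first = set(at_discovery)
    if not first:
        return 0.0
    return len(first - set(two_weeks_later)) / len(first)

def active_blocklist(intel, now):
    """Keep only intel entries discovered within the TTL window."""
    return {ip_address(ip) for ip, seen in intel.items() if now - seen <= TTL}

def classify_flows(flows, blocklist):
    """Split flows into (known attack source, everything else)."""
    known, unknown = [], []
    for flow in flows:
        bucket = known if ip_address(flow["src"]) in blocklist else unknown
        bucket.append(flow)
    return known, unknown

def known_source_share(flows, blocklist):
    """Share of bytes attributable to known sources; only this part
    would be selected for mitigation, the rest is left untouched."""
    known, _ = classify_flows(flows, blocklist)
    total = sum(f["bytes"] for f in flows)
    return sum(f["bytes"] for f in known) / total if total else 0.0

# Constructed sample data (not real indicators).
NOW = datetime(2023, 6, 15)
INTEL = {
    "192.0.2.1": datetime(2023, 6, 10),   # 5 days old: still listed
    "192.0.2.2": datetime(2023, 6, 2),    # 13 days old: still listed
    "192.0.2.3": datetime(2023, 5, 20),   # 26 days old: expired
}
FLOWS = [
    {"src": "192.0.2.1", "bytes": 6000},
    {"src": "192.0.2.2", "bytes": 2000},
    {"src": "192.0.2.3", "bytes": 1000},     # expired entry, not matched
    {"src": "198.51.100.7", "bytes": 1000},  # never listed
]
DISCOVERED = [f"203.0.113.{i}" for i in range(1, 11)]  # 10 sources
STILL_ACTIVE = DISCOVERED[:9]                          # 9 remain

if __name__ == "__main__":
    print("churn:", churn_rate(DISCOVERED, STILL_ACTIVE))
    print("share:", known_source_share(FLOWS, active_blocklist(INTEL, NOW)))
```

Expiring entries keeps the list from blocking an address long after it has stopped being an attack source, which is the collateral-damage concern the paragraph raises.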

Adaptive DDoS Protection for TMS provides adaptive mitigation. Once the attack is detected
and classified, Sightline and TMS understand the optimal mitigation method whether it be using
Flowspec, ACLs, or TMS to surgically block the specific attack. The same attack analysis engine
that detected the attack continues to run, analyze, and adapt as the attack evolves. As attackers
continue to change the parameters of the attack, this evolution is monitored, and TMS can
follow and adapt its mitigation to match.

Summary
Unlike more fixed solutions, an Adaptive DDoS Protection approach combines intelligent
machine learning algorithms with dynamically updated actionable DDoS Threat Intelligence,
enabling defenders to adapt to changing attack vectors in real-time based on both software
and human security expertise.

As multi-vector dynamic DDoS attacks are becoming the norm, it has become imperative
for service providers to implement DDoS defenses that can adapt to rapidly changing attack
characteristics and mitigate attacks. NETSCOUT® Arbor Sightline and TMS with Adaptive
DDoS Protection is the only solution in the market to address the challenge posed by
dynamic DDoS attacks.

Threat actors are now relying more on DDoS-capable botnets, Tor nodes, and open
proxy servers to generate and obfuscate the actual sources of direct-path DDoS
attacks. As a result of the great rebalancing described in our 2H 2022 DDoS Threat
Intelligence Report, we have seen a renewed emphasis on direct-path attacks and
a transition from a nearly decade-long stint of reflection/amplification preeminence.

© 2023 NETSCOUT SYSTEMS, INC. All rights reserved. NETSCOUT, the NETSCOUT logo, Omnis, Guardians of the Connected World, Adaptive Service Intelligence, Arbor, ATLAS, InfiniStream,
nGenius, and nGeniusONE are registered trademarks or trademarks of NETSCOUT SYSTEMS, INC., and/or its subsidiaries and/or affiliates in the USA and/or other countries.
Third-party trademarks mentioned are the property of their respective owners.
SECSB_041_EN-2301 10/2023
