DDoS Targets
Escalating Threats to Critical Infrastructure
Service availability in critical industries such as banking, financial services, government, and public utilities is of paramount importance. Disruptions in these sectors can have wide-reaching consequences for both civilian populations and national security. Given our assessment that all network types can come under significant traffic load from DDoS attacks, it is crucial to understand the specific trends affecting these industries.
Recently, we highlighted the activities of geopolitically motivated hacktivists and their coordinated DDoS attack efforts. These threat actors have increasingly expanded their focus to include more specific critical infrastructure targets, resulting in a marked increase in the frequency and intensity of daily attacks. Particularly concerning is the surge in attacks against banking and financial services, government institutions, and public utilities such as energy providers. These attacks, which can sometimes escalate by an order of magnitude, pose a significant threat by disrupting vital civilian services in countries that oppose the hacktivists’ ideologies.
NETSCOUT’s insights into these attacks reveal that an average enterprise in these critical sectors faces attacks delivering up to 1Gbps and more than 330kpps of attack traffic that was not mitigated by an upstream service provider or cloud scrubbing center. The attacks include more than just DDoS, requiring defenders to be prepared for complex, multifront confrontations.
Although many smaller attacks, such as those around 1Gbps, often bypass detection and mitigation by upstream providers because they fall below configured thresholds, they can still severely impact enterprises. In some cases, attack volumes can reach more than 100Gbps, requiring upstream providers to mitigate the attack.
Five regional internet registries (RIRs) assign ASNs to networks or local registries. In the first half of 2024, more than 3,100 new ASNs were assigned. The RIPE region (which primarily covers Europe, the Middle East, and parts of Central Asia) led with slightly more than one-third of all new assignments, while AFRINIC (which covers Africa) had the fewest, with under 100 new assignments. However, assignments only tell part of the story. One-third of newly assigned ASNs were seen originating routes in the first half of 2024.
The average time for newly assigned ASNs to originate routes is roughly 40 days. How soon do new ASNs appear in our DDoS attack telemetry? To answer this, we looked at the cumulative distribution function (CDF) of DDoS attacks and emergent ASNs.
On average, it takes 42 days after announcement before a new network experiences its first DDoS attack. Some networks are attacked almost immediately, while others may not see attacks for several months. Nevertheless, the majority—approximately 75 percent—of new route-originating ASNs in the first half of 2024 were involved in DDoS attacks, either as targets or as participating sources. The mean time until a new network becomes a source in attacks is even shorter.
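The time-to-first-attack measurement described above can be reproduced on a network's own telemetry. The following is an added example, not NETSCOUT's code or data: the ASNs (private-use range), dates, and attack events are constructed, and the function names are hypothetical.

```python
from datetime import date
from statistics import mean

# Constructed sample data (private-use ASNs, invented dates): the first day
# each new ASN was seen originating a route.
ORIGINATED = {
    64512: date(2024, 1, 10), 64513: date(2024, 1, 22),
    64514: date(2024, 2, 5), 64515: date(2024, 3, 1),
}
# Constructed attack telemetry: (asn, day observed, role in the attack).
ATTACKS = [
    (64512, date(2024, 1, 12), "target"),
    (64512, date(2024, 3, 2), "source"),
    (64513, date(2024, 1, 20), "target"),  # predates origination: ignored
    (64513, date(2024, 3, 4), "target"),
    (64514, date(2024, 2, 25), "source"),
    (64514, date(2024, 4, 15), "target"),
]


def first_delays(originated, attacks, role=None):
    """Days from route origination to first attack per ASN (None = never seen)."""
    delays = {asn: None for asn in originated}
    for asn, day, seen_role in attacks:
        if asn not in originated or (role and seen_role != role):
            continue
        d = (day - originated[asn]).days
        if d >= 0 and (delays[asn] is None or d < delays[asn]):
            delays[asn] = d
    return delays


def ecdf(delays):
    """Cumulative fraction of ALL new ASNs seen in attacks by each day.

    ASNs never seen in attacks stay in the denominator, so the curve
    plateaus below 1.0 instead of silently dropping them.
    """
    seen = sorted(d for d in delays.values() if d is not None)
    return [(d, (i + 1) / len(delays)) for i, d in enumerate(seen)]


def mean_delay(delays):
    """Mean delay over ASNs that were seen in attacks; None if there are none."""
    seen = [d for d in delays.values() if d is not None]
    return mean(seen) if seen else None
```

Passing `role="target"` or `role="source"` to `first_delays` separates the two distributions, which is how the target and source delays can be compared.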