NETSCOUT Threat Intelligence Report
"It’s hard to express the scale of today’s cyber threat landscape, let alone its global impact." - Hardik Modi, Senior Director of Threat Intelligence Executive Summary In the past six months, there...
Air APT
Executive Summary Airlines and the airport industry in general are highly lucrative targets for APT groups; they are rife with information that other countries would find useful. NETSCOUT data from...
Emotet - What's Changed?
Executive Summary Emotet, a banking trojan turned downloader, continues to make waves in the downloader scene despite recent hibernations. Emotet is a modular malware, first reported in 2014 as a...
Nation State APT & The Business World
A recent article, which NETSCOUT had the opportunity to participate in, highlights the importance the corporate world holds for Nation State APT adversaries. As the article duly notes, there used to...
DDoS Attack Vectors Live or Die
Executive Summary Dozens of known attack vectors ranging from obscure or little-used protocols (Citrix-ICA) to very common and vastly used protocols (DNS and NTP) give DDoS attackers a smorgasbord of...
NETSCOUT Threat Intelligence Report—Powered by ATLAS
8.4 million: that is the number of DDoS attacks NETSCOUT Threat Intelligence saw last year alone, more than 23,000 attacks per day, 16 every minute.
Availability in the Time of COVID-19
Overview The self-quarantine and social distancing guidance provided by governments around the world in response to the COVID-19 pandemic is leading to a rapid and wholesale switch to remote work for...
Evolution of a New DDoS Technique
Summary In October of 2019, high-impact TCP reflection/amplification DDoS attacks hit organizations in Scandinavia and Southern Europe. These attacks leveraged servers belonging to organizations...
Measuring the Cruellest Month
Summary One of the more esoteric aspects of working in the DDoS defense space is the analysis of data. We look at data about attack bandwidth (bps) and throughput (pps); connections per second (cps)...
UK in Focus
Summary Based on a case study in our most recent blog, the observed global DDoS attack count (frequency), bandwidth (BPS), and throughput (PPS) all saw significant increases since the start of the...
Last Week in DDoS...
By all indications, the events of last week have brought the importance of DDoS defense into focus for many individuals and organizations. DDoS attacks aren’t something to be taken lightly...
Lucifer’s Spawn
ASERT researchers have uncovered new information about Lucifer, which is a cryptojacking and distributed denial of service (DDoS) bot, originally found to exploit and run on Windows based systems.
High-Profile DDoS Extortion Attacks — September 2020
Starting in mid-August 2020, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks largely directed towards regional financial and travel-industry targets such as...
Dropping the Anchor
Trickbot has long been one of the key banking malware families in the wild. Despite recent disruption events, the operators continue to drive forward with the malware and have recently begun porting...
Lazarus Bear Armada DDoS Extortion Campaign — December 2020
DDoS Extortion Update: As previously reported, a relatively prolific threat actor initiated a global campaign of DDoS extortion attacks in mid-August 2020, largely directed towards regional financial...
Microsoft Remote Desktop Protocol (RDP) Reflection/Amplification DDoS Attack...
Recently observed DDoS attacks leverage abusable Microsoft RDP service to launch UDP Reflection/Amplification attacks with an 85.9:1 amplification factor.
Crossing the 10 Million Mark: DDoS Attacks in 2020
For the first time, we observed DDoS attacks rise above 10 million annually in 2020, nearly 1.6 million more attacks than seen in 2019.
Plex Media SSDP (PMSSDP) Reflection/Amplification DDoS Attack Mitigation...
Amplified PMSSDP DDoS attack traffic consists of SSDP HTTP/U responses sourced from UDP port 32414 and/or UDP port 32410 on abusable Plex Media Server instances and directed towards attack...
Datagram Transport Layer Security (D/TLS) Reflection/Amplification DDoS...
Datagram Transport Layer Security (D/TLS) is a variant of the TLS encryption protocol implemented atop User Datagram Protocol (UDP); it is utilized to secure datagram-based applications to prevent...
TsuNAME Zone Cyclic Dependency-Induced Recursive DNS Query Cascade
In mid-May 2021, security researchers at SIDN Labs, InternetNZ, and USC/ISI released a research paper describing a sabotage-based DDoS attack methodology dubbed ‘TsuNAME’ that targeted authoritative...
The Beat Goes On
The beat goes on: Threat actors launched approximately 2.9 million DDoS attacks in the first quarter of 2021, a 31% increase from the same time in 2020.
Session Traversal Utilities for NAT (STUN) Reflection/Amplification
Adversaries weaponize STUN servers by incorporating the protocol into DDoS-for-Hire services. Approximately 75k abusable STUN servers give DDoS attackers ample opportunity to launch single-vector STUN...
Fancy Lazarus DDoS Extortion Campaign
ASERT Threat Summary Date/Time: 17 June 2021 1300 UTC Severity: Warning Distribution: TLP: WHITE Categories: Availability Contributors: Jon Belanger, Richard Hummel. Executive Summary In May 2021,...
DHCPDiscover Reflection/Amplification DDoS Attack Mitigation Recommendations
DHCPDiscover, a UDP-based JSON protocol used to manage DVRs, can be abused to launch UDP reflection/amplification attacks when an internet-exposed DVR lacks any form of authentication.
Our New DDoS Normal Isn’t All That Normal
Attack frequency has dropped, but we are nowhere near the numbers considered normal prior to COVID-19: Threat actors launched approximately 5.4 million DDoS attacks in the first half of 2021.
HTTP Reflection/Amplification via Abusable Internet Censorship Systems
Learn more about this distributed denial-of-service (DDoS) attack vector which abuses middlebox systems for HTTP reflection/amplification.
The Long Tail of Adversary Innovation
Latest Threat Intelligence Report from NETSCOUT details extensive global impact of cyberattacks on private and public sector organizations.
High-Profile DDoS Extortion Attacks Against SIP/RTP VoIP Providers
Beginning in September 2021, aggressive threat actors have targeted multiple Voice-over-IP (VoIP) communication providers with a campaign of high-impact DDoS extortion attacks...
A Tale of Two Botnets
NETSCOUT's ASERT Team tracks Mēris and Dvinis DDoS Botnets. The blog covers the number of botted nodes observed, how they are propagating, and where they are distributed geographically. We also...
Mēris & Dvinis Botnets
Threat adversaries leverage exploitable Mikrotik routers with two different botnets, Mēris and Dvinis, to launch high request-per-second attacks against targets.
What Happened in the Second Half of 2021?
Executive Summary The second half of 2021 finally saw much of the world returning to normal, at least until the recent Omicron variant sent us packing back home. The premature return to normal...
The Anatomy of the DDoS Attack Campaign Targeting Organizations in Ukraine
Overview Beginning on 13 February 2022, multiple governmental, military, and financial organizations within Ukraine reported that their public-facing Web sites, applications, and ancillary supporting...
TP240PhoneHome Reflection/Amplification DDoS Attack Vector
A new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch...
DDoS Threat Landscape - Ukraine
The ongoing DDoS attack campaign against Ukraine increased significantly. We anticipate that DDoS activity targeting Ukraine will continue over the duration of the conflict, and will continue to...
DDoS Threat Landscape - Russia
Since mid-February of 2022, the NETSCOUT Arbor Security Engineering and Response Team (ASERT) has been monitoring the situation in Russia and Ukraine. We recently published an update to our initial...
Remembering SQL Slammer
Twenty years ago the SQL Slammer worm devastated the then-known internet, resulting in widespread outages and disruptions. What happened? Why was it successful? Can it happen again? Follow along as...
Global DDoS-for-hire Takedown
On December 15, 2022, The U.S. Federal Bureau of Investigation (FBI), in cooperation with several international law enforcement partners, seized 49 domain names and arrested six individuals for their...
DDoS Attacks Targeting NATO Members Increasing
As the effects of COVID-19 and inflated numbers of DDoS attacks have settled into some semblance of normalcy, it has been all-out DDoS war for Finland, Hungary, and Turkey.
Service Location Protocol (SLP) Reflection/Amplification Attack Mitigation...
With the computing power and internet transit capacity available to a substantial proportion of abusable SLP reflectors/amplifiers, attackers can potentially launch extremely high-volume, high-impact...
100% Increase in DDoS Attacks Against India
Summary NETSCOUT and ASERT have observed massive increases in DDoS attacks against Indian targets. This near doubling of DDoS attacks since the beginning of 2023 has been fueled by a rallying call...
Bulletproof Hosting (BPH) Taxonomy
The phrase Bulletproof hosting suggests technical sophistication, infrastructure resiliency, and a platform with elaborate redundancy. However, for the internet security community its connotation is...
HTTP/2 'Rapid Reset' Application-Layer DDoS Attacks Targeting Shared Cloud...
In a joint disclosure by several well-known cloud computing, SaaS, and CDN operators, a new HTTP/2 application-layer DDoS attack vector (CVE-2023-44487) has been described which has been used in the...
The Power of Names
Typically, application-layer protocols such as HTTP/s, QUIC, SIP, and others receive the lion’s share of attention in most discussions of internet traffic. But it’s the Domain Name System (DNS), the...
Anonymous Sudan
Anonymous Sudan is a highly prolific threat actor conducting distributed denial-of-service attacks (DDoS) to support their pro-Russian, anti-Western agenda. Although the attacks attributed to this...
Unprecedented Growth in Malicious Botnets Observed
NETSCOUT observed an unprecedented rise in compromised devices performing reconnaissance scans, signaling a dangerous new wave of large-scale cyberattacks leveraging weaponized cloud infrastructure.
NoName057(16)
NoName057(16) relies heavily on HTTPS application-layer DDoS attacks, with many attacks repeatedly sourced from the same attack harness, networks, and targeting similar countries and industries.
DDoS Attacks Against Poland Skyrocket In Wake of New Prime Minister’s Election
Since late December, Poland has been the target of several groups as new Prime Minister Tusk was sworn in. The most notable group targeting Poland is NoName057. They have targeted several types of...
Carpet-Bombing
Carpet-bombing (Spread Spectrum, Subnet DDoS) attacks take place when an adversary targets a range of addresses or subnets simultaneously to saturate networks with garbage traffic while also avoiding...
Nuisance Network Traffic
While there are many obvious threats like hacktivists, nation-state adversaries, and ransomware operators, there also lies a constant, ever-growing undercurrent that we call nuisance traffic. The...
The Unbearable Asymmetry of DDoS
Because adversaries leverage compromised and abusable online resources belonging to legitimate organizations and individuals to launch DDoS attacks, the tangible cost to attackers is nil, while the...