By Michael Wetherbee
Visibility is critical to secure the enterprise across its digital ecosystems. This blog series explores best practices, intel, strategies, and trends to help power seamless visibility
My personal and professional objectives, like those of many other people, are centered around improving on how I get things done. Or, more importantly, about how to do things more efficiently. One of my favorite things to watch on the attention-sucking platform of TikTok or YouTube Shorts are life hacks. Life hacks are supposed to make tasks easier or more efficient to accomplish but, in many cases are simply more complicated.
This passion to improve how things are done more efficiently is not isolated to individuals; it spills over into all aspects of our community, including government, retail, service organizations, and the like. And although many of these attempts to be more efficient may help other people, there are also people out there striving to be more efficient in malicious activities.
The Bad Guys Want It Too
The bad actors in the distributed denial-of-service (DDoS) world are those people. The bad guys may be motivated by money, competition, or simply power within their specific community. The truth is, they will change their tactics, as we do, to make their actions more efficient, but in most cases, for much different and nefarious reasons.
The findings in the latest NETSCOUT DDoS Threat Intelligence Report demonstrate how sophisticated cybercriminals have become more efficient at bypassing defenses with new DDoS attack vectors and successful methodologies. 
“By constantly innovating and adapting, attackers are designing new, more effective DDoS attack vectors or doubling down on existing effective methodologies,” says Richard Hummel, threat intelligence lead at NETSCOUT. “In the first half of 2022, attackers conducted more pre-attack reconnaissance, exercised new attack vectors, created a tsunami of TCP flooding attacks, and rapidly expanded high-powered botnets to plague network-connected resources. In addition, bad actors have openly embraced online aggression with high-profile DDoS attack campaigns related to geopolitical unrest, which have had global implications.”
TCP Flood Attacks Are Again the Most Popular Vector for DDoS Attackers
NETSCOUT’s Active Threat Level Analysis System (ATLAS) compiles DDoS attack statistics from most of the world’s ISPs, large data centers, and government and enterprise networks. This data represents intelligence on attacks occurring in more than 190 countries, 550 industries, and 50,000 autonomous system numbers (ASNs). NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT) analyzes and curates this data to provide unique insights in its biannual report.
One key finding that continues a trend that started in early 2021: TCP-based flood attacks (SYN, ACK, RST) remain the most-used attack vector, comprising approximately 46% of all attacks (see Figure 1).
Figure 1: Top DDoS attack vectors during the first half of 2022.
State exhaustion attacks target stateful devices that are an integral part of the security stack, such as firewalls and VPN concentrators. These targets are attractive because the attacks can be smaller in size and designed to evade defenses meant for other threats.
Figure 2: State flood attacks trend upward.
Why You Need a Hybrid Defense Strategy
So how do you prevent and stop DDoS attacks or, specifically TCP flood attacks? The best practice for protecting your network in today’s ever-changing DDoS attack landscape is a hybrid approach.
Protection strategies of the past will suffice in some situations, such as in an attack designed to overwhelm your Internet circuit before traffic arrives on your site. However, attacks specifically designed to evade those protections, such as TCP state exhaustion, are the basis for the new attack landscape. Furthermore, the ability to respond quickly to attacks that dodge the cloud solution and hit the network edge or an Internet-facing service is imperative and having the agility to change defenses rapidly to adapt to subtle changes onsite is crucial.
Figure 3: NETSCOUT Omnis AED provides hybrid DDoS defense.
By implementing comprehensive DDoS defenses such as NETSCOUT’s Arbor Edge Defense (AED) at all edges of the network, network operators can overpower DDoS attack traffic as it enters the network edge (see Figure 3). With edge-based attack detection combined with cloud-scrubbing capacity, automated bilayer communication, indicators of compromise (IoC) analysis, command-and-control (C2) communication blocking, and current, actionable threat intelligence, operators can tackle any DDoS attack before it causes damage.
For more information on hybrid, dynamic, comprehensive DDoS protection, download the white paper “An On-Premises Defense Is the Cornerstone for Multilayer DDoS Protection.” 
Copyright © 2023 IDG Communications, Inc.
Copyright © 2023 IDG Communications, Inc.