The Age of DDoScovery: An Empirical Comparison of Industry and Academic DDoS Assessments

Raphael Hiesgen, Marcin Nawrocki, Marinho Barcellos, Daniel Kopp, Oliver Hohlfeld, Echo Chan, Roland Dobbins, Christian Doerr, Christian Rossow, Daniel R. Thomas, Mattijs Jonker, Ricky Mok, Xiapu Luo, John Kristoff, Thomas C. Schmidt, Matthias Wählisch, kc claffy

TL;DR

A multistakeholder (joint industry-academic) analysis to seek convergence across the best available macroscopic views of the relative trends in two dominant classes of attacks: direct-path attacks and reflection-amplification attacks.

Abstract

Motivated by the impressive but diffuse scope of DDoS research and reporting, we undertake a multistakeholder (joint industry-academic) analysis to seek convergence across the best available macroscopic views of the relative trends in two dominant classes of attacks: direct-path attacks and reflection-amplification attacks. We first analyze 24 industry reports to extract trends and (in)consistencies across observations by commercial stakeholders in 2022. We then analyze ten data sets spanning industry and academic sources, across four years (2019-2023), to find and explain discrepancies based on data sources, vantage points, methods, and parameters. Our method includes a new approach: we share an aggregated list of DDoS targets with industry players who return the results of joining this list with their proprietary data sources to reveal gaps in visibility of the academic data sources. We use academic data sources to explore an industry-reported relative drop in spoofed reflection-amplification attacks in 2021-2022. Our study illustrates the value, but also the challenge, in independent validation of security-related properties of Internet infrastructure. Finally, we reflect on opportunities to facilitate greater common understanding of the DDoS landscape. We hope our results inform not only future academic and industry pursuits but also emerging policy efforts to reduce systemic Internet security vulnerabilities.

Paper Structure

This paper contains 74 sections, 14 figures, 4 tables.

Figures (14)

  • Figure 1: Three DDoS attack types: Direct-path spoofed (solid line), direct-path non-spoofed (dotted line), and typically spoofed reflection-amplification (dashed).
  • Figure 2: Normalized weekly direct-path attack counts (to median of first 15 weeks as a baseline, highlighted in grey) show a growth in attacks over 4.5 years. Four observatories (ORION, UCSD, Akamai, Netscout) saw an upward trend in 2023 while one (IXP) saw a downward trend. Note y-axis scales differ.
  • Figure 3: Normalized weekly reflection-amplification attack counts (to median of first 15 weeks as a baseline, highlighted in grey) show varying behavior over 4.5 years. The most striking similarity is the rise in attacks in 2020, and subsequent drop across 2021. Attacks rise again in 2023, except for Hopscotch. Red dashed lines mark DDoS takedowns by law-enforcement.
  • Figure 4: Normalized weekly attack counts observed at our 10 vantage points. Direct-path (DP) attacks (top 5 rows) increased in 2022 while reflection-amplification (RA) attacks (bottom 5 rows) had highest intensities during 2020 and declined thereafter.
  • Figure 5: The relative share of reflection-amplification (RA) and direct-path (DP) attacks observed by Netscout per week shows a shift toward DP attacks. The horizontal line indicates 50%, i.e., equal share. The dotted vertical line marks the latest crossing of the 50% mark.
  • ...and 9 more figures