NETSCOUT warns of AI-driven DDoS attacks, threatening critical infrastructure and amplifying cybersecurity risks

NETSCOUT Systems has outlined the rapidly evolving landscape of distributed denial-of-service (DDoS) attacks and defense strategies. Designed to provide actionable intelligence, the report offers insights critical to maintaining secure network operations and guiding long-term strategic planning. DDoS attacks are increasingly surpassing traditional cyber threats, transforming into precision-guided digital weapons capable of disrupting critical infrastructure at pivotal moments.

Hackers are now augmenting low-power IoT botnets with high-performance enterprise servers and routers, significantly amplifying the scale and impact of their attacks. The integration of AI-driven automation, proxy-based application-layer floods, and widely available DDoS-for-hire services, equipped with reconnaissance and orchestration tools, has made these campaigns more persistent, scalable, and accessible than ever before.

Although law enforcement operations like Operation PowerOFF have targeted these services, their takedowns offer only temporary relief before new threats emerge. As the threat environment continues to accelerate, traditional defensive measures are proving insufficient. NETSCOUT emphasizes the need for organizations to adopt proactive, intelligence-driven security strategies to effectively mitigate these evolving risks and maintain operational resilience.

Designed to quickly equip readers with actionable intelligence, the report delivers insights critical for ongoing network operations and strategic planning. These DDoS attacks are outpacing many traditional cyberthreats. They are precision-guided digital weapons, capable of disrupting infrastructure at critical moments.

“In 2024, Mirai-powered attacks against service providers surged 360 percent, while politically motivated attacks spiked more than 2,844 percent in countries such as Israel and 1,478 percent in Georgia,” NETSCOUT disclosed in its 2H2024 DDoS Threat Intelligence Report. “This is proof that DDoS is no longer just a cybercriminal tool but a dominant geopolitical weapon.”

Throughout the year, DDoS attacks were closely tied to social and political events: Israel experienced a 2,844 percent surge tied to hostage rescues and political conflicts, Georgia endured a 1,489 percent increase during the lead-up to the passage of the ‘Russia Bill,’ Mexico saw a 218 percent increase during national elections, and the U.K. saw a 152 percent increase on the day the Labour Party resumed session in Parliament.

NETSCOUT maps the DDoS landscape through passive, active, and reactive vantage points, providing unparalleled visibility into global attack trends. NETSCOUT protects two-thirds of the routed IPv4 space, securing network edges that carried global peak traffic of over 700 Tbps in the second half of 2024. It monitors tens of thousands of daily DDoS attacks by tracking multiple botnets and DDoS-for-hire services that leverage millions of abused or compromised devices.

“DDoS has emerged as the go-to tool for cyberwarfare,” Richard Hummel, director for threat intelligence at NETSCOUT, said in a media statement. “NoName057(16) continues to be the leading actor for politically motivated DDoS campaigns targeting governments, infrastructure, and organizations. In 2024, they repeatedly targeted government services in the United Kingdom, Belgium, and Spain.”

Threat actors exploited civil unrest to intensify attacks. Kenya experienced a 465 percent surge during protests against a finance bill, while Mexico saw a 218 percent increase in the lead-up to national elections. Since 2022, DDoS attacks have become a standard tactic in socio-political conflicts, frequently deployed during elections, public protests, and contentious policy debates. The group NoName057(16) has emerged as the leading threat actor behind geopolitical DDoS campaigns. Their operations have primarily targeted government websites in the United Kingdom, Belgium, and Spain.

Among the other findings, modern DDoS platforms now incorporate AI-powered CAPTCHA bypassing. Automation capabilities are evolving toward behavior mimicry and real-time attack adaptation, making attacks more effective and harder to detect. The use of APIs and automation tools has enabled multitarget, low-supervision DDoS campaigns, significantly enhancing attack efficiency and scale. Attackers are also leveraging advanced techniques such as carpet-bombing, IPv6 abuse, ISP masking, and geo-spoofing. These methods expand the reach of attacks and help bypass traditional defenses.

The report also noted that carpet-bombing attacks are designed for maximum disruption while flying under the radar, striking entire subnets instead of single hosts. Many target /24 blocks, which have become the new default for DDoS-for-hire services, allowing attackers to sidestep traditional defenses. While individual IPs see minimal impact, the combined traffic can cripple entire networks. Also, application-layer DDoS attacks are evolving, with attackers increasingly leveraging proxy infrastructure to amplify and disguise their impact. As DNS and HTTPS floods surge, the use of cloud and residential proxies allows adversaries to evade traditional defenses, making mitigation more challenging than ever.
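To show why carpet-bombing slips past per-host detection, the following added example (not from the NETSCOUT report or any Arbor product) compares a per-destination threshold with aggregation by /24 prefix over constructed flow records. The thresholds, function names, and sample traffic are assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed alert thresholds; tune to the monitored network's baseline.
HOST_THRESHOLD_BPS = 100_000_000       # per-destination-IP alert (100 Mbps)
PREFIX_THRESHOLD_BPS = 2_000_000_000   # per-/24 aggregate alert (2 Gbps)
MIN_HOSTS_HIT = 128                    # at least half of the /24 receiving traffic

def build_sample():
    """Constructed flow summaries: (destination IP, bits/sec in one interval)."""
    flows = []
    # Carpet-bombing pattern: every host in the block gets a small share.
    for host in range(1, 255):
        flows.append((f"198.51.100.{host}", 20_000_000))
    # Ordinary traffic to two servers in another block.
    flows += [("203.0.113.10", 60_000_000), ("203.0.113.20", 40_000_000)]
    # Classic flood against a single host.
    flows.append(("192.0.2.5", 900_000_000))
    return flows

def per_host_alerts(flows, threshold=HOST_THRESHOLD_BPS):
    """Traditional view: alert when one destination exceeds the threshold."""
    totals = defaultdict(int)
    for dst, bps in flows:
        totals[dst] += bps
    return sorted(d for d, b in totals.items() if b >= threshold)

def per_prefix_alerts(flows, prefix_len=24,
                      threshold=PREFIX_THRESHOLD_BPS, min_hosts=MIN_HOSTS_HIT):
    """Aggregate by covering prefix; alert on high volume spread across many hosts."""
    agg = defaultdict(lambda: {"bps": 0, "hosts": set()})
    for dst, bps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        agg[net]["bps"] += bps
        agg[net]["hosts"].add(dst)
    return sorted(str(n) for n, a in agg.items()
                  if a["bps"] >= threshold and len(a["hosts"]) >= min_hosts)

if __name__ == "__main__":
    sample = build_sample()
    print("per-host alerts:  ", per_host_alerts(sample))
    print("per-prefix alerts:", per_prefix_alerts(sample))
```

In the sample, no address in 198.51.100.0/24 crosses the per-host threshold, yet the block as a whole receives about 5 Gbps, which only the prefix-level view reports.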

NETSCOUT recognized that geopolitical unrest is increasingly driving DDoS attacks, with attackers exploiting moments of vulnerability during elections, protests, and policy changes to overwhelm critical infrastructure. These attacks are bypassing service provider networks, requiring automated detection and mitigation, which is provided by Arbor Sightline and TMS.

It added that next-generation DDoS-for-hire services now incorporate AI-powered CAPTCHA bypassing and automation, making attacks more scalable and efficient. Countering these automated attacks requires AI-driven defense systems. Botnets are also becoming more sophisticated, using high-power servers, application-layer attacks, and proxies. Arbor’s hybrid protection, combining on-premises and cloud-based solutions, offers comprehensive defense against these evolving threats.

Furthermore, carpet-bombing attacks, which generate widespread network strain with minimal impact on individual hosts, are increasingly used. Arbor Sightline and TMS deliver automated, intelligent protection with advanced threat intelligence to mitigate these attacks. Additionally, attackers are leveraging proxies to amplify and disguise their attacks, evading traditional defenses. Arbor Sightline’s continuously updated AIF and adaptive DDoS protection help identify and stop these proxy-based DDoS campaigns.
