NETSCOUT has published its 1H2023 DDoS Threat Intelligence Report, revealing a sharply rising threat landscape for distributed denial of service (DDoS) attacks.
During the first half of 2023, cybercriminals launched approximately 7.9 million DDoS attacks, a 31 percent increase compared with the same period last year. This growth reflects both shifting geopolitical tensions and expanding network technologies that attackers exploit.
Geopolitical events—most notably the Russia-Ukraine conflict and NATO-related activity—have been significant drivers of ideologically motivated DDoS campaigns. In 2022, Finland endured sustained attacks from pro‑Russian hacktivists during its NATO accession process, while Turkey and Hungary faced targeted incidents opposing Finland’s bid. In 2023, Sweden experienced intense targeting during its NATO application, including a single large-scale 500 Gbps attack in May.
Those state- and ideology-driven campaigns have not been isolated to Europe. The United States, Ukraine, Russia and multiple other countries have also been affected by similar waves of activity.
Another concerning trend identified in NETSCOUT’s research began in the second half of 2022: attacks against wireless telecommunications providers surged globally by 79 percent in 2H2022 and continued through 1H2023. Wireless providers in the Asia‑Pacific region were especially hard hit, with DDoS incidents rising by 294 percent. NETSCOUT links this pattern to the growth of fixed wireless access services—particularly 5G deployments—and the migration of broadband activities such as online gaming onto these networks, creating new high-value targets for attackers.
NETSCOUT’s findings are drawn from its ATLAS sensor network, built through years of collaboration with internet service providers. The ATLAS platform analyzes an average of 424 Tbps of internet peering traffic—an amount that grew 5.7 percent since 2022—providing a broad view of global DDoS trends.
Key technical trends in the report include a 500 percent increase in HTTP/S application-layer attacks since 2019 and a 17 percent rise in DNS reflection and amplification volume during 1H2023. NETSCOUT also documents a sharp resurgence in two specific techniques: carpet‑bombing attacks rose by 55 percent, while DNS water‑torture attacks increased by nearly 353 percent.
“While world events and the expansion of 5G networks have driven the surge in DDoS attacks, adversaries are continually evolving their tactics, utilising bespoke infrastructure like bulletproof hosts and proxy networks to launch their attacks. The persistence of these adversaries to find and weaponise new methods is evident, with DNS water torture and carpet-bombing attacks becoming more prevalent.”
— Richard Hummel, Senior Threat Intelligence Lead, NETSCOUT
Industries across the board have been targeted, including wired and wireless telecommunications, data processing and hosting, e-commerce and mail-order companies, insurance agencies and brokerages. Higher education institutions and government organizations have also been frequent targets. The report highlights how attackers commonly abuse open infrastructure—open proxies, misconfigured services and leased “bulletproof” host environments—to amplify and hide their campaigns.
The research further notes that a relatively small number of persistent nodes account for a disproportionate share of attacks. These sources show low IP churn—around 10 percent—indicating that attackers repeatedly reuse compromised or abusable infrastructure rather than continually changing their footprint.
For organizations and public-sector entities, the report underscores the need for strengthened DDoS preparedness, including robust visibility into network traffic, layered mitigation strategies, and coordination with service providers to identify and harden commonly abused infrastructure.
NETSCOUT’s 1H2023 DDoS Threat Intelligence Report provides a detailed, data-driven view of evolving attack methods and target patterns, offering actionable insights for defenders confronting an increasingly aggressive and sophisticated DDoS landscape.
See also: Microsoft: UN treaty creates ‘ideal conditions’ for cybercrime
Want to learn more about cybersecurity and the cloud from industry leaders? Attend Cyber Security & Cloud Expo events in Amsterdam, California, and London. The event series is co‑located with Digital Transformation Week.
Explore other upcoming enterprise technology events and webinars powered by TechForge.