top of page

News & Views

NETSCOUT IH2022 DDoS Threat Report

Findings from NETSCOUT’s ( latest DDos Threat Intelligence report for the first half of 2022 ( reveals how TCP-based, DNS water-torture, and carpet-bombing attacks dominate the DDoS threat landscape Ireland, India, Taiwan, and Finland battered by DDoS attacks resulting from the Russia/Ukraine war.
“By constantly innovating and adapting, attackers are designing new, more effective DDoS attack vectors or doubling down on existing effective methodologies,” says Richard Hummel, threat intelligence lead, NETSCOUT.  “In the first half of 2022, attackers conducted more pre-attack reconnaissance, exercised a new attack vector called TP240 PhoneHome, created a tsunami of TCP flooding attacks, and rapidly expanded high-powered botnets to plague network-connected resources.  In addition, bad actors have openly embraced online aggression with high-profile DDoS attack campaigns related to geopolitical unrest, which have had global implications.”

Key findings from the 1H2022 NETSCOUT DDoS Threat Intelligence Report reveals that there were 6,019,888 global DDoS attacks in first half of 2022; TCP-based flood attacks (SYN, ACK, RST) remain the most used attack vector, with approximately 46% of all attacks continuing a trend that started in early 2021; and DNS water-torture attacks accelerated into 2022 with a 46% increase primarily using UDP query floods, while carpet-bombing attacks experienced a big comeback toward the end of the second quarter.  In addition, the new TP240 PhoneHome reflection/amplifications DDoS vector was discovered in early 2022 with a record-breaking amplification ratio of 4,293,967,296:1; swift actions eradicated the abusable nature of this service; and malware botnet proliferation grew at an alarming rate, with 21,226 nodes tracked in the first quarter to 488,381 nodes in the second, resulting in more direct-path, application-layer attacks.

NETSCOUT’s Active Level Threat Analysis System (ATLAS™) compiles DDoS attack statistics from most of the world’s ISPs, large data centres, and government and enterprise networks.  This data represents intelligence on attacks occurring in over 190 countries, 550 industries, and 50,000 autonomous system numbers (ASNs).  NETSCOUT’s ATLAS Security Engineering and Response Team (ASERT) analyses and curates this data to provide unique insights in its biannual report.

In addition to publishing the DDoS Threat Intelligence Report, NETSCOUT also presents its highly curated real-time DDoS attack data on its Omnis Threat Horizon ( portal to give customers visibility into the global threat landscape and understand the impact on their organizations.  This data also fuels NETSCOUT’s ATLAS Intelligence Feed (AIF) which continuously arms NETSCOUT’s Omnis and Arbor security portfolio.  Together with AIF, the Omnis and Arbor products automatically detect and block threat activity for enterprises and service providers worldwide.
bottom of page