For many years, the distributed denial-of-service (DDoS) threat landscape revolved around reflection/amplification attacks launched by malicious players hiding behind spoofed IP addresses. Around 2020, it all changed. The proliferation of IoT devices, many of which were insecure, coupled with the growing availability of gigabit (and even multi-gigabit) bandwidth, led to a wave of botnet-driven attacks. Things changed again in 2024 when we saw novel attacks featuring more automation, likely driven by increased usage of artificial intelligence (AI).
These automated DDoS attacks have placed an unprecedented burden on digital service providers across the internet ecosystem. From traditional communications service providers (CSPs) to cloud and internet exchange providers (IXPs), webscale companies and content delivery networks (CDNs), everyone is feeling the effects.
It’s not just the volume and sophistication of DDoS attacks that have risen sharply. The attacks are also happening much more frequently. Many service providers now see hundreds of significant security events in their networks every day. There’s a lot of “shapeshifting” happening, too. Attacks can be much shorter, focus on single or multiple targets, and use different attack vectors over time in a manner that can only be attributed to automation, likely facilitated by AI.
Fighting AI with AI
Many view AI and its sibling, machine learning (ML), as promising technologies for network security and improved network defense. More and more service providers are fighting AI with AI in an asymmetrical game that requires them to counter cheap and easy DDoS attacks with costly DDoS defense systems.
When it comes to DDoS and network security, AI can deliver many benefits, from easier, less error-prone configuration to improved operational agility through capabilities such as automated security information and event management (SIEM), or endpoint and extended detection and response (EDR/XDR).
For DDoS security, AI and ML are likely to bring their key benefits in faster, more accurate detection and scalable yet granular mitigation. These capabilities will protect network services and ensure uninterrupted connectivity for end users and customers.
Which AI is best suited for DDoS security?
Generative AI (GenAI) and large language models (LLMs) are great for applications where the vast knowledge residing in large data sets can create new, derived and generated content. For network security, including DDoS security, GenAI is well suited for configuration, reporting, incident correlation and problem resolution. Many security products and solutions already use GenAI for these purposes.
Some of the notable GenAI use cases in SIEM and EDR/XDR products focus on improved incident analysis and response. For example, GenAI can quickly sift through logs and forensic data to pinpoint the root cause of a security incident. It can also help service providers improve their operational agility by creating detailed incident response playbooks tailored to specific threats.
Predictive AI uses data analysis to identify patterns, anticipate trends and behaviors, and forecast upcoming events. That makes it a natural fit for automating DDoS detection and mitigation in a dynamic, evolving threat landscape. By correlating historical DDoS data with security events and incidents as they occur, it can help service providers stay a step ahead of attackers, identifying DDoS patterns and trends quickly and accurately and mitigating emerging threats swiftly. For DDoS security, the most compelling capabilities of predictive AI include:
- Trend and pattern recognition: Fast, accurate identification of potential threats based on anomalies in traffic behavior, unusual traffic flows or new types of DDoS attacks detected globally.
- Automated mitigation: Surgical removal or blocking of malicious traffic in real time with minimal impact on legitimate network traffic.
- Dynamic security policy adjustments: On-the-fly generation or adaptation of security policies and mitigation strategies to respond to evolving or changing threats.
It is worth noting that many of the tasks handed to predictive AI can also be achieved with well-engineered conventional ML, or even with very fast rule-based (“if-this-then-that”) processing of the same data; either approach can yield significant benefits for both DDoS detection and mitigation.
AI models are what they eat
Data is the lifeblood of AI, and this is also true when it comes to implementing AI for DDoS security. Today, these implementations are largely done by DDoS security vendors and anti-DDoS service providers that have in-house AI tools.
A key requirement for using AI models for network security is explainability. In network security, it is imperative to be able to trace back and explain every decision. In other words, networking and security professionals must be able to answer questions like, “Why was this traffic flow flagged as DDoS?” and “Why was this mitigation strategy chosen to neutralize this DDoS attack?”
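As an added example (not the author's or the Nokia Deepfield product's code), the following Python sketches the trend-and-pattern-recognition capability listed in the previous section together with the explainability requirement stated here: a per-destination baseline is learned over clean windows of flow records, a later window is scored against it, and every verdict comes with the list of features that triggered it, so "Why was this traffic flow flagged as DDoS?" has a concrete answer. The ten-second window, the sigma floors and the 3-sigma threshold are assumptions, and the flow records are constructed, not captured.

```python
"""Added example: baseline-versus-window anomaly detection for DDoS, returning an
explanation with every verdict. Not vendor code; all flow records are constructed."""
import random
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

WINDOW_SEC = 10           # each window index covers ten seconds (assumption)
Z_THRESHOLD = 3.0         # flag a window when a volume feature exceeds baseline by 3 sigma
# Floor on sigma so a very flat baseline cannot turn ordinary jitter into a huge z-score
MIN_SIGMA = {"pps": 50.0, "bps": 500_000.0, "srcs": 2.0}


@dataclass(frozen=True)
class Flow:
    window: int
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int
    pkts: int
    bytes: int


def window_features(flows, window, dst):
    """Volume and composition features for one destination in one window."""
    sel = [f for f in flows if f.window == window and f.dst == dst]
    pkts = sum(f.pkts for f in sel)
    byts = sum(f.bytes for f in sel)
    if pkts == 0:
        return {"pps": 0.0, "bps": 0.0, "srcs": 0.0, "avg_pkt": 0.0, "top_service": (None, 0.0)}
    by_service = Counter()
    for f in sel:
        by_service[(f.proto, f.src_port)] += f.pkts   # source service, e.g. udp/123 for NTP reflection
    service, count = by_service.most_common(1)[0]
    return {
        "pps": pkts / WINDOW_SEC,
        "bps": byts * 8 / WINDOW_SEC,
        "srcs": float(len({f.src for f in sel})),
        "avg_pkt": byts / pkts,
        "top_service": (service, count / pkts),
    }


def learn_baseline(flows, windows, dst):
    """Mean and (floored) standard deviation of each volume feature over clean windows."""
    series = {k: [window_features(flows, w, dst)[k] for w in windows] for k in MIN_SIGMA}
    return {k: (mean(v), max(pstdev(v), MIN_SIGMA[k])) for k, v in series.items()}


def classify(flows, window, dst, base):
    """Return (is_attack, reasons); reasons is the audit trail for 'why was this flagged?'."""
    feats = window_features(flows, window, dst)
    reasons = []
    for k, (mu, sigma) in base.items():
        z = (feats[k] - mu) / sigma
        if z > Z_THRESHOLD:
            reasons.append(f"{k}={feats[k]:.0f} is {z:.1f} sigma above the baseline mean of {mu:.0f}")
    if not reasons:
        return False, ["all volume features within 3 sigma of baseline"]
    (proto, sport), share = feats["top_service"]
    if share >= 0.8:   # composition evidence: one source service dominates and packets are large
        reasons.append(f"{share:.0%} of packets come from {proto}/{sport} at {feats['avg_pkt']:.0f} B/pkt "
                       "(single source service plus large packets is a reflection signature)")
    return True, reasons


def constructed_flows():
    """Six clean windows of HTTPS traffic, then a window with an NTP-style reflection flood (constructed)."""
    rng = random.Random(7)                        # seeded so the result is reproducible
    target = "203.0.113.10"
    clients = [f"198.51.100.{i}" for i in range(1, 21)]
    flows = []
    for w in range(7):
        for c in rng.sample(clients, 12):
            flows.append(Flow(w, c, target, "tcp", rng.randint(49152, 65535), 443,
                              rng.randint(20, 60), rng.randint(4_000, 30_000)))
    for i in range(1, 255):                       # 254 reflectors answer from udp/123 in window 6
        pkts = rng.randint(200, 600)
        flows.append(Flow(6, f"192.0.2.{i}", target, "udp", 123, rng.randint(1024, 65535),
                          pkts, pkts * 468))
    return flows


def run():
    """Learn on windows 0-5, then score the attack window (6) and a clean window (5)."""
    flows = constructed_flows()
    base = learn_baseline(flows, range(6), "203.0.113.10")
    return classify(flows, 6, "203.0.113.10", base), classify(flows, 5, "203.0.113.10", base)


if __name__ == "__main__":
    for verdict, reasons in run():
        print("ATTACK" if verdict else "clean", *reasons, sep="\n  ")
```

The point of returning `reasons` rather than a bare score is the traceability demanded above: an operator reviewing the event sees which features crossed the threshold and by how much, and the composition line turns a volume anomaly into an attributable vector (here a udp/123 reflection pattern) rather than an opaque model output.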
Access to high-quality DDoS-related data is critical both for explainability and for training AI models to do their jobs reliably. Very large, highly relevant, high-confidence data sets about DDoS events are must-haves. Relying on insufficient or unrepresentative data sets can lead to invalid results and “house-of-cards” failures.
DDoS detection accuracy can be greatly improved by complementing the DDoS-related knowledge of a specific network with data about the larger internet security context, including common threats and repeat offenders. This knowledge often comes from third-party sources that collect and maintain information about threats observed across a much larger attack surface. Several industry initiatives aim to obtain and share this information: some are consortiums of service providers sharing among themselves, others share via a national agency or regulator, and a vendor may supply the wider context directly from its own knowledge base, which is sometimes global in scope. Such augmented data sets provide a highly effective foundation for training predictive AI models for DDoS detection.
Once we have good data, the next challenge is to train AI models. While the knowledge base and DDoS security-related data sets may not be as vast as those used to train well-known GenAI models, they are dynamic and growing. With each new attack and threat, the data sets for a predictive AI model present more information that can be used to distinguish good traffic from DDoS traffic in real time.
It’s important to emphasize that the human factor is still indispensable for making important decisions about DDoS detection. Highly experienced security professionals help to optimize and improve AI models so the models will better “understand” what constitutes a DDoS attack, especially for novel attacks (such as the NoName057(16) attacks that have affected many service providers in 2024). These domain experts play an essential role by identifying important contextual factors and providing insights about how patterns may shift over time. Vendors and service providers still need the humans-in-the-loop approach to enhance the real-world applicability of AI models for DDoS detection.
DDoS mitigation has a different set of requirements for AI. Here, we are concerned with using AI to optimize the mitigation strategy to remove as much malicious traffic as possible while minimizing the impact on legitimate traffic with an optimal or minimal set of network resources. The input for AI-optimized mitigation must consider the composition of a particular DDoS attack, which may encompass many concurrent attack vectors, as well as the network’s actual DDoS mitigation capabilities and limitations.
Figure 1 shows how an AI-optimized set of 1,609 filter entries mitigated a complex DDoS attack composed of many concurrent vectors, with over 100,000 source IP addresses and 256 target addresses.
Figure 1: Mitigation of a large DDoS attack using an AI-optimized set of filters
Walking through the fire
The true proof of the effectiveness of an AI model for DDoS security lies in its ability to quickly identify a threat or attack and trigger agile and granular removal of the DDoS traffic by a mitigation system. As Charles Bukowski wrote, “What matters most is how well you walk through the fire.”
While it is vendors who (most often) perform model training and fine-tuning, evaluation of the performance and effectiveness of a DDoS security solution is predominantly left to service providers. This is a challenging endeavor because many DDoS solution vendors offer unique ML algorithms, novel advanced countermeasures, specialized hardware and other capabilities that are technically challenging for service providers to evaluate.
In an industry filled with claims and counterclaims, the best way to determine and benchmark the value of a DDoS mitigation solution is to consider three key metrics:
- Mitigation speed and performance (including false positive and false negative ratios)
- Scalability
- Cost
Of course, the central metric for any DDoS solution is its ability to filter DDoS traffic. The key concern, however, is not whether 100% of DDoS traffic will be mitigated. A solution that blocks all network traffic will block all DDoS traffic and all legitimate traffic.
We need a mitigation solution that is both fast and selective.
Speed of mitigation has quickly become one of the most important metrics. This is sometimes expressed as “time to drop first (DDoS) byte,” but with the emergence of fast-changing, short-lived DDoS attacks, the emphasis has switched to how long it takes to mitigate the entire attack. Modern DDoS security solutions need to complete full detection and mitigation in well under one minute.
For selectiveness of mitigation, the important metric is the false positive rate—how much of the legitimate traffic was dropped. Historically, high false positive rates of 10% and even more have been tolerated and accepted, which translates to a lot of good network traffic wrongly identified as DDoS and removed. With AI technology coming to the rescue, we should demand and expect more: predictive AI models should be able to achieve much improved false positive rates—below 1% for basic amplification/reflection and under 5% for most vectors.
Similarly, the false negative rate describes the percentage of attack traffic that was not identified as DDoS and, therefore, passed through as legitimate traffic. It is harder to track, because some emerging threats need time and repetition before they are properly identified as attacks, and because you can only count the attack traffic you know about. A credible false negative figure needs ground truth that covers all threats, including those you missed.
Scalability and cost are somewhat interrelated. An effective AI-enabled DDoS solution needs to scale to terabit levels even though the network may not encounter that volume of traffic today. This scalability must be achieved at a fraction of the cost of legacy, non-AI-based DDoS mitigation systems, which sometimes range to thousands of dollars per Gb/s of protected/mitigated traffic.
What can we do better?
With the increasing size and complexity of the DDoS threat landscape, service providers are not alone in seeking better DDoS security. It is a shared responsibility and concern for all participants in the global internet service delivery chain—from domains where applications, content and services are created through intermediaries such as IXPs and CDNs to service providers and their end users and customers.
Here are three things we can all do to improve overall DDoS and network security.
First, sharing intelligence is a key element of the fight against DDoS attacks. If we all share more insights about attackers and their methods, we will be better equipped to defend ourselves. For predictive AI systems, it’s essential to share and use relevant and confident data that includes all important contextual features (e.g., time, geo-location, IP packet parameters) while observing privacy and complying with frameworks such as General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).
Second, continuous monitoring of AI models’ performance for DDoS detection and mitigation of novel threats and attacks is essential. This tracking will indicate when and how AI models may need to be updated or retrained or when new data sources and features need to be added.
Third, our industry needs to work on standardizing benchmarking and performance measurement of DDoS security solutions. Maybe it’s time to follow the good and decades-old network engineering practices established for interoperability and implementation testing of new networking features and protocols and do something similar for DDoS and network security. While it is a much more sensitive area than generic networking, imagine a public DDoS hackathon that evaluates the performance of anti-DDoS solutions in a round-robin or may-the-best-one-win approach.
In a time when automation and AI are everywhere and are increasingly deployed by malicious actors to bring networks down, we must embrace these technologies to improve network defenses, too. What matters most is how well we walk through the DDoS and network security fire, and this is a fire we must fight and walk through together.
About the Author
Alex Pavlovic is Director of Product Marketing at Nokia. Alex has spent over 25 years in the telecom industry in many environments: academia, regulatory, consulting, and Tier-1 hardware and software telecom vendors. His current focus is the Nokia Deepfield portfolio of applications for network intelligence, analytics and DDoS security.
Alex can be reached online at LinkedIn, and