
“It’s like warfare, really — it’s like a bombardment across multiple fronts” – RETN expert about new cybersec threats for Ukraine and the whole world

DDoS (Distributed Denial-of-Service) attacks are evolving really fast. The biggest ones are already similar to carpet bombarding, but on the internet. 


That is why the role of AI in mitigating DDoS attacks is also growing. Dev.ua had a chance to talk to William Manzione, product manager at RETN, the leading international data network platform that connects Europe and Asia in one network.

During the interview we tried to focus on cybersecurity questions specific to Ukraine, with an emphasis on the war with Russia.

William explained how AI helps detect and respond to DDoS attacks by learning traffic patterns, quickly identifying anomalies, and filtering malicious traffic.

The conversation also touches on the increasing scale and sophistication of DDoS attacks, the use of botnets, and the affordability and scalability of AI-powered solutions. 

— AI is like everywhere now, in each topic we are asking about AI. Everybody is talking about it and I’ve got to know from your colleagues that AI helps to prevent DDoS attacks. Please, tell me more about it.

— Yes, it’s a very powerful keyword right now. Everyone uses it. I’m from Italy so it’s for us — like the parmesan. You can put it anywhere.

— This is a very good comparison by the way. So the role of AI in DDoS mitigation — can you explain how AI is used to detect and prevent attacks?

— When we first started talking about AI, I was somewhat skeptical about how it could directly help with mitigating DDoS attacks. However, after a while I realized AI plays an essential role in improving detection accuracy and the overall speed of response. What makes AI so effective is its ability to learn from traffic patterns. Over a couple of weeks, AI learns the normal traffic flow for each customer, and from there, it can detect abnormal spikes or shifts in traffic—key indicators of a DDoS attack.

— How does the detection and mitigation process work once a DDoS attack is identified?

— After we detect an attack—using AI-driven pattern recognition, among other methods—the mitigation process kicks in immediately. The traffic is first redirected to one of our «scrubbing» devices, which filter out the malicious traffic. These scrubbing devices are in various locations worldwide, like Frankfurt, Riga, Budapest, Singapore and Taiwan. Once the attack traffic is filtered out, only the clean, legitimate traffic is allowed to pass through to the customer.

The entire process can happen within a matter of seconds to a few minutes, minimizing downtime and disruption.

— How scalable are these solutions, and what about the cost for your customers?

— We designed our DDoS mitigation platform to be both scalable and affordable. Initially, we were using a traditional system, which worked but wasn’t very scalable for large volumes of traffic. The new platform allows us to expand easily and offer protection at a lower cost, which is important for smaller companies and service providers that couldn’t previously afford such high-end protection. We’re aiming to make this kind of security a standard feature for all businesses, regardless of size, so it’s not just a luxury for the biggest corporations.

— How has the geopolitical situation in Ukraine impacted DDoS attacks in the region?

— DDoS attacks have been on the rise in Ukraine, especially with the ongoing geopolitical tension. We’re seeing these attacks become much more frequent, with many of them coming from countries that may have lower cybersecurity standards—where many devices are compromised and added to botnets. Some of the key countries responsible for these botnets are Russia, China, Indonesia, India, Vietnam, the Philippines, and others. In these countries, cybersecurity practices aren’t as rigorous, so many IoT devices—like routers, cameras, and even smart fridges—get hijacked and used for malicious purposes. This poses a huge risk, as these botnets can launch massive, distributed DDoS attacks.

— How big are these botnets? Do you have an estimate of their size, or is it something you’re not sure about?

— Well, I’d need to reference some data from larger providers for accuracy, but I can tell you that, for the first half of 2024, there were over 700,000 botnet nodes capable of launching attacks. And the thing is, it’s only growing. We’re also seeing more shady organizations offering DDoS attacks as a service. 

Botnets can vary in size, but some of them are massive—consisting of millions of compromised devices. 

These botnets typically consist of a mix of personal computers and IoT devices, such as smart TVs, security cameras, and even connected home appliances. Because these devices are often poorly secured, they are easy targets for cybercriminals. A single botnet can be used to launch a DDoS attack that overwhelms an entire network in a matter of minutes.

— Is it true that these DDoS attacks are usually fairly cheap to order?

— It depends on the type of attack. This is what I was getting at when you asked about what companies should do in Ukraine to improve their security.

Ten years ago, as a business owner, you might have thought, «I’ll never be a target of a DDoS attack,» and that was probably a reasonable assumption. Back then, it wasn’t as easy to become a target.

The problem now is that if you don’t have any network security, you’re exposed to even the simplest DDoS attacks. The most basic ones are UDP (User Datagram Protocol) volumetric attacks—they’re relatively easy to execute and also the cheapest. But if you’ve got even minimal security in place, these are easy to mitigate.

The more sophisticated attacks, like those targeting the application layer, are much harder to pull off. They require better coordination and more effort to generate significant damage, which makes them much more expensive. So, having at least basic security in place is crucial. Without it, you’re vulnerable to attacks, even the simple ones.

Those basic volumetric DDoS attacks—sending requests from a large number of hosts—are the cheapest ones. But once you move into more targeted attacks, especially at the application layer, things get more complicated and costly. The damage requires more effort, more planning, and better tools to execute.

So, the key takeaway here is that even a basic security solution is critical now because DDoS attacks don’t require much effort to execute. If you don’t have anything in place, you’re an easy target.

— Yeah, you can be affected by DDoS attacks without much effort if you don’t have defenses in place, right?

— Exactly. The recommendation is always to at least have some basic protection, because there are also shorter attacks that don’t cause much damage but serve as a kind of reconnaissance—an assessment of what security measures you have in place. They’re checking your defenses, getting ready for a bigger attack.

These are like «scouting» attacks to see what kind of protection you have. They prepare attackers for when they need to launch the real attack, the one that causes harm to your business.

— So, these are kind of reconnaissance attacks?

— Yes, they are. 

— And you mentioned more sophisticated attacks—those usually target vulnerabilities in software, right?

— Yes, exactly. These attacks often exploit bugs or vulnerabilities in the software. Sometimes, attackers try to distract you by launching a DDoS attack that doesn’t cause much damage, but it requires your full attention, while they’re also running a side attack to take you down quietly. This tactic has become really popular lately.

In the past, DDoS attacks usually targeted a single resource or IP address, trying to take it offline. But now, with the increased capabilities of botnets, the attacks are often much broader—they target a whole range of hosts. This is especially common when service providers are involved, as they provide services to many customers.

So now, you have a «carpet bombing» type of attack where multiple targets are attacked across different resources. Instead of just one target, there’s a whole array of them, and the goal is to take down as many of them as possible. It’s like warfare, really — it’s like a bombardment across multiple fronts.

— That really sounds like war, a bombing campaign targeting everything.

— It’s exactly like that, and it can be extremely difficult to defend against. Even if you have good security measures in place, sometimes these kinds of attacks are too much for a single defense solution to handle.

We had a situation three months ago where a customer was hit by a carpet bombing attack—multiple targets, multiple sources. It took a lot of work from our engineers, not just because our solution is good, but because it was large and sophisticated enough to test the limits of any provider’s capabilities.

We had to intervene manually on the edge of the network to make sure that the attack didn’t cause damage to our customer or to other clients.

It was a 1.6 terabit attack—the biggest one we’ve had so far. It was incredibly challenging.

And it’s only going to get bigger. As these attacks grow in scale, it’s becoming increasingly difficult for any DDoS mitigation provider to handle them effectively.

— How does your system handle such large-scale attacks?

— Our system uses multiple layers of detection to handle large-scale attacks. First, the system detects traffic anomalies—such as sudden, unexplained spikes in traffic that are often indicative of a DDoS attack. If the system detects a potential threat, the AI-powered «smart detection» system kicks in. This AI learns from the customer’s unique traffic pattern, which helps reduce false positives. Once an attack is confirmed, the system automatically redirects the traffic to our scrubbing devices to filter out the malicious packets. The clean traffic is then sent back to the customer, minimizing downtime and ensuring that only legitimate traffic reaches the site.

— What challenges did you face in the early stages of implementing this AI-powered detection system?

— Initially, we encountered some difficulties with false positives. The AI wasn’t perfect right out of the gate, so we had situations where the system mistakenly identified normal, high-traffic events as DDoS attacks. This led to a few disruptions and some unnecessary intervention from our team. However, over time, as the AI adjusted to each customer’s traffic patterns, the system became much more accurate. It learned to better differentiate between real threats and normal spikes in traffic, which significantly improved its effectiveness. It’s not perfect yet, but it’s certainly much more reliable than it was in the beginning.

— Are your customers mainly service providers, or do you also have corporate clients?

— Our customer base in Ukraine is a mix of both service providers and corporate clients. We see a lot of demand from hosting companies, as well as smaller enterprises that may not have the internal resources to protect themselves from large-scale DDoS attacks. Given the geopolitical situation, even smaller companies are at risk of being targeted, so we’ve worked hard to make sure that our solutions are accessible to businesses of all sizes.

Our goal is to make DDoS protection available to anyone who needs it, without the hefty price tag that traditionally comes with high-level network security.

— Looking ahead, what do you see as the future of DDoS mitigation in regions like Ukraine?

— The future of DDoS mitigation in regions like Ukraine is promising but requires continuous innovation. As DDoS attacks grow more sophisticated, AI and machine learning will be key to staying ahead of the attackers. With countries like Russia, China, and others continuing to launch large-scale attacks, AI-driven solutions will play a central role in detection and mitigation. We’re also focusing on expanding our network to ensure that no matter where a customer is located, they can rely on a robust, real-time defense against DDoS attacks. Our aim is to make DDoS protection a default service for every business, not just a niche offering for large companies.
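The detection flow William describes across the interview (learn each customer’s normal traffic over a warm-up period, flag spikes against that baseline, confirm them over several samples so ordinary high-traffic events do not trigger mitigation, then steer the customer onto scrubbing and back) is shown below as an added, simplified example. It is an editorial illustration, not RETN’s code and not part of the interview; the customer names, traffic samples in Mbps, window size and thresholds are all constructed values chosen for the demonstration.

```python
"""Two-stage DDoS detection sketch: baseline learning, spike confirmation,
and steering traffic to scrubbing. Hypothetical illustration, not a vendor's
implementation; all numbers below are constructed for the example."""
from collections import deque
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class CustomerProfile:
    """Rolling baseline of one customer's inbound traffic (constructed Mbps)."""
    name: str
    window: int = 10             # samples kept as the "normal" baseline
    z_threshold: float = 4.0     # std devs above the mean that count as a spike
    confirm_samples: int = 3     # consecutive spikes needed before mitigating
    min_abs_mbps: float = 200.0  # ignore spikes below this absolute volume
    history: deque = field(default_factory=deque)
    streak: int = 0              # consecutive anomalous samples seen so far
    mitigating: bool = False


class SmartDetector:
    """Learns each customer's normal traffic, then flags and confirms spikes."""

    def __init__(self):
        self.profiles = {}

    def _profile(self, name):
        if name not in self.profiles:
            self.profiles[name] = CustomerProfile(name)
        return self.profiles[name]

    def observe(self, name, mbps):
        """Feed one traffic sample; returns the detector state for this customer."""
        p = self._profile(name)
        # Stage 0: not enough history yet. Keep learning, never alert.
        if len(p.history) < p.window:
            p.history.append(mbps)
            return "learning"
        mu = mean(p.history)
        sigma = pstdev(p.history) or 1.0  # flat traffic would give sigma == 0
        z = (mbps - mu) / sigma
        anomalous = z > p.z_threshold and mbps > p.min_abs_mbps
        if anomalous:
            p.streak += 1
        else:
            p.streak = 0
            # Only normal samples refresh the baseline, so attack volume can
            # never teach the model that attack-sized traffic is "normal".
            p.history.append(mbps)
            p.history.popleft()
        if p.mitigating:
            if p.streak == 0:
                p.mitigating = False
                return "recovered"
            return "mitigating"
        # Stage 2: require several consecutive spikes before acting, which is
        # what keeps a single short burst (a flash crowd) from being mitigated.
        if p.streak >= p.confirm_samples:
            p.mitigating = True
            return "mitigating"
        return "suspicious" if anomalous else "normal"


def route_for(state):
    """Where the customer's traffic is steered for a given detector state."""
    return "scrubbing" if state == "mitigating" else "direct"


def simulate(detector, name, samples):
    """Run a constructed timeline and return (mbps, state, route) per sample."""
    out = []
    for mbps in samples:
        state = detector.observe(name, mbps)
        out.append((mbps, state, route_for(state)))
    return out


if __name__ == "__main__":
    # Constructed timeline: warm-up, a harmless one-sample burst, then a
    # sustained volumetric flood, then traffic returning to normal.
    timeline = [95, 102, 98, 105, 100, 97, 103, 99, 101, 100,
                104, 450, 98, 3000, 3500, 4000, 3800, 101, 99]
    for mbps, state, route in simulate(SmartDetector(), "isp-a", timeline):
        print(f"{mbps:>6} Mbps  {state:<11} -> {route}")
```

The single 450 Mbps sample is reported as suspicious but never mitigated, while the 3000/3500/4000 run crosses the confirmation threshold and moves the customer to scrubbing until traffic returns to baseline. Each customer has its own profile, so a second customer with no history stays in the learning state regardless of volume, which mirrors the per-customer baseline William describes.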
