In the early morning hours of July 9 (UTC), a Distributed Denial of Service (DDoS) attack that peaked at 1.1 Tbps (terabits per second)/105.5 Mpps (mega packets per second) targeted a provider of internet and security services in the Asia Pacific region.
With an attack of that magnitude, the day could have unfolded in three possible ways:
- The attack effectively shuts down their website and network. Services to customers are disrupted or completely stopped. Users and staff can’t get online. The outage lasts hours, possibly days. Everything stops, except efforts to defeat the attack. Meanwhile, the attackers could be unleashing additional collateral attacks on data and other assets.
- The attack is managed (mitigated) with temporary disruption. The attack takes some time to detect and mitigation takes place, perhaps requiring some tuning for effectiveness. Attack defenses are in place, but rely on remote detection and diversion to begin actual mitigation.
- The attack is mitigated with no disruption. Everything just works. This is a characteristic of always-on protection from a cloud provider.
On this day, everything just worked. It was just another day in the office.
The attack was completely mitigated by UltraDDoS Protect, our cloud-based DDoS mitigation service. Moreover, because the company had chosen always-on protection, their traffic was already routed through our mitigation platform and did not have to be diverted before mitigation could begin.
As a result, mitigation started almost instantaneously and was handled entirely by the advanced automation incorporated in UltraDDoS Protect. The third-shift experts in our Security Operations Center, which is staffed 24/7, monitored the situation but did not have to intervene – although they were ready if the mitigation effort required it for any reason.
If your enterprise is going to receive an urgent reminder of the importance of excellence in DDoS mitigation, this is the outcome you want.
More on the attack.
It was truly massive, with a peak of 1.1 Tbps/105.5 Mpps and a second peak of 733.4 Gpps/64.2 Mpps, as shown in this profile.
The primary vector was UDP amplification, the most common volumetric vector for large attacks. The attacker utilized many high number UDP source ports and attempted to evade detection by targeting destination ports that did not correspond to actual traffic types. The secondary vector was a TCP ACK flood, designed to consume both additional customer and mitigation resources.
The attack was highly distributed, using approximately 30,000 sources distributed around the world, with the highest concentrations in the US, China, and Japan. Almost all the traffic was directed at a single IP address.
What if this attack had hit your company?
The outcome would depend on whether you have an active DDoS strategy – if not, all bets are off – as well as the technologies you have in place to mitigate attacks.
On premise solutions such as an overprovisioned network or DDoS mitigation appliances would have been swamped by an attack of this size. Even an enterprise with a substantial investment in mitigation appliances – and the staff expertise to employ them effectively – would be overwhelmed. The attack would saturate the bandwidth into its data centers.
Many companies contract with their ISP(s) for DDoS mitigation to supplement in-house protections, but an attack of more than 1 Tbps would almost certainly exceed their capacity to surgically mitigate. ISPs are limited by the unused capacity of their peering links to other providers, which typically allows them to mitigate attacks up to approximately 150 Gpbs without very blunt measures such as blackholing traffic. Beyond that, they risk serious performance degradations affecting many or all of their services as well as collateral damage to other customers.
The value of a specialist.
Mitigating an attack this large requires a third-party cloud-based DDoS scrubber such as Neustar Security Services. Only a dedicated DDoS mitigation provider offers the globally distributed capacity to handle such a massive attack. Our mitigation platform is provisioned with more than 15 Tbps of scrubbing capacity.
But it’s not just raw capacity that makes a DDoS mitigation specialist such a valuable addition to a DDoS defense strategy. Neustar Security Services, for example, offers a range of capabilities that are invaluable in delivering effective protection for your infrastructure against any type of DDoS attack:
- Advanced orchestration incorporating sophisticated automation to respond to an attack virtually instantaneously, as in the example in this post, while enabling active management of a defense in depth for complex, multi-vector attacks of long duration;
- Deep experience and practiced expertise best practices derived from over 10 years of mitigating countless DDoS attacks of different sizes, duration, and complexity;
- Flexibility in protection and configuration including always-on and on-demand services, as well as customized combinations for different assets or sub-networks; adjustable thresholds for automated traffic monitoring and countermeasure application; and options for both proxy and routing-based traffic redirect.
Final thought.
Don’t assume that massive attacks like the one in this case are unicorns that won’t hit your enterprise. We have seen and mitigated an increasing number of terabit plus attacks in the last two years, and in general attacks are growing in size and intensity.
If internet access is essential to your business revenue or operations, make sure your DDoS strategy and technologies are appropriate to counter the threats you could face.
We would be happy to discuss your DDoS protections, and help you evaluate whether UltraDDoS Protect would be a useful addition to your IT security posture. Contact us today for a consultative discussion of your strategy and options.
If you’re looking to level up on your cyber attack protection skills, turn to these helpful resources for some guidance on getting started:
