By Bryant Rump, CISSP, Principal Security Architect, and Michael Smith, Field CTO
At Neustar Security Services (NSS), we believe in having complementary security technologies and architectures to defend against various attacks. One great example is how we use UltraDDoS Protect to defend UltraDNS and UltraWAF when they receive DDoS attacks that are bigger than their capacity. Specific to UltraDNS, we configure all our 30 Points of Presence (PoPs) to block non-DNS traffic at their edge and to divert traffic on-demand to UltraDDoS Protect during a large attack. We also have 15 of our UltraDNS nodes in the same physical location as UltraDDoS Protect, which allows us to scrub traffic and return the clean traffic via a cross-connect that doesn’t require an ISP circuit and has effectively no latency. UltraDNS2, our recently launched second global anycast network, also includes on-demand routing to UltraDDoS Protect.
With this protection and architecture in place, on Friday, October 14th, the NSS SOC successfully and automatically mitigated the largest attack to date on UltraDNS with no impact on the availability or performance of UltraDNS. The targeted UltraDNS networks automatically diverted to UltraDDoS Protect, where the attack traffic was mitigated. Legitimate queries were then passed to UltraDNS for resolution. This record-setting attack on UltraDNS did not impact the service due to the preconfigured automation NSS has put in place between the global 15-node, 15Tbps UltraDDoS Protect solution and the highly scalable, 30-node UltraDNS service that prioritizes availability and performance.
Some highlights of the attack:
Two peaks were observed during an 8-hour attack period.
The 1st peak, 511.5Gbps/48.47Mpps, started at 1452 UTC and lasted approximately 15 minutes.
The 2nd peak, 700.87Gbps/70.74Mpps, started at 2141 UTC and lasted for approximately 24 minutes.
The attack vector was UDP Fragmentation caused by several UDP Amplification attack vectors (DNS Reflection, NTP Amplification).
Secondary vectors of TCP SYN and TCP ACK Floods were also used.
Multiple destination IP addresses within UltraDNS were targeted.
The attack came from 94,000 unique source IP addresses.
The largest source of attack traffic was Russia followed distantly by Brazil, Ukraine, Indonesia and the United States.
Several botnets were likely used in the attack.
The attack traffic originated from telecoms headquartered in Russia, Latin America, and Asia, and from a number of other source networks, in a widely distributed attack.
The attack is consistent with recent anti-US, anti-NATO, and anti-Ukraine DDoS activity sourced from Russia.
It is important to note that for UDP traffic, and for other traffic types such as SYN floods, source IP addresses can be spoofed, faked, or forged, because no two-way handshake validates the source.
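The two defensive steps described above (dropping non-DNS traffic at a PoP edge, then measuring the rate to decide whether to divert on-demand to scrubbing) can be sketched in code. This is an added illustration, not NSS code: the anycast addresses, the diversion thresholds and the one-second flow aggregates are all constructed, and the vector labels follow the list above.

```python
from collections import defaultdict, namedtuple

# Constructed values: not NSS addresses or published thresholds.
DNS_ANYCAST = {"198.51.100.53", "198.51.100.54"}   # addresses the PoP answers DNS on
DIVERT_GBPS, DIVERT_MPPS = 100.0, 10.0             # assumed per-PoP diversion trigger

# One-second aggregate of one traffic class at the PoP edge. dport is -1 for a
# non-first fragment (no L4 header to read); tcp_flags is "S" (SYN-only), "A" (ACK-only) or "".
Flow = namedtuple("Flow", "ts dst proto sport dport frag tcp_flags packets bytes")

def edge_allows(f):
    """Edge policy: only UDP/TCP port 53 to the DNS anycast addresses. Inbound to an
    authoritative server the legitimate traffic is queries, which do not fragment,
    so fragments (no port to inspect) are dropped here too."""
    return f.dst in DNS_ANYCAST and not f.frag and f.dport == 53

def classify_vector(f):
    if f.frag:
        return "udp-fragment"
    if f.proto == "udp" and f.sport in (53, 123):
        return "udp-amplification"   # reflected off open DNS (53) or NTP (123) servers
    if f.proto == "tcp" and f.tcp_flags in ("S", "A"):
        return "tcp-syn-flood" if f.tcp_flags == "S" else "tcp-ack-flood"
    return "unclassified"            # ordinary queries land here

def analyze(flows):
    rate = defaultdict(lambda: [0.0, 0.0])   # ts -> [Gbps, Mpps]
    vectors, dropped, passed = defaultdict(int), 0, 0
    for f in flows:
        rate[f.ts][0] += f.bytes * 8 / 1e9
        rate[f.ts][1] += f.packets / 1e6
        vectors[classify_vector(f)] += f.packets
        if edge_allows(f):
            passed += f.packets    # a SYN flood on port 53 passes the edge; scrubbing handles it
        else:
            dropped += f.packets
    peak_gbps = max(r[0] for r in rate.values())
    peak_mpps = max(r[1] for r in rate.values())
    return {"peak_gbps": peak_gbps, "peak_mpps": peak_mpps, "edge_dropped": dropped,
            "passed_to_dns": passed, "vectors": dict(vectors),
            "divert": peak_gbps >= DIVERT_GBPS or peak_mpps >= DIVERT_MPPS}

SAMPLE = [  # constructed one-second aggregates (bytes = packets * average size)
    Flow(0, "198.51.100.53", "udp", -1, -1, True, "", 40_000_000, 60_000_000_000),
    Flow(0, "198.51.100.53", "udp", 123, 9, False, "", 5_000_000, 2_500_000_000),
    Flow(0, "198.51.100.54", "tcp", 40000, 53, False, "S", 3_000_000, 180_000_000),
    Flow(0, "198.51.100.53", "udp", 33333, 53, False, "", 100_000, 8_000_000),
    Flow(1, "198.51.100.53", "udp", -1, -1, True, "", 1_000_000, 1_500_000_000),
]
```

The point the sample makes is that the edge filter removes the fragment and reflection volume without any state, but a SYN flood aimed at port 53 looks like DNS to that filter, which is why the remaining traffic still needs the scrubbing tier before it reaches the resolvers.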
An attack of this magnitude would have caused an outage for DNS platforms not protected by a robust, global cloud-based DDoS mitigation platform. Our customers were protected and experienced no downtime, service degradation, or latency due to the viability of UltraDDoS Protect and the resilience of the UltraDNS platform.
If being online is critical for your business, you must ensure you have the right platform. Neustar Security Services is the choice for the most prominent online brands in the world. Contact us today to discuss how we can help your enterprise thrive online.