11th March, 2020
In terms of DDoS attacks, 2019 has started with a bang! At the end of January, reports surfaced of a massive DDoS attack that generated over 500 million packets per second, significantly larger than last year’s GitHub attack, which peaked at 129.6 million packets per second. This most recent attack, as reported by Imperva, crossed the 500 million packets per second (PPS) mark, which sets it apart from other hyper-scale DDoS attacks. The most interesting factor in this particular attack is the huge packet rate, which makes it difficult for NetOps and SecOps teams to respond to the anomalous network behaviour, as mitigating it requires large amounts of network hardware and specialist resources.
This particular attack was reported as a SYN-based flood, which the attacker amplified by using larger SYN flood packets, estimated at around the 800-900 byte mark, alongside normal SYN packets. The strategy behind this attack was for the normal SYN packets to exhaust server resources whilst the larger SYN flood packets saturate the network. A SYN flood attack attempts to overwhelm a target by sending massive numbers of TCP connection requests (SYN packets, the first of the three stages of the TCP three-way handshake) in the hope of rendering it unresponsive as it holds each half-open connection waiting for a client reply, severely impacting network capacity and service delivery and compromising infrastructure.
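As an added illustration of the SYN-flood pattern just described (example code written for this page, not from the original post or from Telesoft), here is a small Python detector over constructed per-packet summaries: it buckets SYN packets per second, raises an alert on the SYN rate, and reports the oversized-SYN fraction, the spread of source addresses and ports, and the ACK-to-SYN ratio that a defender would want alongside it. The thresholds, the record tuple format and the sample capture are assumptions made for this example.

```python
# Added example (not from the original post): a small detector over constructed
# packet summaries that flags a SYN flood by per-second SYN rate and also
# reports whether oversized SYN packets are mixed in, as the article describes.
from collections import defaultdict

# Thresholds are assumptions for this example, not figures from the article.
SYN_PPS_THRESHOLD = 1000   # SYN-only packets per second before we alert
LARGE_SYN_BYTES = 600      # a SYN above this is "oversized" (normal SYNs are ~60-80 bytes)

def summarise_syn_traffic(records):
    """records: iterable of (timestamp_sec, src_ip, src_port, tcp_flags, length)."""
    per_second = defaultdict(lambda: {"syn": 0, "large_syn": 0, "ack": 0, "sources": set()})
    for ts, src_ip, src_port, flags, length in records:
        bucket = per_second[int(ts)]
        if flags == "S":                      # SYN without ACK: a new connection attempt
            bucket["syn"] += 1
            bucket["sources"].add((src_ip, src_port))
            if length >= LARGE_SYN_BYTES:
                bucket["large_syn"] += 1
        elif "A" in flags:                    # any ACK-bearing segment: handshake progressing
            bucket["ack"] += 1
    return per_second

def detect_syn_flood(records):
    """Return one alert dict per second whose SYN rate crosses the threshold."""
    alerts = []
    for second, b in sorted(summarise_syn_traffic(records).items()):
        if b["syn"] >= SYN_PPS_THRESHOLD:
            alerts.append({
                "second": second,
                "syn_pps": b["syn"],
                "large_syn_fraction": round(b["large_syn"] / b["syn"], 2),
                "distinct_sources": len(b["sources"]),          # high when sources are spoofed/randomised
                "ack_to_syn_ratio": round(b["ack"] / b["syn"], 3),  # near 0: handshakes never complete
            })
    return alerts

def constructed_capture():
    """Constructed sample: 1 s of benign traffic followed by 1 s of mixed-size SYN flood."""
    recs = [(100.0, "10.0.0.5", 40000 + i, "S", 74) for i in range(20)]
    recs += [(100.1, "10.0.0.5", 40000 + i, "A", 66) for i in range(20)]
    # flood second: 1200 spoofed SYNs from randomised sources, every third one padded to ~850 bytes
    recs += [(101.0, f"203.0.113.{i % 250}", 1024 + i, "S", 850 if i % 3 == 0 else 74)
             for i in range(1200)]
    return recs

if __name__ == "__main__":
    for alert in detect_syn_flood(constructed_capture()):
        print(alert)
```

On real traffic the same per-second buckets can be fed from flow records or a packet capture, and the threshold should be set from the target's measured baseline rather than the constant above.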
The attackers in this case used a combination of two older, common tools with highly randomised and spoofed source ports and addresses to launch the attack. While this attack could in itself be devastating if allowed to crash through the network unchecked, we do not know at this time whether this episode was a master class in sleight of hand that was, in fact, masking an intelligent and stealthy multi-vector attack. This is why organisations must have intelligent tool sets that can detect and mitigate not only the obvious DDoS attack but also the less overt attack vectors that use DDoS as a way into the network.
This attack is thought to be one of the largest ever recorded; is it the start of a new era of colossal PPS DDoS attacks? If so, how do organisations dealing with huge amounts of data and daily attacks reduce their vulnerability and risk? The answer is to combine total network visibility, global threat intelligence, smart Anomaly Detection alert triaging and the ability to block cyber-attacks in real time to create a proactive, agile, multi-layered security strategy that keeps day-to-day operations running smoothly and important data safe. Telesoft offers a number of cyber security products for flow monitoring and cyber threat visibility; talk to us about detecting and blocking threats in your network.