DDoS Attack Vectors Evolve as Overall Number of Attacks Declines
In terms of DDoS attacks, 2019 has started with a bang! At the end of January reports surfaced of a massive DDoS attack that generated over 500 million packets per second, which was significantly larger than last year’s GitHub attack, which peaked at 129.6 million packets per second. This most recent attack as reported by Imperva crossed the 500 million packets per second (PPS) mark, which differentiates this attack from other hyper scale DDoS attacks. When looking into this particular attack, the most interesting factor is the huge number of packets per second, making it difficult for NetOps and SecOps teams to respond to this anomalous network behaviour, as they need huge amounts of network hardware and specialist resources to mitigate against them.
This particular attack was reported as a SYN based flood attack, which was amplified by the attacker using larger SYN flood packets as well as normal SYN packets, estimated at around the 800-900 bytes mark. The strategy behind this attack was for the normal SYN packets exhaust server resources whilst the larger SYN flood packets saturate the network. A SYN flood attack attempts to overwhelm a target by sending in mass amounts of TCP connection requests (one of three stages of a TCP three-way handshake) hoping to render it unresponsive as it waits for a client reply, severely impacting upon network capacity, service delivery and compromising infrastructure.
The attackers, in this case, used a combination of two older common tools, highly randomised and spoofed source ports and addresses to launch the attack. While this attack in itself could be devastating if allowed to crash through the network unchecked, we do not know at this time if this episode was a master class in sleight of hand and was, in fact, masking an intelligent and stealthy multi-vector attack. This is why organisations must have intelligent tools sets that can not only detect and mitigate the obvious DDoS attack but also the not so overt attack vectors that use DDoS as a way into the network.
This attack is thought to be one of the largest ever recorded, is the start of a new era of colossal PPS DDoS attacks? If so, how do organisations dealing with huge amounts of data and daily attacks reduce their vulnerability and risk? The answer is to combine total network visibility, global threat intelligence, smart Anomaly Detection alert triaging and the ability to block cyber-attacks in real-time to create a proactive agile multi-layered security strategy that keeps day-to-day operations running smoothly and important data safe. Telesoft offers a number of cyber security products for flow monitoring and cyber threat visibility, talk to us to about detecting and blocking threats in your network
You may also like
400GBPS FlowProbe: Network Traffic Monitoring
Monitor real time traffic information and network performance whilst using anomaly detection to maintain cyber security with our ultra high performance 4x 100GbE network traffic monitor.
100GBPS CERNE: INTRUSION DETECTION
100 Gbps IDS engine and alert driven packet recorder that enables 24/7 real-time network threats monitoring and access control.
400GBPS TRITON: CYBER WARFARE SIMULATION
Prove and enhance your cyber security posture with our Cyber Warfare Simulation tool and our world class SLA and advanced on-site/ off-site support.
TDAC: Digital Forensics
Unlocks network visibility and threat identification