ANALYSIS: Although a 665Gbps attack is considered an outlier today, there will likely come a day when it is not looked at that way
This past week, the largest-ever internet distributed denial-of-service (DDoS) attacks were reported, targeting popular security blogger Brian Krebs and internet service provider OVH in Europe.
On Sept. 20, Krebs tweeted that his site was hit with a DDoS attack of 665G bps. A day later, on Sept. 21, Octave Klaba, founder of OVH tweeted that his network was affected on Sept. 20 by simultaneous DDoS attacks approaching 1T bps. The peak attacks came in at 191G bps and 799G bps.
Krebs’ blog was being protected by content delivery network and DDoS provider Akamai, which had previously reported that the top DDoS it had seen in the second quarter of 2016 was 363G bps. Other DDoS providers have also seen high-bandwidth attacks.
Roland Dobbins, principal engineer at Arbor Networks, told eWEEK that the largest attack of which his company has direct knowledge was 579G bps.
Massive DDoS attacks
Akamai decided on Sept. 22 to drop support for Krebs, who had been a pro bono customer on the platform. An Akamai spokesperson said that decision to drop support for Krebs wasn’t made lightly, but the costs and impact of defending against the large DDoS were non-trivial.
John Graham-Cumming, CTO of CloudFlare, which also provides DDoS mitigation, told eWEEK that his company has reached out to offer its help to Krebs. CloudFlare first gained notoriety in 2013, when it helped mitigate what at the time was the largest DDoS to hit the internet, a 120G-bps attack against Spamhaus.
Andy Ellis, chief security officer at Akamai, told eWEEK that the 665G-bps attack was the largest that Akamai has ever seen for a DDoS. While the actual analysis of the attack is still ongoing, he emphasized that it wasn’t an everyday type of DDoS. Many DDoS attacks today make use of reflection techniques to amplify traffic. With a DDoS reflection, a misconfigured service is abused to then amplify and reflect traffic toward a target.
According to Ellis, initial indications are that the 665G-bps attack used a large volume of internet of things devices, including cameras. Ellis added that many of the common attributes the make typical DDoS attacks simple to defeat were not present in the 665G-bps attack.
“It’s a botnet that is using direct traffic, so it’s not reflecting off anything; it’s sending legitimate requests,” Ellis said. “So it’s not malformed traffic; it all looks like legitimate users coming out of IP address spaces that have legitimate traffic.”
While it’s not yet clear if the attacks against OVH and Krebs are from the same DDoS attack group, it does appear to be likely. Ellis noted that Akamai has spoken with other organizations that have been impacted by similar attacks to see if the attacks are the same adversary with the same botnet.
Regardless of the source, Akamai’s security intelligence research team is looking for lessons learned from the attack to see what sorts of actions need to be taken to help defend against future attacks, Ellis said.
“On our platform engineering team, we conduct ongoing exercises in adversarial resilience,” Ellis said. “That’s where we’re looking at how we protect Akamai and understanding how as attacker capabilities change, what we need to do to harden our planetary-scale infrastructure.”
Although a 665G-bps attack is currently considered an outlier, there will likely come a day when it is not.
“Three years from now, we’ll probably be looking back and saying everyone is doing 600G-bps DDoS attacks, so we better be able to handle it in a scalable and effective fashion,” Ellis said.
Originally published on eWeek