A pattern of increasingly large DDoS attacks has emerged on the threat landscape this year, including a record-setting packet-per-second attack earlier this month.
Not only are they increasing, but they are also setting records for volume and speed, according to Akamai.
In a two-week span this month, Akamai Technologies mitigated two of the largest DDoS attacks ever seen on its platform.
The first took place in early June, when Akamai stopped the largest-ever attack at 1.44 terabits per second (Tbps), which targeted an internet hosting provider.
One week later, on June 21, Akamai mitigated the largest packet-per-second DDoS attack ever recorded on its platform: an 809 million packets per second (Mpps) DDoS attack against a large European bank. “The attack grew from normal traffic levels to 418 Gbps in seconds, before reaching its peak size of 809 Mpps in approximately two minutes. In total, the attack lasted slightly less than 10 minutes,” Tom Emmons, principal product architect, wrote in the report.
For comparison, Akamai said the attack on the hosting provider earlier in the month generated just 358 Mpps.
While DDoS attacks themselves are common, and that particular bank gets attacked fairly regularly, the size of the attack was unusual, according to Roger Barranco, Akamai’s vice president of global security operations.
“We’ve seen this type of attack, but we’ve never seen it at this size and we’ve never seen it ramp up so fast. I think that’s something unique also. Within two minutes it was at full potential,” Barranco said. “To defend that, you have to have a significant amount of platform resources in front of you to be able to stop something that size.”
Over the last year, Akamai has observed a slight increase in the number of attacks that focus on packets per second versus the traditional bits per second, said Barranco.
“In the past, I would say that it was 95% of the attacks were bits-per-second-focused and it’s probably closer to 85% now. The big difference is the massive size of the most recent attack,” Barranco said.
One reason for the shift, says Barranco, is an improvement in defensive postures, which focus on defending against bits-per-second attacks.
“Packets per second is not seen as frequently and it exhausts the customer’s infrastructure in a different way. Attackers just chose another tactic to try because it’s less used,” Barranco said. “In this instance and what we’re seeing more of, is that these attacks are incredibly fast at getting to maximum rate. It doesn’t give the average group time to respond.”
Barranco attributes the ability to pull off attacks of this volume and speed to a new approach that has access to more endpoints and devices that can launch the attack.
“I think what’s different is that these were new sets of IP, which means there’s probably some new tooling out there and that new tool has access to much more IoT. Those IPs haven’t been seen and you can say that for sure because this attack is not spoofed,” Barranco said. “So those were not faked IP sources, they were known sources. Real sources.”
What’s also new is the risk of simultaneous attacks happening more frequently.
“We’re always fighting many attacks at the same time, but it’s unusual to see 400 [GBps] attacks coming in at the same time and that’s an indicator of the tool that’s available to the attacker,” Barranco said. “With the recent 1.44-terabyte attack, it looked very much there were multiple tools in use simultaneously and that’s how they were able to build such a high-volume type of attack.”
Other record-setting DDoS attacks
In 2018, GitHub broke the record for the largest DDoS attack, previously set by the Mirai-based Dyn attacks in 2016. GitHub was taken offline briefly by a 1.35 Tbps DDoS attack, which was mitigated by Akamai.
In February of this year, Amazon disclosed in the company’s AWS Shield Threat Landscape report that it mitigated the largest DDoS attack it had ever recorded: a 2.3 Tbps attack.
Security vendor Kaspersky Lab has also observed an increase in DDoS attacks in the past year alone, some of which is attributed to the pandemic. “This is reflected in the goals of recent DDoS attacks, with the most targeted resources in Q1 being websites of medical organizations, delivery services and gaming and educational platforms. Contrary to our forecast in the last report, in Q1 2020 we observed a significant increase in both the quantity and quality of DDoS attacks,” Kaspersky wrote in the report.
Time and effort spent on defensive posture is important in protecting against DDoS attacks, Barranco said. “I’d rather have to mitigate in advance than to have to react to it.”