Posted on June 29, 2020 at 11:59 AM
In the past month, there have been unprecedented, prolonged distributed denial-of-service (DDoS) attacks launched against enterprises and hosting providers. This suggests a shift in botnets and tooling among the most sophisticated professional threat actors.
On June 21, Akamai Technologies provided details about how it stopped what is seen as the largest DDoS attack of its kind. The company said the attack could have been the largest packet-per-second DDoS attack ever recorded.
The attack, which targeted a large European bank, reached 809 million packets per second.
The attack ramped up very quickly, moving from normal traffic patterns to peak volume in less than two minutes. It grew from normal traffic levels to about 418 Gbps within seconds, before climbing to its peak of 809 Mpps in just under two minutes.
PPS attacks overwhelm infrastructure in different ways
Packet-based DDoS attacks rest on the same principle as the more common bits-per-second attacks: both aim to overwhelm the target's infrastructure. However, they pursue that goal in different ways.
While a packets-per-second attack tries to exhaust network resources, a bits-per-second volumetric attack tries to saturate the inbound pipe.
Roger Barranco, vice president of global security operations at Akamai, said attackers have been shifting their focus to higher packets-per-second attacks over the past year.
According to him, they are probably probing for weaknesses in enterprise DDoS mitigation, which is usually better prepared for sustained bandwidth attacks.
DDoS attacks are usually volumetric and are usually measured in bits per second (bps). The DDoS attacker's main goal is to overwhelm the inbound internet connection by sending more traffic to a circuit than it was designed to carry.
By contrast, PPS-centered attacks are meant to overwhelm network applications or gear in cloud environments or the customer's data center. Both types of attack are volumetric, but PPS attacks do not consume circuit capacity; they exhaust the resources of the gear. BPS attacks are also more common than PPS attacks.
This latest DDoS attack was meant to overwhelm the DDoS mitigation system through high PPS load.
Source IP Explosion
The Akamai security team pointed out that there was something different about the delivered packets as there was an enormous increase in the level of sourced IP addresses observed.
“The unique thing about the delivered packets was the enormous increase in the level of sourced IP addresses observed,” the team said.
The team reiterated that during the attack there was a substantial increase in the number of source IPs directing traffic at the customer.
This indicated that the DDoS attack was highly distributed in nature. The Akamai team said the number of source IPs per minute was more than 600% above the norm for this type of attack.
Most attack traffic was unprecedented
Apart from the sheer number of IP addresses, most of the attack traffic came from IPs not seen in any recent attacks. This points to an emerging botnet that did not previously exist.
Akamai usually tracks several hundred thousand source IPs used in DDoS attacks. The security firm has seen tens of thousands of these source IPs in multiple attacks.
It was unprecedented that about 96.2 percent of the source IPs were observed for the first time and had not been part of any previous DDoS attack.
Among the remaining 3.8 percent of source IPs, however, there were some familiar attack vectors. Several of the source IPs map to large ISPs through autonomous system (AS) lookups, a clear indication of compromised end-user machines.
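As an added example (not code from the original article or from Akamai), the following Python sketch illustrates the two defensive signals the article describes: the pps-versus-bps profile of a packet-rate flood (high packet rate, tiny packets, modest bandwidth growth) and the share of source IPs never seen in earlier attacks. The flow records, the baseline minute and the set of previously seen attack IPs are all constructed sample data.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): (seconds since start, src_ip, packets, bytes).
# Minute 0 is the normal baseline: 10 hosts sending ordinary 1200-byte packets.
# Minute 1 is a packet-rate flood: 100 previously unseen hosts sending tiny 60-byte packets.
FLOWS = [(0, f"192.0.2.{i}", 600, 600 * 1200) for i in range(10)]
FLOWS += [(60, f"198.51.100.{i}", 6000, 6000 * 60) for i in range(100)]

# Constructed "seen in earlier attacks" set: only 4 of the 100 flood sources are known.
KNOWN_ATTACK_IPS = {f"198.51.100.{i}" for i in range(4)}


def per_minute_stats(flows):
    """Aggregate each 60-second bucket into pps, bps, mean packet size and unique source count."""
    buckets = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": set()})
    for t, src, pkts, nbytes in flows:
        b = buckets[t // 60]
        b["pkts"] += pkts
        b["bytes"] += nbytes
        b["srcs"].add(src)
    return {
        m: {
            "pps": b["pkts"] / 60,
            "bps": b["bytes"] * 8 / 60,
            "avg_pkt_bytes": b["bytes"] / b["pkts"],
            "unique_src": len(b["srcs"]),
        }
        for m, b in sorted(buckets.items())
    }


def attack_profile(stats, baseline_min, attack_min):
    """Compare an attack minute against a baseline minute and name the dominant vector."""
    base, atk = stats[baseline_min], stats[attack_min]
    pps_x = atk["pps"] / base["pps"]
    bps_x = atk["bps"] / base["bps"]
    src_pct = (atk["unique_src"] - base["unique_src"]) / base["unique_src"] * 100
    vector = "pps" if pps_x > bps_x else "bps"
    return {"pps_x": pps_x, "bps_x": bps_x, "src_increase_pct": src_pct, "vector": vector}


def first_seen_share(flows, minute, known_ips):
    """Fraction of source IPs in a minute that never appeared in earlier attacks."""
    srcs = {src for t, src, _, _ in flows if t // 60 == minute}
    return len(srcs - known_ips) / len(srcs)


if __name__ == "__main__":
    s = per_minute_stats(FLOWS)
    print(attack_profile(s, 0, 1))
    print(f"first-seen sources: {first_seen_share(FLOWS, 1, KNOWN_ATTACK_IPS):.1%}")
```

In the constructed data the packet rate rises 100x while bandwidth rises only 5x, which is the profile a bps-tuned mitigation would underweight.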