Amazon reported sustaining a 2.3 Tbps DDoS attack in 2020 — here’s what to know about the largest DDoS attacks on record & how they’re measured
Move aside, GitHub — there’s a new DDoS attack that holds the heavyweight title of being the largest DDoS attack in history.
Amazon Web Services (AWS) reports that in February 2020, it defended against a 2.3-terabit-per-second (Tbps) distributed denial of service (DDoS) attack! Previously, GitHub was recognized as sustaining the largest DDoS attack in history: a 1.35 Tbps attack against the site in 2018. That attack was delivered without the help of a botnet, and at the time it was the biggest DDoS attack in history.
In January 2019, Imperva announced a new contender for the title — although they were looking at DDoS attacks from a slightly different angle. This undesirable recognition was awarded to an unnamed client of Imperva, which experienced a DDoS attack in which 500 million packets per second (PPS) were directed at their network or website. And in April, Imperva reported an even larger PPS attack on another client that surpassed the January record — the newest attack peaked at 580 million PPS. Compare this to the GitHub DDoS attack, which peaked at 129.6 million PPS. This means we can now consider the April 2019 attack as the largest DDoS attack to date by packet volume.
But, wait: measuring an attack in terms of the amount of bandwidth it consumes is not the same as measuring its intensity in terms of the number of packets unleashed per second, and vice versa. Yes, you’re correct — these two avenues of attack are different, and one may be more difficult to recover from than the other. But how exactly are DDoS attacks measured? And is one method of attack considered more significant, or more challenging to recover from, than another?
At Hashed Out, we’re not ones to pull any punches. Let’s take a look at the four most recent and biggest DDoS attacks in history (in terms of both forwarding rates and bit rates) as examples.
Let’s hash it out.
What Happened with the Most Recent (and Largest) DDoS Attack?
When we previously reported on this topic, our talking points focused on GitHub and Imperva’s two unnamed clients. In June 2020, we’ve updated the article to reflect the DDoS attack that AWS sustained in February 2020.
Amazon’s AWS Shield Observes and Mitigates a 2.3 Tbps Attack
Amazon reported that AWS Shield, their managed threat protection service, observed and mitigated a 2.3 Tbps DDoS attack on Feb. 17. Their research also indicates that there was a notable increase in the total number of events they reported in Q1 2020 over Q4 2019 (10%) and Q1 2019 (23%).
So, what do we know about the 2.3 Tbps attack? According to AWS’s Threat Landscape Report — Q1 2020:
“In Q1 2020, a known UDP reflection vector, CLDAP reflection, was observed with a previously unseen volume of 2.3 Tbps. This is approximately 44% larger than any network volumetric event previously detected on AWS. CLDAP reflection attacks of this magnitude caused 3 days of elevated threat during a single week in February 2020 before subsiding. Despite this observation, smaller network volumetric events are far more common. The 99th percentile event in Q1 2020 was 43 Gbps.”
Previously, the Attack Against Imperva’s Client
In the January 2019 attack, one of Imperva’s clients faced a SYN flood DDoS attack that delivered a deluge of 500 million PPS. Each packet was thought to range from 800 to 900 bytes in size. While that sounds small, let’s take a moment to work out the total using a representative 850 bytes per packet. At that size, 500 million packets would amount to about 396 Gbps (425 billion bytes, or 3.4 trillion bits) of data hitting the network every second to render it unresponsive.
“When we investigated, we realized the attack wasn’t generated using new tools, but two common older ones: one for the syn attack and the other for the large syn attack. Although both tools try to mimic legitimate operating systems, there are some odd, suspicion-raising differences. One tool randomizes various parameters but accidentally malforms the packet. The other tool uses a legitimate, almost identical packet, for the entire attack. One possible hypothesis is that these tools, although used in the same attack, were written by two different individuals and then combined to form an arsenal and launch the most intensive DDoS attack against Network infrastructure in the history of the Internet.”
This attack method differed from the one used in the GitHub attack, which relied on memcached reflection; we’ll get to that in a moment.
Previously, the GitHub DDoS Attack
GitHub is a developer platform that offers distributed version control and source code management for Git. Git is a version control system that tracks changes in computer files and helps coordinate collaboration between multiple people working on the same file. Basically, GitHub is a repository for all kinds of code and the projects they come from. It also uses SHA-1 hashing as a checksum — but that’s another topic for another day.
On Wednesday, February 28, 2018, GitHub was hit by the aforementioned DDoS attack. At the outset, GitHub’s automated systems took a little while to assess the issue. After about ten minutes, GitHub called Akamai, the company tasked with DDoS mitigation for GitHub.
Akamai began filtering the traffic through its own systems, acting as a de facto intermediary. Akamai pushed the data through what it refers to as “scrubbing centers” to strip malicious packets.
After about 8 minutes, the attackers relented.
“We modeled our capacity based on five times the biggest attack that the internet has ever seen,” Josh Shaul, vice president of web security at Akamai, told WIRED hours after the GitHub attack ended. “So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It’s one thing to have the confidence, it’s another thing to see it actually play out how you’d hope.”
The previous record for the largest DDoS attack of all time was the 2016 attack against Dyn. Dyn does a lot of things, but perhaps most importantly it’s a DNS service. That attack came in at 1.2 Tbps and sent the internet into a frenzy.
There are some key differences though. Dyn was hit by a botnet — a network of infected devices. The GitHub attack did not use a botnet; rather, it used another increasingly popular method: memcaching.
What is Memcaching?
A memcached server is a database caching system that speeds up websites and networks by keeping frequently requested data in memory. There are currently over 100,000 memcached servers exposed on the public internet. Obviously, that’s not good.
What the attackers did here was spoof their victim’s IP address. Because these servers require no authentication, an attacker can send small queries designed to elicit much larger responses from the memcached server, which are then delivered to the spoofed address. 50 times larger, to be exact.
This is a type of amplification attack.
The GitHub attack sent a number of internet service and infrastructure providers scrambling to harden their systems as a result of the increased prevalence of these kinds of attacks. Specifically, that means blocking traffic from memcached servers.
Additionally, companies and organizations that have publicly exposed memcached servers were contacted and asked to take them offline and put them behind a firewall on an internal network.
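One way a defender can spot the reflection pattern described above in their own flow records, as an added example that is not code from Hashed Out, GitHub, Akamai or Imperva: because the attacker spoofs the victim’s address, the victim’s logs show a burst of UDP replies from memcached’s port that no local host ever requested. The flow records below are constructed; the memcached default port (11211/udp) is a real value, while the local address prefix and the `Flow` record layout are assumptions made for the sample.

```python
"""Flag unsolicited memcached (UDP/11211) replies in flow records.

Added example for this article; not code from Hashed Out, GitHub,
Akamai or Imperva. The flow records are constructed. The memcached
default port, 11211/udp, is real; the local address prefix and the
record layout are assumptions chosen for the sample.
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211          # memcached default port (real value)
LOCAL_PREFIX = "198.51.100."    # assumed: our own address range


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int


# Constructed sample: three reflectors hammering one host with replies it
# never asked for, a legitimate cache lookup by another host, a DNS reply,
# and a TCP flow from port 11211 (TCP cannot be reflected via spoofing).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", MEMCACHED_PORT, "198.51.100.5", 40000, "udp", 1200, 1740000),
    Flow("203.0.113.11", MEMCACHED_PORT, "198.51.100.5", 40000, "udp", 900, 1305000),
    Flow("203.0.113.12", MEMCACHED_PORT, "198.51.100.5", 40000, "udp", 1500, 2175000),
    Flow("198.51.100.7", 51000, "192.0.2.20", MEMCACHED_PORT, "udp", 10, 600),
    Flow("192.0.2.20", MEMCACHED_PORT, "198.51.100.7", 51000, "udp", 10, 4000),
    Flow("192.0.2.53", 53, "198.51.100.5", 33000, "udp", 5, 900),
    Flow("203.0.113.40", MEMCACHED_PORT, "198.51.100.5", 45000, "tcp", 20, 3000),
]


def unsolicited_memcached_replies(flows, local_prefix=LOCAL_PREFIX):
    """Group inbound UDP flows sourced from port 11211 by victim, keeping
    only those for which no local host sent a matching request.

    In a reflection attack the attacker spoofs the victim's address, so
    the victim's own flow logs show replies without any outbound query."""
    requested = {
        (f.src_ip, f.dst_ip)
        for f in flows
        if f.proto == "udp" and f.dst_port == MEMCACHED_PORT
        and f.src_ip.startswith(local_prefix)
    }
    hits = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port != MEMCACHED_PORT:
            continue                                   # not a memcached UDP reply
        if not f.dst_ip.startswith(local_prefix):
            continue                                   # not aimed at us
        if (f.dst_ip, f.src_ip) in requested:
            continue                                   # we asked; reply is expected
        victim = hits[f.dst_ip]
        victim["reflectors"].add(f.src_ip)
        victim["bytes"] += f.bytes
        victim["packets"] += f.packets
    return dict(hits)


def summarize(hits):
    """Per-victim summary: reflector count, total bytes and mean reply size.
    Many distinct sources sending near-MTU replies is the signature that
    justifies asking upstream to filter 11211/udp toward the victim."""
    return {
        victim: {
            "reflector_count": len(v["reflectors"]),
            "bytes": v["bytes"],
            "avg_packet_bytes": v["bytes"] // v["packets"],
        }
        for victim, v in hits.items()
    }


if __name__ == "__main__":
    for victim, s in summarize(unsolicited_memcached_replies(SAMPLE_FLOWS)).items():
        print(f"{victim}: {s['reflector_count']} reflectors, "
              f"{s['bytes']} bytes, avg {s['avg_packet_bytes']} B/packet")
```

The legitimate lookup from 198.51.100.7 is not flagged because its outbound request to port 11211 is on record, while 198.51.100.5 receives large replies from three servers it never contacted. On a real network the same check is done against NetFlow/IPFIX exports over a short window, and the per-victim reflector count and mean packet size are what you hand to the upstream provider when requesting a filter.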
What’s the Deal with DDoS?
To quickly recap: A DoS attack — a denial of service attack — is an assault that aims to make computer systems unresponsive and unavailable. It does this by flooding the victim’s system with an excess of connections, requests, and other data inputs intended to overload it. A DDoS attack takes this approach to another level by using multiple internet connections and devices to launch a series of simultaneous attacks — a distributed denial of service — rather than using a single computer or internet connection.
Kaspersky Lab research indicates that DDoS attacks jumped significantly in Q1 2019:
“This quarter has been dominated by the coronavirus pandemic, which has shaken up many things in the world, including the DDoS market. Contrary to our forecast in the last report, in Q1 2020 we observed a significant increase in both the quantity and quality of DDoS attacks. The number of attacks doubled against the previous reporting period, and by 80% against Q1 2019. The attacks also became longer: we observed a clear rise in both the average and maximum duration. The first quarter of every year sees a certain spike in DDoS activity, but we did not expect this kind of surge.”
On June 23, Imperva announced in its May 2020 Cyber Threat Index Report that there were “seven major application DDoS attacks over the previous month — two of which lasted 5-6 days.” Each of those seven attacks surpassed 150,000 requests per second (RPS). What makes the two longest attacks even more incredible is that they originated from 28,000 unique IP addresses in one case and 3,000 in the other.
More than four in five of the application DDoS attacks (82%) targeted just three industries:
- News (38%),
- Business (25%) and
- Financial services (19%).
But where were most of the attacks coming from? None other than China (26%), the United States (15%) and the Philippines (7%).
How DDoS Attacks are Measured: Packets vs Bandwidth
As you’ve seen in this article, the largest DDoS attacks are measured in different ways — typically in terms of bandwidth/capacity, measured in bits per second (bps), or forwarding rate, measured in packets per second (PPS). Which of these terms is used can significantly change the meaning of any blanket statement about which attacks are in the running for the title of the biggest DDoS attack in history:
- The former, bandwidth or capacity, refers to the amount of data that can travel through an internet connection in a given time.
- The latter, the packet forwarding rate, refers to the number of packets that network devices can process in a given time.
Large DDoS attacks often try to use both routes of attack, aiming to saturate their victims with high bps attacks (such as Gbps or Tbps) or crash their network devices with high PPS attacks.
How DDoS Attack Routes Are Defined
DDoS attack methods include amplification attacks (NTP, DNS, SSDP, etc.), floods (UDP, SYN, etc.), IP fragmentation, and zero-day attacks. DDoS attacks typically target the victim’s network protocols, bandwidth, and/or application layer, and are measured in packets per second, bits per second, or requests per second (RPS) depending on the area of focus.
In April 2020, Imperva shared that the most targeted network layer attack vectors for the gaming and financial services industries were UDP (36%), SYN (14%) and DNS response (13%).
DDoS attack methods are very distinct and approach the goal of disrupting services from different avenues. What makes discussing DDoS attacks difficult is that companies tend to use different terminology to refer to the same (or similar) concepts. For example, Cisco refers to DDoS attacks in terms of volumetric, application, and low-rate attacks. Imperva, on the other hand, categorizes DDoS attacks as the following:
- A packet per second attack is a DDoS attack that focuses on network protocols such as the transmission control protocol/internet protocol (TCP/IP). The more packets that are forwarded and your system must try to process, the longer it takes and the more resources and network hardware you’ll need. The idea here is that hackers want to thoroughly overwhelm server and intermediate communication equipment resources by making phony protocol requests. These types of PPS attacks include fragmented packet attacks, SYN floods, and “ping of death” attacks.
- A gigabit per second attack is volumetric in nature and uses reflection or amplification techniques (or a botnet of seemingly innocuous connected IoT devices such as baby monitors and security cameras) to “flood” the victim with DNS server responses. The idea here is to utterly saturate the victim’s bandwidth so it can’t process genuine traffic, which can also cause their server(s) to crash.
- A request per second (RPS) attack is an application layer attack and refers to the number of requests that are made of an application. It involves targeting an edge server that is responsible for application execution and overwhelms its CPU and memory to consume its resources so it can’t process anything else.
An attack that once would have been considered the largest DDoS attack on record is now becoming commonplace. Imperva’s research indicates that the company sees DDoS attacks surpassing 500 gigabits per second just about every week. In May 2019, Imperva shared that its DDoS protection service “detected and mitigated 9 massive DDoS attacks against our customers” and that one of the most recent attacks peaked at 652 million packets per second.
While this higher-packet attack rate could be considered the new norm, it doesn’t make it any less depressing or frustrating for companies that are facing these threats on a daily basis.
Bit to Packet Forwarding Rate Metric Conversion
Imperva shares that throughput and forwarding rates aren’t directly convertible. The reason for this is that there is no one-size-fits-all measurement for network packets — they come in a variety of sizes and are transmitted via different interfaces at varying speeds. This means that there is no way to say how many packets make a megabit or gigabit without first knowing the size of an individual network packet, which can vary significantly depending on whether you’re calculating the size of a TCP packet versus an Ethernet packet.
Cisco tries its hand at providing a method of calculation to determine how many packets per second a network link can support:
“To determine p/s, first convert bits to bytes. (There are eight bits in one byte.) Then consider how many bytes exist in each packet. The size of the packet does not have to be a fixed value, but administrators can bound the problem by recognizing that there are both minimum and maximum packet sizes. The minimum size is based on both the IP-defined minimum IP packet size and the Layer 2-defined minimum frame size. The maximum IP packet size is based on the link maximum transmission unit (MTU) for the Layer 2 technology.”
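The arithmetic behind the packets-versus-bandwidth distinction above, and behind Cisco’s bounding method, is short enough to carry through in full. The following is an added example, not code from the article, Cisco or Imperva: it converts between bits per second and packets per second for a given packet size, recovers the mean packet size when both metrics of one attack are reported (GitHub’s 1.35 Tbps at 129.6 million PPS), and bounds the packet rate a bit rate can imply (the 2.3 Tbps AWS event). The 64-byte minimum Ethernet frame and 1500-byte MTU are assumed, standard bounds; the 500 million × 850-byte figure is the article’s own and works out to the 3.4 trillion bits per second noted earlier.

```python
"""Bit-rate / packet-rate arithmetic for sizing DDoS attacks.

Added example; not from the article, Cisco or Imperva. It carries out
the conversion Cisco describes (bits -> bytes -> packets, bounded by
the minimum frame size and the link MTU) and applies it to figures the
article reports. The 64-byte minimum Ethernet frame and the 1500-byte
MTU are assumed, standard bounds.
"""
BITS_PER_BYTE = 8
MIN_FRAME_BYTES = 64        # assumed: minimum Ethernet frame on the wire
MTU_BYTES = 1500            # assumed: link MTU for standard Ethernet


def bits_per_second(pps, packet_bytes):
    """Packet rate -> bit rate for one fixed packet size."""
    return pps * packet_bytes * BITS_PER_BYTE


def packets_per_second(bps, packet_bytes):
    """Bit rate -> packet rate for one fixed packet size (Cisco's method)."""
    return bps / (packet_bytes * BITS_PER_BYTE)


def average_packet_bytes(bps, pps):
    """When both metrics of one attack are reported, recover the mean packet size."""
    return bps / pps / BITS_PER_BYTE


def pps_bounds(bps, min_bytes=MIN_FRAME_BYTES, max_bytes=MTU_BYTES):
    """Bound the packet rate a bit rate implies: MTU-sized packets give
    the fewest packets per second, minimum-size frames give the most."""
    return packets_per_second(bps, max_bytes), packets_per_second(bps, min_bytes)


def human(value, unit):
    """Scale a rate with an SI prefix, e.g. 3.4e12, 'bps' -> '3.40 Tbps'."""
    for prefix in ("", "k", "M", "G", "T"):
        if value < 1000 or prefix == "T":
            return f"{value:.2f} {prefix}{unit}"
        value /= 1000


if __name__ == "__main__":
    # Imperva, January 2019: 500 million packets/s of ~850 bytes each
    print("500 Mpps of 850-byte packets:", human(bits_per_second(500e6, 850), "bps"))
    # GitHub, February 2018: both metrics reported, so the mean size falls out
    size = average_packet_bytes(1.35e12, 129.6e6)
    print(f"GitHub 1.35 Tbps at 129.6 Mpps: about {size:.0f} bytes per packet")
    # AWS, February 2020: only the bit rate is public, so bound the packet rate
    lo, hi = pps_bounds(2.3e12)
    print("2.3 Tbps implies between", human(lo, "pps"), "and", human(hi, "pps"))
```

Run as a script it shows 3.40 Tbps for the Imperva figure, roughly 1302 bytes per packet for GitHub (close to a full-size Ethernet frame, as you would expect from memcached replies), and a range of about 192 million to 4.5 billion packets per second for the AWS event. That last spread is the practical reason vendors report both numbers: the same bit rate made of minimum-size frames is a far harder forwarding problem for routers and firewalls than one made of MTU-sized packets.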
Now that you know what the most recent and largest DDoS attack is and how it was measured, here’s a historical perspective on some of the largest or most famous DDoS attacks in the past five years.
The List of the Most Famous DDoS Attacks — By Year and Month
Want to see some others who have unwittingly competed for the title of sustaining the largest DDoS attacks on record? Check out our timeline to see the progression of the largest and most famous distributed denial of service attacks that have occurred within the past six years (both traffic-based and packet-based attacks):
2020
February — Amazon Web Services (AWS) reported in its Threat Landscape Report for Q1 2020 that it observed and mitigated a 2.3 Tbps DDoS attack that used a UDP reflection vector (CLDAP). Not only is this the largest DDoS attack AWS reports ever facing, it’s also thought to be the largest DDoS attack on record in terms of bit rate.
2019
April — Imperva reports that one of its clients thwarted a DDoS attack that peaked at 580 million packets per second. To date, this is considered the largest DDoS attack by packet volume.
January — Another Imperva client sustained a 500 million packets per second DDoS attack.
2018
March — NETSCOUT reported that its Arbor ATLAS global traffic and DDoS threat detection system confirmed a 1.7 Tbps memcached reflection/amplification attack on an unnamed U.S.-based service provider.
February — The GitHub DDoS attack inundated the company with 1.35 Tbps of data (129.6 million PPS) — the largest DDoS attack on record as of that time — via memcaching. The attackers spoofed GitHub’s IP address and sent small queries to many exposed memcached servers, each of which answered with a response roughly 50 times larger, directed at GitHub.
2017
October — The Czech statistical office websites relating to the Czech Republic’s parliamentary elections — volby.cz and volbyhned.cz — failed temporarily due to DDoS attacks during the vote count.
August — Web host company DreamHost, which was said to host the Nazi Daily Stormer website under its new name Punished Stormer, suffered a DDoS attack of undisclosed size. This attack followed a Department of Justice request for visitor data relating to the Stormer site.
June — Throughout the second half of the year, video game software developer Square Enix’s Final Fantasy XIV online role-playing game (RPG) sustained intermittent DDoS attacks via botnets. The attacks spanned the summer, and another set of attacks occurred during the fall.
2016
October — The Dyn DDoS attack, which measured in at 1.2 Tbps and was considered the largest DDoS attack at the time, brought down much of the internet across the U.S. and Europe. Using the Mirai botnet, the attack targeted Dyn, a company that controls much of the internet’s domain name system (DNS) infrastructure.
September — French web host OVH experienced a DDoS attack measuring in at nearly 1 Tbps. The attackers used a botnet of hacked IoT devices (CCTV cameras and personal video recorders) to launch their attack.
2015
March — GitHub sustained a DDoS attack that was thought to be politically motivated because it focused on two GitHub projects that aimed to provide Chinese citizens with a way to circumvent Chinese state web censorship.
2014
The website for Occupy Central in Hong Kong, which was campaigning for a more democratic voting system, experienced a 500 Gbps DDoS attack that was executed via five botnets. Also targeted were the online news site Apple Daily and PopVote, a mock election site, both of which supported OC’s message.
Have questions or want to share your thoughts about DDoS attacks? Feel free to do so below.
This article was originally written by Patrick Nohe in 2018; it was updated by Casey Crane for 2019 and, most recently, 2020.