Distributed Denial of Service Attacks are getting larger in terms of bandwidth almost every month. But the month of July was unusual. Akamai Technologies, a provider of CDN, Internet security and cloud services, claims to have blocked the largest ever DDoS attack recorded in Europe. The DDoS attacks, which targeted an Eastern Europe customer 75 times last month over a 30-day period, were conducted by a sophisticated and well-coordinated global botnet of high-bandwidth IoT devices. The attackers had complete control of the attack and could evenly distribute the traffic across the botnet, to create high traffic volume.
A DDoS attack uses a botnet comprising thousands of compromised devices, to send malicious network traffic to a targeted server or online resource. The intent is to overwhelm the target with traffic so that it is unable to accept legitimate requests from users, and becomes inaccessible to the public.
Akamai said the attacks peaked on July 21; over a 14-hour period, it peaked twice: 659.6 Mpps at 4:44 AM UTC and 853.7 Gbps at 6:40 PM UTC. Akamai declined to name the customer or the industry.
Dean Houari, director of security technology and strategy – APJ, Akamai Technologies said the reach of these attackers is global and that these attacks were conducted through a distributed botnet of “high bandwidth” IoT devices. He said it was a sustained attack over a 30-day period.
“The attackers were able to evenly distribute the traffic attack volume across their botnet. This contributed to creating record-high traffic volume. We have attackers leveraging botnets but these attacks had complete control on how traffic is generated and distributed across the world,” said Houari.
On its blog post, Akamai said the victim was targeted with horizontal attacks consisting of UDP, UDP fragmentation, ICMP flood, RESET flood, SYN flood, TCP anomaly, TCP fragment, PSH ACK flood, FIN push flood, and PUSH flood, among others. It said UDP was “the most popular vector” observed in both record spikes.
Houari said the attack was well distributed across all Akamai’s DDoS “scrubbing centers” around the world such that none of these centers received more than 100 Gbps of traffic – indicating that the attacker had full control of the IoT devices on the botnet across the world, enabling such a record high volumetric attack.
A scrubbing center is a centralized data cleansing station where traffic is analyzed and malicious traffic directed from DDoS and other types of attacks is removed. Scrubbing centers are typically used by ISPs and Cloud providers.
See also: How to Block a Massive DDoS Attack
Previous DDoS Attacks
DDoS attacks became frequent this year. In June, Cloudflare, a content delivery network and DDoS mitigation company, reported that a botnet named Mantis was targeting its customers with “record-breaking attacks” of 26 million requests per second. And in April, Cloudflare reported that it mitigated a previous record-breaking attack of 15.3 million requests per second, then one of the largest HTTPS DDoS attacks on record.
Last September, the Mēris botnet was responsible for hitting Russian internet giant Yandex with 21.8 million RPS (requests per second).
Omer Yoachimik, Product Manager, Cloudflare said the quantity of DDoS attacks tend to be seasonal, aligned with geopolitical events around the world and also correlates to the rise of new botnets.
“While it’s hard to say for sure, because of the distributed nature of DDoS attacks, it may well be tied to events such as the war in Ukraine and additional global events such as elections and even new online game releases,” said Yoachimik.
In April, Kaspersky released a report saying that DDoS attacks hit an all-time high in the first quarter of 2022, jumping 46% quarter-over-quarter, with the number of targeted attacks increasing 81%. This is a 4.5-fold rise compared to the same period last year. Kaspersky said the expanding DDoS landscape during the first quarter was influenced by Russia’s invasion of Ukraine.
“In the Ukraine-Russia cyberspace, we can see that the war on the ground is accompanied by attacks targeting the spread of information. DDoS attacks target media outlets and publishing companies on both sides of the war to try and stop the spread of information,” said Yoachimik.
Kaspersky researchers say in their report that it is “highly unlikely that we will see a decline in DDoS activity before the end of hostilities in Ukraine.”
