Content distribution network Cloudflare has reported mitigating the largest distributed denial-of-service (DDoS) attack seen to date.
The attack by unknown perpetrators, observed in September, was part of a bigger campaign of more than 100 attacks that constantly exceeded three terabits per second (Tbps) and peaked at 3.8 Tbps, the highest value for a network layer DDoS attack that has been publicly reported.
“We have observed this attack campaign targeting multiple customers in the financial services, internet, and telecommunication industries, among others,” Cloudflare said. “This attack campaign targets bandwidth saturation as well as resource exhaustion of in-line applications and devices.”
Cloudflare described the September attacks as hyper-volumetric, meaning the attackers were focused on the number, or volume, of packets being sent rather than their size. They also said they were Layer 3 and Layer 4 attacks that primarily targeted one specific UDP port.
In the Open Systems Interconnection (OSI) model, Layer 3 refers to the network layer — the core IP stack — and Layer 4 to the transport layer, which covers data transmission protocols such as transmission control protocol (TCP) and user datagram protocol (UDP).
Most other communication protocols such as HTTP, FTP, and IMAP encapsulate their messages into UDP or TCP packets. These are known as application layer protocols, or Layer 7 in the OSI model.
DDoS attacks are also categorized as using this model in network layer attacks (L3/L4) and application layer attacks (L7), exploiting features of the application protocols. The volume of network layer attacks is expressed in either packets per second or the bandwidth consumed in megabits, gigabits, or terabits per second. Application layer attacks are usually expressed in requests per second (rps).
Many of the L3/L4 attacks seen by Cloudflare in September exceeded two billion packets per second (Bpps) and three terabits per second (Tbps) and originated from both compromised web servers and IoT devices such as MikroTik routers and digital video recorders (DVRs). The biggest number of devices sending the rogue traffic were located in Vietnam, Russia, Brazil, Spain, and the US.
The number of packets received by a system can saturate its CPU resources because processing every single packet and reading its header to determine to which interface or service to send it consumes some CPU cycles.
If all available CPU resources are busy processing an unusually large number of bad packets, legitimate packets will be dropped, leading to a denial-of-service condition. Similarly, if the generated bandwidth exceeds the ingress bandwidth available to the target, legitimate traffic will no longer reach the system.
“Defending against attacks that can saturate network bandwidth can be difficult because there is very little that can be done if you are on the downstream side of the saturated pipe,” the Cloudflare researchers said.
“There are really only a few choices: you can get a bigger pipe, you can potentially find a way to move the good traffic to a new pipe that isn’t saturated, or you can hopefully ask the upstream side of the pipe to stop sending some or all of the data into the pipe.”
As the number of vulnerable or poorly secured IoT devices connected to the internet keeps growing, so does the size of DDoS attacks. The more devices that can be enslaved as part of IoT botnets, the more packets per second and bandwidth can be generated. This can further be combined with reflection and amplification techniques that certain protocols allow.
In 2016, one of the internet’s first IoT botnets, called Mirai, was responsible for an attack against French cloud computing company OVH that peaked at 620 Gbps, making it the biggest DDoS attack recorded until then. That was a sign of things to come.
As companies started moving their infrastructure to the cloud and as the number of IoT botnets replicating Mirai increased, so did the size of DDoS attacks. In 2018, the GitHub repository was the target of a 1.3 Tbps DDoS attack, while in 2020 AWS mitigated an attack that peaked at 2.3 Tbps. In 2021, Microsoft Azure was targeted by a DDoS attack peaking at 3.47 Tbps.
“Many cloud services with insufficient capacity, as well as the use of on-premise equipment, are not sufficient to defend against DDoS attacks of this size, since the high bandwidth utilization that can clog up Internet links and due to the high packet rate that can crash in-line appliances,” the Cloudflare team said.
“Organizations are advised to protect their internet properties with an in-line, always-on, automated DDoS protection service with sufficient global coverage and capacity to absorb and mitigate these hyper-volumetric attacks alongside peak legitimate traffic — whilst avoiding impact to user experience and performance.”