Amazon Web Services Inc. today revealed that it managed to mitigate a 2.3 terabytes-per-second distributed denial-of-service attack in February, the largest DDoS attack ever recorded.
Detailed in the AWS Shield Threat Landscape Report - Q1 2020, the attack lasted three days, with those behind it unsuccessful in knocking Amazon cloud services offline.
The attack was a so-called Connection-less Lightweight Directory Access Protocol (CLDAP) reflection-based attack. A CLDAP reflection attack involves an attacker sending a CLDAP request to an LDAP server with a spoofed sender IP address — the target’s IP address. The server sends a bulked-up response to the target’s IP address, causing the reflection attack, hence the name.
The ultimate aim, as with all DDoS attacks, is to flood the target with a massive amount of data to disrupt normal traffic, making the website or app hosted on the server unresponsive.
While specifically mentioning the attack, the AWS report notes that smaller network volumetric events are far more common. The 99th-percentile event in the first quarter of 2020 is said to have been 43 gigabytes per second.
The report also notes that after CLDAP reflection attacks, the second-most common DDoS vector observed by AWS in the first quarter was SYN flood attacks. A SYN flood is a form of DoS attack in which an attacker sends repeated SYN packets to every port on a targeted server, often using a fake IP address.
According to Imperva, the server, unaware of the attack, receives multiple, apparently legitimate requests to establish communication. It responds to each attempt with a SYN-ACK packet from each open port, eventually causing the server’s connection overflow tables to fill and thus denying access to legitimate clients.
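The two vectors described above leave distinct traces on the receiving side: CLDAP replies that no local host asked for, and SYNs that are never followed by an ACK. The following detection sketch is an added example, not code from the AWS report or from this article; the flow-record layout, the thresholds and every IP address (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict

CLDAP_PORT = 389  # CLDAP is LDAP over UDP

def sample_flows():
    """Constructed records: (proto, src, sport, dst, dport, tcp_flags, bytes)."""
    flows = [("udp", "192.0.2.10", 40000, "198.51.100.5", 389, "", 60),   # real query
             ("udp", "198.51.100.5", 389, "192.0.2.10", 40000, "", 900)]  # its reply
    for i in range(20):    # replies 192.0.2.10 never asked for, from 20 servers
        flows.append(("udp", f"203.0.113.{i + 1}", 389, "192.0.2.10", 50000 + i, "", 3000))
    for i in range(200):   # SYNs to 192.0.2.20 that are never followed by an ACK
        flows.append(("tcp", f"198.51.100.{i + 10}", 1024 + i, "192.0.2.20", 443, "S", 60))
    for i in range(5):     # completed handshakes to 192.0.2.30
        flows.append(("tcp", "203.0.113.99", 2000 + i, "192.0.2.30", 443, "S", 60))
        flows.append(("tcp", "203.0.113.99", 2000 + i, "192.0.2.30", 443, "A", 52))
    return flows

def detect(flows, min_reflectors=10, min_half_open=100):
    """Return sorted alerts for unsolicited CLDAP replies and half-open SYNs."""
    queried = set()                # (client, server) pairs that sent a CLDAP query
    reflectors = defaultdict(set)  # victim -> servers sending unsolicited replies
    refl_bytes = defaultdict(int)  # victim -> bytes of unsolicited replies
    syn = defaultdict(set)         # target -> connections that sent a SYN
    acked = defaultdict(set)       # target -> connections that later sent an ACK
    for proto, src, sport, dst, dport, flags, size in flows:
        if proto == "udp" and dport == CLDAP_PORT:
            queried.add((src, dst))
        elif proto == "udp" and sport == CLDAP_PORT:
            if (dst, src) not in queried:   # reply with no matching query
                reflectors[dst].add(src)
                refl_bytes[dst] += size
        elif proto == "tcp" and flags == "S":
            syn[dst].add((src, sport, dport))
        elif proto == "tcp" and flags == "A":
            acked[dst].add((src, sport, dport))
    alerts = []
    for victim, servers in reflectors.items():
        if len(servers) >= min_reflectors:
            alerts.append(("cldap_reflection", victim, len(servers), refl_bytes[victim]))
    for target, conns in syn.items():
        half_open = len(conns - acked[target])
        if half_open >= min_half_open:
            alerts.append(("syn_flood", target, half_open))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert)
```

The solicited CLDAP reply and the completed handshakes in the sample produce no alert, which is the distinction a rule based on port or SYN counts alone would miss.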
The previous known record for a DDoS attack was an attack that targeted GitHub Inc. in March 2018, which peaked at 1.2 Tbps.
With computing power growing, so too is the size of DDoS attacks. If not for the AWS 2.3Tbps DDoS attack, the new record would actually involve a web host supported by Akamai Technologies Inc. in June.
A new report published by Fahmida Y. Rashid at Duo Security details a DDoS attack targeting a website hosted by a hosting provider that peaked at 1.44 Tbps, the largest Akamai has ever seen. The main attack lasted for an hour and a half, with smaller attacks targeting the website later.
Similar to the AWS report, these attacks involved volumetric attacks and floods of ACK, SYN, UDP, NTP, TCP reset and SSDP packets, multiple botnet attack tools and CLDAP reflection.