An attack in waves: An unusual DDoS incident under the microscope

  • Lisa Fröhlich
  • September 29, 2025

Volumetric DDoS attacks typically follow a clear pattern: a brief buildup followed by a sudden peak, often within seconds. The target is flooded with traffic until the attackers exhaust their resources, or a mitigation system takes over. However, in the incident described below, a different scenario unfolded.

Over the course of several hours, one actor attacked three endpoints: two in the same subnet and one in a different infrastructure. Rather than following a simple “fire at will” pattern, the attacks came in waves of short, sometimes inconspicuous peaks, followed by longer phases of relative calm and renewed, stronger surges. The attacker’s staying power was particularly striking. While many campaigns fizzle out after a few minutes, this attack lasted from mid-morning until late afternoon.

Key features of the incident

The analysis revealed several notable data points. The attack involved continuous activity for around five to six hours and hit three endpoints in parallel. The tactic was adaptive: small test waves were sent first, followed by gradual escalation. UDP floods dominated the protocol mix, alongside TCP/HTTPS traffic on port 443. Peaks ranged from tens to several hundred gigabits per second. This approach points to an attacker with significant resources, most likely in control of a botnet that scales automatically.

Dynamics of the attack waves

The first wave of attacks seemed harmless enough, with peaks of around four gigabits per second. However, the situation gradually escalated. Over the following hours, the waves grew larger and more unpredictable, reaching volumes that would overwhelm many unprotected systems. Peaks between 20 and 70 gigabits per second were common, with isolated instances exceeding this range. After hours of seemingly routine waves, peaks in the range of several hundred gigabits to one terabit per second were recorded towards the end of the attack.

Unlike the steady increase and subsequent sustained load typical of ramp-up patterns, the attacker repeatedly allowed the targets to “catch their breath,” only to return abruptly. These pauses looked like probes: the attacker checked how the targets and their defences held up, then raised the intensity.
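The wave pattern described above is what a detector should be built to recognise: short bursts separated by quiet phases, with rising peaks, rather than one sustained plateau. The following Python is an added example, not code from the original post or its author. It assumes a series of peak rates in Gbps per fixed interval (five-minute buckets in the constructed sample), a threshold derived from the pre-attack baseline, and a hold-down so that a brief dip does not end mitigation; the function names, thresholds and the sample series are all assumptions chosen to mirror the escalation the post reports.

```python
"""Wave-pattern detection over a per-interval traffic series.

Added example, not code from the original post. It assumes a list of peak
Gbps values per 5-minute bucket (any fixed interval works) and shows why a
baseline-relative threshold plus a hold-down time catches test waves that a
single static trigger level would ignore.
"""
from dataclasses import dataclass
from statistics import median


@dataclass
class Wave:
    start: int        # index of the first sample at or above threshold
    end: int          # index of the last sample at or above threshold
    peak_gbps: float  # highest sample inside the wave
    gap_before: int   # quiet samples since the previous wave ended (0 for the first)


# Constructed series of per-5-minute peak rates in Gbps (about 3.5 hours);
# invented to mirror the escalation described in the post, not measured data.
SAMPLE_GBPS = (
    [0.3, 0.4, 0.3, 0.5, 0.3, 0.4]          # normal traffic (warm-up window)
    + [4.1, 3.8]                            # first test wave, ~4 Gbps
    + [0.4, 0.3, 0.5, 0.4, 0.3]             # pause
    + [22.0, 26.5, 24.0]                    # second wave
    + [0.5, 0.4, 0.3, 0.4]                  # pause
    + [48.0, 0.6, 70.0, 65.0]               # third wave with a one-sample dip
    + [0.4, 0.3, 0.5, 0.4, 0.3, 0.4]        # longer pause
    + [380.0, 410.0]                        # fourth wave
    + [0.5, 0.4, 0.3]                       # pause
    + [900.0, 1000.0, 0.5, 0.4]             # final surge, then it stops
)


def baseline_threshold(series, warmup, factor=5.0, floor_gbps=1.0):
    """Threshold = factor x median of the warm-up window, never below floor_gbps.
    The median (not the mean) keeps an early burst from inflating the baseline."""
    return max(factor * median(series[:warmup]), floor_gbps)


def segment_waves(series, threshold, min_quiet=3):
    """Group consecutive above-threshold samples into waves.

    A dip shorter than min_quiet samples is treated as part of the same wave,
    so a flapping attacker is not counted as dozens of separate events and
    mitigation is not released the moment the rate drops."""
    waves, in_wave, quiet, last_end = [], False, 0, None
    start = end = gap = 0
    peak = 0.0
    for i, rate in enumerate(series):
        if rate >= threshold:
            if not in_wave:
                in_wave, start, peak = True, i, rate
                gap = 0 if last_end is None else i - last_end - 1
            peak = max(peak, rate)
            end, quiet = i, 0
        elif in_wave:
            quiet += 1
            if quiet >= min_quiet:
                waves.append(Wave(start, end, peak, gap))
                last_end, in_wave, quiet = end, False, 0
    if in_wave:
        waves.append(Wave(start, end, peak, gap))
    return waves


def classify(waves, min_waves=3, escalation=4.0):
    """Label the pattern: several separated waves whose peak grows at least
    `escalation`-fold from first to last is the adaptive, probing behaviour."""
    if not waves:
        return "no attack"
    if len(waves) < min_waves:
        return "single burst"
    ratio = waves[-1].peak_gbps / waves[0].peak_gbps
    return "escalating waves" if ratio >= escalation else "repeated waves"


def waves_seen_by_static(waves, static_gbps):
    """How many waves a fixed trigger level would have noticed at all."""
    return sum(1 for w in waves if w.peak_gbps >= static_gbps)


def recommended_holddown(waves, margin=1):
    """Keep mitigation active at least this many samples after the rate drops:
    the longest pause observed plus a margin, so the 'catch your breath'
    phases do not reset the defence."""
    return max((w.gap_before for w in waves), default=0) + margin


if __name__ == "__main__":
    thr = baseline_threshold(SAMPLE_GBPS, warmup=6)
    waves = segment_waves(SAMPLE_GBPS, thr)
    for w in waves:
        print(f"samples {w.start:2d}-{w.end:2d}  peak {w.peak_gbps:7.1f} Gbps  quiet before: {w.gap_before}")
    print("pattern:", classify(waves))
    print("waves a static 50 Gbps trigger would see:", waves_seen_by_static(waves, 50.0), "of", len(waves))
    print("hold-down (samples):", recommended_holddown(waves))
```

On the constructed series the baseline-relative threshold (1.75 Gbps) finds all five waves, including the 4 Gbps probe, and labels the run “escalating waves”; a static 50 Gbps trigger would have noticed only the last three, after the attacker had already confirmed the targets' behaviour. The hold-down derived from the longest observed pause is what keeps a defence from standing down between waves.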

Technical anomalies in detail

When defending against DDoS attacks, it is important to consider both the volume and the patterns. The following were particularly noticeable:

  • Packet counts: The number of packets per second was exceptionally high. Even with ample bandwidth, firewalls and routers can collapse under this load, because every packet costs a lookup, an ACL check or a state-table entry regardless of its size.
  • Protocol mix: A large proportion of the traffic consisted of classic UDP floods. At the same time, TCP streams on port 443 were observed, suggesting abused proxies or compromised web servers.
  • Packet sizes: The distribution was unusually mixed. Rather than exclusively small packets, packets of various sizes appeared, which points to the use of different attack tools or botnet components.

Origin and infrastructure used

The sources of the attack were widely scattered. Much of the traffic originated in China and India. Addresses from Europe also appeared, including those of well-known carriers and cloud providers. Notably, a comparatively small number of IP addresses delivered a large share of the data. This suggests that powerful servers or compromised virtual machines were involved alongside low-powered IoT devices. Such “powerful bots” can each generate tens of gigabits per second and quickly overwhelm traditional protection mechanisms.
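The indicators listed under the technical anomalies (packet rate next to bit rate, protocol mix, packet-size distribution) and the source concentration described in this section can all be derived from ordinary flow exports. The following Python is an added example, not code or data from the original post or its author. It assumes a NetFlow/IPFIX-style CSV with the fields src, proto, dst_port, packets and bytes covering one ten-second window, uses documentation-range addresses, and treats a destination port of 0 as “many random ports, aggregated”; the field names, thresholds (10% of bytes for a heavy hitter, under 1% for a small source) and the sample flows are assumptions constructed to mirror the post's observations.

```python
"""Feature extraction from flow records for one aggregation window.

Added example, not code or data from the original post. It computes the
indicators the incident analysis relies on: packet rate next to bit rate,
protocol mix, packet-size distribution and how concentrated the traffic is
on a few sources. Field names, thresholds and the sample flows are
assumptions for illustration.
"""
import csv
from collections import Counter
from io import StringIO

WINDOW_S = 10  # seconds the flow records below are assumed to cover

# Constructed NetFlow/IPFIX-style export; addresses come from documentation
# ranges and the counters are invented to mirror the post's observations:
# two heavy hitters sending large UDP packets, two TCP/443 sources, and many
# small sources sending 64-byte UDP packets. dst_port 0 = random ports, aggregated.
FLOWS_CSV = """\
src,proto,dst_port,packets,bytes
203.0.113.10,udp,0,5000000,7000000000
203.0.113.11,udp,0,4000000,5600000000
198.51.100.20,tcp,443,1000000,900000000
198.51.100.21,tcp,443,800000,720000000
192.0.2.1,udp,0,500000,32000000
192.0.2.2,udp,0,500000,32000000
192.0.2.3,udp,0,500000,32000000
192.0.2.4,udp,0,500000,32000000
192.0.2.5,udp,0,500000,32000000
192.0.2.6,udp,0,500000,32000000
192.0.2.7,udp,0,500000,32000000
192.0.2.8,udp,0,500000,32000000
"""


def parse_flows(text):
    """Parse the CSV export into dicts with integer counters."""
    return [
        {"src": r["src"], "proto": r["proto"].lower(), "dst_port": int(r["dst_port"]),
         "packets": int(r["packets"]), "bytes": int(r["bytes"])}
        for r in csv.DictReader(StringIO(text))
    ]


def size_class(mean_packet_bytes):
    """Bucket a flow by its mean packet size."""
    if mean_packet_bytes <= 128:
        return "small"
    return "medium" if mean_packet_bytes <= 1000 else "large"


def profile(flows, window_s=WINDOW_S, heavy_share=0.10, small_share=0.01):
    """Summarise one window. All shares are fractions of the window's totals."""
    total_pkts = sum(f["packets"] for f in flows)
    total_bytes = sum(f["bytes"] for f in flows)
    proto_bytes, size_pkts, size_bytes, src_bytes = Counter(), Counter(), Counter(), Counter()
    for f in flows:
        # label by protocol, and by port where the port carries meaning (here TCP/443)
        label = f["proto"] if f["dst_port"] == 0 else f"{f['proto']}/{f['dst_port']}"
        cls = size_class(f["bytes"] / f["packets"])
        proto_bytes[label] += f["bytes"]
        size_pkts[cls] += f["packets"]
        size_bytes[cls] += f["bytes"]
        src_bytes[f["src"]] += f["bytes"]
    src_share = {s: b / total_bytes for s, b in src_bytes.items()}
    return {
        "pps": total_pkts / window_s,
        "gbps": total_bytes * 8 / window_s / 1e9,
        "mean_packet_bytes": total_bytes / total_pkts,
        "protocol_mix": {k: v / total_bytes for k, v in proto_bytes.items()},
        "size_mix_by_packets": {k: v / total_pkts for k, v in size_pkts.items()},
        "size_mix_by_bytes": {k: v / total_bytes for k, v in size_bytes.items()},
        "sources": len(src_bytes),
        "top2_share": sum(b for _, b in src_bytes.most_common(2)) / total_bytes,
        # "powerful bots": single sources carrying at least heavy_share of all bytes
        "heavy_hitters": sorted(s for s, sh in src_share.items() if sh >= heavy_share),
        # the long tail of weak devices, each below small_share of all bytes
        "small_sources": sum(1 for sh in src_share.values() if sh < small_share),
    }


if __name__ == "__main__":
    p = profile(parse_flows(FLOWS_CSV))
    print(f"{p['pps']:,.0f} pps at {p['gbps']:.2f} Gbps, mean packet {p['mean_packet_bytes']:.0f} B")
    print("protocol mix (bytes):", {k: round(v, 3) for k, v in p["protocol_mix"].items()})
    print("size classes by packets:", {k: round(v, 3) for k, v in p["size_mix_by_packets"].items()})
    print("size classes by bytes:  ", {k: round(v, 3) for k, v in p["size_mix_by_bytes"].items()})
    print(f"{p['sources']} sources, top two carry {p['top2_share']:.1%}; "
          f"heavy hitters: {p['heavy_hitters']}; small sources: {p['small_sources']}")
```

The two size views are the point: in the constructed window the eight small sources account for about 27% of all packets but under 2% of the bytes, so a bandwidth-only threshold underestimates the per-packet load on firewalls and routers, while the two heavy hitters alone carry roughly 87% of the bytes, the “few addresses, large volumes” signature of compromised servers or VMs rather than IoT devices.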

Lessons for businesses

This attack demonstrates that DDoS actors do not rely solely on brute force; rather, they vary and test their methods over long periods of time. For businesses, this means their defence mechanisms must be flexible. It is also important to realize that defending against volumetric DDoS attacks is not a sprint but a marathon. This incident makes it clear that network resilience is not created by rigid walls, but by the ability to learn and adapt continuously – much like the attackers.

Would you like to know how prepared your company is for such attacks? Get in touch with us! We can help you analyse and develop customized defence strategies and practical plans. 
