The biggest threat to many companies is not the actions of a single hacker, but a network of compromised devices controlled from a remote location. A constant stream of data packets is hurled at your systems by thousands of attackers from all over the world. One of our customers was subjected to this threat in the form of a massive DDoS attack. This attack deserves special attention due to its size, speed and complexity.
The attack lasted for several days and was characterized by unprecedented speed and intensity. As the following graph shows, the data rate rose from 25 Mbit/s to an impressive level of 163,000 Mbit/s in just two minutes. This rapid escalation can overwhelm even high-performance networks and illustrates the increasing complexity and professionalism of cyber attacks.
The geographic distribution of the attack across 146 countries, with a particularly high proportion from Russia (21%), suggests a well-organized and far-reaching botnet. The distribution of attack traffic across various scrubbing centers, including locations in Asia and North America, illustrates the complexity of the attack routes. That even less heavily used locations such as Hong Kong and New York received attack traffic suggests a high degree of planning and coordination.
This geographic diversity makes it difficult both to trace the origin of the attack and to determine the attackers' exact motives. The strikingly wide distribution of sources (a large proportion from "other" countries) suggests that the attackers deliberately tried to cover their tracks. Nevertheless, the geographical distribution could be an indication that the attack was politically motivated.
The technical details of the attack were as follows:
UDP floods: a large number of UDP packets were sent to random or specific ports with the aim of saturating network links and exhausting server resources. The User Datagram Protocol (UDP) is connectionless and requires no confirmation of receipt, so the target has to process every packet that arrives. The observable effects were a high rate of packet loss, difficulty processing legitimate packets and the risk of a service crash.
DNS amplification: DNS queries with a spoofed source IP address (that of the target) were sent to public DNS resolvers, which then directed a large volume of response data at the target. The observable effects were a multiplied volume of data traffic and an overload of the target and potentially of the DNS resolvers as well.
IP fragmentation: large data packets were split into smaller fragments to make packet filtering more difficult. This increases CPU utilization on the target system, which must reassemble the fragments, and makes attack patterns harder to detect.
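As an added illustration (not code from the original post or its author), the following Python script shows how a defender could spot the three signatures described above in flow records: the sudden rate escalation, unsolicited large DNS responses from resolvers that were never queried, and a high share of fragmented packets. The flow record layout and all sample values are constructed for this example.

```python
from collections import defaultdict, namedtuple

# One flow record: ts = second observed, byts = bytes, frag = carried IP fragments
Flow = namedtuple("Flow", "ts src sport dst dport proto pkts byts frag")

def mbit_per_second(flows):
    """Inbound bit rate per one-second bucket, in Mbit/s."""
    per_sec = defaultdict(int)
    for f in flows:
        per_sec[f.ts] += f.byts * 8
    return {t: bits / 1_000_000 for t, bits in sorted(per_sec.items())}

def rate_escalation(rates, factor=10.0):
    """First (previous, current) bucket pair where the rate grows more than
    `factor` times; a ramp like the post's 25 -> 163,000 Mbit/s trips this."""
    prev_t, prev_r = None, 0.0
    for t, r in rates.items():
        if prev_r and r > prev_r * factor:
            return (prev_t, t)
        prev_t, prev_r = t, r
    return None

def unsolicited_dns_responses(inbound, outbound, min_avg_bytes=512):
    """DNS amplification indicator: UDP traffic from source port 53 sent by
    resolvers we never queried, with a large average packet size."""
    queried = {f.dst for f in outbound if f.proto == "udp" and f.dport == 53}
    return [f.src for f in inbound
            if f.proto == "udp" and f.sport == 53
            and f.src not in queried and f.byts / f.pkts >= min_avg_bytes]

def fragment_ratio(inbound):
    """Share of inbound packets that arrived as IP fragments."""
    frag = sum(f.pkts for f in inbound if f.frag)
    total = sum(f.pkts for f in inbound)
    return frag / total if total else 0.0

# Constructed sample flows (not real telemetry): one quiet second, then a burst
# of unsolicited, fragmented DNS responses plus a small UDP flood to port 9999.
OUTBOUND = [Flow(100, "203.0.113.10", 41000, "198.51.100.53", 53, "udp", 1, 70, False)]
INBOUND = [
    Flow(100, "198.51.100.53", 53, "203.0.113.10", 41000, "udp", 1, 120, False),
    Flow(101, "192.0.2.7", 53, "203.0.113.10", 80, "udp", 400, 1_200_000, True),
    Flow(101, "192.0.2.9", 53, "203.0.113.10", 80, "udp", 300, 900_000, True),
    Flow(101, "192.0.2.20", 4444, "203.0.113.10", 9999, "udp", 200, 12_000, False),
]

if __name__ == "__main__":
    print("escalation between seconds:", rate_escalation(mbit_per_second(INBOUND)))
    print("unsolicited DNS responders:", unsolicited_dns_responses(INBOUND, OUTBOUND))
    print("fragment ratio: %.2f" % fragment_ratio(INBOUND))
```

In production the same checks would run over exported NetFlow/IPFIX records at the network edge or scrubbing center, with thresholds tuned to the site's normal baseline.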
Analysis of the attack patterns suggests that this is a highly organized botnet with over 70,000 compromised devices. The immense number of infected machines, distributed across numerous Internet service providers worldwide, underscores the professional nature of the attack. The highly diversified origin of the attack vectors makes identifying and isolating the botnet considerably more difficult. It can be assumed that the attackers have access to an extensive infrastructure that enables them to maintain their activities over a longer period of time and to conceal their identity.
The reasons for this large-scale attack are varied and could be financially or politically motivated. Possible scenarios include:
Defending against this attack posed a significant challenge. The combination of UDP floods, DNS amplification and fragmented packets made it difficult to isolate and block the attack, and the large number of small packets made it harder to separate legitimate traffic. The attackers apparently tried to overload the defense systems and spread the attack as broadly as possible. The distribution of sources across many countries and the use of a large number of IP addresses illustrate the complexity of the attack and the difficulty of identifying the attackers.
This DDoS attack illustrates the growing threat posed by cyber attacks. Companies must therefore continuously adapt their security measures to current conditions and invest in robust DDoS protection. Close cooperation with experienced security experts is essential.
Do you want to effectively protect your company from DDoS attacks? We offer comprehensive solutions to secure your IT infrastructure. Contact us today for a personalized consultation.