Record-setting distributed denial-of-service attacks continue to arrive, with two mitigation services reporting that they encountered some of the largest data bombardments ever, carried out by threat actors whose tactics and techniques are constantly evolving.
On Monday, Imperva said it defended a customer from an attack that lasted more than four hours and peaked at over 3.9 million requests per second (RPS).
In all, the attackers directed 25.3 billion requests at the target, at an average rate of 1.8 million RPS. Although DDoSes greater than 1 million RPS are becoming more common, they typically occur in shorter bursts that last seconds or at most minutes.
A huge botnet
“[The] attackers used HTTP/2 multiplexing, or the combination of multiple packets into one, to send multiple requests simultaneously on single connections,” wrote Imperva’s Gabi Stapel. “This technique can shrink servers using limited resources and such attacks are extremely difficult to detect.”
Stapel said the attack would likely have peaked at an even higher rate had it not been thwarted by Akamai’s mitigation service. The DDoS target was a Chinese telecommunications company that had been attacked earlier.
The attack originated from a botnet of compromised routers, security cameras and servers connected to nearly 170,000 different IP addresses. The IP addresses were located in more than 180 countries, with the United States, Indonesia, and Brazil the most common. Some of the botnet devices were hosted on various public clouds, including those offered by security service providers.
The arms race continues
Last week, Akamai said it recently defended a customer in Eastern Europe from a record attack of 704.8 million packets per second. The same customer, Akamai said, had already set a record in July when it suffered a DDoS at 659.6 Mpps from the same threat actor.
The latest attack sprayed packets at six global locations that the target maintains, from Europe to North America.
“The command and control system of the attackers was quick to activate the multi-target attack, which increased in 60 seconds from 100 to 1,813 active IPs per minute,” wrote Akamai’s Craig Sparling. “These IPs were spread across eight distinct subnets in six distinct locations. Such a distributed attack could drown a security team unprepared for alerts, making it difficult to assess the severity and extent of the intrusion, let alone combat the attack.”
DDoS attacks can be measured in a number of ways, including the volume of data, the number of packets, or the number of requests sent every second. Current records include 3.4 terabits per second for volumetric DDoSes, which attempt to consume all available bandwidth for the destination, 809 million packets per second, and 17.2 million RPS. The last two records measure the power of application layer attacks, which attempt to deplete the compute resources of a target’s infrastructure.
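An added example, not from the article or from either vendor: it measures requests per second and new connections per second over constructed log records, showing how a client that multiplexes HTTP/2 requests on one connection drives RPS up while the connection rate stays flat. The record layout and the 50-requests-per-second-per-connection threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records: (epoch_second, source_ip, connection_id, h2_stream_id).
# The field layout is an assumption; real proxies log these under their own names.
def build_sample():
    records = []
    # One client opens a single connection and multiplexes 200 requests in 2 seconds.
    for i in range(200):
        records.append((1000 + i // 100, "198.51.100.7", "c1", 1 + 2 * i))
    # Three ordinary clients: one connection each, one request per second.
    for n, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        for i in range(3):
            records.append((1000 + i, ip, f"n{n}", 1 + 2 * i))
    return records

def summarize(records):
    """Return (peak RPS, peak new connections per second, per-connection peak RPS)."""
    rps = Counter()
    first_seen = {}
    per_conn = defaultdict(Counter)
    for ts, ip, conn, _stream in records:
        rps[ts] += 1
        first_seen.setdefault((ip, conn), ts)   # second in which the connection appeared
        per_conn[(ip, conn)][ts] += 1           # requests carried by this connection
    new_conns = Counter(first_seen.values())
    conn_peak = {k: max(c.values()) for k, c in per_conn.items()}
    return max(rps.values()), max(new_conns.values()), conn_peak

def flag_multiplexed(records, max_rps_per_conn=50):
    """Connections whose request rate exceeds the (hypothetical) threshold."""
    _, _, conn_peak = summarize(records)
    return sorted(k for k, peak in conn_peak.items() if peak > max_rps_per_conn)

if __name__ == "__main__":
    recs = build_sample()
    peak_rps, peak_cps, _ = summarize(recs)
    # A limit on new connections per second sees 4; the request rate is far higher.
    print("peak RPS:", peak_rps, "peak new connections/s:", peak_cps)
    print("flagged:", flag_multiplexed(recs))
```

Counting per connection rather than per new connection is what exposes the multiplexing client; a limit keyed only on connection setup would treat it the same as the three ordinary clients.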
The ever-increasing numbers underscore the arms race between attackers and defenders as each attempts to outdo the other. These record numbers are unlikely to stop anytime soon.