Record DDoS pummels site with once-unimaginable 7.3Tbps of junk traffic

https://arstechnica.com/security/2025/06/record-ddos-pummels-site-with-once-unimaginable-7-3tbps-of-junk-traffic/

Dan Goodin Jun 20, 2025 · 3 mins read

Large-scale attacks designed to bring down Internet services by sending them more traffic than they can process keep getting bigger, with the largest one yet, measured at 7.3 terabits per second, being reported Friday by Internet security and performance provider Cloudflare.

The 7.3Tbps attack amounted to 37.4 terabytes of junk traffic that hit the target in just 45 seconds. That's an almost incomprehensible amount of data, equivalent to more than 9,300 full-length HD movies or 7,500 hours of HD streaming content in well under a minute.

Indiscriminate target bombing

Cloudflare said the attackers “carpet bombed” an average of nearly 22,000 destination ports of a single IP address belonging to the target, identified only as a Cloudflare customer. A total of 34,500 ports were targeted, indicating the thoroughness and well-engineered nature of the attack.

The vast majority of the attack was delivered in the form of User Datagram Protocol packets. Legitimate UDP-based transmissions are used in especially time-sensitive communications, such as those for video playback, gaming applications, and DNS lookups. UDP speeds up communications by not formally establishing a connection before data is transferred. Unlike the more common Transmission Control Protocol, UDP doesn't wait for a connection between two computers to be established through a handshake and doesn't check whether data is properly received by the other party. Instead, it immediately sends data from one machine to another.

UDP flood attacks send extremely high volumes of packets to random or specific ports on the target IP. Such floods can saturate the target’s Internet link or overwhelm internal resources with more packets than they can handle.

Since UDP doesn't require a handshake, attackers can use it to flood a targeted server with torrents of traffic without first obtaining the server's permission to begin the transmission. UDP floods typically send large numbers of datagrams to multiple ports on the target system. The target system, in turn, must send an equal number of data packets back to indicate the ports aren't reachable. Eventually, the target system buckles under the strain, resulting in legitimate traffic being denied.

A much smaller portion of the attack, measured at just 0.004 percent, was delivered as reflection attacks. Reflection attacks direct malicious traffic to one or more third-party intermediaries, such as Network Time Protocol services for syncing server clocks. The attacker spoofs the sender IP of the malicious packets to give the appearance they’re being delivered by the final target. When the third party sends a response, it's delivered to the target rather than to the original source of the traffic.

Reflection attacks provide multiple benefits to attackers. For one, such attacks cause the DDoS to be delivered from a wide variety of sources. That makes it harder for targets to defend against the onslaught. Additionally, by choosing intermediary servers known to generate responses that are in some cases thousands of times bigger than the originating request, attackers can magnify the firepower available to them by a thousandfold or more. Cloudflare and other players routinely advise server administrators to lock down servers to prevent them from responding to spoofed packets, but inevitably, many don't heed the advice.

Cloudflare said the record DDoS exploited various reflection or amplification vectors, including the previously mentioned Network Time Protocol; the Quote of the Day Protocol, which listens on UDP port 17 and responds with a short quote or message; the Echo Protocol, which responds with the same data it receives; and Portmapper services used to identify resources available to applications connecting through the Remote Procedure Call.
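For defenders, both traits described above (traffic spread across thousands of destination ports on one IP, and reflected responses arriving from the service ports of intermediaries) can be read out of ordinary flow records. The following is an added example, not code from Cloudflare or from this article; the flow-tuple layout, the `port_spread_threshold` value, and the sample records are assumptions constructed for illustration, and the port numbers other than QOTD's port 17 are the standard assignments for those services.

```python
from collections import defaultdict

# Well-known UDP source ports of the reflection vectors named in the article.
REFLECTOR_PORTS = {7: "Echo", 17: "QOTD", 111: "Portmapper", 123: "NTP"}

def summarize(flows, port_spread_threshold=1000):
    """Per-destination UDP summary; flows are (src_ip, src_port, dst_ip, dst_port, proto, nbytes).
    port_spread_threshold is an assumed tuning value, not a figure from the article."""
    stats = defaultdict(lambda: {"bytes": 0, "dst_ports": set(),
                                 "reflected": defaultdict(int)})
    for src_ip, src_port, dst_ip, dst_port, proto, nbytes in flows:
        if proto != "udp":
            continue
        s = stats[dst_ip]
        s["bytes"] += nbytes
        s["dst_ports"].add(dst_port)
        vector = REFLECTOR_PORTS.get(src_port)
        if vector:
            s["reflected"][vector] += nbytes
    report = {}
    for dst_ip, s in stats.items():
        reflected = sum(s["reflected"].values())
        report[dst_ip] = {
            "udp_bytes": s["bytes"],
            "distinct_dst_ports": len(s["dst_ports"]),
            "carpet_bombing": len(s["dst_ports"]) >= port_spread_threshold,
            "reflected_bytes": dict(s["reflected"]),
            "reflected_share": reflected / s["bytes"] if s["bytes"] else 0.0,
        }
    return report

def constructed_sample():
    """Constructed flow records (documentation address ranges), not real data."""
    flows = []
    # Direct flood: many sources, high source ports, 2,000 distinct destination ports.
    for i in range(2000):
        flows.append((f"198.51.100.{i % 250 + 1}", 40000 + i % 20000, "203.0.113.10", 1000 + i, "udp", 1400))
    # Reflected responses arrive *from* the service port of the intermediary.
    flows.append(("192.0.2.5", 123, "203.0.113.10", 5353, "udp", 468))
    flows.append(("192.0.2.6", 17, "203.0.113.10", 5354, "udp", 120))
    # Normal traffic to an unrelated host: one DNS answer and one TCP flow.
    flows.append(("192.0.2.53", 53, "203.0.113.20", 33000, "udp", 200))
    flows.append(("192.0.2.80", 443, "203.0.113.20", 33001, "tcp", 9000))
    return flows

if __name__ == "__main__":
    for ip, row in summarize(constructed_sample()).items():
        print(ip, row)
```

Matching on source port is a heuristic: a host that legitimately queries NTP servers also receives replies from port 123, so the per-vector byte counts are a starting point for filtering, not proof of reflection.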

Cloudflare said the attack was also delivered through one or more Mirai-based botnets. Such botnets are typically made up of home and small office routers, web cameras, and other Internet of Things devices that have been compromised.

DDoS sizes have continued a steady climb over the past three decades. In March, Nokia reported that a botnet dubbed Eleven11bot delivered a DDoS with a peak of 6.5Tbps. In May, KrebsOnSecurity said it came under a DDoS that peaked at 6.3Tbps.