1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

6/20/2020

0 Comments

Amazon Records 2.3 Tbps DDoS Attack, Largest To Date

 
Picture

Amazon Records 2.3 Tbps DDoS Attack, Largest To Date

Amazon recently revealed that it detected and mitigated the largest distributed denial-of-service (DDoS) attack to date, targeting one of Amazon Web Services (AWS) customers.

In the "AWS Shield Threat Landscape Report – Q1 2020", Amazon said its threat protection service called "AWS Shield" detected and mitigated a DDoS attack in one of AWS customers with a previously unseen volume of 2.3 Tbps (terabytes per second). TBps refers to a data transmission rate equivalent to 1,000 gigabytes or 1,000,000,000,000 bytes per second.

In March 2018, NETSCOUT Arbor reported that it detected and mitigated the previous record holder for the largest DDoS attack which peaked at 1.7 Tbps, an attack targeted at a customer of a U.S. based service provider. The 1.7 Tbps DDoS attack came just heels after the previous record holder of the largest DDoS attack – an attack that specifically targeted GitHub in February 2018.

The AWS DDoS Attack

In a DDoS attack, multiple computers act as one unit to attack one target. Attackers often hijack and take control of vulnerable computers for the purpose of DDoS attacks by taking advantage of the security vulnerabilities or misconfigurations on these computers.

According to Amazon, the DDoS attack that targeted one of the company's AWS customers "caused 3 days of elevated threat during a single week in February 2020 before subsiding". Amazon said that the unnamed DDoS attacker or attackers utilized an amplification technique that takes advantage of the Connectionless Lightweight Directory Access Protocol (CLDAP) in launching the DDoS attack.

CLDAP is a cross-platform protocol and often used on Microsoft Active Directory networks to retrieve server information. From October 2016 to January 2017, Akamai reported that it detected and mitigated a total of 50 CLDAP reflection attacks, 33 of which exclusively used CLDAP reflection.

On January 7, 2017, Akamai said it detected and mitigated the largest DDoS attack using CLDAP reflection as the sole vector at the time, reaching peak bandwidth of 24 gigabytes per second (GBps), and peak packets per second of 2 million packets per second. Akamai added that the CLDAP protocol allows DDoS attacks to amplify 56 to 70 times.

"The query payload is only 52 bytes ...," Akamai said regarding thisJanuary 7, 2017 CLDAP reflection DDoS attack. "This means that, the Base Amplification Factor (baf) for the attack data payload of 3,662 bytes, and a query payload of 52 bytes, was 70x, although only one host was revealed to exhibit that response size. Post attack analysis showed that the average amplification during this attack was 56.89x."

The DDoS attack detected and mitigated by NETSCOUT Arbor and the DDoS attack on GitHub in 2018, meanwhile, were launched by taking advantage of internet-exposed Memcached protocol – a general-purpose distributed memory-caching system. Attack vectors of the topmost DDoS attacks are often used by DDoS-for-hire services in launching DDoS attacks.

In the case of the DDoS attack on GitHub, the amplification factor reached up to 51 times, which means that for each byte sent by the DDoS attacker, up to 51KB is sent toward the target. At the time of the GitHub DDoS attack, Shodan – a search engine that allows users to find specific types of computers connected to the internet using filters – reported 88,000 internet-exposed memcached servers.

In 2018, DDoS-for-hire services took advantage of the close to 100,000 memcached servers exposed to the internet. Since 2016 also, DDoS-for-hire services have been taking advantage of exposed CLDAP protocol.

In taking advantage of vulnerable computers with higher amplification or reflection factor, significant attack bandwidth can be produced with fewer compromised computers. Taking advantage of servers using CLDAP protocol and memcached protocol for reflection/amplification DDoS attacks work the same by sending spoofed requests to a vulnerable server, which then responds with a larger amount of data than the initial spoofed request, amplifying the volume of traffic.

Preventive and Mitigating Measures Against DDoS Attacks

DDoS attacks that are taking advantage of the CLDAP protocol start with servers that are exposed to the internet with port 389 open and listening. DDoS attackers simply scan the internet for these open port 389 and add these to a list of amplifiers or reflectors.

Don't be a part of the bigger DDoS reflection/amplification problem. If your organization doesn't need the CLDAP protocol, close this DDoS amplification egress by not exposing this protocol to the internet, that is, by blocking port 389. In the case of DDoS attacks taking advantage of exposed memcached servers, one of the prevented measures in preventing attackers in hijacking memcached servers for DDoS attacks is by disabling UDP.

Most often, however, DDoS attacks don’t reach the terabyte. According to Amazon, most of the DDoS events involving CLDAP protocol in the first quarter of 2020 was 43 Gbps.

While many DDoS attacks are non-terabyte attacks, such attacks still disrupt normal business operations and denying legitimate users access to victims’ IT infrastructure. Imperva’s 2019 Global DDoS Threat Landscape Report showed that most DDoS attacks were short, with 51% lasting less than 15 minutes. While most DDoS attacks were short, Imperva reported that the vast majority of DDoS attacks were persistent and aimed at the same targets. “Attackers either launched DDoS assaults in short streaks – two-thirds of targets were attacked up to five times – or were ultra-persistent, with a quarter of targets attacked 10 times or more,” Imperva reported.

When you need help, our team of experts is a phone call away. To mitigate the risks of DDoS attacks, call today 1.888.900.DRIZ (3749) or contact us online.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit