Thought leadership. threat analysis, news and alerts.
Amazon Records 2.3 Tbps DDoS Attack, Largest To Date
Amazon recently revealed that it detected and mitigated the largest distributed denial-of-service (DDoS) attack to date, targeting one of Amazon Web Services (AWS) customers.
In the "AWS Shield Threat Landscape Report – Q1 2020", Amazon said its threat protection service called "AWS Shield" detected and mitigated a DDoS attack in one of AWS customers with a previously unseen volume of 2.3 Tbps (terabytes per second). TBps refers to a data transmission rate equivalent to 1,000 gigabytes or 1,000,000,000,000 bytes per second.
In March 2018, NETSCOUT Arbor reported that it detected and mitigated the previous record holder for the largest DDoS attack which peaked at 1.7 Tbps, an attack targeted at a customer of a U.S. based service provider. The 1.7 Tbps DDoS attack came just heels after the previous record holder of the largest DDoS attack – an attack that specifically targeted GitHub in February 2018.
The AWS DDoS Attack
In a DDoS attack, multiple computers act as one unit to attack one target. Attackers often hijack and take control of vulnerable computers for the purpose of DDoS attacks by taking advantage of the security vulnerabilities or misconfigurations on these computers.
According to Amazon, the DDoS attack that targeted one of the company's AWS customers "caused 3 days of elevated threat during a single week in February 2020 before subsiding". Amazon said that the unnamed DDoS attacker or attackers utilized an amplification technique that takes advantage of the Connectionless Lightweight Directory Access Protocol (CLDAP) in launching the DDoS attack.
CLDAP is a cross-platform protocol and often used on Microsoft Active Directory networks to retrieve server information. From October 2016 to January 2017, Akamai reported that it detected and mitigated a total of 50 CLDAP reflection attacks, 33 of which exclusively used CLDAP reflection.
On January 7, 2017, Akamai said it detected and mitigated the largest DDoS attack using CLDAP reflection as the sole vector at the time, reaching peak bandwidth of 24 gigabytes per second (GBps), and peak packets per second of 2 million packets per second. Akamai added that the CLDAP protocol allows DDoS attacks to amplify 56 to 70 times.
"The query payload is only 52 bytes ...," Akamai said regarding thisJanuary 7, 2017 CLDAP reflection DDoS attack. "This means that, the Base Amplification Factor (baf) for the attack data payload of 3,662 bytes, and a query payload of 52 bytes, was 70x, although only one host was revealed to exhibit that response size. Post attack analysis showed that the average amplification during this attack was 56.89x."
The DDoS attack detected and mitigated by NETSCOUT Arbor and the DDoS attack on GitHub in 2018, meanwhile, were launched by taking advantage of internet-exposed Memcached protocol – a general-purpose distributed memory-caching system. Attack vectors of the topmost DDoS attacks are often used by DDoS-for-hire services in launching DDoS attacks.
In the case of the DDoS attack on GitHub, the amplification factor reached up to 51 times, which means that for each byte sent by the DDoS attacker, up to 51KB is sent toward the target. At the time of the GitHub DDoS attack, Shodan – a search engine that allows users to find specific types of computers connected to the internet using filters – reported 88,000 internet-exposed memcached servers.
In 2018, DDoS-for-hire services took advantage of the close to 100,000 memcached servers exposed to the internet. Since 2016 also, DDoS-for-hire services have been taking advantage of exposed CLDAP protocol.
In taking advantage of vulnerable computers with higher amplification or reflection factor, significant attack bandwidth can be produced with fewer compromised computers. Taking advantage of servers using CLDAP protocol and memcached protocol for reflection/amplification DDoS attacks work the same by sending spoofed requests to a vulnerable server, which then responds with a larger amount of data than the initial spoofed request, amplifying the volume of traffic.
Preventive and Mitigating Measures Against DDoS Attacks
DDoS attacks that are taking advantage of the CLDAP protocol start with servers that are exposed to the internet with port 389 open and listening. DDoS attackers simply scan the internet for these open port 389 and add these to a list of amplifiers or reflectors.
Don't be a part of the bigger DDoS reflection/amplification problem. If your organization doesn't need the CLDAP protocol, close this DDoS amplification egress by not exposing this protocol to the internet, that is, by blocking port 389. In the case of DDoS attacks taking advantage of exposed memcached servers, one of the prevented measures in preventing attackers in hijacking memcached servers for DDoS attacks is by disabling UDP.
Most often, however, DDoS attacks don’t reach the terabyte. According to Amazon, most of the DDoS events involving CLDAP protocol in the first quarter of 2020 was 43 Gbps.
While many DDoS attacks are non-terabyte attacks, such attacks still disrupt normal business operations and denying legitimate users access to victims’ IT infrastructure. Imperva’s 2019 Global DDoS Threat Landscape Report showed that most DDoS attacks were short, with 51% lasting less than 15 minutes. While most DDoS attacks were short, Imperva reported that the vast majority of DDoS attacks were persistent and aimed at the same targets. “Attackers either launched DDoS assaults in short streaks – two-thirds of targets were attacked up to five times – or were ultra-persistent, with a quarter of targets attacked 10 times or more,” Imperva reported.
Steve E. Driz, I.S.P., ITCP