DDoS attacks hit a record-breaking 1.7Tbps

09 March 2018 | Natalie Bannerman

Distributed denial-of-service (DDoS) attacks hit their peak this month with the two biggest recorded attacks to date.

Code repository GitHub was the first platform to be attacked this year. On 1 March, a staggering 1.35Tbps of traffic hit the site at once. According to Wired, GitHub experienced a few intermittent outages once the attack began, but within 10 minutes it had automatically called for help from Akamai Prolexic, its DDoS mitigation service. Prolexic then took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centres to weed out and block malicious packets. After eight minutes, the attackers relented and the attacks stopped.

“We modelled our capacity based on five times the biggest attack that the internet has ever seen,” Josh Shaul, vice president of web security at Akamai, told Wired. “So I would have been certain that we could handle 1.3Tbps, but at the same time we never had a terabit and a half come in all at once. It’s one thing to have the confidence. It’s another thing to see it actually play out how you’d hope.”

Speaking exclusively to Capacity, Archana Kesavan, senior product marketing manager at ThousandEyes, the network intelligence start-up, said: “The attack was exceptional in the history of DDoS attacks. It was the most powerful DDoS attack recorded, with 1.3 Tbps of attack traffic. However, within 24 hours, GitHub was struck with another DDoS attack. And based on seeing a wider geographic impact, it seems to have had an even broader impact on user communities.”

Figure: Akamai DDoS attack graph, 2018. Source: Akamai

A few days later, on 5 March, Netscout Arbor reported an even bigger DDoS attack against an unnamed US service provider. The provider underwent an attack that reached 1.7Tbps in traffic. Speaking to eWEEK, Carlos Morales, vice president of Arbor's Security Engineering and Response Team, said: "The attack was targeted to a single customer of the service provider. There is no indication that there were any demands."

Both attacks were down to improperly configured memcached servers that reflected attack traffic, amplifying the total volume. Memcached is a caching system that optimises websites that rely on external databases. The attacks involve sending requests that spoof the target's IP address as their source to the default User Datagram Protocol (UDP) port on available memcached amplifiers, which return much larger responses to the target.
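
As an added example (not from the original article, Akamai or Arbor), the following shows how a defender could spot the reflected traffic described above in flow records: UDP traffic arriving from source port 11211, memcached's default port, sent by many distinct hosts to one destination. The CSV field names, the thresholds and the sample flows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

MEMCACHED_PORT = 11211  # memcached's default port number

# Constructed sample flow records (documentation IP ranges), not real traffic.
SAMPLE_FLOWS = """\
minute,src_ip,src_port,dst_ip,dst_port,proto,bytes
12:00,198.51.100.10,11211,203.0.113.5,40112,udp,910000
12:00,198.51.100.11,11211,203.0.113.5,40112,udp,875000
12:00,198.51.100.12,11211,203.0.113.5,51877,udp,990000
12:00,192.0.2.44,53,203.0.113.5,33012,udp,420
12:00,192.0.2.80,443,203.0.113.9,52100,tcp,18000
12:00,10.0.0.7,11211,10.0.0.20,45000,tcp,2500000
12:01,198.51.100.10,11211,203.0.113.9,40112,udp,1400
"""


def find_reflection_targets(flow_csv, min_reflectors=3, min_bytes=1_000_000):
    """Return {(minute, dst_ip): (reflector_count, total_bytes)} for destinations
    receiving UDP traffic sourced from the memcached port by many distinct hosts.
    Both thresholds are illustrative assumptions, to be tuned per network."""
    reflectors = defaultdict(set)
    volume = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        # Reflected replies arrive over UDP *from* the memcached port.
        # TCP flows on the same port (ordinary cache traffic) are ignored.
        if row["proto"].lower() != "udp" or int(row["src_port"]) != MEMCACHED_PORT:
            continue
        key = (row["minute"], row["dst_ip"])
        reflectors[key].add(row["src_ip"])
        volume[key] += int(row["bytes"])
    # Flag only destinations hit by enough distinct sources and enough volume.
    return {
        key: (len(srcs), volume[key])
        for key, srcs in reflectors.items()
        if len(srcs) >= min_reflectors and volume[key] >= min_bytes
    }


if __name__ == "__main__":
    for (minute, dst), (count, total) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{minute} {dst}: {total} bytes from {count} hosts, UDP source port {MEMCACHED_PORT}")
```

A destination flagged this way is a candidate for upstream filtering of UDP traffic with that source port, since the spoofed requests themselves never pass through the victim's network.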

Figure: Arbor peak attack size graph. Source: Arbor Networks

Speaking to ZDNet, Morales said he believes that memcached attacks in general won't go away because of the aforementioned exposed memcached servers. "While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit," he explained.

As the number of DDoS attacks continues to rise, Kesavan says that businesses need to get a better picture of how their services work and what the root causes of these attacks are in order to properly fight against them.

“DDoS attacks are becoming more frequent and ever more powerful. While the GitHub attack had minimum service interruption and showcased a well-executed mitigation process, not all DDoS attacks are created equally. With the increasing frequency of these attacks, businesses need to gain a view of how mitigation services are truly working, along with how user experience is holding up under attack. Without tracking all service dependencies and outcomes, you're operating blind to root causes as well as ultimate impact on your business,” said Kesavan.
