Radware Mitigates 1.1Tbps DDoS Attack


As more businesses migrate critical resources and applications to the public cloud, attackers are adapting their tactics and techniques to match the scale of public cloud providers. Last week, this trend became reality for one of the world’s largest service providers when it was hit by a 1.1 Tbps DDoS attack (Figure 1) that lasted approximately 36 hours. Here’s how this U.S. provider’s story unfolded.

Figure 1: 1.1 Tbps attack mitigated by Radware Cloud DDoS Protection Service (source: Radware 2021–2022 Global Threat Analysis Report)

The First Wave

The clock started ticking when this U.S. service provider noticed a service impact. At first, the service provider, which serves millions of businesses worldwide, intended to mitigate the attack with its on-premises solution as it usually does. However, when the high-volume, multi-vector attack proved too complex to handle locally, a decision was quickly made to route all traffic through Radware’s Cloud DDoS Protection Service.

Within a few minutes after the first call to Radware’s Emergency Response Team (ERT) hotline, the service provider’s assets were onboarded to Radware Cloud DDoS Protection Service and mitigation started.

During the first five hours of the attack, traffic peaked at 150 Gbps. The top attack vectors were UDP flood, UDP fragmentation flood, fragmented ACK and PSH flood, and NTP reflection (Figure 2). In a UDP flood, the attacker tries to saturate the victim’s internet pipes by sending large UDP packets to a single port or to random ports. A fragmented ACK and PSH flood works differently: the attacker sends MTU-sized (roughly 1,500-byte) fragmented packets, so even a moderate packet rate consumes a large share of the target network’s bandwidth, and every stateful device in the path has to buffer the fragments for reassembly; a UDP fragmentation flood applies the same idea to UDP. NTP reflection abuses NTP servers that answer a small query with a much larger response, sent to the spoofed address of the victim, so the reflector’s own port 123 appears as the source of the attack traffic. Radware’s ERT security experts worked with the new customer to understand its normal traffic patterns and immediately applied the relevant mitigation to fully block the first wave of the attack.
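Telling these vectors apart is the first step of mitigation, because each one needs a different countermeasure (rate limits on fragments, blocking source port 123, challenging or dropping out-of-state ACK/PSH packets). The following added example, which is not Radware code and uses hypothetical flow-record fields of its own, classifies constructed sampled-flow records into the four vectors named above and reports bandwidth and packet rate per vector. It also makes the point about fragmented floods concrete: the fragmented ACK/PSH record sends fewer packets per second than the NTP reflection record yet consumes more bandwidth.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Flow:
    """Hypothetical sampled-flow record (field names are this example's own)."""
    proto: str        # "udp" or "tcp"
    sport: int        # source port
    dport: int        # destination port
    flags: str        # TCP flags seen on the first packet ("" for UDP)
    fragmented: bool  # More-Fragments bit set or non-zero fragment offset seen
    packets: int
    bytes: int

    @property
    def bytes_per_packet(self) -> float:
        return self.bytes / self.packets


NTP_PORT = 123
# A normal NTP reply carries 48 bytes of payload; amplified replies are far larger.
REFLECTION_MIN_BPP = 200


def classify(f: Flow) -> str:
    """Map a flow to one of the first-wave vectors.

    Reflection is checked first: the reflector answers from its service port,
    so the *source* port carries the signal. Fragment checks come next because
    non-first fragments carry no L4 header at all, so a flow record marked as
    fragmented is the only reliable indicator.
    """
    if f.proto == "udp":
        if f.sport == NTP_PORT and f.bytes_per_packet >= REFLECTION_MIN_BPP:
            return "ntp_reflection"
        if f.fragmented:
            return "udp_fragmentation_flood"
        return "udp_flood"
    if f.proto == "tcp":
        # ACK or PSH/ACK only: no SYN, FIN or RST, and fragmented.
        if f.fragmented and "A" in f.flags and not ({"S", "F", "R"} & set(f.flags)):
            return "fragmented_ack_psh_flood"
        return "tcp_other"
    return "other"


def summarize(flows: Iterable[Flow], window_s: float) -> Dict[str, Tuple[float, float]]:
    """Per-vector (Gbps, Mpps) over a measurement window of window_s seconds."""
    bits: Dict[str, int] = defaultdict(int)
    pkts: Dict[str, int] = defaultdict(int)
    for f in flows:
        v = classify(f)
        bits[v] += f.bytes * 8
        pkts[v] += f.packets
    return {v: (round(bits[v] / window_s / 1e9, 3), round(pkts[v] / window_s / 1e6, 3))
            for v in bits}


def dominant(summary: Dict[str, Tuple[float, float]], by: str) -> str:
    """Vector with the highest bandwidth ("gbps") or packet rate ("mpps")."""
    idx = 0 if by == "gbps" else 1
    return max(summary, key=lambda v: summary[v][idx])


# Constructed one-second sample, not real telemetry from the incident.
SAMPLE = [
    Flow("udp", 40000, 53413, "", False, packets=1_000_000, bytes=1_000_000 * 1400),  # UDP flood
    Flow("udp", 123, 50000, "", False, packets=500_000, bytes=500_000 * 468),        # NTP reflection
    Flow("udp", 40000, 80, "", True, packets=800_000, bytes=800_000 * 1480),         # UDP fragments
    Flow("tcp", 40000, 443, "PA", True, packets=300_000, bytes=300_000 * 1500),      # fragmented PSH/ACK
    Flow("tcp", 443, 51000, "PA", False, packets=20_000, bytes=20_000 * 900),        # ordinary server traffic
]

if __name__ == "__main__":
    for vector, (gbps, mpps) in sorted(summarize(SAMPLE, 1.0).items()):
        print(f"{vector:26s} {gbps:8.3f} Gbps {mpps:7.3f} Mpps")
```

In a real deployment the records would come from sFlow/NetFlow export with a sampling ratio applied to the byte and packet counts; the classification logic itself does not change.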

Figure 2: Top attack vectors and services utilized by the attacker


The Second Wave

Six hours into the incident, the second wave of the attack began, with traffic peaking at over 300 Gbps. Based on the source addresses observed in the attack traffic, the attack appeared to originate primarily from Japan, the United States, Taiwan, and South Korea (Figure 3). For reflected and spoofed floods the observed source is the reflector or a forged address, so this geography describes where the traffic entered the internet rather than where the operator is.

Figure 3: Top source countries, generating the attack traffic

The attack did not let up. Roughly 150 Gbps of traffic aimed at disrupting the provider’s service persisted for a further three hours before the attack peaked at 1.1 Tbps.

The barrage of attack traffic was fully mitigated using the capacity of only four of the scrubbing centers in Radware’s global network, located in the United States and EMEA (Figure 4).

Figure 4: Total traffic managed by Radware’s scrubbing centers during the 1.1 Tbps peak

Post Peak

Post peak, approximately 800 Gbps of attack traffic continued for more than nine hours, mitigated throughout by Radware’s Cloud DDoS Protection Service and ERT experts, until the attacker’s resources were exhausted and the attack stopped.

As of the time of this blog, no hacktivist organization has assumed responsibility for the attack.


Is this just the beginning?

It is impossible to ignore the wave of hyper-volumetric DDoS attacks recorded in 2022. While 2021 saw only a handful of attacks at 1 Tbps, attacks of 1 Tbps and above are becoming a new reality this year.

As bandwidth and resources grow for legitimate businesses, they grow for threat actors too. It is reasonable to assume that bad actors can scale as fast and as far as their targets. Organizations need to be aware that DDoS attacks are part of their threat landscape, irrespective of geography or industry.

Radware’s Cloud DDoS Protection Services protect organizations of all sizes across a wide variety of sectors, ranging from education, e-commerce, retail, and global financial services to governments worldwide and leading service providers and carriers. It is safe to say that no organization, regardless of what it does or where it is located, is immune from attack.


11 COMMENTS

  1. Just curious, is the target Russian government or associated with Russian government site?
    If yes, help to protect them is immoral.

  2. A successful hybrid cloud strategy balances risk mitigation with operational efficiency so that your organization can remain agile while keeping data secure.

  3. In order for your firm to stay flexible while maintaining data security, a good hybrid cloud strategy strikes a balance between risk reduction and operational effectiveness.

  4. In order for your firm to stay flexible while maintaining data security, a good hybrid cloud strategy strikes a balance between risk reduction and operational effectiveness.
    I hope you’ll keep writing insightful posts like this one and others for us to everyone to read!
