By Steven Ferguson and Cameron Tickner
On August 25th 2024, Global Secure Layer mitigated the largest packet rate DDoS attack ever recorded against our platform, targeted at a Minecraft gaming customer. The attack peaked at 3.15 Gpps (billion packets per second) with a relatively low bitrate of 849 Gbps. Our team has cross-verified this attack size with tier one providers and internet exchange operators, confirming that the packet rate capacity observed at their borders matches the telemetry reported by our devices. Contrasted with historically reported records, this size outpaces those headlines by a factor of 3.2 to 3.5x, making it the largest packet rate attack ever reported to the public.
A day prior, the attackers launched an assault against the same customer, but with a much shorter attack duration, and only towards a single prefix of the victim. This attack peaked at 1.7 Gpps with a duration of 20 seconds, and had no impact on end users. This is thanks to the target prefix having pre-emptive security configurations on Creatia, our DDoS management platform, resulting in sub 100 millisecond mitigation time.
Creatia is the control plane for Goliath, our in-house DDoS mitigation platform, which our team has built and rolled out across over 33 of our global points of presence. This solution is available to all transit customers with a modest security stance by default, providing general purpose protection.
The purpose of this first attack run was likely to scope out any weak points before carrying out more prolonged assaults against the customer. The attackers then regrouped and planned a full attack towards the victim network, carpet bombing all advertised prefixes in a back-to-back campaign. This attack revealed the full throughput of the botnet, peaking at a staggering 3.15 Gpps.
Frustrated, the attackers continued their hits, alternating between prefixes and attack vectors to find any weak points in the security configuration. By this point the attack was overwhelming the PNIs (private network interconnects) between Korea Telecom and major tier 1 providers. On the victim network, prefixes with a less strict mitigation stance saw limited impact, isolated to New York during the first 20 minutes. The attackers persisted, launching several 1.1 to 1.5 Tbps volumetric hits alongside several packet rate hits peaking between 1.89 and 2.20 Gpps over the course of an hour. Surprisingly, the volumetric hits had a slightly different geographic distribution from the packet rate hits, indicating that two distinct botnets were potentially at play.
The packet-heavy botnet's top three sources were Russia, Vietnam, and Korea, while the volumetric-heavy botnet's were Russia, Ukraine, and Brazil. Within 15 minutes of the initial onset of attacks, the targeted prefixes were re-configured to a stronger security stance, posing no further impact to the end customer. By this point the attackers had run out of tricks, with the full campaign lasting just over an hour.
For the attacks we normally observe, source countries are well distributed, with no single country contributing more than 7% of total attack traffic. In this case, Russia, Vietnam, and Korea comprised 42.8% of the total volume. Traffic from these sources was predominantly scrubbed in Frankfurt and Singapore.
On the ASN side, Korea Telecom accounts for a significant majority of the packet rate volume. Upon investigating the individual sources within Korea Telecom, we found that MAX-G866ac devices comprised a significant majority of the attack sources, which we relate to CVE-2023-2231, an authentication manipulation vulnerability leading to remote code execution.
Upon filtering for this signature across internet surveying databases, we found 5,253 vulnerable devices in Korea Telecom’s network alone. Globally, our borders saw a total of 42,209 sources participating in the packet rate campaign.
Following the packet rate attacks, the attackers persisted with group B, the volumetric botnet, which landed several hits after group A. The prefixes targeted in this phase were pre-configured with optimal security definitions on Creatia, leading to no leakage to the end customer.
On the volumetric side, our borders saw a slightly reduced bot count compared to the packet rate campaign, at 38,681 sources, with a peak size of 1516 Gbps. Although slightly lower, this campaign contained no amplification attack traffic, further illustrating that botnet capacity alone was the factor at play. Unlike the packet rate campaign, Russia, Vietnam, and Brazil were the main sources, with DrayTek Vigor devices and Hikvision IP cameras making up the majority of the composition.
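Two of the measurements the post relies on, the packet-rate versus bitrate contrast (3.15 Gpps at 849 Gbps) and the source-country concentration against a 7% per-country baseline, are simple to reproduce from sampled flow telemetry. The following is an added example written for this article and is not GSL's or Creatia's code. It assumes flow records reduced to (source IP, country, ASN, packets, bytes) tuples; the sample rows are constructed, the ASNs are taken from the documentation range 64496-64511 rather than real operators, and the 128-byte cutoff separating packet-rate from volumetric floods is an assumed threshold.

```python
"""Characterise sampled DDoS flow telemetry by packet size and source spread.

Added example, not GSL's code. The flow records are constructed and the ASNs
use the documentation range 64496-64511 instead of real operators.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSample:
    src_ip: str
    country: str  # ISO 3166 alpha-2 code, as a GeoIP lookup would return it
    asn: int
    packets: int
    bytes: int


# Constructed samples with the kind of skew described in the post:
# three countries dominate, and one ASN contributes several sources.
SAMPLES = [
    FlowSample("203.0.113.10", "KR", 64496, 900, 36000),
    FlowSample("203.0.113.11", "KR", 64496, 850, 34000),
    FlowSample("198.51.100.5", "RU", 64497, 700, 28000),
    FlowSample("198.51.100.6", "RU", 64497, 650, 26000),
    FlowSample("192.0.2.7", "VN", 64498, 600, 24000),
    FlowSample("192.0.2.8", "VN", 64498, 550, 22000),
    FlowSample("192.0.2.20", "BR", 64499, 200, 8000),
    FlowSample("192.0.2.21", "US", 64500, 150, 6000),
    FlowSample("192.0.2.22", "DE", 64501, 150, 6000),
    FlowSample("192.0.2.23", "UA", 64502, 100, 4000),
]


def avg_packet_size(pps: float, bps: float) -> float:
    """Mean bytes per packet implied by a packet rate and a bit rate.

    Values near the wire minimum indicate a packet-rate flood that stresses
    forwarding capacity; large values indicate a volumetric flood that
    stresses link capacity.
    """
    return bps / 8.0 / pps


def classify_flood(pps: float, bps: float, small_packet_threshold: int = 128) -> str:
    """Label a flood by its implied packet size (threshold is an assumption)."""
    if avg_packet_size(pps, bps) < small_packet_threshold:
        return "packet-rate"
    return "volumetric"


def country_shares(samples) -> dict:
    """Fraction of sampled attack packets attributed to each source country."""
    total = sum(s.packets for s in samples)
    counts = Counter()
    for s in samples:
        counts[s.country] += s.packets
    return {country: n / total for country, n in counts.items()}


def concentration_check(shares: dict, baseline_max: float = 0.07, top_n: int = 3) -> dict:
    """Compare per-country shares with the expected ceiling (7% in the post).

    Returns the top_n countries, their combined share, and whether any single
    country exceeds the baseline, which is the anomaly the post describes.
    """
    ranked = sorted(shares.items(), key=lambda kv: kv[1], reverse=True)
    top = ranked[:top_n]
    return {
        "top": [country for country, _ in top],
        "top_share": sum(share for _, share in top),
        "concentrated": any(share > baseline_max for _, share in ranked),
    }


def sources_per_asn(samples) -> dict:
    """Count distinct source addresses per origin ASN."""
    seen = defaultdict(set)
    for s in samples:
        seen[s.asn].add(s.src_ip)
    return {asn: len(ips) for asn, ips in seen.items()}


if __name__ == "__main__":
    # Figures from the post: 3.15 Gpps at 849 Gbps.
    print("implied packet size:", round(avg_packet_size(3.15e9, 849e9), 1), "bytes")
    print("classification:", classify_flood(3.15e9, 849e9))
    shares = country_shares(SAMPLES)
    print("concentration:", concentration_check(shares))
    print("sources per ASN:", sources_per_asn(SAMPLES))
```

The implied packet size for the headline figures comes out at roughly 34 bytes, which is below even the 64-byte Ethernet minimum and is consistent with telemetry that counts IP-layer bytes on minimum-sized packets; that is the signature of an attack aimed at forwarding capacity rather than link capacity. The concentration check is the per-country version of the baseline comparison the post describes, and the per-ASN count is the first step towards the device-level attribution done for Korea Telecom.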
The events showcased in this week's attack further illustrate the sustained upward trajectory in attack sizes across the industry. As attackers continue to scope out network pain points, the need for DDoS defenses to keep pace with this momentum cannot be overstated. Mitigating attacks of this size requires careful planning of network border and backbone capacity, as well as a deep understanding of the end customer's clean traffic profile, so that a pre-emptive security stance is already in place when attacks of this caliber arrive.
GSL employs a patent-pending heuristic anomaly detection engine with full state tracking, which operates on all scrubbing devices within our network. This allows baseline customer traffic to be sampled and understood before an attack reaches the end customer, resulting in sub-100 ms mitigation time. Combined with our technical domain expertise, GSL remains an industry leader in rapid detection and mitigation of large scale DDoS attacks.
If you or your organization are undergoing crippling DDoS attacks, or seeking a proactive security stance for your network, please inquire for a quote from our sales team at sales@globalsecurelayer.com.