Massive Nine-Vector DDoS Attack Tops 470 Gbps

A 470 gigabits per second (Gbps) distributed denial of service (DDoS) attack launched earlier this month leveraged nine different payload (packet) types, security company Imperva Incapsula says.

The attack occurred on June 14, targeted a Chinese gambling company, and was the largest Imperva has mitigated to date, the security firm says. While Imperva said the attack lacked the “craftiness” of other DDoS threats it has seen, the company explained that it was preceded by several other large-scale assaults that hit daily in the week leading up to it.

The incident, Imperva explains, started at over 250 Gbps, which on its own would have made it one of the largest attacks observed since the beginning of the year. Researchers say the attack then built up slowly over the following hours, peaked at 470 Gbps, and faded out within the next 30 minutes. In total, it lasted four hours.

The attack was complex from a network layer perspective, as it used a mix of nine different packet types: the bulk of the traffic was initially SYN floods, before the attackers switched to generic UDP and TCP payloads. Imperva researchers note that nine-vector attacks are very rare, accounting for only 0.2% of all network layer DDoS attacks against the company’s clients.

The main idea behind multi-vector attacks is to bypass mitigation services by switching between different payload types, which is what the actor behind this incident attempted as well. They switched to smaller payloads to increase the assault’s packet-per-second (pps) rate, reaching around 110 million packets per second (Mpps) shortly before the final stage of the attack. At a fixed bit rate, smaller packets mean more packets, and a mitigation appliance has to inspect and forward every one of them regardless of its size, so the pps figure, not the Gbps figure, is what strains the hardware.
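The vector switching and the bits-versus-packets trade-off described above, as an added example that is not Imperva’s code or data: the script takes a constructed per-second traffic summary (invented counters that mimic a SYN-flood phase, a large-payload UDP/TCP phase and a small-payload phase; not the June 14 data), labels each row by vector, reports when the dominant vector changes, and shows that the second with the most packets is not the second with the most bits. The helper names and the counter format are assumptions made for the example, as is the simplification that frame bytes alone determine packets per second.

```python
"""Track a multi-vector DDoS by packets/s and bits/s per vector.

Added example, not Imperva's code. Input is a constructed, per-second
traffic summary of the kind a flow collector or scrubbing node exports;
the numbers are invented to mimic the phases described in the article
(SYN flood, then large UDP/TCP payloads, then small payloads), not data
from the June 14 attack.
"""
from collections import defaultdict

# Constructed counters: (second, protocol, TCP flags, frame bytes, packets).
SAMPLE_COUNTERS = [
    (0, "TCP", "S", 60, 40_000_000),
    (1, "TCP", "S", 60, 45_000_000),
    (2, "TCP", "S", 60, 30_000_000),
    (2, "UDP", "", 1400, 10_000_000),
    (3, "UDP", "", 1400, 38_000_000),
    (4, "UDP", "", 1400, 40_000_000),
    (5, "TCP", "A", 1400, 35_000_000),
    (6, "TCP", "A", 64, 90_000_000),
    (7, "UDP", "", 64, 110_000_000),
]


def classify(proto, flags):
    """Coarse vector label: SYN floods are split from other TCP traffic."""
    if proto == "TCP":
        return "SYN" if flags == "S" else "TCP"
    return proto


def per_second(records):
    """Return {second: {vector: (packets, bits)}} from aggregated counters."""
    table = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for second, proto, flags, frame_bytes, packets in records:
        vector = classify(proto, flags)
        table[second][vector][0] += packets
        table[second][vector][1] += packets * frame_bytes * 8
    return {s: {v: tuple(c) for v, c in vs.items()} for s, vs in table.items()}


def distinct_vectors(table):
    """Set of vector labels seen anywhere in the window."""
    return {v for vs in table.values() for v in vs}


def dominant_vectors(table):
    """Vector carrying the most packets in each second."""
    return {s: max(vs, key=lambda v: vs[v][0]) for s, vs in table.items()}


def vector_switches(table):
    """(second, old_vector, new_vector) each time the dominant vector changes."""
    dom = dominant_vectors(table)
    switches, prev = [], None
    for s in sorted(dom):
        if prev is not None and dom[s] != dom[prev]:
            switches.append((s, dom[prev], dom[s]))
        prev = s
    return switches


def peak(table, index):
    """(second, value) of the highest per-second total; index 0=packets, 1=bits."""
    totals = {s: sum(c[index] for c in vs.values()) for s, vs in table.items()}
    second = max(totals, key=totals.get)
    return second, totals[second]


def pps_at_bandwidth(gbps, frame_bytes):
    """Packets/s needed to fill `gbps` with frames of `frame_bytes`.

    Assumption: the rate counts only the frame itself; Ethernet preamble
    and inter-frame gap are ignored, so achievable rates for the smallest
    frames are somewhat lower than this figure.
    """
    return gbps * 1e9 / (frame_bytes * 8)


if __name__ == "__main__":
    table = per_second(SAMPLE_COUNTERS)
    print("vectors seen:", sorted(distinct_vectors(table)))
    for second, old, new in vector_switches(table):
        print(f"t={second}s dominant vector switched {old} -> {new}")
    print("peak pps:", peak(table, 0))
    print("peak bps:", peak(table, 1))
    for size in (64, 534, 1400):
        print(f"{size}-byte frames at 470 Gbps: {pps_at_bandwidth(470, size) / 1e6:.0f} Mpps")
```

In the constructed data the bit-rate peak (large UDP payloads at t=4s) and the packet-rate peak (64-byte UDP at t=7s) fall in different phases, which is the situation the article describes: an appliance sized on Gbps alone can be saturated by a later, lower-bandwidth phase that simply carries more packets. The `pps_at_bandwidth` figures show how steep that trade-off is: roughly 110 Mpps at 470 Gbps corresponds to an average frame of about 530 bytes, while 64-byte frames at the same rate would require over 900 Mpps.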

“Using smaller payloads to reach extremely high packet forwarding rates was a common tactic in many large attacks we mitigated this year. Doing so helps perpetrators max out the processing power of current-gen mitigation appliances—one of their most common weak spots,” Imperva researchers explain.

To mitigate the attack, the security company rerouted the traffic through its scrubbing servers and used deep packet inspection (DPI) to identify and filter out the malicious packets. The company notes that this is the same mitigation technique it uses for any DDoS attack, and such attacks are not rare: by its own count, it encounters a 50+ Mpps attack every four days and an 80+ Mpps attack roughly every eight days.

Imperva does stress, however, that even large DDoS attacks, such as the 600 Gbps assault that took down BBC.com at the beginning of this year, can be easily mitigated using this technique.

“We want to make clear that there isn’t much difference in mitigating 300, 400, or 500 Gbps network layer attacks. They’re similar threats, each dealt with in a similar manner. Large attack waves aren’t more dangerous than smaller ones. All you need is a bigger boat,” Imperva’s researchers say.

Even if the process of mitigating a DDoS attack is the same regardless of its size, it is clear that perpetrators are constantly looking to increase the sophistication of their assaults to bypass mitigation. Multi-vector attacks are on the rise, attackers are leveraging different protocols and techniques for reflection and amplification, and they have started to abuse IoT devices such as CCTV cameras for DDoS attacks.

Related: Nitol Botnet Fuels 8.7 Gbps Layer 7 DDoS Attack

Related: Record Number of 100+ Gbps DDoS Attacks Hit in Q1 2016: Akamai
