DDoS attacks are usually ranked by the amount of bandwidth involved, such as the 2018 GitHub attack that peaked at 1.35 Terabits per second and is often cited as the largest DDoS attack ever.
From Imperva’s long history of successfully mitigating DDoS attacks, we know that the TRUE measure of attack intensity is something else — the absolute number of packets directed at a network or web site.
In an era where attack tools can easily multiply the size of packets – without actually making them more difficult to block – the amount of bandwidth doesn’t matter.
Rather, the volume of packets per second is the best measure of how difficult a DDoS attack is to block and recover from. Read my previous blog for a more technical explanation, including why tools that enable memcached amplification attacks are distorting DDoS statistics today.
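The bandwidth-versus-packet-rate argument above, as an added example (not Imperva's code): two floods are summarized from per-second counters and ranked by each metric, showing that the rankings invert. The counter values, labels and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed per-second counters: (label, second, packets, bytes). Not real captures.
SAMPLES = [
    # Amplification-style flood: relatively few, large packets.
    ("amplified", 0, 40_000_000, 40_000_000 * 1400),
    ("amplified", 1, 50_000_000, 50_000_000 * 1400),
    # Small-packet flood: many minimum-size packets.
    ("small_pkt", 0, 300_000_000, 300_000_000 * 64),
    ("small_pkt", 1, 500_000_000, 500_000_000 * 64),
]

def summarize(samples):
    """Return {label: peak Mpps, peak Gbps, average packet size in bytes}."""
    acc = defaultdict(lambda: {"pps": 0, "bps": 0, "pkts": 0, "bytes": 0})
    for label, _second, pkts, nbytes in samples:
        a = acc[label]
        a["pps"] = max(a["pps"], pkts)        # peak packets in any one second
        a["bps"] = max(a["bps"], nbytes * 8)  # peak bits in any one second
        a["pkts"] += pkts
        a["bytes"] += nbytes
    return {
        label: {
            "peak_mpps": a["pps"] / 1e6,
            "peak_gbps": a["bps"] / 1e9,
            "avg_pkt_bytes": a["bytes"] / a["pkts"],
        }
        for label, a in acc.items()
    }

def rank(summary, metric):
    """Labels ordered from highest to lowest value of the given metric."""
    return sorted(summary, key=lambda label: summary[label][metric], reverse=True)

if __name__ == "__main__":
    s = summarize(SAMPLES)
    for label, m in s.items():
        print(f"{label:10s} {m['peak_gbps']:7.1f} Gbps {m['peak_mpps']:7.1f} Mpps "
              f"avg {m['avg_pkt_bytes']:.0f} B/packet")
    print("ranked by bandwidth  :", rank(s, "peak_gbps"))
    print("ranked by packet rate:", rank(s, "peak_mpps"))
```

The flood that looks largest by Gbps carries a tenth of the packets, which is why a mitigation pipeline sized per packet should be monitored and capacity-planned in Mpps as well as Gbps.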
We have just entered a new era of DDoS attacks of unprecedented potency. Over the past week, Imperva’s DDoS Protection Service has detected and mitigated 9 massive DDoS attacks against our customers.
All of these attacks surpassed 500 million packets per second (Mpps), a rate that until earlier this year was the largest we had ever recorded or were aware of being publicly disclosed by any other vendor.
That peaked with May 2nd’s attack, which lashed one of our customers at a peak rate of 652 million packets per second – or FIVE times more packets than last year’s GitHub attack. See our chart below showing attacks in the past week – each spike represents about 20 min of sustained attack:
Focusing on Mpps doesn’t mean that these attacks were small when measured by bandwidth, either – far from it. All of these attacks hit more than 500 Gbps, peaking at 713 Gbps on May 5th:
These DDoS attacks all appear to rely on a similar set of hacking tools that enabled the attackers to launch a coordinated botnet attack to quickly direct huge volumes of traffic against web sites. Fortunately, our DDoS service was able to automatically halt these attacks, which ended as quickly as they started, implying a central CnC (Command and Control) server.
Imperva was able to mitigate these attacks for our customers without human intervention, with absolutely no impact to our network or our infrastructure. This is in part due to a new infrastructure service called the SD-NOC which automatically shifted attack traffic away for optimal DDoS mitigation, all within a matter of seconds, and faster than our current 10-second SLA.
We continue to invest in automation because we believe our customers need quick, automated responses and can’t afford to wait for NOC/SOC personnel to manually act (as some other vendors do). We’re also evaluating further reducing our market-leading SLA.