Imperva has just released the DDoS Threat Landscape Report Q1 2022. Download it now to familiarize yourself with new threats and get detailed information about current DDoS attack patterns and their potential impact on your business.
So far, 2022 has been a brutal year for DDoS attacks and we see the attack landscape becoming more problematic going forward. As we consider the changing threat landscape worldwide, let’s look at the top three DDoS attacks that Imperva has stopped to gain a bit of insight into the shape of future attacks.
- February 2022 – A Layer 7 Application DDoS Attack measuring over 2.5 million rps
- July 2021 – A Network DDoS attack with a throughput of 1.02 Tbps
- October 2020 – The Largest Network DDoS attack of almost 1 Tbps
The October 2020 attack
In the fall of 2020, we observed a rise in the number of DDoS attacks against our customers, with both the volume of attacks and their intensity increasing significantly. One such attack (mentioned above) peaked at nearly 1 terabyte per second (Tbps), which at the time set a new record for attack mitigation at Imperva.
It wasn’t just the scale of the attack that made it interesting and somewhat terrifying; it was also its sophistication compared to other attacks of this size, which commonly rely on amplification vectors.
Two waves of Large SYN and TCP
In this case, the attackers combined two separate vectors, Large SYN and TCP, which they leveraged in two waves. The first consisted of a 90-second burst of Large SYN flood: essentially a SYN flood whose packets carry a large payload, something the RFC that defines a SYN packet does not provide for. A SYN flood consumes server resources by creating endless half-open TCP connections, so combining that server exhaustion with a volumetric attack is what makes the Large SYN vector so harmful. This initial burst was so powerful that it peaked at 674 Gbps and 148 million packets per second (Mpps) in under five seconds, emphasizing how important it is to start mitigation within seconds. Furthermore, an attack of this kind would be impossible to mitigate with an on-premises or hybrid DDoS approach, where the upstream connectivity would be overwhelmed.
What’s also interesting about this particular attack is that the attackers used a tool similar to the one seen in the largest packets-per-second attack Imperva mitigated in 2019. The tool attempts to disguise the attacking packets as legitimate traffic by mimicking an operating system; however, the tool apparently contains a bug, because it ends up sending malformed packets.
The second wave of the attack consisted of a TCP ACK flood aimed at port 443, which mimicked the customer’s legitimate traffic by using large HTTPS packets. Despite the customer owning multiple IP ranges, the entire attack targeted only a handful of IPs, in this case those hosting the customer’s main services. This suggests that a certain amount of research and reconnaissance had been undertaken by the attacker in advance, enabling them to identify the most vulnerable target IPs and carry out a more sophisticated attack.
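As an added illustration for the Large SYN and malformed-packet discussion above (example code written for this post, not an Imperva tool), the following Python parses a raw IPv4/TCP packet, flags a SYN that also carries a payload as the Large SYN pattern, treats packets with inconsistent length fields as malformed, and derives the average packet size implied by a bandwidth/packet-rate pair such as 674 Gbps and 148 Mpps. The packets are constructed samples, and the addresses and ports in them are assumptions, not data from the attack.

```python
import struct

IPV4_MIN_HDR = 20   # IPv4 header without options
TCP_MIN_HDR = 20    # TCP header without options
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_tcp_segment(frame: bytes) -> dict:
    """Parse an IPv4/TCP packet into the fields a Large SYN check needs.
    Raises ValueError for truncated or length-inconsistent (malformed) packets."""
    if len(frame) < IPV4_MIN_HDR or frame[9] != 6:
        raise ValueError("not a complete IPv4/TCP packet")
    ihl = (frame[0] & 0x0F) * 4                    # IPv4 header length
    total_len = struct.unpack_from("!H", frame, 2)[0]
    if len(frame) < ihl + TCP_MIN_HDR or total_len > len(frame):
        raise ValueError("truncated packet")
    sport, dport = struct.unpack_from("!HH", frame, ihl)
    data_offset = (frame[ihl + 12] >> 4) * 4       # TCP header length
    payload_len = total_len - ihl - data_offset
    if data_offset < TCP_MIN_HDR or payload_len < 0:
        raise ValueError("inconsistent length fields")
    return {"dport": dport, "flags": frame[ihl + 13], "payload_len": payload_len}


def classify(frame: bytes) -> str:
    """A normal client opens a connection with a bare SYN; a SYN that also
    carries a payload is the Large SYN signature described in the post."""
    try:
        pkt = parse_tcp_segment(frame)
    except ValueError:
        return "malformed"
    syn, ack = pkt["flags"] & TCP_SYN, pkt["flags"] & TCP_ACK
    if syn and not ack:
        return "large-syn" if pkt["payload_len"] > 0 else "syn"
    return "other"


def avg_packet_bytes(gbps: float, mpps: float) -> float:
    """Average packet size implied by a bandwidth / packet-rate pair; a bare
    40-byte SYN at 148 Mpps would only reach about 47 Gbps, not 674 Gbps."""
    return gbps * 1e9 / 8 / (mpps * 1e6)


def build_syn(payload: bytes, dport: int = 80, flags: int = TCP_SYN) -> bytes:
    """Constructed sample packet (not captured traffic): IPv4 + TCP header
    with checksums left at zero, the given flags and an optional payload."""
    total = IPV4_MIN_HDR + TCP_MIN_HDR + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50,  # 0x50: 20-byte header
                      flags, 65535, 0, 0)
    return ip + tcp + payload
```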
We concluded that this wasn’t a random DDoS attack. The attackers had done their research, enabling them to carry out a highly sophisticated and targeted attack tailored to the customer. We suspect more to come in 2022.
The July 2021 attack
In July 2021, Imperva mitigated its largest attack to date as a provider of DDoS protection, and one of the largest DDoS attacks overall that year. The attack lasted for 40 minutes and generated a massive throughput of 1.02 Tbps and 155 million packets per second (Mpps). Imperva also mitigated a large layer 7 DDoS attack in July 2020 which, as with the most recent attack, targeted services hosting online gambling sites, making it difficult to rule out a link to the Olympic Games.
The attackers began by launching a volumetric DNS amplification attack using multiple sources, in addition to a high-rate SYN flood attack on port 80. The first wave of the attack reached 192 gigabytes per second (Gbps) and 33 million packets per second (Mpps). After only a few minutes the attack reached its peak of 1.02 Tbps and 155 Mpps, and at that point consisted of a combination of vectors including SYN flood, Large SYN, UDP flood and DNS amplification.
In the days following this event, Imperva also mitigated a second sizable attack, which peaked at a bandwidth of 858 Gbps and 225 Mpps. This time the attack was longer, lasting two hours, and targeted a specific network prefix (a /24, or class C, address block), with the attack spanning the entire range of IPs.
The February 2022 attack
This case was a ransom DDoS attack on a single website that reached a rate of 2.5 million requests per second (Mrps). And while ransom DDoS attacks are not new, they appear to be evolving and becoming more interesting with time and with each new phase.
Throughout the course of a single day the targeted company was hit by several DDoS attacks. The largest, mentioned above, measured 2.5 Mrps, was aimed at a single site and lasted less than one minute; it is the current mitigation record for Imperva. In addition, multiple sites from the same company came under attack, with one site sustaining an attack lasting around 10 minutes. The attackers applied sophisticated tactics to evade mitigation, with the ransom messages and attack vectors changing constantly. At the same time, to shock the target, the ransom demands kept increasing. Despite these tactics, Imperva successfully mitigated all of the attacks and demonstrated how important it is to have a fast, accurate, and automated DDoS solution in place. The story did not end there for the customer, as the attacks continued for several days, sometimes lasting up to several hours and in 20 percent of cases reaching a size of between 90 and 750 thousand requests per second (Krps), as the chart below shows.
The attacks originated from 34,815 sources; looking at the number of requests per source, the top sources each sent around 2 million requests during the attack. The top source locations for the 2.5 Mrps attack were Indonesia followed by the United States. We have also seen a pattern of almost identical source locations across different attacks, indicating that the same botnet was used many times.
We have a strong indication that the Meris botnet played a role in these attacks. Although CVE-2018-14847 was published a while ago, attackers can still take advantage of it. The CVE refers to a MikroTik vulnerability through which thousands of internet of things (IoT) devices, in this case a huge number of MikroTik routers, were compromised and assembled into a botnet that can still be used to carry out DDoS and other forms of attack.
Get the DDoS protection you need now
Why are we taking this stroll down (bad) memory lane? More than anything, we want to help our customers and prospective customers be aware of current and future DDoS risks, so they have the capacity to mitigate them should a large attack come. As we consider the dynamic and concerning threat landscape that we have already observed this year, now is as good a time as ever to urge every organization to assess its readiness and, if necessary, take action.
Try Imperva for Free
Protect your business for 30 days on Imperva.