On June 14, Imperva Incapsula mitigated a 470 gigabits per second (Gbps) distributed denial of service (DDoS) attack—the largest assault in our records to date.

While it lacked the craftiness of DDoS threats we usually describe in our blog, this brute of an assault set a new mark in the perpetual tug of war between mitigation providers and cyber criminals.

Attack description

Targeting a Chinese gambling company, the attack occurred on June 14 and lasted for over four hours. The company was also focused by several other large-scale assaults, occurring daily during the week leading up to the event in question.

Fig. 1 – A week long DDoS assault…

From its first moment, this attack burst reached above 250 Gbps. It then slowly built up over the following hours, peaking at 470 Gbps at 19:32.

After reaching this highpoint, attack traffic scaled back and completely resided within 30 minutes.

Fig. 2 – …peaked with a 470 Gbps burst

The assault was significantly complex by network layer standards, relying on a mix of nine different payload (packet) types. The bulk of the traffic was generated first by SYN payloads, then by generic UDP and TCP payloads.

Such nine-vector assaults are very rare in our experience. Putting things in perspective, in Q1 2016 they accounted for no more than 0.2% of all network layer DDoS attacks against our clients.

Usually a perpetrator’s goal in using multi-vector attacks is to switch between different payload types in an attempt to bypass a mitigation service. So it was in this case when, midway through, the perpetrators changed their approach—using smaller payloads to increase their assault packet per second (pps) rate.

As a result of this shift, the packet rate suddenly jumped at 17:57 to peak at ~110 million packets per second (Mpps), shortly before the attack hit its final note.

Fig. 3 – Packet per second rate increasing to 80Mpps, before peaking at ~110 Mpps

Using smaller payloads to reach extremely high packet forwarding rates was a common tactic in many large attacks we mitigated this year. Doing so helps perpetrators max out the processing power of current-gen mitigation appliances—one of their most common weak spots.

Quantifying this, in Q1 2016 we mitigated a 50+ Mpps attack every four days and an 80+ Mpps every eight days. More than a few of those barrages exceeded 100 Mpps.

Attack mitigation

With over two Tbps in total network capacity, and more than 100 Gbps capacity available on many of our 30 data centers, Incapsula’s ability to mitigate an attack of this size was never in question.

Our challenge came in mitigating an assault of this scale without impacting the millions of users moving through our network at any given time. To this end, our netops team anycasted the attack traffic between 21 of our more powerful data centers, letting them all participate in mitigation while retaining high capacity margins.

In each of those locations the attack traffic was routed through our BH (codename Behemoth) scrubbing servers, each of which can process up to 170 Gbps and 100 Mpps at an inline rate (read: no lag whatsoever).

Through a process of deep packet inspection (DPI), malicious traffic was identified by our scrubbing algorithm based on such factors as protocol type, content-length, and source IP. Cross-examination of these, and a few other variables, generated a profile for malicious network packets.

Following that, all packets that fit this profile were automatically filtered out before they could reach the target’s network. Later on, whenever the attackers shifted patterns, the algorithm readjusted to identify new common criteria for filtering.

The combination of agile network management, capable hardware and adaptive security software blocked the assault without a hitch. Our regular network traffic flow didn’t experience any ripples, nor was our daily routine affected.

Keep calm and get a bigger boat

We’ve seen multiple DDoS groups vie for “The largest DDoS attack to date” title over the past several years. The New World Hackers group, professing to have taken down BBC.com with a 600 Gbps assault, is the most notable example.

As was later revealed, those exaggerated numbers were another attempt at FUD marketing. Wanting to avoid doing the same, on a technical level we want to make clear that there isn’t much difference in mitigating 300, 400, or 500 Gbps network layer attacks. They’re similar threats, each dealt with in a similar manner.

Large attack waves aren’t more dangerous than smaller ones. All you need is a bigger boat.