It's been a while since we last wrote about Layer 3/4 DDoS attacks on this blog. This is a good news - we've been quietly handling the daily onslaught of DDoS attacks. Since our last write-up, a handful of interesting L3/4 attacks have happened. Let's review them.

Gigantic SYN

In April, John tweeted about a gigantic 942Gbps SYN flood:

It was a notable event for a couple of reasons.

First, it was really large. Previously, we've seen only amplification / reflection attacks at terabit scale. In those cases, the attacker doesn't actually have too much capacity. They need to bounce the traffic off other servers to generate a substantial load. This is different from typical "direct" style attacks, like SYN floods. In the SYN flood mentioned by John, all 942Gbps were coming directly from attacker-controlled machines.

Secondly, this attack was truly distributed. Normal SYN floods come from a small number of geographical locations. This one, was all over the globe, hitting all Cloudflare data centers:

Thirdly, the attack seem to be partially spoofed. While our analysis was not conclusive, we saw random, spoofed source IP addresses in the largest internet exchanges. The above Hilbert curve shows the source IP distribution in AMS-IX. As you can see we even saw the 127.0.0.0/8 block attacking us!

Lastly, it was a one-off. We have seen a couple of smaller SYN floods with similar characteristics before, but not after this event.

We believe the traffic was caused by Xor.DDoS malware. Others have investigated this botnet in the past.

SYN landscape

Apart from the gigantic one-off SYN floods, we are, as usual, the target of more common SYN floods coming mainly from Asia. Here is a chart from two days some time ago:

These kind of SYN floods, reaching 600-650 Gbps, we consider a normal part of operating in the internet.

Apart from SYN floods we regularly see amplification attacks. The specific techniques come into and go out of fashion. We're happy to report that both SSDP and memcached reflections seem to be on their way out.

The fall of SSDP

Last year we were worried about rising volumes of SSDP amplification attacks:

After that event, we saw much larger SSDP attacks, peaking at 400Gbps. But this was back in 2017 - this year we have rarely seen major SSDP spikes. Over the last 30 days we haven't seen one crossing 180Gbps (which is puny):

These attacks employ 60k-100k vulnerable IPs, which are mostly in Russia, China, the USA and Italy; here is per-country unique IP map:

The fall of memcached

Similarly, in late February we blogged about memcached-based amplification attacks:

Initially the attacks were scary, starting at 260Gbps when first reported, reaching a terabit a day later. But after the initial hype the attacks have weakened - the industry reacted rapidly and cleaned up the vulnerable servers. Nowadays, we don't see very large attacks of this type. Here is a chart for the last 30 days, with memcached reaching 80Gbps tops:

Multivector amplifications

About two months ago, we started observing a new interesting trend. Instead of trying to do much damage using one amplification type - like SSDP or memcached, attackers started pooling them. We saw attacks employing many different amplification categories hitting us all at once.

The industry calls this "multivector attacks", and while it's rather standard and has existed for years, we haven't seen it on this scale before. For example, here is one such an attack reaching a combined 800Gbps:

You can see all the different amplifications started and ended at the same time. The amplification types list is somewhat intriguing:

port 53 and port 0 (fragmentation) - DNS at 130 Gbps

port 111 - Portmap at 337 Gbps

port 123 - NTP at 16 Gbps

port 137 - NetBIOS Name Service at 31 Gbps

port 161 - SNMP at 115 Gbps

port 389 - LDAP at 10 Gbps

port 1900 - SSDP at 177 Gbps

We almost forgot about SNMP and Portmap amplifications - but there they are, together they compose a large part of the generated traffic.

Summary

It's important to keep a perspective on the Layer 3/Layer 4 attacks. About three years ago direct DNS attacks (like random prefix attacks) were a daily occurance. Attackers changed their techniques and today we don't see DNS spikes too often.

Two years ago, SYN floods were on the rise. Starting with about the Olympic Games in Rio in 2016, the frequency and volume decreased. For about a year after that, it was rather quiet. Recently major SYN floods started happening again and we are watching them carefully.

In the past we've described SSDP and memcached amplifications as significant threats. They still happen, but seem to be decreasing. Recently, we noticed that "multivector" amplifications had become more common. This is a sign that the attackers need to pool the techniques in order to generate substantial traffic.

We are optimistic. By and large, the Internet seems less violent these days. Volumetric attacks still happen, but on a smaller scale than couple of years ago. But when they do happen they are huge.