
In early January, Gcore faced an incident involving multiple L3/L4 DDoS attacks with peak volumes of 650 Gbps. The attackers used over 2,000 servers belonging to one of the top three cloud providers in the world and targeted clients who were using Gcore's free CDN plan. However, thanks to Gcore's distributed infrastructure and large number of peering partners, the attack was mitigated and the clients' web applications remained available.
Why was mitigating these attacks so important?
1. These attacks were significant because they were over 60 times the average bandwidth of similar attacks. They were volumetric attacks, aimed at saturating and overflowing the bandwidth of the targeted application. Such attacks are measured by total volume (bps) rather than by the number of requests.
The average bandwidth for this type of attack is typically in the range of tens of Gbps (roughly 10 Gbps), so this particular attack (650 Gbps) was more than 60 times the average. Attacks of this magnitude are rare and of particular interest to security professionals.
Moreover, this value (650 Gbps) is comparable to the record DDoS attack against the largest Minecraft server (2.4 Tbps), being only about four times smaller.
2. The attacked clients were using CDN plans without additional DDoS protection. When a client uses Gcore's CDN (part of the edge network), the malicious L3/L4 traffic lands on the CDN infrastructure, which acts as a filter, rather than on the client's own server. How much damage the attack can do then depends on the CDN's capacity and connectivity: if the CDN is strong enough, it can protect clients from L3/L4 attacks even on the free plan.
What were the technical specifications of the attack?
The incident lasted 15 minutes and peaked at over 650 Gbps. A possible reason the incident ended when it did is that the attackers weighed the ineffectiveness of the attack (the client application kept running) against its high cost.
This incident consisted of three attacks with different vectors. In the diagram below, they are marked by traffic peaks.

- UDP flood attack (~650 Gbps). Hundreds of millions of UDP packets were sent to the target server, consuming the application's bandwidth and rendering it unusable. This attack vector takes advantage of the fact that UDP requires no connection establishment: an attacker can send packets with arbitrary data (increasing the volume) and spoof the source IP address (making the sender harder to trace).
- TCP ACK flood attack (~600 Gbps). A large number of packets with the ACK flag set were sent to the target server, overwhelming it. This vector relies on the fact that junk TCP packets carry no payload, yet the server is still forced to process them, so resources may no longer be available to handle requests from real end users. A CDN's protection system can filter such packets and prevent them from being forwarded to the server if they carry no payload and are not bound to an open TCP session.
- Mixed TCP and UDP (~600 Gbps). A custom variation of the previous two attacks.
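As an added illustration (not Gcore's code), the following toy edge filter implements the two mitigation rules described in the list above: bare TCP ACKs that are not bound to an open session are dropped, and UDP volume toward one destination beyond a per-window byte budget is dropped. All addresses, packet records and the threshold are constructed for the example; a real system would use a sliding time window and rate limiting instead of a single window and hard drops.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""     # TCP flag letters, e.g. "S", "A", "PA"
    payload_len: int = 0


class EdgeFilter:
    """Simplified stateful L3/L4 filter in front of an origin server."""

    def __init__(self, udp_bytes_threshold: int):
        self.sessions = set()                  # established (src, sport, dst, dport)
        self.udp_threshold = udp_bytes_threshold
        self.udp_bytes = defaultdict(int)      # dst -> bytes seen in this window

    def open_session(self, src, sport, dst, dport):
        self.sessions.add((src, sport, dst, dport))

    def decide(self, pkt: Packet) -> str:
        if pkt.proto == "tcp":
            bare_ack = "A" in pkt.flags and "S" not in pkt.flags and pkt.payload_len == 0
            known = (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.sessions
            # ACK-flood rule: no payload and no open session -> never reaches the origin
            return "drop" if bare_ack and not known else "forward"
        # UDP-flood rule: count IP+UDP header (28 bytes, constructed estimate) plus payload
        self.udp_bytes[pkt.dst] += pkt.payload_len + 28
        return "drop" if self.udp_bytes[pkt.dst] > self.udp_threshold else "forward"


def apply_filter(edge: EdgeFilter, packets) -> Counter:
    """Return counts keyed by (proto, decision)."""
    return Counter((p.proto, edge.decide(p)) for p in packets)


def sample_scenario():
    """Constructed traffic mix: one legitimate ACK, one SYN, an ACK flood, a UDP burst."""
    edge = EdgeFilter(udp_bytes_threshold=5000)
    edge.open_session("203.0.113.10", 40000, "198.51.100.5", 443)
    legit_ack = Packet("tcp", "203.0.113.10", "198.51.100.5", 40000, 443, "A", 0)
    syn = Packet("tcp", "192.0.2.20", "198.51.100.5", 50001, 443, "S", 0)
    ack_flood = [Packet("tcp", f"192.0.2.{i % 250 + 1}", "198.51.100.5", 1024 + i, 443, "A", 0)
                 for i in range(1000)]
    udp_burst = [Packet("udp", f"192.0.2.{i % 250 + 1}", "198.51.100.5", 1024 + i, 53, "", 1200)
                 for i in range(10)]
    return edge, [legit_ack, syn] + ack_flood + udp_burst
```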
This incident was notable in that the attacks were carried out from multiple unspoofed IP addresses. This allowed experts to identify that the attacker used 2,143 servers in 44 different regions, all belonging to a single public cloud provider. By utilizing Anycast, Gcore was able to absorb 100% of the attack traffic on its peering connections with this provider.

Sankey diagram showing attack sources and flow. The location names in the first column belong to one of the top three cloud providers.
Why didn’t the attack affect clients?
1. Gcore's connectivity through peering at many locations played a key role in mitigating the attack. Gcore has over 11,000 peering partners (ISPs) that connect their networks by cable and give each other direct access to traffic originating in their networks. These connections allow Gcore to bypass the public internet and absorb traffic directly from its peering partners. Moreover, this traffic is either free or much cheaper than traffic on the public internet. This low cost is what makes it possible to protect customers' traffic even on the free plan.
In the context of the DDoS attacks that occurred, the level of connectivity contributed significantly to the effectiveness of mitigation. Since Gcore and the cloud provider used to launch the attack are peering partners, Gcore was able to ingest most of the traffic through the cloud provider’s private network during the attack. This greatly reduced the amount of traffic that the public internet had to handle.
Private peering also enables more precise filtering and better attack visibility, leading to more efficient attack mitigation.
2. Gcore's large capacity, achieved by placing servers in many data centers, also played a role. Gcore's edge servers are located at over 140 points of presence and are based on high-performance 3rd Gen Intel® Xeon® Scalable processors.
Overall network capacity exceeds 110 Tbps. With over 500 servers in data centers around the world, the company is able to withstand massive DDoS attacks: 650 Gbps of traffic can be spread across the network so that each individual server receives only 1-2 Gbps, which is a negligible load.
Security trends
According to Gcore's experience, DDoS attacks will continue to grow year by year. In 2021, attacks reached 300 Gbps, and in 2022 they increased to 700 Gbps. Therefore, even small businesses should use distributed content delivery networks such as CDNs and clouds to protect against DDoS attacks.