The attack generated 809 million packets per second (Mpps), targeting a large European bank, and created a new industry record.

On June 21, 2020, technology firm Akamai detected the largest-ever packet per second (pps) distributed denial of service (DDoS) attack on its platform.

The attack generated 809 million packets per second (Mpps), targeting a large European bank, and created a new industry record for pps-focused attacks. This is well over double the size of the previous high-water mark on the Akamai platform, just one week after the firm had announced another a massive DDoS attack.

According to Akamai, looking holistically at DDoS activity since the onset of 2020, it is clear that large, sophisticated DDoS attacks are still a significant attack vector, and should be of concern for companies across many industry verticals.

BPS vs PPS DDoS approaches

DDoS attacks are almost always volumetric in nature, and are generally measured in bits per second (bps). The DDoS attacker’s goal is to overwhelm the inbound internet pipeline, sending more traffic to a circuit than it is designed to handle.

In contrast, packet-per-second (pps)-focused attacks are largely designed to overwhelm network gear and/or applications in the customer’s data center or cloud environment.

Both approaches are volumetric, but packet-per-second attacks exhaust the resources of the gear, rather than the capability of the circuits, and are much less common.

This latest attack was clearly optimized to overwhelm DDoS mitigation systems via a high pps load. As shown in the chart below, the packets sent carried a meager 1 byte payload (for a total packet size of 29 with IPv4 headers), making it appear like every other one of its several billion peers.

Source IP explosion

The unique nature of the packets being sent was the massive increase in the amount of source IP addresses observed.

The number of source IPs that registered traffic to the customer destination increased massively during the attack, indicating that it was highly-distributed in nature. Upwards of 600x the number of source IPs per minute were seen, compared to what was normally observed for this customer destination.

Beyond just the volume of IP addresses, the vast majority of the attack traffic was sourced from IPs that had not been recorded in prior 2020 attacks, indicating an emerging botnet. (Akamai tracks hundreds of thousands of source IPs leveraged in DDOS attacks, tens of thousands of which have been seen in multiple attacks.)

According to Akamai, it was highly unusual that 96.2% of Source IPs were observed for the first time (or at a minimum, were not being tracked as being part of attacks in recent history).  They had observed a number of different attack vectors coming from the 3.8% of remaining Source IPs, both matching the single attack vector seen in this attack and aligned to others. In this case, most of the source IPs could be identified within large Internet Services Providers via AS lookups, which is indicative of compromised end user machines.

Peak velocity

This attack was remarkable not only for its size, but also for the speed at which it reached its peak. The attack grew from normal traffic levels to 418 Gbps in seconds, before reaching its peak size of 809 Mpps in approximately two minutes. In total, the attack lasted slightly less than 10 minutes, and was fully mitigated by Akamai’s proactive controls.

While this attack was curbed, Akamai’s behavioral mitigation recommendation engine further analyzed additional attack dimensions. In this case, the attack showed swings in protocol, destination port, packet length, and geolocation. Three important facts could be discerned:

  1. Any of the highlighted methods (the orange colored area) could have effectively blocked the attack with no collateral damage.
  2. 0-second SLA controls already include these frequently seen attack vectors (bold).
  3. Due to the analysis of customer clean-traffic baselines and preparation, packet level and more complex mitigations were unnecessary.

Multiple industries targeted

This attack targeted a large European bank, Financial Services is a frequently-targeted industry vertical.

The following chart shows attacks by Gbps (Y axis) and Mpps (Z size of the circles) over time (X axis) by industry. Both record pps attacks in 2020 were levied against Financial Services companies, but the green circle to the right of the graph—last week’s record-setting Mbps attack—was levied against a large Internet & Telecom company (a hosting provider).

The Akamai team said that mitigating such large attacks requires planning and expert resources. The process starts by understanding a given customer’s traffic in depth in order to identify normal or baseline traffic patterns and volumes, and configuring proactive mitigation controls.

The goal is to ensure that malicious traffic can be detected and mitigated successfully, without impacting legitimate traffic.

Deploying proactive mitigation controls has proven to be an extremely effective way to increase mitigation effectiveness for a large segment of attacks. However, proactive mitigation is just one example of the many tools and capabilities that security operations control center (SOCC) teams need to continually improve DDoS detection times and mitigation effectiveness.