AWS hit by Largest Reported DDoS Attack of 2.3 Tbps
Attack Shows it is Imperative for a DDoS Zero-Trust Approach and Continued Diligence
We have reached another milestone with the largest Distributed Denial of Service (DDoS) attack on record being reported by Amazon Web Services (AWS) at 2.3 Tbps in Q1 2020. This surpasses the last record attack by a whopping 70 percent. The previous record holder was the Memcached-based GitHub DDoS attack which measured 1.35 Tbps on Feb 28th 2018.
Effectively, these headline-grabbing “performance gains” in DDoS attacks have been escalating steadily over the last four years, with a major high-profile attack every two years. This trend includes the watershed Mirai botnet attacks of 2016.
Arguably, Mirai represented the highest profile set of DDoS attacks with the “innovative” multi-vector botnet attack targeting security blogger, Brian Krebs, at 620 Mbps, and continued with the report the next month from the French hosting company OVH of 1.2 Tbps.
This DDoS attack, at over a terabit per second, was the first ever seen. The Mirai botnet attack code was open-sourced, and to attempt to unsuccessfully hide its authors, many variants were created. These still plague us today. Each of these record-setting DDoS attack have been different, but each can help us learn to develop better defenses.
Is this Really the Largest DDoS Attack?
So, is this the largest attack? No, we at A10, have had first-hand customer reports of DDoS attacks larger than this just last year. However, this is the largest publicly disclosed attack on record to date, and thus, it represents an important milestone. Many organizations do not publicly disclose the extend or volume of attacks they experience. As an example, one hosting customer we have showed statistics of DDoS detections and mitigations totaling over 25,000 in a 90-day period.
This is not typically disclosed, and the attacks are steadily absorbed into a well-planned DDoS defense infrastructure. With the increased focus on DDoS defense since the Mirai botnet attack, many organizations have deployed solutions to protect their users and networks, with most of the attacks mitigated and not reported. Preparation is key for anticipating the normal and seasonal attack types that your solution can handle, especially complex multi-vector attacks, and ensuring you have the latest information about the DDoS weapons that could threaten user experience and your brand. Ongoing threat research like A10’s DDoS Weapons Report, the AWS Shield Threat Landscape Report and others should be regular reading for DDoS defenders.
Takeaways from the CLDAP and mPPS
The reported AWS attack was based on a Connection-less Lightweight Directory Access Protocol (CLDAP) DDoS reflection attack, which combined with amplification attacks, are techniques expected for a high-volume attack. We continue to see reflection and amplification attacks as the weapon of choice, along with CLDAP and other common amplification attacks such as exposed UDP Portmap, DNS, NTP, SSDP, and SNMP UDP-based services. These attacks have two primary benefits: first, amplification of the attacker’s payload could generate 5x, 10x or 100x the traffic from their requests, and second, they can spoof to hide the attacker’s tracks while targeting the payloads at a specific target of their choice.
CLDAP is a known amplification tool, and while AWS does not offer many details in its report, we do know CLDAP is not one of the top DDoS weapons available today. The A10 threat research team analyzed information regarding the threat of CLDAP versus other DDoS weapons and it paints an interesting picture.
In the latest information from A10’s DDoS Weapons Report, CLDAP does not make the top-five DDoS weapons. It is far less prevalent as an available weapon to exploit. We can see the amount of open CLDAP servers compared to the top-five is a fraction. For every CLDAP weapon there are 116 Portmap weapons. So, while it is a smaller attack surface, it is still highly exploitable, as the AWS DDoS attack showed.
| DDoS Weapon | Number of Weapons | Weapons Frequency more than CLDAP |
|---|---|---|
| Portmap | 1,818,848 | 116x |
| SNMP | 1,673,070 | 107x |
| SSDP | 1,671,128 | 107x |
| DNS Resolver | 1,331,160 | 85x |
| TFTP | 1,054,330 | 67x |
| CLDAP | 15,651 | 0x |
When we look at the top-five countries for all DDoS weapons, we see over 2 million weapons in the United States, but in comparison, we only see 1,294 CLDAP weapons. This is just 0.13 percent of those weapons. The lower numbers are not a huge surprise. A couple of large cloud-hosting organizations, including Amazon, show a larger number of weapons than the typical high-profile networks (by ASN designation), which could point to the fact that these servers are inadvertently being advertised, and possibly not secured properly, by enterprise IT teams who have ported application workloads to the cloud.
Enterprises should tightly secure applications in multi-cloud environments using a zero-trust model, for example, to decide what should and should not be exposed. DDoS protection is another layer in a zero-trust model that can report on network anomalies, stop unwanted traffic, and mitigate attacks. In cloud environments, the shared-responsibility model should be employed as security is not just the provider’s responsibility. This, again, points to the need for a zero-trust security approach and mindset.
| Top-10 Countries for CLDAP Weapons | Top-5 Countries for DDoS Weapons | ||
|---|---|---|---|
| Country | Unique Sources | Country | Unique Sources |
| Poland | 2,122 | United States | 1,591,719 |
| Ukraine | 1,768 | China | 1,388,531 |
| United States | 1,294 | Korea | 776,327 |
| Brazil | 1,230 | Russia | 696,186 |
| Netherlands | 1,097 | India | 283,960 |
| Romania | 761 | ||
| Czechia | 644 | ||
| Russia | 544 | ||
| Bulgaria | 535 | ||
| Mexico | 437 | ||
While the throughput of the attack is often the focus as it is a big headline-grabbing number. However, the additional numbers from AWS Shield do also warn of other trends DDoS defenders need to plan for. We’ve often talked of mPPS (millions of packets per second) numbers as a key metric a DDoS solution should take into account. The Verizon Threat Report of 2014 showed alarming increases, and obviously those numbers are dwarfed now. That said, the steady increase is interesting. We see the CLDAP attack was a dramatic spike over the “largest bit rate (Tbps)” YoY/QoQ numbers by 188 percent and 283 percent respectively, but it’s also notable to look at the “largest packet rate (Mpps).”
Mpps increased a steady YoY/QoQ of 13 percent and 4 percent respectively. The real numbers come in for the periods of Q1 2019, Q4 2019, and Q1 2020, as 260.1M, 282.2M, and 293.1M. That is a lot of packets, and it is not abating. Now this was not necessarily because of the CLDAP attack, but the latest of these happened during the same quarter, reinforcing the need for a comprehensive DDoS protection strategy. Clearly, there are multiple peaks that must be conquered not just the headline-grabbing one.
What is CLDAP Attack and How to Protect Yourself
CLDAP, or Connection-less Lightweight Directory Access Protocol, is a UDP-based directory lookup protocol complementing the TCP-based LDAP protocol. CLDAP is designed to reduce the connection overheads at retrieving organizational resource information from a directory service database when using LDAP. As mentioned in the CLDAP RFC 3352, however, the CLDAP protocol was inherently designed with security vulnerabilities such as anonymous access, no integrity protection, and missing confidentiality protection.
If the CLDAP server is not properly configured and is exposed to the internet, it will respond to any requests even if the CLDAP client is spoofed. The CLDAP responses could be as high as 56 to 70 times the original CLDAP request. This is known as a high amplification factor. Because of its high amplification factor, CLDAP servers are often exploited by the DDoS attackers for UDP reflected amplification attacks. At the time of this blog posting, A10 weapons intelligence is tracking 15,651 CLDAP servers open to the internet that could be used to trigger gigabits, if not terabits, of amplification attacks.
How to Protect from a CLDAP DDoS Attack
Since the reflected CLDAP packets all come with UDP port 389 as the UDP source port, blocking or rate-limiting port 389 traffic from the internet is an effective DDoS protection method to mitigate the CLDAP reflection and amplification attack, especially if it is not expected to receive CLDAP responses from the internet. Alternatively, TCP or encrypted LDAP configurations can be used.
While CLDAP is the attack du jour, the largest attacks have all used different attack vectors, so the next record DDoS attack is unlikely to be CLDAP, but it is likely to be a DDoS amplification and reflection attack, based on the top DDoS weapons we see quarter after quarter. Thus, it’s important to ensure that you have baselines for your traffic, practice zero-trust DDoS defense best practices, and keep up to date on the latest DDoS attack trends. Proactively protect your network so you do not become the next DDoS headline.
How A10 Can Help
A10 Defend provides scalable and automated DDoS Protection powered by AI and advanced machine learning to help you combat the growing problem of multi-vector and IoT DDoS attacks, avoiding business downtime, lost revenue, and damaged reputation.