AWS hit by Largest Reported DDoS Attack of 2.3 Tbps

Attack Shows it is Imperative for a DDoS Zero-Trust Approach and Continued Diligence

We have reached another milestone with the largest Distributed Denial of Service (DDoS) attack on record being reported by Amazon Web Services (AWS) at 2.3 Tbps in Q1 2020. This surpasses the last record attack by a whopping 70 percent. The previous record holder was the Memcached-based GitHub DDoS attack which measured 1.35 Tbps on Feb 28th 2018. Effectively, these headline-grabbing “performance gains” in DDoS attacks have been escalating steadily over the last four years, with a major high-profile attack every two years. This trend includes the watershed Mirai botnet attacks of 2016.

Arguably, Mirai represented the highest profile set of DDoS attacks with the “innovative” multi-vector botnet attack targeting security blogger, Brian Krebs, at 620 Mbps, and continued with the report the next month from the French hosting company OVH of 1.2 Tbps. This DDoS attack, at over a terabit per second, was the first ever seen. The Mirai botnet attack code was open-sourced, and to attempt to unsuccessfully hide its authors, many variants were created. These still plague us today. Each of these record-setting DDoS attack have been different, but each can help us learn to develop better defenses.

Is this Really the Largest DDoS Attack?

So, is this the largest attack? No, we at A10, have had first-hand customer reports of attacks larger than this just last year. However, this is the largest publicly disclosed attack on record to date, and thus, it represents an important milestone. Many organizations do not publicly disclose the extend or volume of attacks they experience. As an example, one hosting customer we have showed statistics of DDoS detections and mitigations totaling over 25,000 in a 90-day period. This is not typically disclosed, and the attacks are steadily absorbed into a well-planned DDoS defense infrastructure. With the increased focus on DDoS defense since the Mirai botnet attack, many organizations have deployed solutions to protect their users and networks, with most of the attacks mitigated and not reported. Preparation is key for anticipating the normal and seasonal attack types that your solution can handle, especially complex multi-vector attacks, and ensuring you have the latest information about the DDoS weapons that could threaten user experience and your brand. Ongoing threat research like A10’s DDoS Weapons Report, the AWS Shield Threat Landscape Report and others should be regular reading for DDoS defenders.

Takeaways from the CLDAP and mPPS

The reported AWS attack was based on a Connection-less Lightweight Directory Access Protocol (CLDAP) DDoS reflection attack, which combined with amplification attacks, are techniques expected for a high-volume attack. We continue to see reflection and amplification attacks as the weapon of choice, along with CLDAP and other common amplification attacks such as exposed UDP Portmap, DNS, NTP, SSDP, and SNMP UDP-based services. These attacks have two primary benefits: first, amplification of the attacker’s payload could generate 5x, 10x or 100x the traffic from their requests, and second, they can spoof to hide the attacker’s tracks while targeting the payloads at a specific target of their choice.

CLDAP is a known amplification tool, and while AWS does not offer many details in its report, we do know CLDAP is not one of the top DDoS weapons available today. The A10 threat research team analyzed information regarding the threat of CLDAP versus other DDoS weapons and it paints an interesting picture.

In the latest information from A10’s DDoS Weapons Report for Q2 2020, CLDAP does not make the top-five DDoS weapons. It is far less prevalent as an available weapon to exploit. We can see the amount of open CLDAP servers compared to the top-five is a fraction. For every CLDAP weapon there are 116 Portmap weapons. So, while it is a smaller attack surface, it is still highly exploitable, as the AWS DDoS attack showed.

 

DDoS Weapon Number of Weapons Weapons Frequency more than CLDAP
Portmap 1,818,848 116x
SNMP 1,673,070 107x
SSDP 1,671,128 107x
DNS Resolver 1,331,160 85x
TFTP 1,054,330 67x
CLDAP 15,651 0x

When we look at the top-five countries for all DDoS weapons, we see over 2 million weapons in the United States, but in comparison, we only see 1,294 CLDAP weapons. This is just 0.13 percent of those weapons. The lower numbers are not a huge surprise.  A couple of large cloud-hosting organizations, including Amazon, show a larger number of weapons than the typical high-profile networks (by ASN designation), which could point to the fact that these servers are inadvertently being advertised, and possibly not secured properly, by enterprise IT teams who have ported application workloads to the cloud.

Enterprises should tightly secure applications in multi-cloud environments using a zero-trust model, for example, to decide what should and should not be exposed. DDoS protection is another layer in a zero-trust model that can report on network anomalies, stop unwanted traffic, and mitigate attacks. In cloud environments, the shared-responsibility model should be employed as security is not just the provider’s responsibility. This, again, points to the need for a zero-trust security approach and mindset.

 

Top-10 Countries for CLDAP Weapons Top-5 Countries for DDoS Weapons
Country Unique Sources Country Unique Sources
Poland 2,122 United States 1,591,719
Ukraine 1,768 China 1,388,531
United States 1,294 Korea 776,327
Brazil 1,230 Russia 696,186
Netherlands 1,097 India 283,960
Romania 761
Czechia 644
Russia 544
Bulgaria 535
Mexico 437

While the throughput of the attack is often the focus as it is a big headline-grabbing number. However, the additional numbers from AWS Shield do also warn of other trends DDoS defenders need to plan for. We’ve often talked of mPPS (millions of packets per second) numbers as a key metric a DDoS solution should take into account. The Verizon Threat Report of 2014 showed alarming increases, and obviously those numbers are dwarfed now. That said, the steady increase is interesting. We see the CLDAP attack was a dramatic spike over the “largest bit rate (Tbps)” YoY/QoQ numbers by 188 percent and 283 percent respectively, but it’s also notable to look at the “largest packet rate (Mpps).”

Mpps increased a steady YoY/QoQ of 13 percent and 4 percent respectively. The real numbers come in for the periods of Q1 2019, Q4 2019, and Q1 2020, as 260.1M, 282.2M, and 293.1M. That is a lot of packets, and it is not abating. Now this was not necessarily because of the CLDAP attack, but the latest of these happened during the same quarter, reinforcing the need for a comprehensive DDoS protection strategy. Clearly, there are multiple peaks that must be conquered not just the headline-grabbing one.

What is CLDAP Attack and How to Protect Yourself

CLDAP, or Connection-less Lightweight Directory Access Protocol, is a UDP-based directory lookup protocol complementing the TCP-based LDAP protocol. CLDAP is designed to reduce the connection overheads at retrieving organizational resource information from a directory service database when using LDAP. As mentioned in the CLDAP RFC 3352, however, the CLDAP protocol was inherently designed with security vulnerabilities such as anonymous access, no integrity protection, and missing confidentiality protection. If the CLDAP server is not properly configured and is exposed to the internet, it will respond to any requests even if the CLDAP client is spoofed. The CLDAP responses could be as high as 56 to 70 times the original CLDAP request. This is known as a high amplification factor. Because of its high amplification factor, CLDAP servers are often exploited by the DDoS attackers for UDP reflected amplification attacks. At the time of this blog posting, A10 weapons intelligence is tracking 15,651 CLDAP servers open to the internet that could be used to trigger gigabits, if not terabits, of amplification attacks.

How to Protect from a CLDAP DDoS Attack

Since the reflected CLDAP packets all come with UDP port 389 as the UDP source port, blocking or rate-limiting port 389 traffic from the internet is an effective DDoS protection method to mitigate the CLDAP reflection and amplification attack, especially if it is not expected to receive CLDAP responses from the internet. Alternatively, TCP or encrypted LDAP configurations can be used.

While CLDAP is the attack du jour, the largest attacks have all used different attack vectors, so the next record DDoS attack is unlikely to be CLDAP, but it is likely to be a DDoS amplification and reflection attack, based on the top DDoS weapons we see quarter after quarter. Thus, it’s important to ensure that you have baselines for your traffic, practice zero-trust DDoS defense best practices, and keep up to date on the latest DDoS attack trends. Proactively protect your network so you do not become the next DDoS headline.

The A10 Thunder® Threat Protection System (TPS) provides scalable and automated DDoS Protection powered by AI and advanced machine learning to help you combat the growing problem of multi-vector and IoT DDoS attacks, avoiding business downtime, lost revenue, and damaged reputation.

This blog features data from a few sources. Thanks to Rex Chang for data on mitigating CLDAP attacks; Babur Khan for data and discussion from the Q2 2020 DDoS Weapons Report; Ahmed Abdelhalim for Thunder TPS customer trend insights; and, of course, Rich Groves and the A10 threat research team for the detailed information that empowered us to draw these conclusions.


|

June 24, 2020

About Paul Nicholson

Paul Nicholson brings 24 years of experience working with Internet and security companies in the U.S. and U.K. In his current position, Nicholson is responsible for global product marketing and strategy at San Jose, Calif.-based application networking and security leader A10 Networks. Prior to A10 Networks, Nicholson held various technical and management positions at Intel, Pandesic (the Internet company from Intel and SAP), Secure Computing, and various security start-ups. READ MORE