DDoS attacks are not only on the rise—they’re also bigger and more devastating than ever before. From independent websites to multinational banks, it seems like no one is immune.
In fact, a 2017 report from Cisco projected that the number of DDoS attacks exceeding 1 gigabit per second of traffic will rise to 3.1 million per year by 2021, a 2.5-fold increase over 2016.
However, attackers aren’t the only ones who are capable of adapting. By examining five of the most famous DDoS attacks in recent history, you can learn how to better protect yourself in the future.
Let’s look at the most famous DDoS attacks and the lessons they have to offer.
What is a DDoS Attack?
Before we dive into the five most famous DDoS attacks, let's first review what a DDoS attack is.
DDoS stands for Distributed Denial of Service. In a DDoS attack, a large number of compromised internet-connected machines (bots), anywhere from hundreds to hundreds of thousands, flood a single server, network or application with more requests, packets or messages than it can handle, so that legitimate users such as employees or customers are denied service.
Usually, attackers assemble the capacity for a DDoS attack by first compromising a single computer system. The attacker's system then becomes the DDoS master and is used to find and compromise other vulnerable systems, turning them into bots.
The attacker directs those bots through a command-and-control (C2) server; the collection of bots under that control is the botnet. At that point, all the attacker has to do is tell the bots who to target. Some of the largest attacks described below used no botnet of their own at all: the attacker sent requests with the victim's forged source address to ordinary public servers, which then delivered their replies to the victim.
Who would carry out a DDoS attack? As it turns out, the answer includes many different types of bad actors such as cyber-criminals or disgruntled employees. Perpetrators execute DDoS attacks for a variety of reasons, such as extortion, revenge, or politics.
DDoS attacks are measured by how many bits (binary digits) of traffic they send at the target per second—for example, a small attack might measure only a few megabits per second (Mbps), while larger attacks might measure several hundred gigabits per second (Gbps), or even more than one terabit per second (Tbps).
It's important to note that not all DDoS attacks are bandwidth focused. Network protocol attacks such as SYN floods use relatively little bandwidth but send very many packets per second (PPS), exhausting connection state tables and packet-processing capacity rather than link capacity, so they are measured in PPS rather than bits per second. A mitigation that is sized only in Gbps can still be overwhelmed by a small-packet flood.
The Security Threat of a DDoS Attack
In many cases a DDoS attack is merely a distraction from other criminal activity, such as data theft or network infiltration: while the target's security team is busy fighting off the flood, the attacker quietly plants malware or moves data out. A DDoS incident is therefore a reason to increase, not suspend, monitoring elsewhere on the network.
Five Most Famous DDoS Attacks
In recent years, DDoS attacks have only been increasing in both frequency and severity. Here, we’ll examine five of the largest and most famous DDoS attacks.
1. GitHub: 1.35 Tbps
On Feb. 28, 2018, GitHub, a popular developer platform, was hit with a sudden onslaught of traffic that peaked at 1.35 terabits per second and 126.9 million packets per second. If that sounds like a lot, that's because it is: at the time it was the largest DDoS attack on record. The traffic was memcached amplification: small UDP requests with GitHub's forged source address were sent to memcached servers left exposed on the internet, and each server answered GitHub with responses tens of thousands of times larger than the request.
According to GitHub, the traffic was traced back to “over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.”
GitHub's incident report includes a graph of inbound traffic for the period; the attack peak dwarfs the normal traffic baseline.
Notably, GitHub was not unprepared for a DDoS attack; it simply had no way of knowing that an attack of this scale would be launched.
As GitHub explained in its incident report, "Over the past year we have deployed additional transit to our facilities. We've more than doubled our transit capacity during that time, which has allowed us to withstand certain volumetric attacks without impact to users…. Even still, attacks like this sometimes require the help of partners with larger transit networks to provide blocking and filtering."
2. Occupy Central, Hong Kong: 500 Gbps
The PopVote DDoS attack was carried out in 2014 and targeted the Hong Kong-based grassroots movement known as Occupy Central. The movement was campaigning for a more democratic voting system.
In response to their activities, attackers sent large amounts of traffic to three of Occupy Central's web hosting services, as well as to two independent sites: PopVote, an online mock-election site, and Apple Daily, a news site. Neither was owned by Occupy Central, but both openly supported its cause. Presumably, those responsible were reacting to Occupy Central's pro-democracy message.
The attack barraged servers with packets disguised as legitimate traffic and was executed with not one, not two, but five botnets. This resulted in peak traffic levels of 500 gigabits per second.
3. CloudFlare: 400 Gbps
In 2014, security provider and content delivery network CloudFlare was slammed by approximately 400 gigabits per second of traffic. The attack was directed at a single CloudFlare customer, targeted servers in Europe, and was launched by abusing the Network Time Protocol (NTP), the protocol that synchronizes computer clocks: older NTP servers answer the unauthenticated "monlist" query with a list of up to 600 recent clients, a reply hundreds of times larger than the request that triggered it. Even though the attack was directed at just one of CloudFlare's customers, it was so powerful that it affected CloudFlare's own network.
This attack illustrated reflection: the attacker sends requests to many NTP servers with the source address forged to be the victim's, so the servers deliver their much larger responses to the victim. The attacker never has to send the attack volume itself, and because each reply is larger than the request, the traffic is amplified as well as reflected. The practical check for anyone running a UDP service is whether it will answer an unauthenticated query from an arbitrary source with a reply larger than the query; for NTP that means disabling the monitor facility or restricting mode 7 queries in the server configuration, or upgrading to a version without monlist.
Shortly after the attack, the U.S. Computer Emergency Readiness Team (US-CERT) explained that NTP amplification attacks are "especially difficult to block" because "responses are legitimate data coming from valid servers."
4. Spamhaus: 300 Gbps
In 2013, a DDoS attack was launched against Spamhaus, a nonprofit that maintains spam and threat block lists. Although Spamhaus, as an anti-spam organization, was and is regularly threatened and attacked, this DDoS attack was large enough to knock its website offline, along with part of its email services.
Like the 2014 attack on CloudFlare mentioned above, this attack used reflection, in this case through open DNS resolvers, to overload Spamhaus's servers with 300 gigabits of traffic per second.
The attack was attributed to a person associated with a Dutch hosting company named CyberBunker, who seemingly targeted Spamhaus after it blacklisted CyberBunker's address space.
5. U.S. Banks: 60 Gbps
In 2012, not one, not two, but a whopping six U.S. banks were targeted by a string of DDoS attacks. The victims were no small-town banks either: they included Bank of America, JP Morgan Chase, U.S. Bancorp, Citigroup, PNC Bank and Wells Fargo.
The attacks were carried out by hundreds of hijacked web servers, which together produced peak floods of more than 60 gigabits of traffic per second; compromised servers have far more upstream bandwidth than the home PCs of a typical botnet.
At the time, these attacks were unique in their persistence: rather than executing one attack and then backing down, the perpetrator(s) barraged their targets with a multitude of methods in order to find one that worked. So even if a bank was equipped to deal with a few types of DDoS attack, it could still be taken down by another.
How to Prevent DDoS Attacks
As you can see after examining the five most famous attacks, DDoS attacks aren't going away. In fact, they're only growing larger and more destructive. So the best thing you can do to avoid becoming a victim yourself is to learn from attacks that have already happened.
Here’s how you can start thinking about DDoS protection:
Choose a Deployment Mode
There are benefits to both proactive and reactive DDoS deployment modes, and which one you choose depends on your business goals.
A proactive mode delivers the highest-resolution detection and is commonly used for real-time applications such as voice, video and gaming. In a proactive mode, detection is always on: an inline tool sits in the traffic path and gives 100 percent visibility through packet analysis, so it can start dropping attack traffic within the same second it appears.
A reactive mode, on the other hand, detects anomalies out of path by analyzing metadata, chiefly the flow data exported by switches and edge routers. A reactive mode is more cost-effective than a proactive one, but it cannot respond in real time: flow export and analysis introduce a delay of seconds to minutes, and mitigation must then be triggered separately, for example by diverting the victim's traffic to a scrubbing center.
Recommended Deployment Architecture for Business Objectives
|Volumetric attack protection||✔|
|Protect critical DNS services||✔|
|Protect real-time IMS infrastructure||✔|
|Protect internal hosted clients||✔||✔|
|Protect external hosted clients||✔|
|Business customer scrubbing service||✔|
|Managed security services||✔|
DDoS Detection Methods
When it comes to DDoS detection, there are many different methods to choose from, such as:
- Flow Sampling: In flow sampling, the router samples one packet in every N and exports a datagram containing information about the sampled packets (addresses, ports, protocol and sizes). Nearly all routers support this, and it scales to very high link speeds, making it a popular choice. However, it gives you only a statistical snapshot of your traffic: the collector must scale the sample counts back up by the sampling rate, small attacks can hide below the sampling noise, and per-packet payload analysis is impossible.
- Packet Analysis: When a high-performance DDoS mitigation device is deployed in-path, it can detect and mitigate anomalies immediately, since it sees every packet. Such a device continuously processes all incoming traffic and may also process all outgoing traffic; these are known as asymmetric and symmetric processing, respectively. Symmetric processing lets the device see both halves of a conversation, which is what makes it possible to tell a real client from a spoofed one.
- Mirrored Data Packets: A switch port mirror (SPAN) or a network TAP copies every packet to an analyzer that sits outside the traffic path. This provides full detail for in-depth analysis and detects anomalies quickly without adding latency or a point of failure, but because every packet must be copied and processed, it can be difficult to scale to large networks.
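The following is an added example, not code from the original article or from any product it describes. It shows what a reactive, flow-sampling detector actually has to do with the records it receives, and it targets the reflection pattern seen in the NTP and DNS attacks above: many distinct "sources" that are really reflectors, all answering from the same well-known UDP service port to a destination that never asked. The record format, the addresses, the sampling rate and the thresholds are all constructed for the example.

```python
"""Reactive, flow-based DDoS detection over sampled flow records.

Added example, not code from the original article or any product it
describes. A router exporting 1-in-N sampled flow data (sFlow/NetFlow style)
gives the detector a cheap but coarse view: the collector scales each sample
back up by the sampling rate, then looks for (a) volumetric floods by packets
and bits per second towards one destination, and (b) reflection, i.e. many
reflectors on one UDP service port supplying most of a destination's bytes.
The record format and all addresses below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP service ports commonly abused as reflectors (assumed list for the example).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst proto sport dport bytes' sample."""
    src, dst, proto, sport, dport, nbytes = line.split()
    return Flow(src, dst, proto.upper(), int(sport), int(dport), int(nbytes))


def analyze(flows, sampling_rate, window_s, pps_threshold, bps_threshold, min_reflectors):
    """Return {destination: [reasons]} for every destination seen in the window.

    Each sampled record stands for roughly `sampling_rate` packets, so counts are
    scaled before being compared with thresholds expressed in real pps and bps.
    """
    stats = defaultdict(lambda: {
        "pkts": 0, "bytes": 0,
        "refl_srcs": defaultdict(set),   # service port -> distinct reflector sources
        "refl_bytes": defaultdict(int),  # service port -> scaled bytes from that port
    })
    for f in flows:
        s = stats[f.dst]
        s["pkts"] += sampling_rate
        s["bytes"] += f.nbytes * sampling_rate
        if f.proto == "UDP" and f.sport in REFLECTOR_PORTS:
            s["refl_srcs"][f.sport].add(f.src)
            s["refl_bytes"][f.sport] += f.nbytes * sampling_rate

    verdicts = {}
    for dst, s in stats.items():
        pps = s["pkts"] / window_s
        bps = s["bytes"] * 8 / window_s
        reasons = []
        if pps >= pps_threshold:
            reasons.append(f"volumetric: {pps:.0f} pps")
        if bps >= bps_threshold:
            reasons.append(f"volumetric: {bps / 1e6:.1f} Mbps")
        for port, srcs in s["refl_srcs"].items():
            # Reflection: many reflectors on one service port supplying over half the bytes.
            if len(srcs) >= min_reflectors and s["refl_bytes"][port] * 2 > s["bytes"]:
                reasons.append(f"{REFLECTOR_PORTS[port]} reflection from {len(srcs)} reflectors")
        verdicts[dst] = reasons
    return verdicts


def constructed_samples():
    """Ten seconds of 1:1000 sampled flows, made up for this example."""
    lines = []
    # Ordinary HTTPS clients and two DNS replies towards the web server.
    for i in range(5):
        lines.append(f"203.0.113.{10 + i} 198.51.100.10 TCP {51000 + i} 443 1200")
    lines += ["192.0.2.53 198.51.100.10 UDP 53 33000 120"] * 2
    # NTP reflection: 40 distinct servers answer from port 123 with large replies
    # to a host whose address was forged in the requests.
    for i in range(40):
        lines.append(f"192.0.2.{100 + i} 198.51.100.20 UDP 123 {40000 + i} 468")
    return [parse_flow(line) for line in lines]


def run_demo():
    return analyze(constructed_samples(), sampling_rate=1000, window_s=10,
                   pps_threshold=2000, bps_threshold=10_000_000, min_reflectors=20)


if __name__ == "__main__":
    for dst, reasons in run_demo().items():
        print(dst, "->", reasons or ["normal"])
```

The reflector check keys on the source port rather than the destination port because the victim sees replies, not requests: a flood of packets from UDP port 123 to a host that runs no NTP client is the signature, and counting distinct sources separates it from one misbehaving server. The scaled-up counts also show why flow sampling has limited resolution: at 1:1000 a single sample already represents a thousand packets, so anything smaller than a few thousand packets per window is invisible.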
Scalability of Analytics for your DDoS Defense
No matter which deployment mode and detection method you've chosen, it will all be for naught if you can't scale up to protect your entire network. After all, DDoS attacks work because of the sheer amount of traffic they can throw your way, so your mitigation system needs to handle large numbers of packets, not just large numbers of bits.
You should also keep the scalability of your analytics infrastructure in mind. For example, flow sampling scales easily but sacrifices granularity and mitigation speed, while mirrored data packets provide granularity but don't tend to scale well.
Choosing the Best DDoS Protection
With so many choices, it’s not always easy to choose a DDoS protection solution that’s right for both your company and budget.
Here are some things you should look for when selecting a solution:
- Precision: When protecting yourself against DDoS attacks, it may seem that a solution's precision is secondary to its ability to batten down the hatches and weather the storm. That couldn't be farther from the truth: a blunt mitigation that drops legitimate users completes the attacker's job for them. To defend your network effectively, a solution must parse traffic precisely enough to distinguish attacking bots from legitimate users.
- Form factor: Some DDoS solutions are offered as a one-size-fits-all product, which is often cost-prohibitive for smaller organizations and inadequate for very large ones. So look for a solution that offers a variety of form factors.
- Scalability and breadth: Depending on what type of business you're in, you may depend on your DDoS solution to protect many downstream business customers. A good solution should therefore be capable of protecting your customers as well as your own infrastructure.
- Deployment flexibility: As mentioned earlier, there are two deployment modes, proactive and reactive. Neither is inherently better than the other, and each serves a valuable purpose depending on your goals, so ensure that the solution you choose can operate in either mode.
- Automated escalation response: Efficiency is important in all aspects of business, and your DDoS solution is no exception. It should recognize the difference between run-of-the-mill traffic and a full-out DDoS attack and adjust its mitigations accordingly, escalating as an attack grows and standing down when it subsides, without an operator in the loop for every step.
- Programmable API: While it's important for a DDoS solution to be easy to use, it's equally important that it expose a fully customizable application programming interface (API). A programmable API facilitates automation and the speedy delivery of defenses, applications and virtual infrastructure, which is crucial for organizations using agile SecOps or DevOps models.
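The following is an added example, not code from the original article or from any vendor product it describes, of the automated escalation behaviour just listed, as it would be implemented in an always-on inline (proactive) sensor of the kind described earlier. The baseline, the threshold multipliers, the timers and the one-second traffic trace are constructed values for the example.

```python
"""Automated escalation for an inline (proactive) DDoS mitigator.

Added example, not code from the original article or any product it
describes. An always-on inline sensor measures packets per second towards a
protected destination and keeps a baseline of normal traffic. The mitigator
steps up from monitoring to rate limiting to scrubbing as the observed rate
reaches multiples of that baseline, and steps back down only after a
cooldown, so a momentary spike or a brief lull does not flap the defence on
and off. Thresholds and the traffic trace below are constructed values.
"""
from enum import IntEnum


class Level(IntEnum):
    MONITOR = 0     # observe only
    RATE_LIMIT = 1  # cap traffic to the destination at the edge
    SCRUB = 2       # divert to a scrubbing path / larger upstream partner


class EscalatingMitigator:
    def __init__(self, baseline_pps, alpha=0.2, limit_factor=3.0,
                 scrub_factor=10.0, trigger_secs=2, cooldown_secs=5):
        self.baseline = float(baseline_pps)  # EWMA of normal pps
        self.alpha = alpha                   # EWMA weight of the newest second
        self.limit_factor = limit_factor     # x baseline -> rate limit
        self.scrub_factor = scrub_factor     # x baseline -> scrub
        self.trigger_secs = trigger_secs     # seconds above threshold before escalating
        self.cooldown_secs = cooldown_secs   # seconds below threshold before de-escalating
        self.level = Level.MONITOR
        self._above = 0  # consecutive seconds calling for a higher level
        self._calm = 0   # consecutive seconds calling for a lower level

    def _wanted(self, pps):
        if pps >= self.baseline * self.scrub_factor:
            return Level.SCRUB
        if pps >= self.baseline * self.limit_factor:
            return Level.RATE_LIMIT
        return Level.MONITOR

    def observe(self, pps):
        """Feed one second of measured traffic; return the mitigation level now in force."""
        wanted = self._wanted(pps)
        if wanted > self.level:
            self._above += 1
            self._calm = 0
            if self._above >= self.trigger_secs:
                self.level = wanted          # jump straight to the level the rate demands
                self._above = 0
        elif wanted < self.level:
            self._calm += 1
            self._above = 0
            if self._calm >= self.cooldown_secs:
                self.level = Level(self.level - 1)  # relax one step at a time
                self._calm = 0
        else:
            self._above = self._calm = 0
        # Learn the baseline only from seconds judged normal while no mitigation is
        # active; otherwise a slowly rising flood would teach the sensor to accept itself.
        if self.level == Level.MONITOR and wanted == Level.MONITOR:
            self.baseline += self.alpha * (pps - self.baseline)
        return self.level


# Constructed one-second pps readings: normal traffic, a rising flood, then a lull.
TRACE_PPS = [900, 1100, 5000, 5200, 20000, 25000, 30000, 2000, 1500, 1200, 1000, 1000, 1000]


def run_demo(trace=TRACE_PPS):
    """Return (mitigation level per second, final learned baseline) for the trace."""
    m = EscalatingMitigator(baseline_pps=1000, cooldown_secs=3)
    levels = [int(m.observe(pps)) for pps in trace]
    return levels, m.baseline


if __name__ == "__main__":
    levels, baseline = run_demo()
    for sec, (pps, lvl) in enumerate(zip(TRACE_PPS, levels)):
        print(f"t={sec:2d}s pps={pps:6d} level={Level(lvl).name}")
    print(f"baseline after run: {baseline:.0f} pps")
```

Two design choices matter more than the exact numbers. Escalation requires the threshold to be exceeded for several consecutive seconds, while de-escalation requires a longer cooldown and moves one level at a time, so the defence ramps up quickly but relaxes cautiously. And the baseline is frozen the moment traffic looks abnormal: an adaptive baseline that keeps learning during an attack will drift upward until the attack itself counts as normal.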
If you hold out for a solution that meets all of those requirements, you’ll be much better protected against DDoS attacks. It’s clear that DDoS attacks are only becoming larger and more powerful as time goes on, but luckily, so are DDoS solutions.