European Bank Targeted in Massive Packet-Based DDoS AttackAkamai Describes Unusual Approach Taken in This Incident
A massive distributed denial-of-service attack generating 809 million packets per second was recently directed against a large European bank, according to the security firm Akamai.
Akamai researchers call the incident a strong indicator that DDoS attacks are still an important attack vector for cybercriminals and should remain a top security concern for companies.
The previous known record for this type of DDoS attack is 500 million packets per second in a January 2019 incident, according to Imperva.
In the European bank incident, which was launched against an Akamai customer that the company didn’t identify, analysts were surprised at how fast the attack scaled, jumping from a normal traffic level of 418 GB per second to 809 million packets per second in just two minutes, with the entire attack lasting for less than 10 minutes, according to the report.
Akamai helped the bank mitigate the attack, so there was no disruption to the bank's network or services and no damage to its infrastructure, says Roger Barranco, vice president of Akamai's global security operations.
One unusual aspect of this attack was the botnet army used against the bank's network appeared to be new. Akamai notes that over 96% of the IP addresses utilized against the bank had not been used in other recent attacks.
"We had observed a number of different attack vectors coming from the 3.8% of remaining source IPs, both matching the single attack vector seen in this attack and aligned to others. In this case, most of the source IPs could be identified within large internet service providers via autonomous system lookups, which is indicative of compromised end-user machines," Thomas Emmons, a principal product architect with Akamai, notes in the report.
PPS vs. BPS
In the bank incident, the attackers used a packet per second, or PPS, method instead of the more commonly used bits per second, or BPS, method.
In the BPS approach, the attacker's goal is to overwhelm the inbound internet pipeline, sending more traffic to a circuit than it’s designed to handle, according to the report.
Akamai believes the attackers went with a PPS attack to overwhelm the target's DDoS mitigation systems via a high PPS load.
A PPS attack is designed to overwhelm a network's gear and applications in the customer’s data center or cloud environment, the report notes. A PPS attack exhausts the resources of the gear, rather than the capability of the circuits – as in a BPS attack.
"One way to think about the difference in DDoS attack types is to imagine a grocery store checkout,” Emmons explains. “A high-bandwidth attack, measured in bps, is like a thousand people showing up in line, each one with a full cart ready to check out. However, a PPS-based attack is more like a million people showing up, each to buy a pack of gum. In both cases, the final result is a service or network that cannot handle the traffic thrown at it."
The European bank DDoS attack used packets of just 1 byte, each sent with a massive increase in the number of source IP addresses, the report notes.
"The number of source IPs that registered traffic to the customer destination increased substantially during the attack, indicating that it was highly distributed in nature. We saw upward of 600x the number of source IPs per minute, compared to what we normally observe for this customer destination," according to the Akamai report.
Past DDoS Attacks
The largest DDoS attack ever recorded struck Amazon Web Services in February. The company's infrastructure was hit with a 2.3 TB per second - or 20.6 million requests per second - assault, according Amazon, which posted a report about the incident.
Earlier in June, Akamai reported a DDoS attack of 385 million packets per second launched against an internet service provider that used nine attack vectors and multiple botnet attack tools, according to a company blog.
The massive Mirai DDoS attacks took down large portions of the internet in October 2016 by taking advantage of vulnerabilities in hundreds of thousands of compromised internet of things devices (see: Mirai Botnet Pummels Internet DNS in Unprecedented Attack).