On June 21, 2020, Akamai mitigated the largest packet per second (PPS) distributed denial-of-service (DDoS) attack ever recorded on the Akamai platform. The attack generated 809 million packets per second (Mpps), targeting a large European bank.
We believe this is a new industry record for PPS-focused attacks, and well over double the size of the previous high-water mark on the Akamai platform, just one week after Akamai announced another massive DDoS attack. Looking holistically at DDoS activity since the onset of 2020, it is clear that large, sophisticated DDoS attacks are still a significant attack vector, and as we’ll show later in this writeup, a concern for companies across many industry verticals.
BPS vs. PPS
DDoS attacks are almost always volumetric in nature, and generally measured in bits per second (bps). The DDoS attacker’s goal is to overwhelm the inbound internet pipeline, sending more traffic to a circuit than it is designed to handle. In contrast, PPS-focused attacks are largely designed to overwhelm network gear and/or applications in the customer’s data center or cloud environment. Both are volumetric, but PPS attacks exhaust the resources of the gear, rather than the capability of the circuits — and these are much less common than BPS attacks.
One way to think about the difference in DDoS attack types is to imagine a grocery store checkout. A high-bandwidth attack, measured in bps, is like a thousand people showing up in line, each one with a full cart ready to check out. However, a PPS-based attack is more like a million people showing up, each to buy a pack of gum. In both cases, the final result is a service or network that cannot handle the traffic thrown at it.
This latest attack was clearly optimized to overwhelm DDoS mitigation systems via high PPS load. As you can see in the packet capture below, the packets sent carried a meager 1 byte payload (for a total packet size of 29 with IPv4 headers), making it appear like every other one of its several billion peers.
Source IP Explosion
What was unique about the packets being sent was the massive increase in the amount of source IP addresses we observed.
The number of source IPs that registered traffic to the customer destination increased substantially during the attack, indicating that it was highly distributed in nature. We saw upward of 600x the number of source IPs per minute, compared to what we normally observe for this customer destination.
Beyond just the volume of IP addresses, the vast majority of the attack traffic was sourced from IPs that we have not recorded in prior 2020 attacks, indicating an emerging botnet. Akamai tracks hundreds of thousands of source IPs leveraged in DDoS attacks, tens of thousands of which have been seen in multiple attacks.
It was highly unusual that 96.2% of source IPs were observed for the first time (or at a minimum, were not being tracked as being part of attacks in recent history). We had observed a number of different attack vectors coming from the 3.8% of remaining source IPs, both matching the single attack vector seen in this attack and aligned to others. In this case, most of the source IPs could be identified within large internet service providers via autonomous system (AS) lookups, which is indicative of compromised end-user machines.
The June 21 attack was remarkable not only for its size, but also because of the speed at which it reached its peak. The attack grew from normal traffic levels to 418 Gbps in seconds, before reaching its peak size of 809 Mpps in approximately two minutes. In total, the attack lasted slightly less than 10 minutes.
While this attack was fully mitigated by Akamai’s proactive mitigation controls, we were able to leverage our behavioral mitigation recommendation engine to further analyze additional attack dimensions. In this case, the attack showed swings from clean traffic baseline norms in protocol, destination port, packet length, and geolocation, and we found three key takeaways:
- Any of the highlighted methods could have effectively blocked the attack with no collateral damage
- Our featured 0-second SLA controls already include these frequently seen attack vectors
- Due to our analysis of customer clean traffic baselines and preparation, packet level and more complex mitigations were unnecessary
Multiple Industries Targeted by Large DDoS Attacks
This attack targeted a large European bank, and as seen in the pink bubbles in the graph below, Financial Services is a frequently targeted industry vertical. The graph shows attacks by Gbps (Y axis) and Mpps (Z size of the circles) over time (X axis) by industry. Both record PPS attacks in 2020 were levied against Financial Services companies, but as you can see in the green circle to the top right of the graph, last week’s record-setting Mbps attack was levied against a large Internet & Telecom company — a hosting provider, in that example.
Successfully mitigating these large attacks requires planning and expert resources. The process starts by understanding a given customer’s traffic in depth, in order to identify normal or baseline traffic patterns and volumes, and configure proactive mitigation controls. The goal is to ensure that malicious traffic can be detected and mitigated successfully, without impacting legitimate traffic.
Deploying proactive mitigation controls has proven to be an extremely effective way to increase mitigation effectiveness for a large segment of attacks. However, proactive mitigation is just one example of the many tools and capabilities that Akamai’s Security Operations Command Center (SOCC) team employs to continually improve DDoS detection times and mitigation effectiveness.
Akamai continues to detect and successfully mitigate DDoS attacks with an industry-leading SLA. We have been able to mitigate the largest attacks due to our unique combination of technology, people, and processes. From Akamai’s perspective, and specifically for our SOCC team, yet another large DDoS attack is just another day at work — where a combination of automatic and human mitigation makes the internet a safer place.