The most recent Gcore Radar report and its aftermath highlighted a dramatic increase in DDoS attacks across many industries. At the beginning of 2023 the average attack size was around 800 Gbps; now a peak of 1.5+ Tbps no longer comes as a surprise. To try to break Gcore's defenses, the perpetrators made two attempts using two different strategies. Read on to find out what happened and how the security provider stopped the attackers in their tracks without affecting end users' experience.
A Powerful DDoS Attack
In November 2023, one of Gcore's customers from the gaming industry was targeted by two massive DDoS attacks, peaking at 1.1 and 1.6 Tbps respectively. The attackers deployed different techniques in an unsuccessful attempt to overwhelm Gcore's protection mechanism.
Attack #1: 1.1 Tbps UDP-based DDoS
In the first attack, the attackers sent a barrage of UDP traffic to a target server, peaking at 1.1 Tbps. Two techniques were combined:
- Random UDP source ports, in the hope of bypassing conventional filtering mechanisms that key on port numbers.
- Spoofed source IP addresses, which hide the true origin of the traffic and make per-source rate limits ineffective, since each forged address is seen only a handful of times.
This is a classic flooding (or volumetric) attack: the attackers try to consume all the available bandwidth into the data center or network, flooding the target servers with traffic and making them unavailable to legitimate users.
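The two techniques above are aimed at exactly the filters a network operator reaches for first. The following added example (written for this article, not Gcore's code) shows why a per-source packet quota never fires against spoofed, random-port traffic, and how an aggregate view of one window towards the target, packet rate plus the entropy of the source ports, separates the flood from the game clients. The packet records, the target address 203.0.113.10:27015 and the thresholds are constructed for the example.

```python
"""Detect a UDP flood that spreads itself over random source ports and spoofed
source addresses, so that per-source rate limits never trigger.
Added example; the packet records below are constructed, not captured traffic."""
import random
from collections import Counter
from math import log2

TARGET = ("203.0.113.10", 27015)   # hypothetical game server, UDP


def legit_traffic(n_clients=20, pkts_each=50):
    """Constructed: each client keeps one source address and one ephemeral port."""
    return [
        {"src": f"198.51.100.{i + 1}", "sport": 50000 + i, "dst": TARGET, "len": 120}
        for i in range(n_clients) for _ in range(pkts_each)
    ]


def flood_traffic(n_pkts=20000, seed=7):
    """Constructed: every packet carries a fresh spoofed source IP and a random port."""
    rng = random.Random(seed)
    return [
        {"src": ".".join(str(rng.randint(1, 254)) for _ in range(4)),
         "sport": rng.randint(1024, 65535), "dst": TARGET, "len": 1400}
        for _ in range(n_pkts)
    ]


def per_source_limit(pkts, max_pkts_per_src):
    """Conventional filter: drop a source once it exceeds its per-window quota.
    Returns (passed, dropped) packet counts."""
    seen = Counter()
    passed = dropped = 0
    for p in pkts:
        seen[p["src"]] += 1
        if seen[p["src"]] > max_pkts_per_src:
            dropped += 1
        else:
            passed += 1
    return passed, dropped


def shannon_bits(values):
    """Shannon entropy in bits of the observed value distribution."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * log2(c / n) for c in counts.values())


def classify_window(pkts, pps_threshold=5000, port_entropy_bits=10.0):
    """Aggregate view of one 1-second window towards TARGET.
    A flood is declared when the packet rate is high AND the source ports are
    spread almost uniformly, which real clients with fixed sessions never do."""
    to_target = [p for p in pkts if p["dst"] == TARGET]
    entropy = shannon_bits([p["sport"] for p in to_target]) if to_target else 0.0
    return {
        "pps": len(to_target),
        "bps": sum(p["len"] for p in to_target) * 8,
        "unique_sources": len({p["src"] for p in to_target}),
        "port_entropy_bits": round(entropy, 2),
        "flood": len(to_target) > pps_threshold and entropy > port_entropy_bits,
    }


if __name__ == "__main__":
    window = legit_traffic() + flood_traffic()
    print("per-source limit (passed, dropped):", per_source_limit(window, 100))
    print("aggregate verdict:", classify_window(window))
```

With a quota of 100 packets per source the filter drops nothing, because the 20,000 flood packets arrive from roughly 20,000 different forged addresses. The aggregate window, by contrast, reports about 21,000 pps and roughly 14 bits of source-port entropy against about 4.3 bits for the 20 real clients. In production the window statistics would be computed per destination prefix on sampled flow data; the entropy threshold must be tuned against the real client mix, since some UDP protocols legitimately open many ephemeral ports.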
The graph below shows customer traffic during the attack. The peak of 1.1 Tbps indicates an aggressive but short-lived attempt to flood the data network. The green line (“total.general.input”) shows all incoming traffic. The other colored lines on the graph represent the network’s responses, including steps to filter and drop malicious traffic, as the system handles the deluge of data.
The attack consisted of a short but intense peak of 1.1 Tbps around 22:55.
Attack #2: 1.6 Tbps TCP-based DDoS
The sustained traffic level during the attack was 700 Mbps; at the beginning it rose to 1600 Mbps.
This time, the attackers tried to take advantage of the TCP protocol with a mixture of a SYN flood and PSH, ACK traffic.
In a SYN flood, many SYN packets are sent to the target server and the handshake is never completed with the final ACK. The server creates a half-open connection for each SYN and holds it until it times out. If the attack succeeds, the server's connection backlog fills up and it stops accepting new connections, including legitimate ones.
The PSH, ACK phase of the attack pushes data at the target as fast as possible. The ACK flag claims that a previous segment was received, and the PSH flag asks the receiving stack to hand the payload to the application immediately, so the target spends resources looking up connection state and processing data for every packet. A PSH, ACK flood is harder to defend against than a plain SYN flood: the packets look like data segments of established connections, and the PSH flag forces immediate processing of their contents, which consumes more resources.
As before, the goal is to overload the customer's servers and make their services inaccessible to legitimate users. The SYN flood peaked at 685.77 Mbps and the PSH, ACK traffic at 906.73 Mbps.
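To make the resource exhaustion concrete, the following added example (written for this article; it is not Gcore's mitigation code) simulates the two TCP listeners a target can run against the floods described above: a classic stateful listener with a bounded backlog, and a stateless SYN-cookie listener that encodes the handshake in its initial sequence number. It also shows why a PSH, ACK flood aimed at connections that do not exist is cheap to discard once the receiver can validate state. The segments, addresses and secret are constructed, and the cookie layout is a simplified version of the Linux scheme (8-bit time field plus a 24-bit MAC) rather than its exact format.

```python
"""Stateful SYN backlog versus stateless SYN cookies under a SYN flood and a
PSH/ACK flood. Added example; segments are constructed, not captured traffic."""
import hashlib
import hmac
import random
from collections import Counter
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    flags: frozenset          # e.g. {"SYN"}, {"ACK"}, {"PSH", "ACK"}
    seq: int
    ack: int = 0
    payload: bytes = b""

    @property
    def key(self):            # the server side of the 4-tuple is fixed here
        return (self.src, self.sport)


class StatefulListener:
    """Classic listener: remembers every half-open connection in a bounded backlog."""
    def __init__(self, backlog=1024, seed=1):
        self.backlog, self.half_open, self.established = backlog, {}, set()
        self.rng = random.Random(seed)

    def handle(self, seg):
        if seg.flags == {"SYN"}:
            if seg.key in self.half_open:
                return "syn-ack"                      # retransmitted SYN
            if len(self.half_open) >= self.backlog:
                return "drop:backlog-full"            # real clients are refused here
            self.half_open[seg.key] = self.rng.getrandbits(32)
            return "syn-ack"
        if "ACK" in seg.flags:
            if seg.key in self.established:
                return "data" if seg.payload else "ack"
            isn = self.half_open.get(seg.key)
            if isn is not None and seg.ack == (isn + 1) & MASK32:
                del self.half_open[seg.key]
                self.established.add(seg.key)
                return "established"
            return "drop:no-state"                    # PSH/ACK for an unknown connection
        return "drop:unexpected-flags"


class SynCookieListener:
    """Stateless listener: the server ISN is a cookie, so a SYN costs no memory."""
    COOKIE_WINDOW = 2   # accept cookies minted in the current or previous minute

    def __init__(self, secret, minute=0):
        self.secret, self.minute, self.established = secret, minute, set()

    def tick(self):
        self.minute += 1

    def _mac24(self, key, client_isn, minute):
        msg = f"{key[0]}:{key[1]}:{client_isn}:{minute}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def cookie(self, syn):
        """Server ISN sent in the SYN-ACK: 8-bit minute counter || 24-bit MAC."""
        return ((self.minute & 0xFF) << 24) | self._mac24(syn.key, syn.seq, self.minute)

    def handle(self, seg):
        if seg.flags == {"SYN"}:
            return "syn-ack"                          # nothing stored
        if "ACK" in seg.flags:
            if seg.key in self.established:
                return "data" if seg.payload else "ack"
            cookie = (seg.ack - 1) & MASK32           # client acks our ISN + 1
            client_isn = (seg.seq - 1) & MASK32       # client's seq is its ISN + 1
            for m in range(self.minute, self.minute - self.COOKIE_WINDOW, -1):
                if (m & 0xFF) == cookie >> 24 and (cookie & 0xFFFFFF) == self._mac24(seg.key, client_isn, m):
                    self.established.add(seg.key)
                    return "established"
            return "drop:bad-cookie"                  # forged, replayed or stale
        return "drop:unexpected-flags"


def syn_flood(listener, n):
    """n SYNs from n distinct spoofed sources that never finish the handshake."""
    return Counter(listener.handle(Segment(f"10.{(i >> 8) & 255}.{i & 255}.1", 40000,
                                           frozenset({"SYN"}), seq=i)) for i in range(n))


def push_ack_flood(listener, n, seed=3):
    """n PSH/ACK segments with random seq/ack numbers for connections that never existed."""
    rng = random.Random(seed)
    return Counter(listener.handle(Segment(f"172.16.{(i >> 8) & 255}.{i & 255}", 40000,
                                           frozenset({"PSH", "ACK"}), seq=rng.getrandbits(32),
                                           ack=rng.getrandbits(32), payload=b"x" * 512))
                   for i in range(n))


def legit_handshake(listener, src="198.51.100.7", sport=51000, client_isn=123456):
    """Three-way handshake plus one data segment from a real client; True if served."""
    syn = Segment(src, sport, frozenset({"SYN"}), seq=client_isn)
    if listener.handle(syn) != "syn-ack":
        return False
    # The client learns the server ISN from the SYN-ACK; the simulation reads it directly.
    server_isn = listener.cookie(syn) if hasattr(listener, "cookie") else listener.half_open[syn.key]
    ack = Segment(src, sport, frozenset({"ACK"}), seq=client_isn + 1, ack=(server_isn + 1) & MASK32)
    data = Segment(src, sport, frozenset({"PSH", "ACK"}), seq=client_isn + 1,
                   ack=(server_isn + 1) & MASK32, payload=b"hello")
    return listener.handle(ack) == "established" and listener.handle(data) == "data"
```

Run against a 5,000-packet SYN flood, the stateful listener fills its 1,024-entry backlog and then refuses the real client's SYN, while the cookie listener answers every SYN without storing anything and still completes the real client's handshake. The PSH, ACK flood is rejected by both listeners, but note the cost difference the article describes: each forged segment still has to be parsed and matched against connection state before it can be dropped, which is exactly the work the attacker wants the target to do. The stale-cookie window (two minutes here) is the usual trade-off of SYN cookies; a client that takes longer than that to answer the SYN-ACK is refused.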
Gcore Defensive Strategies
Gcore’s DDoS Protection neutralized both attacks while preserving regular service for the customer’s end users. The general approach to combating DDoS threats combines several techniques; Gcore’s front-line defenses include:
- Dynamic traffic shaping: traffic rates are adjusted dynamically to reduce the impact of an attack while keeping critical services running. Adaptive thresholds and rate limits prioritize genuine traffic and slow down harmful transmissions.
- Anomaly detection and quarantine: machine learning models analyze traffic behavior to detect anomalies. When one is found, automated quarantine mechanisms redirect the anomalous traffic to isolated segments for further analysis.
- Regular expression filters: regular expression-based filtering rules block malicious payloads without interfering with legitimate traffic. The rules are refined continuously to keep protection effective while avoiding false positives.
- Collaborative threat intelligence: Gcore actively exchanges threat intelligence with industry peers. Collective insights and real-time threat feeds guide Gcore’s security techniques, allowing a rapid response to evolving attack vectors.
By using these strategies, Gcore was able to effectively mitigate the impact of DDoS attacks and protect their customer’s platform from disruption, negating potential reputational and financial loss.
DDoS attacks of 1.5+ Tbps pose an increasing threat to the entire industry, with attackers using imaginative techniques to try to bypass protective services. Over the course of 2023 Gcore registered increases in both the size and the number of attacks, and these two related attacks reflect that trend.
In the attacks covered in the article, Gcore was able to prevent any damage through a combination of dynamic traffic shaping, anomaly detection, regular expression filtering, and collaborative threat intelligence. Assess DDoS protection options to secure your network against the ever-evolving DDoS threats.