On June 21, 2020, Akamai Technologies mitigated what it says “the largest ever packet per second (PPS) distributed denial of service (DDoS) attack on the Akamai platform. The attack generated 809 million packets per second (Mpps), targeting a large European bank.
The content delivery network, cybersecurity, and cloud service company said this is a new industry record for PPS-focused attacks, and well over double the size of the previous high watermark on the Akamai platform.
“Looking holistically at DDoS activity since the onset of 2020, it is clear that large, sophisticated DDoS attacks are still a significant attack vector, and as we’ll show later in this writeup, a concern for companies across many industry verticals,” the company said in a media advisory.
PPS-focused attacks are largely designed to overwhelm network gear and/or applications in the customer’s data center or cloud environment. PPS attacks exhaust the resources of the gear, rather than the capability of the circuits.
DDoS vs PPS-based
According to Akamai, this latest attack was clearly optimized to overwhelm DDoS mitigation systems via high PPS load. Beyond just the volume of IP addresses, the vast majority of the attack traffic was sourced from IPs that we have not recorded in prior 2020 attacks, indicating an emerging botnet. Akamai tracks hundreds of thousands of source IPs leveraged in DDoS attacks, tens of thousands of which have been seen in multiple attacks.
“It was highly unusual that 96.2% of source IPs were observed for the first time (or at a minimum, were not being tracked as being part of attacks in recent history),” the company said. “We had observed a number of different attack vectors coming from the 3.8% of remaining source IPs, both matching the single attack vector seen in this attack and aligned to others. In this case, most of the source IPs could be identified within large internet service providers via an autonomous system (AS) lookups, which is indicative of compromised end-user machines.”
Akamai considers the June 21 attack as “remarkable” not only for its size but also because of the speed at which it reached its peak. The attack grew from normal traffic levels to 418 Gbps in seconds, before reaching its peak size of 809 Mpps in approximately two minutes. In total, the attack lasted slightly less than 10 minutes.
“While this attack was fully mitigated by Akamai’s proactive mitigation controls, we were able to leverage our behavioral mitigation recommendation engine to further analyze additional attack dimensions,” the company said. “In this case, the attack showed swings from clean traffic baseline norms in the protocol, destination port, packet length, and geolocation.”
Akamai said mitigating these large attacks requires planning and expert resources.
“The process starts by understanding a given customer’s traffic in-depth, in order to identify normal or baseline traffic patterns and volumes, and configure proactive mitigation controls. The goal is to ensure that malicious traffic can be detected and mitigated successfully, without impacting legitimate traffic.”
Deploying proactive mitigation controls has proven to be an extremely effective way to increase mitigation effectiveness for a large segment of attacks. However, proactive mitigation is just one example of the many tools and capabilities that Akamai’s Security Operations Command Center (SOCC) team employs to continually improve DDoS detection times and mitigation effectiveness.