'Largest ever' DDoS attack targets European bank

Akamai claims to have prevented the largest-ever distributed denial of service (DDoS) attack, measured in packets-per-second (pps), targeting a large European bank.

The attack, which the networking and security company registered at 809 million PPS, was recorded on 21 June, just days after AWS announced it had blocked the largest ever DDoS attack in terms of bits per second (bps).

The incident took place in February, hitting 2.3Tbps, smashing the previous record of 1.7Tbps, with the peak of the attack 44% larger than anything the services had seen before. The nature of the attack AWS recorded, however, is different from that registered by Akamai.

This latest DDoS attack, which Akamai claims is the most intense ever recorded, aimed to overwhelm network gear and applications in the victim’s data centre or cloud environment. This is against the aim of conventional high bps DDoS attacks, which aim to overwhelm the inbound internet pipeline.

While both types of attack are volumetric in nature, pps attacks are much rarer and are designed to exhaust the resources of the networking gear.

“One way to think about the difference in DDoS attack types is to imagine a grocery store checkout,” said Akamai principal product architect Tom Emmons.

“A high-bandwidth attack, measured in bps, is like a thousand people showing up in line, each one with a full cart ready to check out. However, a PPS-based attack is more like a million people showing up, each to buy a pack of gum. In both cases, the final result is a service or network that cannot handle the traffic thrown at it.”

The attack was optimised to overwhelm DDoS mitigation systems by deploying a high pps load, Emmons added. What made the incident unique, moreover, was the massive increase in the amount of source IP addresses the attack relied on.

The number of source IPs registering traffic to the victim increased substantially during the attack, suggesting the DDoS attack was highly distributed in nature. There were more than 600-times the number of source IPs per minute against what is normally observed.

The vast majority of these IP addresses, meanwhile, were not previously recorded in attacks during 2020, suggesting a novel botnet, with 96.2% of source IPs not seen before.

Akamai added the attack reached a peak of 418Gbps within seconds, before reaching its peak size of 809 million pps within two minutes, with the track lasting slightly under ten minutes in total. The incident was fully mitigated at the time.