What happened
In March 2023, NSFOCUS security team blocked the worst DDoS attack of the year. The attack was targeted at an Internet service provider customer located in Brazil, with a peak attack traffic of 386.5 Gbps and astonishing total attack traffic of 1184.4 Tbps.
This large-scale DDoS attack lasted for 8 days, posing huge risks and challenges to the customer’s core business and network infrastructure. Fortunately, the customer had deployed the NSFOCUS Cloud DDoS Protection Service (NSFOCUS DPS) in advance and was able to avoid serious consequences to the business.
Through Anycast technology, NSFOCUS Cloud DPS quickly diverted DDoS attack traffic to the nearest cleaning node to the customer, bringing an “unawareness” protection experience to the customer with minimal network latency. Immediately after attack mitigation, NSFOCUS security team provided an intuitive report and recommendations to the customer’s Network Operations Center (NOC) so that they could conduct further analysis and reinforce protection.
Attack analysis
NSFOCUS security team conducted a comprehensive analysis of the whole attack event after it had ended. The following findings were noted:
1. This DDoS attack lasted for a long time. The attacker started to attack multiple service IP addresses of the customer on March 1st and ended on the evening of March 8th, lasting for 8 days in total.
2. Packet capture analysis indicated that the attack packets were mainly UDP, accounting for 99.72% of the attack traffic, accompanied by a small amount of other attack traffic types. This fits the DDoS attack posture described in the NSFOCUS 2022 Global DDoS Attack Landscape report: according to the report, UDP attacks accounted for about 60% of the large-traffic attacks (above 100 Gbps) recorded in 2022, which may be closely related to the expansion of botnet resources.
3. According to the source-tracing analysis of the attack traffic, the attack sources included the United States, Brazil, China, Ukraine and Sweden, among others. The United States was the largest contributor, accounting for about 47% of the total attack traffic.
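The two findings above (protocol share of the attack traffic and share per source country) come from aggregating packet-capture or flow records. The script below is an added example, not NSFOCUS code, showing how an analyst would compute those shares and the cleaning efficiency figures used later in this post from a constructed set of flow records; the CSV format, the column names and the byte counts are assumptions chosen for illustration and do not reproduce the incident's real data.

```python
import csv
import io
from collections import Counter

# Constructed flow records for illustration only (not captured from the incident).
# One row per flow: transport protocol, source country, bytes carried.
SAMPLE_FLOW_CSV = """proto,src_country,bytes
UDP,US,1200000
UDP,BR,500000
UDP,CN,300000
TCP,US,3000
ICMP,UA,1000
UDP,SE,100000
"""


def parse_flows(csv_text):
    """Parse flow records into (proto, country, bytes) tuples."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(r["proto"], r["src_country"], int(r["bytes"])) for r in reader]


def _share(flows, key_index):
    """Percent of total bytes per key (protocol or country), rounded to 2 decimals."""
    total = sum(f[2] for f in flows)
    if total == 0:
        return {}
    per_key = Counter()
    for f in flows:
        per_key[f[key_index]] += f[2]
    return {k: round(100.0 * b / total, 2) for k, b in per_key.items()}


def protocol_share(flows):
    """Percent of attack bytes per transport protocol, e.g. {'UDP': 99.81, ...}."""
    return _share(flows, 0)


def top_source_countries(flows, top_n=5):
    """Source countries ranked by share of attack bytes, largest first."""
    shares = _share(flows, 1)
    return sorted(shares.items(), key=lambda kv: kv[1], reverse=True)[:top_n]


def cleaning_efficiency(ingress_bytes, egress_bytes):
    """Percent of inbound traffic dropped by the scrubbing node.

    ingress_bytes: bytes arriving at the cleaning node during the attack wave
    egress_bytes:  bytes re-injected towards the customer after scrubbing
    """
    if ingress_bytes <= 0 or egress_bytes < 0 or egress_bytes > ingress_bytes:
        raise ValueError("byte counts must satisfy 0 <= egress <= ingress")
    return round(100.0 * (ingress_bytes - egress_bytes) / ingress_bytes, 1)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOW_CSV)
    print("protocol share:", protocol_share(flows))
    print("top sources:", top_source_countries(flows))
    # Constructed ingress/egress volumes for one attack wave.
    print("cleaning efficiency:", cleaning_efficiency(100_000, 21_800), "%")
```

The same aggregation works on exported NetFlow/IPFIX or pcap summaries once the protocol, source country (from a GeoIP lookup) and byte count columns are mapped to the three fields used here.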
How we stopped the attack
NSFOCUS security team paid close attention throughout the attack. The initial spike of this attack occurred on March 2nd, and since the default protection policy was in use at that time, the cleaning efficiency was only 78.2%. By analyzing captured traffic and communicating with the customer about the affected business, NSFOCUS security team promptly optimized the protection policy, and the cleaning efficiency improved to 89.1% in the next wave of the sustained attack, which peaked at about 100 Gbps on March 4th. Through continuous fine-tuning of the protection policy and thresholds based on uninterrupted monitoring and attack trend analysis, the cleaning efficiency reached 93.2% and 99.6% in the attack waves on March 6th and March 8th, respectively, successfully blocking the attack traffic without affecting the customer’s business.
In this case, the customer was very satisfied with the fast response, accurate attack analysis and excellent protection capability, and is very confident in NSFOCUS’s Anti-DDoS solution.
Some protection recommendations
The ever-increasing threat of massive DDoS attacks poses persistent risks to organizations around the world. The following suggestions may help you to optimize your network security:
1. Screen system vulnerabilities and close unnecessary services and ports, which will greatly reduce the possibility of vulnerable services being compromised and minimize the losses caused by attacks.
2. Apply proper protection policies. For example, you can configure specific protection policies for exposed services, such as portal websites, DNS, and APIs, to minimize both false blocking of legitimate traffic and leakage of attack traffic.
3. Deploy an on-premises DDoS protection solution. The on-premises DDoS protection solution should be capable of building a traffic model baseline through traffic learning, AI-based analysis, behavior analysis and other up-to-date technologies and generating protection policies fit for business with maximized protection efficiency.
4. To protect against the increasingly common large-scale DDoS attacks, a cloud-based DDoS protection service can supplement the on-premises protection capability. A hybrid DDoS solution, combining cloud and on-premises security, provides multiple layers of protection. When a volumetric DDoS attack occurs, you can rely on the cloud traffic scrubbing service to mitigate the attack traffic, thus ensuring the availability of your organization’s bandwidth. Once the traffic is cleaned and re-injected into the original path, the on-premises DDoS protection devices filter the traffic again to deal with application-layer attack threats that are difficult to detect upstream.
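Recommendation 3 asks the on-premises device to learn a per-service traffic baseline and derive protection thresholds from it. The following added example, which is not NSFOCUS code and does not describe how NSFOCUS products implement traffic learning, shows one simple way such a baseline can be built: the mean and standard deviation of packets-per-second samples are learned per service during a quiet period, and a threshold of mean plus k standard deviations (with a minimum headroom factor so that a very stable service does not get an overly tight threshold) is used to flag later observations. The services, the sample values, the factor k=3 and the 1.5 headroom are all assumptions chosen for illustration.

```python
import statistics

# Constructed training data: packets-per-second per 1-minute bucket for two
# services during a quiet period. These values are illustrative, not measured.
TRAINING_PPS = {
    "dns": [900, 950, 1000, 1050, 1100, 980, 1020, 990, 1010, 1000],
    "web": [5000, 5200, 4800, 5100, 4900, 5050, 5150, 4950, 5000, 5100],
}


def learn_baseline(samples, k=3.0, min_headroom=1.5):
    """Learn a threshold for one service from quiet-period pps samples.

    threshold = max(mean + k * stdev, mean * min_headroom)
    The headroom floor keeps a nearly constant service from producing a
    threshold so close to normal traffic that ordinary spikes trip it.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples to learn a baseline")
    mean = statistics.fmean(samples)
    stdev = statistics.pstdev(samples)
    threshold = max(mean + k * stdev, mean * min_headroom)
    return {"mean": mean, "stdev": stdev, "threshold": threshold}


def learn_baselines(training, **kwargs):
    """Learn one baseline per service name."""
    return {svc: learn_baseline(samples, **kwargs) for svc, samples in training.items()}


def detect(baselines, observations):
    """Return (service, pps, threshold) for observations above their threshold.

    observations: iterable of (service, pps). Services without a learned
    baseline are skipped here; in practice they would fall back to a default
    policy, which is exactly the situation that produced the weaker initial
    cleaning efficiency described in the post.
    """
    alerts = []
    for svc, pps in observations:
        base = baselines.get(svc)
        if base is None:
            continue
        if pps > base["threshold"]:
            alerts.append((svc, pps, base["threshold"]))
    return alerts


if __name__ == "__main__":
    baselines = learn_baselines(TRAINING_PPS)
    for svc, b in baselines.items():
        print(f"{svc}: mean={b['mean']:.1f} stdev={b['stdev']:.1f} threshold={b['threshold']:.1f}")
    # Constructed observations: a normal DNS minute, a flood against DNS, a busy web minute.
    observed = [("dns", 1200), ("dns", 30000), ("web", 6000), ("smtp", 50)]
    print("alerts:", detect(baselines, observed))
```

A production baseline would be re-learned periodically and keyed by time of day, since legitimate peaks (a campaign launch, a backup window) otherwise look like attacks; the post's own account of thresholds being fine-tuned across successive waves is the manual version of that feedback loop.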