
Incapsula mitigates multi-vector DDoS attack lasting longer than a month


From the middle of June to nearing the end of July, security company Incapsula helped a targeted video game company withstand a nonstop distributed denial-of-service (DDoS) attack utilizing numerous vectors.

The attack peaked at more than 110 Gbps and more than 90 million packets per second, according to a Wednesday post.

Mitigating the attack, which began on June 21 and did not subside until July 27, is a testament to Incapsula's ‘Behemoth' scrubbing servers, which were able to filter out more than 50 petabits – or more than 51,000 terabits – of malicious traffic, the post indicates.

All of that traffic came from multiple DDoS attack vectors that never let up for a second and were often running at the same time, Igal Zeifman, researcher and product evangelist at Incapsula, said in a Wednesday email correspondence.

“In this case the attackers were, simultaneously, sending [a] SYN flood of small and large-sized packages, while also attacking with massive DNS floods and employing DNS and NTP amplification techniques,” Zeifman said. “At some point, the offenders also tried to hack the site using SQL injections and launched several HTTP flood (Layer 7) attacks.”

Incapsula could not reveal the identity of the targeted video game company, but speculated in the post that the attacker was a rival company, particularly because 80 percent of the DDoS traffic came from the same 20 percent of IPs – meaning the attacker was using a small number of powerful resources rather than a large, dispersed botnet.

Incapsula captured a lot of source IP data, but that data can be spoofed in the case of Layer 3 and Layer 4 DDoS attacks, Zeifman said. Even if the data was real, he explained that tracing back the IPs would only lead to the resources that were used, which are typically controlled from remote command-and-control servers that never interacted with the target or Incapsula mitigation services.
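The two observations above (traffic concentrated in a small fraction of source addresses, and source addresses being trustworthy only where the connection actually completed) are the kind of thing a responder checks over flow data during an attack. The following is an added example, not code from the article or from Incapsula: it runs over constructed flow records (the addresses and byte counts are made up) and reports what share of bytes the top 20 percent of sources account for, then repeats the calculation over only the flows that completed a TCP handshake, since addresses on raw Layer 3/4 floods may be spoofed. The record layout and the 75 percent "concentrated" threshold are assumptions for the example.

```python
from collections import Counter
from math import ceil

# Constructed sample flows (not from the article). "layer" is 7 when the flow
# completed a TCP handshake (an HTTP flood, for instance) and 4 for raw
# SYN/DNS/NTP volume whose source address cannot be trusted.
SAMPLE_FLOWS = [
    {"src": "198.51.100.10", "bytes": 40_000, "layer": 4},  # heavy source A
    {"src": "198.51.100.11", "bytes": 40_000, "layer": 4},  # heavy source B
    {"src": "203.0.113.1", "bytes": 2_500, "layer": 7},
    {"src": "203.0.113.2", "bytes": 2_500, "layer": 7},
    {"src": "203.0.113.3", "bytes": 2_500, "layer": 7},
    {"src": "203.0.113.4", "bytes": 2_500, "layer": 7},
    {"src": "192.0.2.21", "bytes": 2_500, "layer": 4},
    {"src": "192.0.2.22", "bytes": 2_500, "layer": 4},
    {"src": "192.0.2.23", "bytes": 2_500, "layer": 4},
    {"src": "192.0.2.24", "bytes": 2_500, "layer": 4},
]


def bytes_per_source(flows, layer=None):
    """Aggregate bytes by source address, optionally restricted to one layer."""
    totals = Counter()
    for flow in flows:
        if layer is None or flow["layer"] == layer:
            totals[flow["src"]] += flow["bytes"]
    return totals


def top_fraction_share(flows, fraction=0.2, layer=None):
    """Return (share of bytes sent by the top `fraction` of sources, those sources)."""
    totals = bytes_per_source(flows, layer)
    if not totals:
        return 0.0, []
    grand_total = sum(totals.values())
    # Round up so that even a handful of sources yields at least one "top" entry.
    n_top = max(1, ceil(len(totals) * fraction))
    top = totals.most_common(n_top)
    share = sum(b for _, b in top) / grand_total
    return share, [src for src, _ in top]


def assess(flows, fraction=0.2, threshold=0.75):
    """Summarise source concentration overall and for attributable (L7) traffic."""
    share, top = top_fraction_share(flows, fraction)
    # Only handshake-completing flows carry a source address worth acting on;
    # the L3/L4 figures above describe volume, not attribution.
    l7_share, l7_top = top_fraction_share(flows, fraction, layer=7)
    return {
        "share": share,
        "top_sources": top,
        "concentrated": share >= threshold,
        "l7_share": l7_share,
        "attributable_sources": l7_top,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_FLOWS)
    print(f"top 20% of sources sent {result['share']:.0%} of bytes")
    print("concentrated:", result["concentrated"])
    print("sources that completed a handshake:", result["attributable_sources"])
```

On the sample data the two heavy sources account for 80 percent of the bytes, which flags the traffic as concentrated, while the handshake-completing subset is spread evenly; a responder would treat the first figure as a sizing hint and only the second set of addresses as candidates for per-source controls.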

“This is the longest lasting DDoS attack we've mitigated so far,” Zeifman said, going on to add, “To sustain such a massive attack, for such a long period of time, requires a lot of high quality network resources, the kind you wouldn't normally expect DDoS offenders to have.”

The result is that organizations need to be prepared to deal with these types of large-scale events, particularly in a way that does not affect the clients, the business, the brand, and other day-to-day operations, Zeifman said.

Although the post indicates that massive DNS floods are becoming a go-to for DDoS attackers, Zeifman added that Incapsula is seeing a lot of SYN floods, many of which use large SYN packets. The first quarter of 2014 also saw an increase in NTP amplification attacks, he added.

“We also see more and more Layer 7 attacks, with constantly evolving bots specifically designed to avoid common DDoS mitigation mechanisms[; for example,] bots that can hold cookies and execute JavaScript,” Zeifman said.
