Recently we at EHN got a mail from incapsula telling us to read a blog post about a very interesting DDOS attack they analyzed.
Usually a DDoS needs a sizable botnet to succeed; even the DNS amplification attacks we saw in recent months need bots that can make a large number of requests to work.
But Incapsula recently analyzed an attack that reached 4 Gbps from a single computer or network. They were able to trace it to a single source because the TTL value was always the same: every packet had passed through the same number of routers to reach the target, so a constant TTL suggests that all of the traffic originated from the same point.
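The constant-TTL observation above is usable as a triage heuristic on the defender's side. The following is an added example (not code from Incapsula or EHN) that runs over a constructed set of flow records and flags any TTL value that dominates the traffic volume while spanning many distinct source addresses, which is exactly the pattern the post describes (many spoofed sources, one real origin). The record format, the `min_sources` and `dominance` thresholds, and the hop estimate from common initial TTLs (64, 128, 255) are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample flow records: (src_ip, ttl, length_bytes). Not real traffic;
# a real pipeline would read these from flow logs or a packet capture.
def _build_sample():
    pkts = []
    # 40 packets from 40 different (spoofed) source addresses, all with TTL 53
    for i in range(40):
        pkts.append((f"198.51.100.{i + 1}", 53, 1500))
    # 10 packets of ordinary traffic with the TTL spread you expect from many origins
    legit_ttls = [48, 57, 115, 120, 240, 61, 58, 110, 250, 55]
    for i, ttl in enumerate(legit_ttls):
        pkts.append((f"203.0.113.{i + 1}", ttl, 300))
    return pkts

SAMPLE_PACKETS = _build_sample()

# Initial TTL values most operating systems use (assumption of this example).
COMMON_INITIAL_TTLS = (64, 128, 255)


def estimate_hops(ttl):
    """Estimated router hops, assuming the sender started from the nearest
    common initial TTL at or above the observed value. None if out of range."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None


def ttl_profile(packets):
    """Per TTL value: packet count, distinct source addresses, and total bytes."""
    prof = defaultdict(lambda: {"packets": 0, "sources": set(), "bytes": 0})
    for src, ttl, length in packets:
        prof[ttl]["packets"] += 1
        prof[ttl]["sources"].add(src)
        prof[ttl]["bytes"] += length
    return prof


def single_origin_suspects(packets, min_sources=10, dominance=0.9):
    """Return TTL values that carry at least `dominance` of all bytes while
    appearing on at least `min_sources` distinct source addresses. Legitimate
    traffic from many origins spreads across many TTLs; a single spoofing
    origin produces one TTL across many addresses."""
    total = sum(length for _, _, length in packets)
    if total == 0:
        return []
    hits = []
    for ttl, stats in ttl_profile(packets).items():
        share = stats["bytes"] / total
        if share >= dominance and len(stats["sources"]) >= min_sources:
            hits.append({
                "ttl": ttl,
                "share": round(share, 3),
                "sources": len(stats["sources"]),
                "est_hops": estimate_hops(ttl),
            })
    return sorted(hits, key=lambda h: -h["share"])


if __name__ == "__main__":
    for hit in single_origin_suspects(SAMPLE_PACKETS):
        print(f"TTL {hit['ttl']}: {hit['share']:.1%} of bytes from "
              f"{hit['sources']} sources, ~{hit['est_hops']} hops away")
```

A shared TTL can also come from a legitimately homogeneous population (for example many clients behind one NAT at the same distance), so treat a hit as a reason to look closer at the source network and its path, not as proof of a single origin on its own.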
Even more worrisome is the fact that even authoritative name servers seem to have been used in this attack, so the attacker no longer needs to rely exclusively on open DNS servers. The attacker therefore has more points to attack from, and the attacks will get harder to defend against.
What is known about the source:
- It is either a customized computer or a cluster of computers sharing the same network; it is almost impossible for a single machine to generate this kind of traffic.
- It could silently utilize 4Gbps of upstream bandwidth.
The analysis also points out that the attack could easily have reached speeds over 200 Gbps if it had used DNS amplification with an amplification factor of 50.
We guess there will be more attacks of this sort in the future; it is up to us in computer security to come up with a permanent solution for handling and stopping such attacks.