Qrator Labs protected the Servers.com hosting platform from high-speed DDoS attacks of a new type
Customers: Servers.com
Contractors: Qrator Labs (HLL, formerly HighloadLab)
Product: Qrator.Ingress
Project date: 2019/08 - 2019/08
2019: Protection against DDoS attacks using one of TCP amplification vectors
On August 22, 2019, Qrator Labs, a company specializing in DDoS mitigation and the availability of Internet resources, announced that it had neutralized a series of DDoS attacks on the international hosting platform Servers.com that lasted from August 18 to August 20. According to Qrator Labs, among them was the first large-scale attack ever recorded in practice that used one of the TCP amplification vectors (reflected SYN/ACK flood).
On August 18 the attackers began targeting the network infrastructure of Servers.com, producing regular high-rate bursts of traffic. Within a few hours Servers.com was placed under Qrator Labs protection by connecting to the Qrator Ingress service, which is designed to protect the infrastructure of telecom operators and hosting providers against DDoS attacks.
Qrator Labs recorded several waves of the attack. It was mostly built on LDAP amplification and SYN/ACK flood, while other types of UDP amplification were also periodically identified.
As Qrator Labs explained, an amplification attack works by sending a request to a vulnerable server belonging to an unsuspecting third party; the server then replicates that request many times over and sends the result to the victim's site. In this case the LDAP and TCP protocols were used to amplify the attack. The possibility of using the TCP protocol for large-scale amplification attacks was first described in research by scientists from the Ruhr University (Germany) five years ago, but until now it had remained theoretical, the company noted.
SYN/ACK amplification traffic reached peak values of 208 million packets per second, and the longest period of continuous bombardment with "garbage" traffic lasted 11.5 hours. All attacks were neutralized by the Qrator Labs filtering network.
Finding the attackers who organized the attack is extremely difficult, because the recorded type of DDoS attack is practically untraceable given how rarely anti-spoofing measures (such as BCP 38) are applied. Implementing these measures requires significant changes to network architecture.
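Because the reflectors answer SYNs forged with the victim's address, and the source networks rarely enforce BCP 38, the victim side can only act on the traffic's own signature: SYN/ACK segments arriving for connections the protected network never initiated. The following added example (not code from Qrator Labs or Servers.com) shows that stateful check over a constructed set of packet records; the record layout, the `203.0.113.0/24` protected prefix and the reflector addresses are all assumptions made for the demonstration.

```python
"""Flag a SYN/ACK reflection flood from per-packet records.

Added example; not Qrator Labs or Servers.com code. The record layout and the
addresses are constructed for the demonstration.
"""
from collections import Counter

# Assumed prefix of the protected network (constructed, RFC 5737 documentation range).
PROTECTED_PREFIX = "203.0.113."

# Constructed per-packet records: (timestamp_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)
# A single legitimate handshake from a protected host to a web server...
SAMPLE_PACKETS = [
    (0.00, "203.0.113.10", 40001, "198.51.100.5", 443, "S"),
    (0.02, "198.51.100.5", 443, "203.0.113.10", 40001, "SA"),
    (0.03, "203.0.113.10", 40001, "198.51.100.5", 443, "A"),
]
# ...followed by SYN/ACKs from five reflectors that never received a SYN from
# us: each is answering a SYN an attacker forged with the victim's source address.
for i in range(50):
    SAMPLE_PACKETS.append(
        (0.10 + i * 0.01, f"192.0.2.{i % 5 + 1}", 80, "203.0.113.10", 1024 + i, "SA")
    )


def analyze(packets, protected_prefix=PROTECTED_PREFIX):
    """Match inbound SYN/ACKs against SYNs the protected network actually sent."""
    pending = set()          # (our_ip, our_port, remote_ip, remote_port) of SYNs we sent
    solicited = 0
    unsolicited = Counter()  # reflector source IP -> count of unsolicited SYN/ACKs
    first_ts = last_ts = None
    for ts, src, sport, dst, dport, flags in sorted(packets):
        if flags == "S" and src.startswith(protected_prefix):
            pending.add((src, sport, dst, dport))
        elif flags == "SA" and dst.startswith(protected_prefix):
            key = (dst, dport, src, sport)
            if key in pending:
                pending.discard(key)
                solicited += 1
            else:
                unsolicited[src] += 1
                if first_ts is None:
                    first_ts = ts
                last_ts = ts
    total = sum(unsolicited.values())
    duration = (last_ts - first_ts) if total > 1 else 0.0
    return {
        "solicited": solicited,
        "unsolicited": total,
        "unsolicited_pps": total / duration if duration > 0 else float(total),
        "reflectors": unsolicited.most_common(),
    }


def is_synack_flood(stats, min_packets=40, min_share=0.9):
    """Alert when unsolicited SYN/ACKs dominate the inbound SYN/ACK traffic."""
    seen = stats["solicited"] + stats["unsolicited"]
    if seen == 0 or stats["unsolicited"] < min_packets:
        return False
    return stats["unsolicited"] / seen >= min_share


if __name__ == "__main__":
    stats = analyze(SAMPLE_PACKETS)
    print(stats)
    print("SYN/ACK reflection flood:", is_synack_flood(stats))
```

The same state table that identifies the flood can drive a drop rule for SYN/ACKs with no matching outbound SYN. One caveat for production use: the check depends on seeing the protected network's outbound SYNs, so asymmetric routing or a monitoring point that misses the outbound direction will make legitimate handshakes look unsolicited; the thresholds and the per-reflector counts exist so that a handful of such misses does not raise an alert on their own.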
"The incident is an excellent demonstration of how fragile the modern Internet is. Nearly five years have passed since the research paper describing the SYN/ACK amplification technique was published. Nevertheless, no engineering effort to solve the problem was made during that time, which in the end led to a series of successful attacks with absolutely destructive effects," said Alexander Lyamin, founder and CEO of Qrator Labs. "We need better protocols, infrastructure and technologies to prevent such attacks in the near future. It is necessary to build a threat management system, draw up risk-reduction plans and revise them at least once a year, because today the situation with security risks changes very quickly."