Sunday, 10 January 2016

How Big Can A DDoS Attack Be

On New Year's Eve 2015 the BBC's web domain was subjected to a DDoS attack.  It did cause significant disruption, and it was noticed by many users who took to social media in something of a mild panic. 

The attack interested me not just because the BBC was an unusual target but more particularly for what then followed: those claiming they were the attackers communicated with the BBC technology journalism team.

Part of that communication claims that the attack reached 600 GB/s data rates.





The largest data rates we have seen in DDoS attacks previously were something like 330 GB/s, which occurred when Spamhaus was attacked in 2014.  These sorts of rates are extraordinary.  The only way found so far to mount these attacks is to use reflection/amplification attacks such as I have described here previously (unless someone can tell me differently). The tool being used by these attackers was claimed to be BangStresser.  It even had its own website, and in an ironic twist was protected against DDoS attacks by Cloudflare.  Recently it has been taken down.

But, even with the most productive reflection attacks (DNS and NTP) just how high can these data rates go?  Some "back of the envelope" maths suggests that to reach 600 GB/s the attackers would have to be using a number of servers that I find it difficult to believe could be simultaneously engaged.

What is more, in their message to the BBC the attackers state that this was just a test: apparently one that got out of hand.  If they have found a way to mount DDoS attacks of this scale then this is something that we all need to take note of.  What would be really useful would be if the attackers provided further evidence as they seemed to suggest they would.  They claim that part of their success is due to using Amazon servers but that is really very surprising as Amazon claim to have facilities in place to prevent just this sort of misuse.

Meanwhile, DDoS is firmly back on the agenda, with 3DoS and apparently increasing volumes signalling that this is not a form of attack that we yet have under control.

Update: 27/01/2016 A report out today from Arbor Networks documents attacks increasing as discussed above and having reached speeds of 500 GB/s.