F5 Silverline Mitigates Record-Breaking DDoS Attacks
Overview
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
As the frequency of these attacks and the cost of outages continue to escalate, the importance of a holistic, layered defense to mitigate these attacks is now mission-critical. Businesses around the world need advanced cloud-based mitigation armed with the technical resources, infrastructure, and sophisticated defense tools to win this continuously evolving battle.
DDoS Attacks Continue to Escalate
It’s clear from F5 Labs’ “DDoS Attack Trends for 2020” article that the capabilities needed to launch large-scale, volumetric distributed denial-of-service (DDoS) attacks are continuing to change at an unprecedented pace. Over the years, F5 Silverline has witnessed a steady rise in the size of DDoS attacks, with multiple records of attacks peaking around 500 gigabits per second (Gbps). Since early 2020, the frequency of large attacks has increased. And in June 2021, a new record was set, with an attack mitigation recorded at 840 Gbps.
In 2021, malicious actors have leveraged an average of 2.7 attack vectors per DDoS attack, according to data collected by F5 Silverline. Top DDoS attack vectors include:
- TCP/SYN Flood
- UDP DNS Reflection
- UDP Flood
- IP/UDP Fragmentation
- CHARgen Reflection
Given the rapidly increasing ease of launching large-scale, multi-vector DDoS attacks, the June 2021 record did not last long. In July 2021, F5 Silverline successfully mitigated multiple attacks. In total, these attacks peaked at approximately 1.2 terabits per second (Tbps). The largest of these DDoS attacks peaked at approximately 1.15 Tbps, as illustrated in the graph below:
Real-Time DDoS Protection
Today’s DDoS attacks rapidly scale to unforeseen volumes and come without warning. As a result, rapid response, communication, and granular visibility to customers—with minimal false-positive results—are critical to mitigating these incidents.
This record-breaking 1.15 Tbps attack was primarily generated through a UDP Flood for volumetric impact and simultaneously targeted every IP in the customer’s /24 Class C subnet. The F5 Silverline Security Operations Center team was immediately on the case as alerts to F5 Silverline’s proprietary traffic actioner, collectors, and detection mechanisms per DST host. These notifications and alerts were flagged to F5 Silverline’s 24x7 Security Operations Center in near real-time.
In this specific attack, the malicious attack traffic went from 0 to 800 Gbps in less than one minute, simultaneously hitting approximately 250 targets. The countermeasures applied by the F5 Silverline Security Operations Center were primarily blocking proto UDP and associated port ranges after communication with the customer was quickly established and the customer confirmed that it did not expect UDP on certain hosts/ports.
F5 Silverline incident response is based on each customer's real-time incident procedures (RTIPs). F5 Silverline continuously fine tunes and optimizes our customers' defense posture for their critical assets. This includes both the application security (L7 DDoS, WAF, IPI) and infrastructure (L3/L4 Volumetric DDoS) defense layers.
After this attack was successfully mitigated, F5 Silverline applied additional countermeasures further upstream within F5 Silverline's globally distributed IP Anycast network using BGP Flowspec.
"F5 Silverline continuously fine tunes and optimizes our customers' defense posture for their critical assets."
The Importance of Carrier Relationships
F5 Silverline uses at least five Tier 1 carriers across F5 Silverline’s globally distributed DDoS mitigation cloud to ensure scalability, redundancy, performance, and security.
F5 Silverline derives its strength from its carrier relationships combined with the expertise of its Security Operations Center, which leverages F5’s proprietary and blended array of best-of-breed DDoS mitigation toolsets. Together, these provide the capacity and mechanisms to stop the largest, most sophisticated DDoS attacks ever observed on the Internet.
Conclusion: A Strong Defense is the Best Offense
As DDoS attacks continue to grow in scale and complexity, organizations around the globe need multiple layers of protection to stop these attacks before they reach the enterprise network. F5 Silverline Managed Security Services detects and mitigates even the largest of volumetric DDoS attacks—deploying security services for every app, anywhere, without upfront investments in IT infrastructure and support.