Strongest DDoS attack of 2022 rewrites last year’s record


In recent weeks, cyberspace has been a war zone. Of course, not everything is Russia’s fault. The current chaos is also being exploited by a number of organized groups, so we are seeing more phishing, application layer attacks with extortion, and traditional DDoS attacks. But let’s not forget that Russia demonstrated its new HermeticWiper data-erasing malware early in the war. It quickly spread beyond Ukraine. It can affect you too. So our challenge still stands: back up your data yourself, wherever you keep it!

In today’s article, we would like to focus on the traditional DDoS attacks that we have encountered in recent weeks, specifically on one wave that hit us on the night from Thursday (03.03.2022) to Friday (04.03.2022).

Retaliation for supporting Ukraine? No, we’ve been under attack for weeks.

A number of you asked us if this was retaliation for putting the Ukrainian flag on our website and other activities in support of Ukraine. We are convinced that this is not the case. This is because these very strong DDoS attacks have been going on for several weeks. Our protections have been able to fully eliminate or reduce them to the point that they have not affected our services for a long time (we can automatically go from attack detection to filtering in sub-second increments).

For example, we documented one of these stronger attacks, from the night of 18–19 February, in detail on our blog in the article February night DDoS attacks exceeded 133 Gbps.

On the other hand, in connection with Russia’s invasion of Ukraine, we have seen attacks on pro-Russian websites, websites of Russian companies, conspiracy websites and a few others that have nothing to do with Russia. These are mostly primitive web attacks launched from web browsers. Although they are very simple in nature, hacktivists have been able to generate up to 75 million requests per day against one such site. And it shows.

We protect these sites with our WEDOS Global Protection, which is still under development. Thanks to these attacks, we have made very rapid progress with it. It is an application layer protection that puts a redirect or captcha page in the way of potentially problematic traffic.

A captcha page that protects dozens of our customers’ websites from application layer attacks.

Our protection against DDoS attacks

After a very tough experience with DDoS attacks in 2013, we understood that if we don’t start working hard on building protections ourselves, we won’t get very far. There would always be someone who could paralyze our services. It was necessary to build really massive protection and to focus on cybersecurity as such.

Since then, we have been investing millions of crowns a year in protection. Gradually, not only has our protection become more robust (the number of servers is growing, we are upgrading hardware), but we are also significantly strengthening connectivity, backup routes and the entire network infrastructure. We have more people working on protection and networks. At the same time, we gain important know-how, data and, most importantly, real experience, and that is what is most noticeable. Most probably it was the years of experience and constant “digging and testing” that led to a number of groundbreaking modifications.

We currently have 3 main routes with 100 Gbps connectivity each and additional backup 10 Gbps routes. We are able to filter virtually all traffic that goes through these routes. We can go from detection to the start of filtering from 1 to 3 seconds (depending on the attack). To do this, we run one of the largest blacklists built on paid third-party blacklists and our data. We host the most websites in the Czech Republic and we actively work with data both automatically and manually. We can thus detect even attackers who carry out attacks very carefully.

After the strongest DDoS attack in the history of the Czech Internet, where we managed to measure 164.3 Gbps and 98.1 million packets per second at peak times, we understood that it was only a matter of time before someone would be able to carry out such an attack on a long-term basis, or would have enough equipment inside the Czech Republic to clog the local ISPs. That attack was actually bigger, but more of it never reached us, and we could not have measured it anyway 🙂

We have thus begun to develop the concept of a decentralised WEDOS Global network that will take the fight to the local battlefield where the attacks are coming from. For an update, see Building WEDOS Global – First infrastructure sites agreed.

How the strongest DDoS attack in the Czech Republic (so far) took place in 2022

The attack itself was preceded by a truly massive and thorough scanning of everything we own or might be connected with. We detected these attempts gradually over several days before the big attack.

The numbers below are what our sensors were able to measure or calculate. In reality everything was higher, because the routes were saturated.

The big attack itself started at about 19:50. It literally went through each segment of our network one by one. These were ICMP-based attacks. By 20:00, the attack strength had surpassed 100 Gbps and reached 116 Gbps in minute averages. The peaks were practically more than twice that.

At 20:10 it slowed down and dropped to about 40 Gbps. The attackers were probably calibrating something 🙂

At approximately 20:30, a very strong attack was launched, which exceeded 125.8 Gbps (again, we are talking about a minute average). Our 100 Gbps Telia route was completely clogged. This route mainly handles traffic from abroad. A very strong attack also went through NIX and another route.

Increased traffic that went through our Czech connectivity supplier Kaora from NIX.

At this time, the attackers mainly targeted web hosting, which may have been inaccessible, or rather slowed down, from abroad. We also noticed a smaller number of requests arriving at the web servers; it was mainly automated traffic (search engine robots, data collection, availability monitoring, etc.).

At this point, the whole company was already online and everyone was watching what was going on. It wasn’t so much about strength, but more about the length of the attack. We have never experienced an attack that exceeded 100 Gbps in measured values and went for 50 minutes straight!

The strongest part of the attack started after a short break at 21:30. Individual attacks within a 10-minute interval exceeded 140 Gbps. This was a packet-rate attack, which at peak reached 77.2 million packets per second in minute averages. However, last year’s record of 98.1 million packets per second was not broken.

The peak of the attack came at 21:50, when the strength of the attack stayed above 190 Gbps for ten minutes and we measured a new Czech record of 190.2 Gbps. At that moment about 20 Gbps in 5-minute averages was coming from the Czech NIX alone, and many local ISPs collapsed.

When the attackers saw that we were still running, they launched another 145.7 Gbps attack over UDP. That didn’t help either. The attack continued until 1:20, gradually fading from 40 Gbps to 20 Gbps.

The following graphs show the progress of the attack.

Graph of attack strength in Gbps from 03.03.2022 to 04.03.2022 as measured by sensors.
Graph of attack strength in millions of packets per second from 03.03.2022 to 04.03.2022 as measured by sensors.

As you can see, ICMP attacks dominated. For about 10 minutes, a stronger attack via UDP took place.

Number and types of individual attacks from 03.03.2022 to 04.03.2022 as measured by sensors.
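The figures above are reported as minute averages, peaks above those averages, a per-protocol breakdown (ICMP dominating, UDP for about ten minutes) and a detection-to-filtering delay of a few seconds. The following Python example, added here and not WEDOS code, shows how those quantities are computed from per-second sensor samples. The sample data, the 100 Gbps threshold and the three-second trailing detection window are constructed assumptions for illustration only.

```python
"""Minute averages, peaks, protocol share and fast threshold detection
computed from per-second sensor samples (constructed example, not WEDOS code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

GBPS = 1e9  # bits per second in one Gbps
MPPS = 1e6  # packets per second in one Mpps


@dataclass(frozen=True)
class Sample:
    ts: int      # seconds since capture start (hypothetical sensor clock)
    proto: str   # "icmp", "udp" or "tcp"
    bits: int    # bits seen in this one-second bucket
    pkts: int    # packets seen in this one-second bucket


def per_second_totals(samples: Iterable[Sample]) -> Dict[int, Tuple[int, int]]:
    """Sum bits and packets across all protocols for every second."""
    totals: Dict[int, List[int]] = defaultdict(lambda: [0, 0])
    for s in samples:
        totals[s.ts][0] += s.bits
        totals[s.ts][1] += s.pkts
    return {ts: (b, p) for ts, (b, p) in totals.items()}


def minute_averages(samples: Iterable[Sample]) -> Dict[int, Tuple[float, float]]:
    """Average Gbps and Mpps per whole minute: the 'minute averages' DDoS reports quote.
    Averaging over the seconds actually seen hides short spikes, which is why a
    minute average is always below the true peak."""
    per_min: Dict[int, List[int]] = defaultdict(lambda: [0, 0, 0])  # bits, pkts, seconds
    for ts, (bits, pkts) in per_second_totals(samples).items():
        m = ts // 60
        per_min[m][0] += bits
        per_min[m][1] += pkts
        per_min[m][2] += 1
    return {m: (round(b / n / GBPS, 1), round(p / n / MPPS, 1))
            for m, (b, p, n) in per_min.items()}


def peak_gbps(samples: Iterable[Sample]) -> float:
    """Highest one-second total in Gbps (the 'peak', not the minute average)."""
    return max(b / GBPS for b, _ in per_second_totals(samples).values())


def protocol_share(samples: Iterable[Sample]) -> Dict[str, float]:
    """Fraction of total bits per protocol; shows which attack vector dominated."""
    bits: Dict[str, int] = defaultdict(int)
    for s in samples:
        bits[s.proto] += s.bits
    total = sum(bits.values())
    return {p: b / total for p, b in bits.items()}


def first_trigger(samples: Iterable[Sample], threshold_gbps: float,
                  window: int = 3) -> Optional[int]:
    """First second at which the trailing `window`-second average exceeds the
    threshold. The gap between attack onset and this second is the detection
    latency a filtering pipeline has to add its own reaction time to.
    Assumes one sample bucket per second with no gaps (constructed data)."""
    totals = per_second_totals(samples)
    history: List[float] = []
    for ts in sorted(totals):
        history.append(totals[ts][0] / GBPS)
        recent = history[-window:]
        if len(recent) == window and sum(recent) / window > threshold_gbps:
            return ts
    return None


def constructed_capture() -> List[Sample]:
    """Three minutes of made-up sensor data shaped like the timeline above:
    baseline traffic, then an ICMP flood, then a short UDP burst on top of it."""
    out: List[Sample] = []
    for ts in range(180):
        out.append(Sample(ts, "tcp", int(2 * GBPS), int(0.4 * MPPS)))        # normal traffic
        if ts >= 60:
            out.append(Sample(ts, "icmp", int(120 * GBPS), int(60 * MPPS)))  # ICMP flood
        if 150 <= ts < 160:
            out.append(Sample(ts, "udp", int(60 * GBPS), int(10 * MPPS)))    # UDP burst
    return out


if __name__ == "__main__":
    cap = constructed_capture()
    for minute, (gbps, mpps) in sorted(minute_averages(cap).items()):
        print(f"minute {minute}: {gbps} Gbps, {mpps} Mpps")
    print("peak:", peak_gbps(cap), "Gbps")
    print("share:", {p: round(v, 3) for p, v in protocol_share(cap).items()})
    print("trigger at second:", first_trigger(cap, threshold_gbps=100.0))
```

Note how the ten-second UDP burst at 182 Gbps shows up in the minute average as only 132 Gbps: a report quoting minute averages understates the real peak, which is exactly the point the article makes about its own numbers. The trigger fires at second 62, two seconds after the flood starts at second 60, because the three-second trailing window must be filled with flood-level samples first.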

Conclusion

Although this attack looked horrible, there was only a temporary slowdown of traffic from abroad and from some ISPs in the Czech Republic. No serious damage was done.

The attackers continued their attacks the next day. They exceeded 100 Gbps again for a few hours and this time managed to take down our customer administration. For such a case we still have a backup administration that customers could use.

It turned out that, once again, we were thinking mainly about protecting our customers’ services and making sure that everything works for them. We somewhat forgot about our own administration.

During the strongest attack we heard only from a few customers whose monitoring from abroad could not reach their sites, which is a fraction compared to the dozens who reported that the administration was unavailable.

So we have it pretty well tuned; we just need to think about our own services too 🙂

However, when you compare this attack with the strongest one of last year, you can really see the huge difference in both strength and duration. A year from now, a similar attack could last not hours, but days. That’s why we are also devoting all our efforts to building our WEDOS Global network to move the battlefield closer to the attackers. Hopefully next week we will launch the first servers outside the Czech Republic. Read more in the article Building WEDOS Global – First infrastructure sites agreed.