On March 22, the largest DDoS attack yet seen in the history of the Internet hit the CloudFlare network.
“We saw approximately 120 Gbps hit the edge of our network,” Matthew Prince, co-founder and CEO of CloudFlare told eSecurity Planet. “At that point, the attackers changed their strategy and started targeting our upstream providers.”
The upstream providers in turn were hit by a massive 300 Gbps DDoS at the peak of the attack.
The volume of attack traffic, both for the upstream and for CloudFlare’s own network, is the most that Prince — or anyone else — has ever seen. Prince said that while he has seen a handful of DDoS attacks that have crossed the 100 Gbps threshold, he’s not aware of any attack online that is larger than 300 Gbps.
“Attacks generally have a natural ceiling around 100 Gbps due to the fact that that is the largest port you can get on a router,” Prince said. “Tom on our networking team previously worked for a large network provider in Asia and reports that there have been a handful of attacks internal to China’s network that have supposedly been larger, but I don’t have any direct knowledge of them.”
John Grady, IDC research manager for Security Products, told eSecurity Planet that the 300 Gbps attack is the largest of which he is aware.
“While not incredibly common, it is much easier than just a couple of years ago to get an attack up over 50 Gbps,” Grady said. “Sustaining that is a different matter. This attack seems to have gone on over the last week or so, which is becoming more typical.”
Though the DDoS against Spamhaus and CloudFlare was the largest publicly reported DDoS in history, the broader impact on the entire Internet depends on where in the world you are.
“The congestion on the network was almost entirely limited to Europe and, for a brief period of time, Asia,” Prince said. “Whether the Internet slowed down depended on whether your packet was going through a Tier 1 provider or Internet Exchange that was affected.”
Prince explained that when the Internet “slows down,” it really means that packets are being lost and need to be re-sent. “Packet loss is often caused by a port on the network having more traffic sent to it than it can handle,” he said.
Although CloudFlare and Spamhaus were under DDoS attack, the attackers did not actually succeed in taking the Spamhaus site offline.
“Spamhaus just proved to the world that a 300 Gbps DDoS attack can be mitigated; they clearly put a lot of forethought into their system architecture and planned for this kind of eventuality,” Andrew Storms, director of security operations for security vendor nCircle, told eSecurity Planet. “Every organization should have a DDoS plan as part of their security program, and collectively we need to study the strategies Spamhaus and their partners used to mitigate this attack.”
Lessons Learned: Tips for Fighting DDoS
There were in fact a number of lessons that CloudFlare learned from this incident. For one, Prince noted that there were some security vulnerabilities in Internet Exchanges (IXs) that allowed them to be targeted.
“We, along with a number of other network security experts, have been working with the IXs to better secure their systems,” Prince said.
CloudFlare has outlined some specific recommendations in a blog post about the DDoS incident.
“We’re pretty proud that throughout the incident we kept Spamhaus’s site online,” Prince said. “That’s something few, if any, other providers could do.”