16 Gbps DDoS Attack.
The little DDoS attack that just keeps growing - Yet the client was always online!
Over the Easter Weekend (2013) we have had a client targeted by a Distributed Denial of Service attack.
Initially we noticed a steady ten hours of 1.1 Gbit per second UDP (DNS Reflection - Port 53) attack which contained on average nine million packets per minute.
This was then followed by a ten minute 2.5 Gbit HTTP Flood attack (with a lazy 35 million packets per minute).
From there, this was then juiced up to become a ten minute 16.83 Gbit HTTP Flood attack (90 million packets per minute) which makes the first ten hours' worth of attacks seem minute and relatively unimportant.
The Solution for now… Filter out and drop the bad traffic using NSfocus DDoS Hardware!
More information on NSfocus DDoS hardware can be found here: www.nsfocus.com
Twelve hours after, however, the attack has continued. The attack is now only 30 Mbit - 1.1 million packets per minute of HTTP GET commands originating from 83 different sources. We figure that this is potentially because some bots have not listened to a 'stop attack' command.
So where did the attack traffic come from?
In short, we are still analyzing the data. So far we noticed that there were roughly 250 compromised Australian servers / computers and thousands and thousands of servers / computers from around the rest of the world!
So far we have identified over 10,000 unique IP addresses from 4200 separate C Class IP Address Ranges (/24s).
What is also interesting is that in the 16.83 Gbit attack fewer than 500 source IP addresses were sending 90% of the traffic. The remaining 9500 odd unique source IP addresses were almost masquerading the IP addresses which were actually sending the bulk amount of data.
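The source breakdown described above (unique IPs, /24 ranges, and the small group of sources carrying 90% of the traffic) can be reproduced from per-source byte counts. The following is an added example, not the tooling used for this incident; the `src_ip bytes` line format, the function names and the sample data are all constructed for illustration.

```python
import ipaddress
from collections import Counter

def parse_records(lines):
    """Parse 'src_ip bytes' lines (a constructed format); return (records, skipped)."""
    records, skipped = [], 0
    for line in lines:
        parts = line.split()
        try:
            records.append((ipaddress.IPv4Address(parts[0]), int(parts[1])))
        except (IndexError, ValueError):
            skipped += 1  # malformed line: count it instead of aborting the run
    return records, skipped

def source_concentration(records, percent=90):
    """Find the smallest set of sources that carries `percent` of all bytes."""
    per_ip = Counter()
    for ip, nbytes in records:
        per_ip[ip] += nbytes
    total = sum(per_ip.values())
    # Collapse every source into its /24, the grouping used in the write-up.
    per_net = Counter()
    for ip, nbytes in per_ip.items():
        per_net[ipaddress.ip_network(f"{ip}/24", strict=False)] += nbytes
    # Walk sources from heaviest to lightest until the share is reached.
    # Integer comparison avoids floating-point error at the threshold.
    heavy, running = [], 0
    for ip, nbytes in per_ip.most_common():
        if running * 100 >= percent * total:
            break
        heavy.append(ip)
        running += nbytes
    return {"unique_ips": len(per_ip), "slash24s": len(per_net),
            "total_bytes": total, "heavy_sources": heavy, "heavy_bytes": running}

def constructed_sample():
    """Constructed data: 5 heavy sources, 50 light ones, 2 malformed lines."""
    lines = [f"198.51.100.{i} 9000" for i in range(1, 6)] * 2
    lines += [f"203.0.113.{i} 200" for i in range(1, 26)]
    lines += [f"192.0.2.{i} 200" for i in range(1, 26)]
    lines += ["not-an-ip 500", "192.0.2.7"]
    return lines

if __name__ == "__main__":
    records, skipped = parse_records(constructed_sample())
    stats = source_concentration(records)
    print(f"{stats['unique_ips']} unique IPs in {stats['slash24s']} /24s, "
          f"{len(stats['heavy_sources'])} sources send 90% ({skipped} lines skipped)")
```

The heavy-source list is the practical output: it is the short set of addresses worth filtering or reporting first, while the long tail contributes little volume.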