Servers.com and Qrator Labs share details on the recent attacks so that others can prepare and be ready to face this in the future. The two companies provide details and analysis of the first significant in-the-wild DDoS attack employing one of the TCP amplification vectors.
The attack mainly consisted of the LDAP amplification (with a significant portion of fragmented UDP datagrams) and the SYN/ACK amplification traffic, with other sorts of UDP amplification present periodically.
The SYN/ACK amplification traffic peaked at around 208 millions of packets per second, possibly excluding a significant portion of traffic originating in the Level3 customer cone due to static loops, suspected transit link congestions, and other routing problems.
The main issues behind a SYN/ACK amplification (and TCP-based packet floods in general) are:
- This kind of a DDoS attack is almost untraceable due to low adoption of counter-spoofing approaches (such as BCP 38). As those approaches are assumed to require a substantial redesign of a network under certain circumstances, collaterally breaking things that are more important for a network, the adoption of those approaches is expected to stay low in the foreseeable future unless the IETF comes up with a different robust anti-spoofing design;
- An ISP’s or a datacenter’s ability to handle this kind of a DDoS attack with BGP Flow Spec (or similar techniques) depends on what particular sort of equipment is deployed in their network;
- For a considerable part of customers, the ability to connect to an external service or an API gateway via TCP is crucial. Web crawlers, technologies like OAuth or CDN, or enterprises such as credit scoring systems or insurance companies depend greatly on external databases (or data sources in general);
- To ensure proper handling of spoofed SYN/ACKs while still maintaining a possibility to connect to an external service, a hosting company under attack would have to track all of the outgoing SYNs to match them against received SYN/ACKs later.
The latter could be done in different ways, each is considered either complicated to design and deploy, or having a severe impact on network latency and RTT, or both;
- The amplification factor for SYN/ACK amplification absent of relatively rare corner-cases is assumed to be between 1x and 5x. That is not a significant figure if compared to NTP’s 500+ or Memcached’ 9000+. However, taking into account the rest of the issues and complicated mitigation measures, five times the DDoS packet rate might be a turning point.