Amazon Web Services and Akamai were both hit by record DDoS attacks, in February and June respectively.

There is no indication that the attacks were related, and a DDoS attack was not behind this week’s major T-Mobile outage - despite some media reports to the contrary.

Remember when 500Gbps was a big deal?

DDoS rack at sea
– DCD/Fay Marney

In February, AWS experienced a record DDoS attack of 2.3 terabits per second. “This is approximately 44 percent larger than any network volumetric event previously detected on AWS,” the company said in a report.

The attack came in one form - as a Connection-less Lightweight Directory Access Protocol (CLDAP) reflection attack that lasted for three days. The attacker sends a CLDAP request to an LDAP server with a spoofed sender IP address that is the target’s IP address. The server then responds, flooding the target IP with traffic.

It’s one of the more popular, and simpler, variants of DDoS attack.

Akamai’s attack was technically smaller, at 1.44 terabits, but tried various different strategies of assault. “Nine different vectors were used, so they were really throwing the kitchen sink, trying to find the chink in the armor to create some damage for this particular customer along the way,” Roger Barranco, VP of global security operations at Akamai, told DCD.

“It also lasted well over an hour, and it maintained its intensity at 1.3 terabits per second - that's pretty unheard of, maintaining that level of velocity from a size perspective.”

The attack was the CDN and security company’s biggest to date, and targeted an undisclosed US Internet Service Provider.

“This attacker went out of their way to use multiple tools and a [wide] geographic distribution to kick off this attack in a concerted and well-coordinated fashion,” Barranco said. “A lot of thinking went into it, it wasn't just someone who was mad about something and rented the tool for five minutes to throw some gigs at someone.”

One of the most successful DDoS attacks in recent history was the Mirai botnet, which took out Dyn’s DNS services - knocking hundreds of websites offline back in 2016. But that attack could have been a lot worse, Barranco noted. “There's very little doubt in my mind that Mirai was not fully taken advantage of,” he said.

“I'm glad that it is now dormant. It was a really very interesting tool that allowed the attacker to manipulate the attack quickly.”

Such attacks will only keep happening, and keep growing - roughly doubling in size every two years. “We're talking about a massive attack of 1.44 terabits. But if you look at our Edge, it's not unusual for us on a normal day without a lot going on to be handling 60 or 70 terabits. We get much higher numbers during an event.”

Poorly secured Internet of Things devices are making it easier and easier for anyone to build increasingly powerful DDoS tools.

“I think a lot of the IoT devices are built in regions where they probably don't care,” Barranco said. “It's just not a part of their bottom line.”

Perhaps even more important is trying to get consumers to take responsibility for their IoT devices. “Frequently, people don't care,” Barranco said, pointing out that the Americas lags behind EMEA and APAC in patching its devices, and changing default logins.

"Not only are the [targets] in the Americas, a lot of the bot and IoT systems that are being taken over to reflect are also in the Americas," he said.

This lack of security focus from both consumers and customers is increasingly dangerous. ”It’s important from a DDoS perspective, but we're actually more concerned about how many IoT manufacturers don't have a [security] mindset,” he said. “Especially those that are in the medical industry - there's a lot of risks out there that can be extraordinarily damaging health and life beyond just 'oh my server is down.'”

He continued: “They can be manipulated to steal information, cause bodily harm, possibly all sorts of things. For example, my air conditioner is really smart. If I'm in a hospital or a convalescent home, and [someone] figures out a way to hack into that and turn it off, there's death associated with that.”

For now, while there have been some efforts to push for IoT security reform, it has been mostly unsuccessful - and no matter what the future brings, there will be the billions of devices that have already been sold to contend with.

Barranco views the chances of this changing any time soon as unlikely: “Unfortunately, it's probably gonna take something horrible for people to react to that and hopefully put some legislation in place.”

Further reading