Akamai on Thursday reported that it had detected and mitigated the largest DDoS attack ever launched against a European customer on Akamai’s Prolexic platform, with traffic spiking to 704.8 million packets per second (Mpps) in an aggressive attempt to cripple the organization’s business operations.
DDoS attacks are an ongoing concern worldwide, and Craig Sparling, an Akamai researcher, said U.S. companies should immediately review and implement Cybersecurity and Infrastructure Security Agency (CISA) recommendations.
These include reviewing critical subnets and IP spaces, and ensuring that they have mitigation controls in place. Sparling said security teams should also deploy DDoS security controls in an “always-on” mitigation posture as a first layer of defense, to avoid an emergency integration scenario and reduce the burden on incident responders.
“If you don’t have a trusted and proven cloud-based provider, get one now,” said Sparling. “Proactively pull together a crisis response team and ensure runbooks and incident response plans are up-to-date. For example, do you have a runbook to deal with catastrophic events? Are the contacts within the playbooks updated? A playbook that references outdated tech assets or people who have long left the company isn’t going to help.”
On the question of why this attack was measured in Mpps, John Bambenek, principal threat hunter at Netenrich, explained that the maximum packet size is 65,507 bytes, though it’s very doubtful this attack used packets of that size. Bambenek said if they did, the attack would be on the scale of 46 TB/sec.
Bambenek said the minimum packet size is only 8 bytes. However, measuring by packet size has relevance because network devices have to process each header of every packet regardless of size, so there’s a possibility of not overwhelming the overall bandwidth while still overwhelming the processing of headers by the network devices themselves.
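The distinction Bambenek draws, that a device's packet-processing budget and its link bandwidth are separate limits, is easier to see with numbers. The following is an added illustration, not code from the article, Akamai or Netenrich: it computes the bandwidth a given packet rate consumes at a given packet size (reproducing the 46 TB/sec figure above and the far smaller bandwidth the same rate of small packets would need), and it runs a simple per-second monitor over constructed flow records that flags a bucket when either the packets-per-second or the bits-per-second limit is exceeded. The device limits (1 Mpps, 10 Gbit/s) and the sample records are assumptions chosen for the example.

```python
"""Packets-per-second versus bits-per-second as separate capacity limits.

Added example; device limits and flow records below are constructed
assumptions, not measurements from the attack described in the article.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical per-device limits for a small edge router (assumptions).
PPS_LIMIT = 1_000_000          # 1 Mpps of header processing
BPS_LIMIT = 10_000_000_000     # 10 Gbit/s of link capacity


def bytes_per_second(pps: int, packet_bytes: int) -> int:
    """Bandwidth consumed by `pps` packets per second of `packet_bytes` each."""
    return pps * packet_bytes


def bits_per_second(pps: int, packet_bytes: int) -> int:
    """Same quantity expressed in bits per second."""
    return 8 * bytes_per_second(pps, packet_bytes)


@dataclass(frozen=True)
class FlowRecord:
    """One aggregated flow sample: one-second timestamp bucket, packet and byte counts."""
    second: int
    packets: int
    octets: int


def per_second_rates(records):
    """Sum packets and bytes per one-second bucket; returns {second: (pps, bps)}."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[r.second][0] += r.packets
        totals[r.second][1] += r.octets
    return {sec: (pk, by * 8) for sec, (pk, by) in sorted(totals.items())}


def classify(pps: int, bps: int, pps_limit=PPS_LIMIT, bps_limit=BPS_LIMIT) -> str:
    """Verdict for one bucket: either limit alone is enough to flag a flood."""
    over_pps = pps > pps_limit
    over_bps = bps > bps_limit
    if over_pps and over_bps:
        return "volumetric+pps flood"
    if over_pps:
        return "pps flood (bandwidth fine)"
    if over_bps:
        return "volumetric flood"
    return "normal"


def detect(records, pps_limit=PPS_LIMIT, bps_limit=BPS_LIMIT):
    """Classify every one-second bucket in the records; returns {second: verdict}."""
    return {sec: classify(pps, bps, pps_limit, bps_limit)
            for sec, (pps, bps) in per_second_rates(records).items()}


# Constructed sample: second 0 is a bulk transfer (large packets, moderate rate);
# second 1 is a flood of 64-byte packets at five times the pps limit while
# consuming only about a quarter of the link capacity.
SAMPLE_RECORDS = [
    FlowRecord(second=0, packets=150_000, octets=150_000 * 1_400),
    FlowRecord(second=0, packets=50_000, octets=50_000 * 1_400),
    FlowRecord(second=1, packets=3_000_000, octets=3_000_000 * 64),
    FlowRecord(second=1, packets=2_000_000, octets=2_000_000 * 64),
]

if __name__ == "__main__":
    rate = 704_800_000  # the 704.8 Mpps peak reported in the article
    print("704.8 Mpps at 65,507-byte packets:",
          bytes_per_second(rate, 65_507) / 1e12, "TB/s")
    print("704.8 Mpps at 64-byte packets:   ",
          bits_per_second(rate, 64) / 1e9, "Gbit/s")
    for sec, verdict in detect(SAMPLE_RECORDS).items():
        pps, bps = per_second_rates(SAMPLE_RECORDS)[sec]
        print(f"t={sec}s  {pps/1e6:.2f} Mpps  {bps/1e9:.2f} Gbit/s  -> {verdict}")
```

The second bucket is the case the article describes: the link is far from saturated, yet the packet rate is well past what the device can forward, so a monitor that alerts only on bits per second would miss it. In practice the pps limit is taken from the vendor's forwarding specification for the specific router or firewall rather than assumed as it is here.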
“Ultimately, protecting from DDoS is an arms race, you have to have some filtering in front of your critical resources that can filter the noise and for your internet-facing resources to have enough load to weather Layer 7 (application layer) DDoS attacks,” Bambenek said. “A has to be greater than B and it’s not much more complicated than that.”