In early 2023, hackers attacked a Gcore customer’s application. The customer was using Gcore’s free CDN plan. The incident consisted of several volumetric attacks with a peak volume of 650 Gbps and involved over 2,000 servers worldwide, all belonging to the Big 3 cloud providers. Due to Gcore’s connectivity and capacity, the attack was mitigated, and our customer’s application continued to operate as intended. Read on to learn about the attacks close-up and discover how our infrastructure withstood them.
How Was the Application Attacked?
The attacks were connection protocol attacks (L4 level). Attackers sent vast quantities of packets in an attempt to overflow the application’s bandwidth and cause unavailability. The incident consisted of three different attack vectors, and at its peak was 650 Gbps—sixty times the average volume of similar attacks.
The incident lasted for fifteen minutes. The fact that the customer’s application continued to run despite the attacks may have contributed to the short duration of the incident. The cost required to execute an attack with this amount of outbound traffic is high, and if the attacks are ineffective, there is no point in continuing the DDoS.
Here’s the quantity of malicious traffic received by our CDN cache servers:
- The first peak corresponds to the UDP flood attack (over 650 Gbps). In a UDP flood attack, an attacker exploits the User Datagram Protocol (UDP), a sessionless networking protocol, by sending a large number of UDP packets to random ports on a target system. This forces the system to repeatedly check for an application listening on each port and, when none is found, respond with an ICMP “Destination Unreachable” packet, thus saturating its resources and causing it to become unresponsive to legitimate traffic.
- The second peak shows the TCP ACK flood attack (600 Gbps). This means the attacker exploited TCP’s three-way handshake mechanism by overwhelming a target system with ACK packets, forcing the system to process a large number of non-legitimate, half-open connections. As a result, significant system resources are consumed, with the goal of making the system unavailable to legitimate traffic.
- The third peak illustrates a mix of TCP and UDP (over 600 Gbps). This was a custom, non-standard variation of the first two attack types.
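As an added example, not part of the Gcore post, the following Python sketch shows how a defender might separate the three vectors above in sampled traffic: UDP sprayed across scattered ports, ACKs arriving without any observed handshakes, or a blend of both. The record format, thresholds and addresses are constructed for the illustration.

```python
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits relevant to this check

def classify_vectors(samples, sampling_rate=10_000, window_s=1.0,
                     min_gbps=1.0, min_udp_ports=64):
    """Label the flood vector seen against each target. samples are
    (src_ip, dst_ip, proto, dst_port, tcp_flags, length) tuples from a
    1:sampling_rate packet sampler, all captured within one window_s window."""
    by_dst = defaultdict(list)
    for s in samples:
        by_dst[s[1]].append(s)
    result = {}
    for dst, pkts in by_dst.items():
        n = len(pkts)
        gbps = sum(p[5] for p in pkts) * sampling_rate * 8 / window_s / 1e9
        udp_ports = {p[3] for p in pkts if p[2] == "udp"}
        udp_share = sum(p[2] == "udp" for p in pkts) / n
        syn = sum(1 for p in pkts if p[2] == "tcp" and p[4] & SYN)
        # ACK without SYN means no handshake is in progress for that packet
        ack_only = sum(1 for p in pkts if p[2] == "tcp" and p[4] & ACK and not p[4] & SYN)
        ack_share = ack_only / n
        if gbps < min_gbps:
            label = "baseline"
        elif udp_share >= 0.8 and len(udp_ports) >= min_udp_ports:
            label = "udp_flood"            # UDP sprayed across random ports
        elif ack_share >= 0.8 and ack_only > 10 * syn:
            label = "tcp_ack_flood"        # ACKs dwarf observed handshakes
        elif udp_share >= 0.3 and ack_share >= 0.3:
            label = "mixed_tcp_udp_flood"  # blend of the two vectors above
        else:
            label = "unclassified_high_volume"
        result[dst] = {"label": label, "gbps": round(gbps, 3),
                       "sources": len({p[0] for p in pkts})}
    return result

def constructed_samples():
    """Synthetic sampler records built for this example (RFC 5737 ranges)."""
    s = []
    for i in range(1000):  # UDP flood from 200 sources to scattered ports,
        s.append((f"203.0.113.{i % 200}", "198.51.100.10", "udp", 1024 + i * 7919 % 60000, 0, 1400))
        s.append((f"203.0.113.{i % 200}", "198.51.100.20", "tcp", 443, ACK, 60))  # and ACK flood, no SYNs
    for i in range(500):   # mixed UDP + ACK against a third target
        s.append((f"203.0.113.{i % 200}", "198.51.100.30", "udp", 1024 + i * 7919 % 60000, 0, 1400))
        s.append((f"203.0.113.{i % 200}", "198.51.100.30", "tcp", 443, ACK, 60))
    for i in range(10):    # ordinary clients: SYN then ACK data, low volume
        s.append((f"192.0.2.{i}", "198.51.100.40", "tcp", 443, SYN, 60))
        s.append((f"192.0.2.{i}", "198.51.100.40", "tcp", 443, ACK, 500))
    return s
```

Running `classify_vectors(constructed_samples())` labels the three attacked targets as UDP, ACK and mixed floods and leaves the low-volume handshaking clients as baseline.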
The assaults were launched from multiple, non-spoofed IP addresses, which made the incident stand out. CDN systems engineers analyzed the incident and determined that the attackers were using 2,143 servers in 44 different regions, and all of the servers belonged to a single public cloud provider.
The Sankey diagram below shows the source and flow of the attack. Names of the locations from the first column are associated with Big 3 cloud providers.
Why Did the Attacks Fail?
Two features of our CDN infrastructure helped to mitigate the attack and keep the customer’s application available during the DDoS attack: wide connectivity and large capacity.
Connectivity. Gcore has more than 11,000 peering partners (ISPs). In peering, ISPs connect their networks directly by cable and give each other access to traffic originating from their networks. These connections allow traffic from peering partners to be absorbed directly, bypassing the public internet. Compared to traffic carried over the public internet, this traffic is either free or significantly less expensive.
In this case, Gcore and the cloud provider used to launch the attack are peering partners. So, when the attacks were performed, we ingested most of the traffic over the cloud provider’s private network and absorbed 100% of the attacks.
Capacity. Our network has hundreds of CDN cache servers located in 140+ PoPs worldwide, and its overall capacity is 110 Tbps. Due to the sheer capacity of the CDN infrastructure, it can absorb the large volume that is generated by a massive DDoS attack. So, the 650 Gbps of traffic was distributed across the network, with each particular server only receiving 1-2 Gbps, which is an insignificant load.
The Road Ahead
Gcore’s Edge Network infrastructure can protect our customers’ applications effectively against L3/L4 DDoS attacks, even on our CDN free-forever plan. The potentially negative impact is mitigated by the capacity and connectivity of the infrastructure.
We plan to implement a flexible architecture based on the XDP stack (eBPF), which will allow us to repel any attacks without filtering capacity restrictions. This stack will allow us to integrate our powerful DDoS Protection filtration center with over 140 CDN caching servers worldwide, turning these servers into cleaning points capable of scrubbing unlimited volumes of traffic.