Our CDN mitigated a 650 Gbps DDoS attack

On January 4, attackers targeted an application belonging to a customer on Gcore’s free CDN plan. The incident consisted of several volumetric attacks with a peak volume of 650 Gbps and involved over 2,000 servers worldwide, all belonging to one of the top three cloud providers. Thanks to Gcore’s connectivity and capacity, the attack was mitigated and the client’s application continued to operate as intended.

Let’s explore these attacks more deeply and consider how our infrastructure withstood them.

How was the application attacked?

The attacks were connection-protocol (L4) floods: the attackers sent vast numbers of packets to saturate the application’s bandwidth and make it unavailable. The incident combined three attack vectors and peaked at 650 Gbps, roughly 60 times the average volume of comparable attacks.

The incident lasted 15 minutes. The fact that the client application kept running despite the attacks probably contributed to its short duration: generating this much outbound traffic is expensive, and if the attacks have no visible effect there is no point in continuing to pay for them.

The chart below shows the volume of malicious traffic received by the CDN cache servers during the incident:

Malicious traffic received by CDN cache servers during a 650 Gbps DDoS attack
  • The first peak corresponds to the UDP flood (over 650 Gbps). UDP is connectionless: no handshake has to succeed before a host will accept a datagram, so attackers can send packets carrying arbitrary data from any source. That makes UDP traffic trivially cheap to generate, which is why it produced the highest volume.
  • The second peak corresponds to the TCP ACK flood (600 Gbps). Here the attackers sent TCP segments with the ACK flag set and no payload for connections that were never established. The receiving host (or any stateful device in front of it) still has to check each segment against its connection table before discarding it, and that per-packet processing is the resource the attack consumes.
  • The third peak corresponds to a mix of TCP and UDP (over 600 Gbps), a custom, non-standard variation of the first two vectors.

The assaults were launched from multiple non-spoofed IP addresses, which is what made the incident stand out: volumetric floods normally rely on spoofed sources or reflection, whereas here the traffic came from real, attributable hosts. CDN systems engineers analyzed the incident and determined that the attackers were using 2,143 servers in 44 different regions, all belonging to a single public cloud provider.

The Sankey diagram below shows the sources and flow of the attack. The location names in the first column correspond to regions of one of the top three cloud providers.

Sankey diagram that shows the source and flow of a 650 Gbps DDoS attack

Why did the attacks fail?

Two properties of our infrastructure mitigated the attack and kept the client application available while it was under way: wide connectivity and large capacity.

Connectivity. Gcore has more than 11,000 peering partners (ISPs and other networks). Peering is a direct interconnection between two networks, over a cross-connect at an Internet exchange or a private link, through which each side exchanges traffic that originates in its own network. Traffic arriving over a peering link is absorbed directly, without crossing transit providers on the public Internet, and compared to transit it is either free or significantly cheaper.

In our case, Gcore and the cloud provider whose servers launched the attack are peering partners. When the attacks started, most of the traffic therefore reached us over the peering links with the cloud provider’s own network rather than over transit, and we absorbed 100% of it.

Capacity. Our network has hundreds of CDN cache servers in 140+ PoPs worldwide, with an overall capacity of 110 Tbps. Because of that capacity, the CDN infrastructure can absorb the volume generated by a massive DDoS attack: the 650 Gbps was spread across the network, with each individual server receiving only 1-2 Gbps, an insignificant load for a cache server.

The road ahead

Gcore’s edge network infrastructure is able to protect client applications, even those running on a free plan, against L3/L4 DDoS attacks. The potential impact is mitigated by the capacity and connectivity of the infrastructure itself. When the network is large enough, the right CDN can protect clients against L3/L4 attacks without any additional payment from the client.

We plan to move filtering to a flexible architecture based on XDP (eBPF programs that run in the NIC driver, before a packet reaches the kernel networking stack), which removes the filtering-capacity bottleneck of a dedicated scrubbing centre. The stack lets Gcore integrate the DDoS Protection filtration center with the CDN caching servers in its 140+ PoPs worldwide, turning every cache server into a cleaning point, so that filtering capacity scales with the network itself rather than with a separate appliance.
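As an added illustration (not Gcore’s code, nor any published XDP program of theirs), the C program below models the per-packet verdict such an XDP program could make on a cache server against the three vectors described earlier in the post: it parses a raw Ethernet/IPv4 frame with the bounds checks the eBPF verifier would demand, drops UDP datagrams to ports the server does not serve, and drops payload-less ACK segments that match no established connection. The port policy (QUIC on UDP/443 only), the flow table and the sample frames are constructed assumptions; a real XDP program would consult a BPF map of established connections and return XDP_DROP / XDP_PASS instead of the stand-in constants.

```c
/* Added example (not Gcore's code): a user-space model of the per-packet
 * verdict an XDP/eBPF program on a CDN cache server could apply to the L4
 * vectors described above. Header layouts are standard Ethernet/IPv4/TCP/UDP;
 * the allowed-port policy, the flow table and the sample frames are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { VERDICT_PASS = 0, VERDICT_DROP = 1 };     /* stand-ins for XDP_PASS / XDP_DROP */
enum { ETH_HLEN = 14, ETH_P_IP = 0x0800, PROTO_TCP = 6, PROTO_UDP = 17 };
enum { TCP_FIN = 0x01, TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };

/* Stand-in for the eBPF map of connections the server really completed a
 * handshake for (one constructed entry: 192.168.1.5:51000 -> :443). */
struct flow { uint32_t saddr; uint16_t sport, dport; };
static const struct flow known_flows[] = { { 0xC0A80105u, 51000, 443 } };

static int flow_known(uint32_t saddr, uint16_t sport, uint16_t dport) {
    for (size_t i = 0; i < sizeof known_flows / sizeof known_flows[0]; i++)
        if (known_flows[i].saddr == saddr && known_flows[i].sport == sport &&
            known_flows[i].dport == dport) return 1;
    return 0;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* One frame in, one verdict out. Every length check mirrors what the eBPF
 * verifier demands before a header byte may be read. */
int filter_frame(const uint8_t *data, size_t len) {
    if (len < ETH_HLEN + 20) return VERDICT_DROP;            /* truncated frame */
    if (rd16(data + 12) != ETH_P_IP) return VERDICT_PASS;    /* not IPv4: leave to the stack */
    const uint8_t *ip = data + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;
    if (ihl < 20 || len < ETH_HLEN + ihl) return VERDICT_DROP;
    uint8_t proto = ip[9];
    uint32_t saddr = rd32(ip + 12);
    const uint8_t *l4 = ip + ihl;
    size_t l4len = len - ETH_HLEN - ihl;

    if (proto == PROTO_UDP) {
        if (l4len < 8) return VERDICT_DROP;
        /* UDP needs no handshake, so a flood is just arbitrary datagrams. A cache
         * server only expects QUIC on UDP/443 (assumed policy); drop the rest. */
        return rd16(l4 + 2) == 443 ? VERDICT_PASS : VERDICT_DROP;
    }
    if (proto == PROTO_TCP) {
        if (l4len < 20) return VERDICT_DROP;
        uint16_t sport = rd16(l4), dport = rd16(l4 + 2);
        uint8_t flags = l4[13];
        size_t doff = (size_t)(l4[12] >> 4) * 4;
        if (doff < 20 || l4len < doff) return VERDICT_DROP;
        if (flags & TCP_SYN) return VERDICT_PASS;   /* handshake: stack / SYN cookies */
        /* ACK flood signature: ACK set, no payload, no FIN/RST, and no
         * connection we ever established. Drop before the socket lookup. */
        if ((flags & TCP_ACK) && !(flags & (TCP_FIN | TCP_RST)) &&
            l4len == doff && !flow_known(saddr, sport, dport)) return VERDICT_DROP;
        return VERDICT_PASS;
    }
    return VERDICT_DROP;   /* anything else has no business on a web cache */
}

/* Constructed frame: Ethernet + IPv4 (no options) + TCP or UDP header + payload. */
static size_t build_frame(uint8_t *buf, uint8_t proto, uint32_t saddr, uint16_t sport,
                          uint16_t dport, uint8_t tcp_flags, size_t payload) {
    memset(buf, 0, 1500);
    buf[12] = 0x08; buf[13] = 0x00;                       /* EtherType IPv4 */
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45; ip[8] = 64; ip[9] = proto;              /* v4, IHL 5, TTL 64 */
    for (int i = 0; i < 4; i++) ip[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
    uint8_t *l4 = ip + 20;
    l4[0] = (uint8_t)(sport >> 8); l4[1] = (uint8_t)sport;
    l4[2] = (uint8_t)(dport >> 8); l4[3] = (uint8_t)dport;
    size_t hlen = 8;
    if (proto == PROTO_TCP) { l4[12] = 0x50; l4[13] = tcp_flags; hlen = 20; }
    size_t iplen = 20 + hlen + payload;
    ip[2] = (uint8_t)(iplen >> 8); ip[3] = (uint8_t)iplen;
    return ETH_HLEN + iplen;
}

/* The incident's vectors and two legitimate packets, as constructed frames. */
int verdict_udp_flood(void) { uint8_t f[1500];            /* 1200-byte junk to UDP/8080 */
    return filter_frame(f, build_frame(f, PROTO_UDP, 0x0A000001u, 4000, 8080, 0, 1200)); }
int verdict_ack_flood(void) { uint8_t f[1500];            /* bare ACK, no known connection */
    return filter_frame(f, build_frame(f, PROTO_TCP, 0x0A000002u, 40000, 443, TCP_ACK, 0)); }
int verdict_legit_ack(void) { uint8_t f[1500];            /* bare ACK on a known connection */
    return filter_frame(f, build_frame(f, PROTO_TCP, 0xC0A80105u, 51000, 443, TCP_ACK, 0)); }
int verdict_legit_quic(void) { uint8_t f[1500];           /* QUIC datagram to UDP/443 */
    return filter_frame(f, build_frame(f, PROTO_UDP, 0x0A000003u, 5000, 443, 0, 300)); }

int main(void) {
    printf("udp flood: %d, ack flood: %d, known-flow ack: %d, quic: %d  (1 = drop)\n",
           verdict_udp_flood(), verdict_ack_flood(), verdict_legit_ack(), verdict_legit_quic());
    return 0;
}
```

Build with `cc -o filter filter.c && ./filter`. The decision logic ports to an XDP C program almost line for line; what changes is that the frame bounds come from the `data` and `data_end` pointers of `struct xdp_md`, and the known-flow check becomes a BPF map lookup populated from user space as connections complete. The example deliberately leaves SYNs and segments carrying payload to the kernel, so a filter of this shape removes the cheap-to-generate part of the UDP and ACK floods without having to understand the application traffic.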
