
We are currently seeing a large DDOS attack this morning affecting multiple customer websites. DDOS stands for Distributed Denial of Service. Unlike a single-source DoS, a DDOS uses many source IPs at once, so blocking one address does not stop the attack.
How this attack works
These attacks do not require a server or network vulnerability. Attackers overwhelm resources with legitimate-looking requests to exhaust CPU, memory, connection slots, or packet-handling capacity. Imagine a PO box that receives so much bulk mail in one day the post office must start returning mail because there’s no room — that’s what a DDOS does to a server.
This is what tipped us off:

What we observed
Typical VLAN traffic averages about 35 kbps. During the attack we saw interfaces stuck at 4+ Mbps, which is alarming even though the network can carry more than 10 Gbps. The problem here is packets-per-second that strain routers, not raw bandwidth. If we weren’t using octa-core routers and modern edge filters, some services would have dropped.

All traffic used user-agents reporting Mac 11 and Chrome 87, which we believe are forged. The bulk of requests originated from IP ranges in China, with occasional sources in the U.S., EU, and Russia. Right now they appear to be targeting an American Christian church site for bandwidth exhaustion.
On other sites, such as an office furniture site, attackers retried repeatedly over several hours to force downtime:

Mitigation status
So far we have mitigated the attack and it has not grown in strength. We have seen short bursts since it began, but upstream filters and our edge rules have been effective.

We have collected more than 11,000 IPs making blanket requests. As upstream providers apply filters, the attackers’ effectiveness drops and the attack eases.
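As an added illustration, not the provider's own tooling, of how sources making blanket requests can be pulled out of a web log for an upstream filter list: the log lines, IPs and user-agent strings below are constructed, and the request and user-agent-share thresholds are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines in combined format; documentation-range IPs and
# shortened user-agent strings, not captures from the incident.
FORGED_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0) Chrome/87.0.4280.88"
REAL_UA = "Mozilla/5.0 (Windows NT 10.0; rv:84.0) Gecko/20100101 Firefox/84.0"
HITS = [  # (source IP, path, user-agent)
    ("203.0.113.5", "/", FORGED_UA), ("203.0.113.5", "/", FORGED_UA),
    ("203.0.113.5", "/about", FORGED_UA), ("203.0.113.5", "/", FORGED_UA),
    ("203.0.113.9", "/", FORGED_UA), ("203.0.113.9", "/events", FORGED_UA),
    ("203.0.113.9", "/", FORGED_UA), ("192.0.2.44", "/", FORGED_UA),
    ("198.51.100.7", "/contact", REAL_UA), ("198.51.100.7", "/", REAL_UA),
]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [10/Jan/2021:05:30:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512 "-" "{ua}"'
    for s, (ip, p, ua) in enumerate(HITS)
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Yield a dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def flood_report(text, per_ip_threshold=3, ua_share_threshold=0.8):
    """Per-source and per-user-agent counts over one log window; sources over the
    request threshold that present the dominant user-agent are filter-list candidates."""
    per_ip, per_ua, uas_by_ip = Counter(), Counter(), defaultdict(set)
    for rec in parse_log(text):
        per_ip[rec["ip"]] += 1
        per_ua[rec["ua"]] += 1
        uas_by_ip[rec["ip"]].add(rec["ua"])
    total = sum(per_ip.values())
    if total == 0:
        return {"total": 0, "dominant_ua": None, "dominant_share": 0.0, "flagged": []}
    dominant_ua, dominant_n = per_ua.most_common(1)[0]
    share = dominant_n / total
    uniform = share >= ua_share_threshold  # otherwise flag on request rate alone
    flagged = sorted(ip for ip, n in per_ip.items()
                     if n >= per_ip_threshold and (not uniform or dominant_ua in uas_by_ip[ip]))
    return {"total": total, "dominant_ua": dominant_ua, "dominant_share": share,
            "flagged": flagged}
```

Run it over one rotation of the real access log at a time; the candidates it returns are what gets reviewed before being handed to the upstream filter, not an automatic block.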

The attack pattern looks random across subnets and networks. It does not appear to target a specific site type beyond being U.S.-focused.
UPDATES
5:46 am: Our upstream providers report this may form part of a larger campaign meant to strain United States internet infrastructure. They see similar attacks across many customers.
5:52 am: We have almost entirely neutralized the initial DDOS surge.

11:00 am: Attackers shifted to Slowloris-style tactics, attempting to hold many slow connections and strain servers at the application layer. We adjusted timeouts and connection handling and again mitigated these attempts. The transition is visible below:

3:35 pm: Issue closed. Attacks have ceased and we do not expect further impact to our services at this time.
We will continue to monitor traffic and remain in constant contact with upstream providers. If anything changes, we will post updates here.