This morning we are seeing a massive DDOS attack on multiple customer websites, originating from China. DDOS stands for Distributed Denial of Service. It differs from a DOS (Denial of Service) attack in that it is distributed: the attacking traffic comes from many IP addresses, so you can’t simply shut it off by blocking one offending IP.
These attacks are very sophisticated and do not require a vulnerability in a server or network. They work by depriving a server or network of resources with legitimate-looking traffic or requests. Imagine for a moment that your post office box got so much bulk mail in a single day that the post office had to start returning mail to senders because there was no room left in your PO box. That is a DDOS attack.
This is what tipped us off.
When the other VLANs on this firewall average only about 35 kbps, seeing interfaces stuck at 4+ Mbps is quite alarming. While the network is more than capable of carrying over 10 Gbps, it is the packets per second that strain the network and routers. So far they haven’t come close to that, but if we were not using octo-core routers, we would be down right now.
All of the traffic claims to be Mac 11 and Chrome 87, which are likely forged (faked) client identities. As you can see, they are currently attempting to starve a Christian church website of bandwidth. The majority of the traffic originates from China, but occasionally we see American, EU, and Russian IPs.
On other websites, such as an office furniture site, they have made several attempts over the past couple of hours to bring it offline:
So far we have mitigated the attack, and it doesn’t seem to be growing in strength. There have been short bursts of traffic since it began, but we are still mitigating well.
So far we’ve collected more than 11,000 IPs that are currently making blanket requests to these websites. The traffic comes in bursts, as it seems others upstream on the network are also helping to mitigate: each time it picks up, their filters get a little better and knock the DDOS back down a notch.
The targeting pattern of this attack is entirely random. They’re attacking servers on separate subnets and networks, and it doesn’t seem to be aimed at any specific type of website other than that it is American.
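The first triage question in a flood like the one described above is whether it is really distributed (thousands of sources, each at a low rate, all presenting the same spoofed client string) or a single source that a plain IP block would stop. The following is an added example, not code from the original post: it runs that check over constructed access-log lines in the Apache/nginx "combined" format, and the thresholds (ua_share, ip_share, min_sources) and the sample user-agent are assumptions for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed user-agent for the sample traffic below (not taken from the post).
FLOOD_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_0) AppleWebKit/537.36 Chrome/87.0.4280.88"

def parse(lines):
    """Yield (ip, user_agent) for each well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ua")

def analyze(lines, ua_share=0.9, ip_share=0.5, min_sources=20):
    """One IP carrying >= ip_share of requests: a blockable single-source flood. >= min_sources
    IPs, none dominant, all sharing one user-agent (>= ua_share): the distributed signature."""
    ips, uas = Counter(), Counter()
    for ip, ua in parse(lines):
        ips[ip] += 1
        uas[ua] += 1
    total = sum(ips.values())
    if total == 0:
        return {"total": 0, "verdict": "no traffic"}
    top_ua, top_ua_n = uas.most_common(1)[0]
    top_ip, top_ip_n = ips.most_common(1)[0]
    report = {"total": total, "distinct_ips": len(ips), "top_ua": top_ua,
              "top_ua_share": top_ua_n / total, "top_ip": top_ip,
              "top_ip_share": top_ip_n / total}
    if report["top_ip_share"] >= ip_share:
        report["verdict"] = "single-source flood"
    elif len(ips) >= min_sources and report["top_ua_share"] >= ua_share:
        report["verdict"] = "distributed flood"
    else:
        report["verdict"] = "no flood signature"
    return report

def constructed_sample():
    """Constructed traffic: 40 hosts x 3 requests sharing FLOOD_UA, plus 2 ordinary visits."""
    ts = "10/Jan/2021:05:30:00 +0000"
    lines = [f'203.0.113.{h} - - [{ts}] "GET / HTTP/1.1" 200 5120 "-" "{FLOOD_UA}"'
             for h in range(1, 41) for _ in range(3)]
    lines.append(f'198.51.100.7 - - [{ts}] "GET /contact HTTP/1.1" 200 2048 "-" "curl/7.68.0"')
    lines.append(f'198.51.100.8 - - [{ts}] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0"')
    return lines
```

Run analyze() over one short time window at a time (for example one minute of log), since the per-IP share only means something relative to a bounded window.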
We’re going to continue to monitor this situation and we’re in constant contact with our upstream providers. If anything changes, we’ll let you know here.
UPDATES
5:46 am: We are being told by our upstream providers that this may be part of a much larger attack intended to strain the United States Internet infrastructure. They report that this attack is hitting nearly all of their customers right now.
5:52 am: We have almost entirely neutralized the DDOS attack.
11:00 am: The attackers have switched to Slowloris-type attacks, that is, they’re attempting to target critical points of code in order to put maximum strain on the servers. Once again, we are almost entirely mitigating this. You can see the transition below:
3:35 pm: Issue closed. Attacks have ceased and we no longer believe this will affect our services.