A group of unknown attackers carried out a well-planned, multi-vector DDoS attack on a video gaming website. The attack peaked at almost 110 Gbps and more than 90 million packets per second. It was nonetheless absorbed by Incapsula's new Behemoth scrubbers.
Last week, Incapsula contacted the VPNCreative team and told us about the attack. The attack took place within a month of launching the Behemoth scrubbers deployed in five data centers: Los Angeles, San Jose, London, Frankfurt, and Miami.
The attack started on June 21 and continued until July 28, a 38-day campaign that lasted far longer than the team had initially expected. Throughout it, the company had to filter out tens of millions of DDoS packets on a daily basis to hold off this high-intensity attack.
While the company fought off the volumetric traffic, the attackers tried everything to bring the website down: focused application-layer (HTTP) floods, network-layer DDoS attacks, and several XSS and SQL injection attempts. None of it worked. The floods were scrubbed at the network edge, and the XSS and SQL injection attempts were blocked by the Incapsula Web Application Firewall.
The Beginning of the Attack
The Incapsula team first noticed a DNS flood peaking at almost 90 Mpps (million packets per second), with most of the attacking IP addresses geolocating to India and China. Because a DNS flood rides on connectionless UDP, which never completes a handshake, the source addresses in its packets are trivially forged, so the researchers concluded that the IPs were most likely spoofed rather than the true origin of the traffic.
A DNS flood is a symmetrical Distributed Denial of Service (DDoS) attack: compromised machines in a botnet run scripts that fire large volumes of UDP (User Datagram Protocol) DNS queries directly at the victim's authoritative DNS servers, exhausting server-side resources such as CPU and memory until legitimate lookups for the victim's domain fail. It should not be confused with DNS amplification, an asymmetrical reflection attack in which spoofed queries are sent to publicly accessible open resolvers so that their much larger responses land on the victim. In the symmetrical case every malicious packet has to be generated by the attacker's own infrastructure, which is why the source IPs and their packet rates say something about the scale of that infrastructure even when the addresses themselves are spoofed.
DDoS tactics keep shifting, and attackers now combine every vector available to them, volumetric and application-layer alike, to find whatever weakness the target has.
The attack went on for 38 days, during which the Behemoth servers filtered out more than 50 petabits (50,000 terabits) of malicious traffic. The attackers also resorted to using large SYN floods directed towards the Incapsula DNS infrastructure.
One notable aspect of these attacks was that, while the attackers rotated between various targets, they never stopped hitting the website of one particular Incapsula client, a video gaming company that had signed up with Incapsula just before the attack began. This made clear that the gaming company was the real target. The attackers' persistence and aggression hint at a rival with a commercial motive, and their goal was obvious: take the website down and, with it, the gaming company's online business.
When Incapsula examined the malicious packets more closely, it found that a large share of them originated from the same handful of /24 address ranges.
“We knew that 20% of C-classes are typically responsible for ~80% of all DDoS traffic.”
By tracking those ranges, the company was able to identify the offenders, who kept attacking from substantial network resources. The strategies they used indicated that these were not amateurs trying to make a quick buck with a DDoS attack, but professionals with a serious motive.
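The per-range concentration described above, and the UDP/53 flood mechanics described earlier, can be reproduced against flow data with a few lines of aggregation. The following is an added example written for this article, not Incapsula's code: it filters constructed flow records down to UDP traffic aimed at port 53, sums packets per /24 ("C-class") prefix, and returns the smallest set of top-ranked prefixes that account for 80% of the flood. The flow records, the IP addresses (all from documentation and private ranges) and the packet counts are constructed for illustration.

```python
"""Rank the /24 ranges that carry the bulk of a UDP/53 flood.

Added example for this article, not Incapsula's code.  The flow records
below are constructed; they are not from the incident described.
"""
import ipaddress
from collections import defaultdict

# Constructed flow records: (source IP, protocol, destination port, packets).
# Two /24s carry the flood; eight others contribute a trickle of DNS queries,
# and a few non-DNS flows are present to show that the filter ignores them.
SAMPLE_FLOWS = [
    ("203.0.113.17", "udp", 53, 400000),
    ("203.0.113.88", "udp", 53, 350000),
    ("203.0.113.201", "udp", 53, 300000),
    ("198.51.100.4", "udp", 53, 250000),
    ("198.51.100.77", "udp", 53, 200000),
    ("192.0.2.10", "udp", 53, 5000),
    ("192.0.2.11", "udp", 53, 4000),
    ("10.1.2.3", "udp", 53, 3000),
    ("10.9.8.7", "udp", 53, 2000),
    ("172.16.0.9", "udp", 53, 6000),
    ("172.16.1.9", "udp", 53, 1000),
    ("100.64.0.1", "udp", 53, 2500),
    ("100.64.1.1", "udp", 53, 1500),
    ("192.168.5.5", "udp", 53, 500),
    ("192.0.2.12", "tcp", 443, 900000),    # legitimate HTTPS, not part of the flood
    ("198.51.100.200", "udp", 123, 1000),  # NTP, not DNS
    ("203.0.113.5", "tcp", 80, 20000),     # HTTP, not DNS
]


def packets_per_prefix(flows, proto="udp", dst_port=53, prefixlen=24):
    """Sum packets per source prefix for flows matching proto/dst_port.

    Returns a dict mapping a prefix string such as '203.0.113.0/24' to the
    number of packets seen from it.  prefixlen=24 gives the /24 ("C-class")
    granularity used in the article; pass 16 for coarser aggregation.
    """
    counts = defaultdict(int)
    for src, p, port, pkts in flows:
        if p != proto or port != dst_port:
            continue
        # strict=False lets ip_network mask the host bits off for us.
        net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
        counts[str(net)] += pkts
    return dict(counts)


def ranges_carrying(counts, share=0.8):
    """Pick the fewest top-ranked prefixes whose packets reach `share` of total.

    Returns (prefixes, fraction_of_prefixes), so that the 80/20 observation
    from the article reads as: prefixes covering share=0.8 make up a
    fraction_of_prefixes of roughly 0.2.
    """
    total = sum(counts.values())
    if total == 0:
        return [], 0.0
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    picked, running = [], 0
    for net, pkts in ranked:
        picked.append(net)
        running += pkts
        if running >= share * total:
            break
    return picked, len(picked) / len(counts)


if __name__ == "__main__":
    counts = packets_per_prefix(SAMPLE_FLOWS)
    heavy, frac = ranges_carrying(counts)
    print(f"{len(counts)} /24s sent UDP/53 traffic; "
          f"{len(heavy)} of them ({frac:.0%}) carry 80% of it:")
    for net in heavy:
        print(f"  {net:18s} {counts[net]:>10,d} packets")
```

One caveat a practitioner will want: when the flood uses forged source addresses, as the team believed here, the heavy prefixes identify where the spoofed addresses cluster, not who is sending them. The output is therefore input for rate limiting or scrubbing policy at the edge, not for attribution or for reporting the listed ranges to their owners.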
Incapsula did not share the real identities of the main victim or the perpetrators of the attack.