Feb 22, 2023 marks the anniversary of the DDoS attack that Gcore faced in January 2021. The attack exceeded the average bandwidth of similar attacks by 60×, with a peak volume of 650 Gbps. It used over 2000 servers belonging to one of the top three cloud providers and targeted a client on a free CDN plan. Despite the scale of the attack, Gcore was able to mitigate the incident thanks to its distributed infrastructure and large number of peering partners.
The attack combined three vectors: a UDP flood, a TCP ACK flood, and a mix of TCP and UDP. It lasted 15 minutes and consisted of hundreds of millions of UDP packets sent to the target server to consume the application's bandwidth and make it unavailable. The attackers exploited the fact that UDP requires no connection establishment and spoofed source IP addresses, making the senders difficult to identify. The attack also included a large number of packets with the ACK flag set, sent to the target server to overwhelm it.
Gcore's connectivity, with peering in many locations and large capacity, allowed it to absorb the attack. The attackers used 2,143 servers in 44 different regions, all belonging to the same public cloud provider. Using Anycast, Gcore absorbed 100% of the attack over its peering connections with this provider. The attack was spread across the Gcore network, so each individual server received only 1-2 Gbps, an insignificant load.
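The vectors described above (UDP flood, TCP ACK flood, or a mix of both) can be told apart from per-destination flow counters. The following is an added example, not Gcore's code, that classifies a window of constructed flow records; the thresholds and sample addresses are assumptions for illustration only.

```python
# Added example, not Gcore's code: classify a window of constructed flow records
# into the L3/L4 vectors described above (UDP flood, TCP ACK flood, or a mix).
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, proto, tcp_flags, packets).
SAMPLE_FLOWS = [                                   # benign baseline traffic
    ("203.0.113.5", "198.51.100.10", "tcp", "SYN", 1),
    ("203.0.113.5", "198.51.100.10", "tcp", "ACK", 12),
    ("203.0.113.9", "198.51.100.10", "udp", "", 3),
]
# UDP flood toward .20: many distinct (spoofable) sources, no handshake needed.
SAMPLE_FLOWS += [(f"192.0.2.{i}", "198.51.100.20", "udp", "", 400) for i in range(1, 101)]
# ACK flood toward .30: ACK-only segments for connections that were never opened.
SAMPLE_FLOWS += [(f"198.18.{i // 256}.{i % 256}", "198.51.100.30", "tcp", "ACK", 300)
                 for i in range(1, 101)]

UDP_PPS = 10_000     # assumed threshold: UDP packets per window per destination
ACK_PPS = 10_000     # assumed threshold: ACK-only packets per window per destination
MIN_SOURCES = 50     # assumed: many distinct sources marks a distributed flood

def summarize(flows):
    """Per-destination counters: UDP packets, ACK-only packets, SYNs, sources."""
    stats = defaultdict(lambda: {"udp": 0, "ack_only": 0, "syn": 0, "sources": set()})
    for src, dst, proto, flags, pkts in flows:
        s = stats[dst]
        s["sources"].add(src)
        if proto == "udp":
            s["udp"] += pkts
        elif flags == "ACK":          # TCP segment carrying only the ACK flag
            s["ack_only"] += pkts
        elif "SYN" in flags:          # a handshake was actually observed
            s["syn"] += pkts
    return stats

def classify(flows):
    """Return {dst: vector} for destinations whose counters exceed the thresholds."""
    verdicts = {}
    for dst, s in summarize(flows).items():
        if len(s["sources"]) < MIN_SOURCES:
            continue
        udp_hit = s["udp"] >= UDP_PPS
        # ACK flood: high ACK-only volume while almost no handshakes were seen
        ack_hit = s["ack_only"] >= ACK_PPS and s["ack_only"] > 100 * max(s["syn"], 1)
        if udp_hit and ack_hit:
            verdicts[dst] = "mixed"
        elif udp_hit:
            verdicts[dst] = "udp_flood"
        elif ack_hit:
            verdicts[dst] = "ack_flood"
    return verdicts
```

Running `classify(SAMPLE_FLOWS)` flags the two flooded destinations and leaves the low-volume baseline traffic alone; in production the counters would come from a sampled NetFlow/sFlow window rather than the constructed list.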
This incident serves as a reminder that even small and medium-sized businesses need distributed content delivery networks and cloud platforms, such as a CDN and cloud service, to protect against DDoS attacks.
Key Points:
• Gcore faced an incident involving several L3/L4 DDoS attacks with a peak volume of 650 Gbps.
• The attack exceeded the average bandwidth of similar attacks by 60×.
• The attackers used 2,143 servers in 44 different regions, all belonging to the same public cloud provider.
• Gcore’s connectivity through peering with many locations and large capacity allowed them to absorb the attack.
• This incident serves as a reminder that even small and medium-sized businesses need distributed content delivery networks and cloud platforms, such as a CDN and cloud service, to protect against DDoS attacks.
Image: Sankey diagram of the source and flow of the attack (the location names in the first column belong to one of the top 3 cloud providers).