When You’re Always Under #DDoS Attack



We recently mitigated a 1.55 terabit per second (Tbps) DDoS attack for a long-standing customer of ours, a reputable domain name system (DNS) provider. I’ve personally used them for over a decade to register domains for all the projects I will never complete or, to be honest, start. But anyway!

Infrastructure like DNS is often collateral damage in the many thousands of skirmishes that happen across the internet every day. Here is a semi-contrived example of how a DNS provider might come under attack even though it is an innocent bystander.

Suppose that two cryptocurrency miners are in fierce competition. Each wants its proof of work (PoW) calculations to post to the blockchain first, earning it money (no prizes are given for second place). So they begin to attack each other’s ecosystems, targeting each other’s network egress and any open ports. Both sides harden their defenses and start to use proxies to “hide” their servers. Eventually there is no attack surface left except each other’s DNS provider. So they attack these third parties, hoping to leave their competitor’s compute clusters unable to resolve the blockchain node on which to post their PoW. The poor DNS provider, which is not a competitor of either miner, thus comes under attack.

Now imagine this scenario across every industry (not just crypto) and you start to see the scale of the problem. This customer, and many organizations like them, are basically being shelled every day with TCP floods, UDP floods and all manner of network mischief.

When our DNS customer was attacked, they initially saw 20 Gbps of traffic hit their network. We detected it within seconds, our mitigations kicked in and we started blocking; you can see the initial traffic spike in the graph below.

[Graph: traffic spike at the start of the TCP flood]

The attacker started attacking with a TCP flood but we mitigated it quickly. They then tried UDP, but we mitigated that too. They switched back to TCP, and then back to UDP a couple of times before giving up.

[Graph: attack vectors over time, alternating between TCP and UDP floods]

We often see many more vectors attempted during an attack, but perhaps the attacker was hoping that the sheer volume of 1.55 Tbps (not insignificant, whatever you might otherwise hear) would be enough to overwhelm defenses.
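To make the vector switching described above concrete, here is an added example (not code from this post or from the mitigation provider): a small per-protocol volumetric detector run over constructed flow telemetry that reproduces a TCP flood, a switch to UDP, and a switch back to TCP. The baseline rates, the 5x alert threshold and the one-aggregated-sample-per-second-per-protocol telemetry shape are all assumptions made for the illustration.

```python
# Added example (not code from the post or from the mitigation vendor):
# a per-protocol volumetric flood detector run over constructed flow samples.
# Baselines, the 5x threshold and the one-sample-per-second-per-protocol
# telemetry shape are all assumptions made for the illustration.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSample:
    ts: int       # epoch second the sample covers
    proto: str    # "tcp" or "udp"
    nbytes: int   # bytes observed for that protocol in that second


BYTES_PER_GBPS = 125_000_000  # 1 Gbit/s expressed in bytes per second

# Assumed learned baselines for the customer's normal traffic, in bits/s.
BASELINE_BPS = {"tcp": 2_000_000_000, "udp": 500_000_000}


def build_samples():
    """Constructed telemetry: normal traffic, then a TCP flood, a UDP flood,
    a second TCP flood, then normal traffic again (20 seconds in total)."""
    plan = {}  # second -> (tcp_gbps, udp_gbps)
    for sec in range(20):
        tcp, udp = 2.0, 0.5                 # quiet baseline
        if 5 <= sec <= 9:
            tcp = 20.0                      # TCP flood
        elif 10 <= sec <= 14:
            udp = 15.0                      # attacker switches to UDP
        elif 15 <= sec <= 17:
            tcp = 18.0                      # and back to TCP
        plan[sec] = (tcp, udp)
    samples = []
    for sec, (tcp, udp) in plan.items():
        samples.append(FlowSample(sec, "tcp", int(tcp * BYTES_PER_GBPS)))
        samples.append(FlowSample(sec, "udp", int(udp * BYTES_PER_GBPS)))
    return samples


def bucket_rates(samples):
    """Aggregate samples into {(second, proto): bits per second}."""
    rates = defaultdict(int)
    for s in samples:
        rates[(s.ts, s.proto)] += s.nbytes * 8
    return rates


def detect_floods(samples, baseline_bps, multiplier=5.0):
    """Return [(second, proto, gbps)] for every second/protocol pair whose
    rate exceeds multiplier x that protocol's baseline. Keeping the check
    per protocol is what lets a switch from TCP to UDP be caught even when
    the UDP volume is lower in absolute terms than the earlier TCP flood."""
    alerts = []
    for (sec, proto), bps in sorted(bucket_rates(samples).items()):
        if bps > multiplier * baseline_bps[proto]:
            alerts.append((sec, proto, round(bps / 1e9, 1)))
    return alerts


def vector_timeline(alerts):
    """Collapse per-second alerts into contiguous segments of one protocol,
    so a TCP -> UDP -> TCP switch shows up as three segments."""
    segments = []
    for sec, proto, _ in alerts:
        last = segments[-1] if segments else None
        if last and last[0] == proto and last[2] == sec - 1:
            last[2] = sec
        else:
            segments.append([proto, sec, sec])
    return [tuple(seg) for seg in segments]


if __name__ == "__main__":
    found = detect_floods(build_samples(), BASELINE_BPS)
    for proto, start, end in vector_timeline(found):
        print(f"{proto.upper()} flood from t={start}s to t={end}s")
```

The point of thresholding per protocol rather than on total bandwidth is that a UDP flood of 15 Gbps against a 0.5 Gbps UDP baseline is a far larger anomaly than the same 15 Gbps would be on TCP; a single aggregate threshold would either miss the smaller vector or fire on legitimate bursts of the larger one.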

[Graph: points of presence involved in mitigating the attack]

The attacker did at least launch their attack globally, such that 30 of our 60+ global points of presence became involved in the defense of the customer. Anycast for the win, am I right?

What does it mean?

Different types of completely legitimate companies find themselves under daily attack: DNS providers are one, gaming companies another, crypto businesses another, and so on. Like civilians in an occupied zone of the kind you may be hearing about in the news around the world today, these legitimate organizations are attacked all day, every day. They never know when the next “bomb” will hit.

When we look back at the past 90 days of activity for this customer, we had mitigated 2,484 discrete attacks against them. That is more than one new attack every hour, on average.

Welcome to the new normal in the digital world that we, as technologists, have cobbled together over the decades. DDoS attacks remain too easy to launch, and it is too easy to hide the identity of the attacker.

What keeps you up at night?

A week later, we mitigated a slightly smaller attack for this customer: 1.37 Tbps of TCP and UDP floods. We don’t have confirmation but think it was likely the same attacker as the previous week. Most pros will argue that attribution doesn’t usually matter: you just mitigate the attack and move on. Treat it like weather, don’t take it personally, etc.

When we reached out to our DNS provider customer to ask how they felt about our defenses, they responded that they are very pleased with our service and, in fact, sleep well at night.


