Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
The Internet Microsoft

Microsoft Fends Off Record-Breaking 3.47Tbps DDoS Attack (arstechnica.com) 56

Microsoft's Azure DDoS Protection team said that in November, it fended off what industry experts say is likely the biggest distributed denial-of-service attack ever: a torrent of junk data with a throughput of 3.47 terabits per second. Ars Technica reports: The record DDoS came from more than 10,000 sources located in at least 10 countries around the world. The DDoS targeted an unidentified Azure customer in Asia and lasted for about two minutes. The following month, Microsoft said, Azure warded off two other monster DDoSes. Weighing in at 3.25Tbps, the first one came in four bursts and lasted about 15 minutes. The second December DDoS reached a peak of 2.54Tbps and lasted about five minutes.

The record beats a 2.5Tbps attack that Microsoft mitigated in the first half of 2021. Previously, one of the biggest attacks was 2.37Tbps in size, a 35 percent increase over a record set in 2018. A separate DDoS in 2020 generated 809 million packets per second, which was also a record at the time. Packet-per-second DDoSes work by exhausting the computing resources of a server. More traditional volumetric attacks, by contrast, consume available bandwidth either inside the targeted network or service or get between the target and the rest of the Internet. The 3.7Tbps attack delivered roughly 340 million packets per second.

This discussion has been archived. No new comments can be posted.

Microsoft Fends Off Record-Breaking 3.47Tbps DDoS Attack

Comments Filter:
  • is the data coming from "pwned" Windows boxes, or is there a more modern way to direct that amount of data at MS?

    • by gweihir ( 88907 )

      Probably "Internet of Trash" IoT stuff. Also probably time to look at this as a form of terrorism.

      • You are apparently easily terrorized.

        • by gweihir ( 88907 )

          You are apparently easily terrorized.

          Nope. But I think attacks on increasingly critical infrastructure should be classified as terrorism. These people have yet to verifiable kill anybody, but they are getting closer and closer.

    • is the data coming from "pwned" Windows boxes, or is there a more modern way to direct that amount of data at MS?

      Maybe people are just trying to return their Windows 11 "upgrades" ... :-)

    • Re:I wonder (Score:4, Informative)

      by ChatHuant ( 801522 ) on Friday January 28, 2022 @07:48PM (#62216633)

      is the data coming from "pwned" Windows boxes

      Wonder no more. I don't know about the latest attacks, but the 2.4 Tbps attack last August was coming from "pwned" Linux boxes, more specifically Microtik routers - which are also the components of the Meris [wikipedia.org] botnet, consisting of hundred of thousands of compromised machines. The botnet was also used to attack Krebs on Security [krebsonsecurity.com], Yandex [netgate.com] and others.

      Note that multiple [tenable.com] vulnerabilities in those Linux routers have been known for years but, as you see, the exploits keep coming...

  • Can someone explain to the uninitiated what happens during these events? Does Microsoft (or whoever) phone the source ISPs and tell them to disconnect their customer(s) until everyone can figure out what to do/who's at fault?
    • by redback ( 15527 )

      MS block it in their firewall somewhere.

      • Also it is possible for them to signal to their upstream networks to black-hole traffic to particular IP addresses, so it is dropped by the upstream network before it even gets to Microsoft. See rfc7999 [ietf.org] and rfc5635 [ietf.org]:

        When a network is under DDoS duress, it MAY announce an IP prefix covering the victim's IP address(es) for the purpose of signaling to neighboring networks that any traffic destined for these IP address(es) should be discarded. In such a scenario, the network operator SHOULD attach the BLACKHOLE community.

        This is done via BGP [wikipedia.org] sessions with the upstreams.

        • But doesn't that also cause legitimate traffic traversing or originating from a given network to be dropped as well? That would make it the "nuke and pave" option.
          • by Rhipf ( 525263 )

            During the time of the attack it probably does disrupt legitimate traffic from the IPs with the same prefix (assuming they are blocking a range of IPs and not just individual IPs) but that is only temporary and is a lot better than blocking all legitimate traffic from all IPs (which an unfiltered DDoS attack would result in).

            • It's black-holing only to the destination address - i.e. the IP address of Microsoft's server (if they were to send these communities) - so it is a bit of a nuclear option, as per the GP's post.

              Big content delivery companies like Microsoft have a huge number of peering points with other networks, so they can have devices at those points which can take a flood of incoming traffic and discard the "bad" stuff based on source address, port, etc. Then the remaining traffic is forwarded to their data centers. So

      • Often what they can do is redirect the traffic through scrubbing centers or clusters that are distributed along multiple paths so that the data is scrubbed at network PoPs (places where multiple hundreds of gigabits or terabits of capacity is in place) - well upstream of any local routing gear or switching gear.
    • DDoS Protection (Score:4, Interesting)

      by nuckfuts ( 690967 ) on Friday January 28, 2022 @04:56PM (#62216289)

      Can someone explain to the uninitiated what happens during these events? Does Microsoft (or whoever) phone the source ISPs and tell them to disconnect their customer(s) until everyone can figure out what to do/who's at fault?

      Here is some information from Microsoft about their DDoS Protection [microsoft.com].

      If you're just a little guy on the receiving end of a DDoS attack, there's not much you can do. I think only big players like Cloudflare [cloudflare.com] and the like have the resources to handle these things.

    • Re: Fended? (Score:5, Informative)

      by madmatty ( 3468483 ) on Friday January 28, 2022 @04:57PM (#62216295)
      Inbound events like this are managed via BGP redirects to offload traffic through packet scrubbing farms. When a DDoS event is identified, they will identify the source addressing and black hole the trafficgenerally. After this is done , or if it is excessive still, they will reach out to the source ASN NOC to get assistance in investigations l. Speaking from my experience with Imperva, akamai, and cloudflare.
    • by kackle ( 910159 )
      Interesting. Thanks to all for the replies.
  • What happens when the entire Internet becomes a DDoS?
  • by BoRegardless ( 721219 ) on Friday January 28, 2022 @05:02PM (#62216323)

    As an engineer who stopped programming @ Fortran, I still wonder why after all this time that new core elements for sane internet use have not been implemented in the real world to stop all sort of these nefarious actions.

    Yeah, I know some things are hard, but they are worth working on. As IOT devices balloon in volume, I would imagine they could add to the arsenal of the crazies.

    Who should be coordinating the change to internet protocols to fix it?

    • by Arethan ( 223197 )

      More like service providers should be obliged to push security updates to the routers/modems they install -- many of them are simply given to new customers as part of the installation process, and most customers just live off the builtin wifi, so they never log into them even once, let alone bother to update them.

      Perhaps if we started making ISPs somehow financially liable for the damages caused by their fleets of unpatched edge devices...

      But before we bother asking the FCC to undertake yet another wet dog

    • I still wonder why after all this time that new core elements for sane internet use have not been implemented in the real world to stop all sort of these nefarious actions.

      What do you propose that doesn't somehow cause major vested interests to become gatekeepers of who has a right to transit a network? The internet was founded on the natural routing of data between points without a care as to the source or to the purpose. Any intrinsic "fix" to any nefarious activity invariably results in a core element that has to by its nature discriminate against either the purpose or the source of traffic. Neither is good.

      Much better to sit and wait and if some nefarious activity is dete

    • Who should be coordinating the change to internet protocols to fix it?

      Not going to be fixed, most of the problem is companies forcing client-server apps because the average member of the public s stupid. That's why we lost PC games ability to host basic multiplayer when they started stealing PC RPG's and rebranding them mmo's. They've been on a back end every app on the planet to remove local apps to prevent piracy spree over the last 23+ years once they figured out the little Omers's of the world were dumb as fuck at PC's.,

      https://twitter.com/remotayx [twitter.com]

      The last 23+ years ha

  • I understand using amplification to make a larger impact but a puny 10K sources is pathetic. Hit 'em with 10M sources and we'll see the paint start to peel off their datacenters. :)

  • by CaptainLugnuts ( 2594663 ) on Friday January 28, 2022 @05:42PM (#62216387)
    That's just all the Windows 11 boxes phoning home with your personal details at the same time.
  • What evidence did they provide for their "record"? If it is just some charts they themselves measured, it may have been just as well a small DDOS attack with some Megabit/s unit having been confused with a Gigabit/s metric. Or they could have freely "invented" the whole event solely for marketing purposes.

    There is a reason why even the lowly "Guiness book of records" has some standards on what constitutes a record worth keeping note of.
  • They handle telemetry from 100s of millions of Windows installations with no problem.

  • At this point, DDoS attacks and traffic patterns are pretty well known. Anyone conducting a DDoS attack isn't going to get very far.

  • by superwiz ( 655733 ) on Friday January 28, 2022 @07:09PM (#62216547) Journal
    by pulling out the wire. It's why stand-alone apps are more secure than web apps.
  • "DDoS targeted an unidentified Azure customer in Asia and lasted for about two minutes" - so, if someone "bad" is DDoSed, they list who it is, such as the recent North Korean internet being knocked out by a DDoS. On the other side, if it's someone that Microsoft wants to retain as a customer, but doesn't want the public to know because of bad press, they just say customer"... So guessing this is someone in China that has really upset someone else and went to Microsoft who sold out to protect them despite
    • Microsoft doesn't want to publicly admit they're protecting them?

      The victim is a customer of their cloud offer, of course they are protecting them and not going to disclose their name. They are doing their job as infrastructure supplier and want to keep their customers. Maybe the victim is a government agency of a State that has their cloud with Microsoft, and the details of this cyberattack is treated as State secret. Though they had to talk about the attack in general terms, to avoid that security researchers discover it and publish details, creating more damage to the

    • They are a paying customer of a service as such Microsoft have no right to publicly name the target, that is up to the target to decide.
    • I would be far more disgusted if they did reveal it without permission. It is not up to them to determine whether to publicly identify the target. I would be pretty bloody pissed if as a paying customer of a company that they decided to reveal anything about me without my explicit permission.

"Imitation is the sincerest form of television." -- The New Mighty Mouse

Working...