Microsoft Fends Off Record-Breaking 3.47Tbps DDoS Attack

Microsoft's Azure DDoS Protection team said that in November, it fended off what industry experts say is likely the biggest distributed denial-of-service attack ever: a torrent of junk data with a throughput of 3.47 terabits per second. Ars Technica reports: The record DDoS came from more than 10,000 sources located in at least 10 countries around the world. The DDoS targeted an unidentified Azure customer in Asia and lasted for about two minutes. The following month, Microsoft said, Azure warded off two other monster DDoSes. Weighing in at 3.25Tbps, the first one came in four bursts and lasted about 15 minutes. The second December DDoS reached a peak of 2.54Tbps and lasted about five minutes.

The record beats a 2.5Tbps attack that Microsoft mitigated in the first half of 2021. Previously, one of the biggest attacks was 2.37Tbps in size, a 35 percent increase over a record set in 2018. A separate DDoS in 2020 generated 809 million packets per second, which was also a record at the time. Packet-per-second DDoSes work by exhausting the computing resources of a server. More traditional volumetric attacks, by contrast, consume available bandwidth either inside the targeted network or service or get between the target and the rest of the Internet. The 3.7Tbps attack delivered roughly 340 million packets per second.

I wonder

[IWantMoreSpamPlease]

is the data coming from "pwned" Windows boxes, or is there a more modern way to direct that amount of data at MS?

Re: I wonder

[saloomy]

I really wish ISPs would have a way to give the DDOS victim an automated way of reporting the IPs, and issuing a disconnect for 30 seconds. The ISP can always validate the attack is coming from the IP by their own circuits, and see the amount of traffic coming from attacker destined to the victim. IF I were to design a protocol, I would make it so the victim could send a magic packet to the hop before the attacker's public IP (basically the attacker's gateway). The Gateway would see the attack flow, get the acknowledgement from the victim that it is junk data, and disable the attackers link in incremental timeouts. That way, attacking networks are incentivized to clean up their house, and not get booted.

Re: I wonder

[rpnx]

or just a command like BLOCK (source, dest) that the routers verify is legit (sent from the dest) and then start blocking said traffic for e.g. 5 minutes

Re:

[saloomy]

This wouldn't incentives the attacker to clean up their network. Most wouldn't realize it was going on. The right way is to block all traffic, that way the attacker sees their internet go down, and their ISP tell them "Mr. Customer, we suspended your internet for 30 minutes because we see your infected devices participating in a DDOS attack. Please contact your support vendors for more information. - Your ISP."

Then, default passwords would be changed, firmwares would be validated, and this shit would stop.

Re:

[rpnx]

So people should have the right to disconnect other people from the internet? That sounds like a fantastic idea... not.

Re: I wonder

[bad-badtz-maru]

You are not grasping how difficult of a problem a real DDOSing is. You, as the target, are not going to be reporting anything. Your system is going to be completely dead at DDOS traffic levels. They can only be detected and mitigated thru carrier-grade infrastructure.

Re: I wonder

[argStyopa]

Or, y'know, a phone call?

Re:

[bad-badtz-maru]

"Automated".

Re:

[argStyopa]

That's right, I've never heard of or received automated phone calls.
Someone needs to invent that.

Re: I wonder

[NagrothAgain]

You're talking about a mechanism where an untrustworthy 3rd party has the ability to knock an endpoint off the internet. Such a system would almost certainly be abused almost as soon as it was implemented.

Re:

[saloomy]

No, I am not, since the 3rd party would have to first have traffic coming from the attacker, making it the victim. Validation of the "complaint" would come from the ISP, who sees the connections stemming from the "attacker" and hitting the "victim / complainer", which is east to validate since all the flows traverse the ISPs provider edge router.

Basically something like this:

1. Attacker sends a lot of traffic to victim.

2. Victim sees junk data, and traces back to attacker.

3. Victim notifies fu

Re:

[Ostracus]

So how many IoT devices have to be owned to generate 340 million packets per second? Keeping in mind most IoT's are low-powered devices.

Re:

[gweihir]

Probably "Internet of Trash" IoT stuff. Also probably time to look at this as a form of terrorism.

Re: I wonder

[Corbets]

You are apparently easily terrorized.

Re:

[gweihir]

You are apparently easily terrorized.

Nope. But I think attacks on increasingly critical infrastructure should be classified as terrorism. These people have yet to verifiable kill anybody, but they are getting closer and closer.

Re:

[fahrbot-bot]

is the data coming from "pwned" Windows boxes, or is there a more modern way to direct that amount of data at MS?

Maybe people are just trying to return their Windows 11 "upgrades" ... :-)

Re:I wonder

[ChatHuant]

is the data coming from "pwned" Windows boxes

Wonder no more. I don't know about the latest attacks, but the 2.4 Tbps attack last August was coming from "pwned" Linux boxes, more specifically Microtik routers - which are also the components of the Meris [wikipedia.org] botnet, consisting of hundred of thousands of compromised machines. The botnet was also used to attack Krebs on Security [krebsonsecurity.com], Yandex [netgate.com] and others.

Note that multiple [tenable.com] vulnerabilities in those Linux routers have been known for years but, as you see, the exploits keep coming...

Fended?

[kackle]

Can someone explain to the uninitiated what happens during these events? Does Microsoft (or whoever) phone the source ISPs and tell them to disconnect their customer(s) until everyone can figure out what to do/who's at fault?

Re:

[redback]

MS block it in their firewall somewhere.

Re:

[Tim the Gecko]

Also it is possible for them to signal to their upstream networks to black-hole traffic to particular IP addresses, so it is dropped by the upstream network before it even gets to Microsoft. See rfc7999 [ietf.org] and rfc5635 [ietf.org]:

When a network is under DDoS duress, it MAY announce an IP prefix covering the victim's IP address(es) for the purpose of signaling to neighboring networks that any traffic destined for these IP address(es) should be discarded. In such a scenario, the network operator SHOULD attach the BLACKHOLE community.

This is done via BGP [wikipedia.org] sessions with the upstreams.

Re:

[morethanapapercert]

But doesn't that also cause legitimate traffic traversing or originating from a given network to be dropped as well? That would make it the "nuke and pave" option.

Re:

[Rhipf]

During the time of the attack it probably does disrupt legitimate traffic from the IPs with the same prefix (assuming they are blocking a range of IPs and not just individual IPs) but that is only temporary and is a lot better than blocking all legitimate traffic from all IPs (which an unfiltered DDoS attack would result in).

Re:

[Tim the Gecko]

It's black-holing only to the destination address - i.e. the IP address of Microsoft's server (if they were to send these communities) - so it is a bit of a nuclear option, as per the GP's post.

Big content delivery companies like Microsoft have a huge number of peering points with other networks, so they can have devices at those points which can take a flood of incoming traffic and discard the "bad" stuff based on source address, port, etc. Then the remaining traffic is forwarded to their data centers. So

Re:

[dowhileor]

Routing design is sound. It was engineered to define trust relationships on a bit level and all telecommunications assumes as much. One flaw though is how say a routing loop or a simple resend can just as likely be the fault of the receiving domain as it can be any domain upstream. Trust relationships do not simply allow a domain to be broken down in to layer upper layer well, brokenness since the higher up the stack the more that layer assumes all trust is a given.

Re:

[jmdevince]

Often what they can do is redirect the traffic through scrubbing centers or clusters that are distributed along multiple paths so that the data is scrubbed at network PoPs (places where multiple hundreds of gigabits or terabits of capacity is in place) - well upstream of any local routing gear or switching gear.

DDoS Protection

[nuckfuts]

Can someone explain to the uninitiated what happens during these events? Does Microsoft (or whoever) phone the source ISPs and tell them to disconnect their customer(s) until everyone can figure out what to do/who's at fault?

Here is some information from Microsoft about their DDoS Protection [microsoft.com].

If you're just a little guy on the receiving end of a DDoS attack, there's not much you can do. I think only big players like Cloudflare [cloudflare.com] and the like have the resources to handle these things.

Re: Fended?

[madmatty]

Inbound events like this are managed via BGP redirects to offload traffic through packet scrubbing farms. When a DDoS event is identified, they will identify the source addressing and black hole the trafficgenerally. After this is done , or if it is excessive still, they will reach out to the source ASN NOC to get assistance in investigations l. Speaking from my experience with Imperva, akamai, and cloudflare.

Re:

[kackle]

Interesting. Thanks to all for the replies.

What then?

[AndyKron]

What happens when the entire Internet becomes a DDoS?

Re:What then?

[dowhileor]

What happens when the entire Internet becomes a DDoS?

Then, people will suddenly remember that there is a Layer 2

Re:

[Torodung]

Wish I could mod this up funny. This is the best I can do for now.

Re:

[Antique Geekmeister]

Never underestimate the bandwidth of a station wagon full of tapes hurtling down the highway.
–Andrew Tanenbaum, 1981

New Internet Architecture Anyone???

[BoRegardless]

As an engineer who stopped programming @ Fortran, I still wonder why after all this time that new core elements for sane internet use have not been implemented in the real world to stop all sort of these nefarious actions.

Yeah, I know some things are hard, but they are worth working on. As IOT devices balloon in volume, I would imagine they could add to the arsenal of the crazies.

Who should be coordinating the change to internet protocols to fix it?

Re:

[Arethan]

More like service providers should be obliged to push security updates to the routers/modems they install -- many of them are simply given to new customers as part of the installation process, and most customers just live off the builtin wifi, so they never log into them even once, let alone bother to update them.

Perhaps if we started making ISPs somehow financially liable for the damages caused by their fleets of unpatched edge devices...

But before we bother asking the FCC to undertake yet another wet dog

Re:

[thegarbz]

I still wonder why after all this time that new core elements for sane internet use have not been implemented in the real world to stop all sort of these nefarious actions.

What do you propose that doesn't somehow cause major vested interests to become gatekeepers of who has a right to transit a network? The internet was founded on the natural routing of data between points without a care as to the source or to the purpose. Any intrinsic "fix" to any nefarious activity invariably results in a core element that has to by its nature discriminate against either the purpose or the source of traffic. Neither is good.

Much better to sit and wait and if some nefarious activity is dete

Re:

[blahplusplus]

Who should be coordinating the change to internet protocols to fix it?

Not going to be fixed, most of the problem is companies forcing client-server apps because the average member of the public s stupid. That's why we lost PC games ability to host basic multiplayer when they started stealing PC RPG's and rebranding them mmo's. They've been on a back end every app on the planet to remove local apps to prevent piracy spree over the last 23+ years once they figured out the little Omers's of the world were dumb as fuck at PC's.,

https://twitter.com/remotayx [twitter.com]

The last 23+ years ha

Need more sources.

[Gravis Zero]

I understand using amplification to make a larger impact but a puny 10K sources is pathetic. Hit 'em with 10M sources and we'll see the paint start to peel off their datacenters. :)

That ain't no DDos

[CaptainLugnuts]

That's just all the Windows 11 boxes phoning home with your personal details at the same time.

A competition you can always claim records on

[ffkom]

What evidence did they provide for their "record"? If it is just some charts they themselves measured, it may have been just as well a small DDOS attack with some Megabit/s unit having been confused with a Gigabit/s metric. Or they could have freely "invented" the whole event solely for marketing purposes.

There is a reason why even the lowly "Guiness book of records" has some standards on what constitutes a record worth keeping note of.

Re: A competition you can always claim records on

[flyingfsck]

They recorded it in a DBMS. Therefore it is a record. Simples.

Should be easy for them

[akunkel]

They handle telemetry from 100s of millions of Windows installations with no problem.

Why?

[bustinbrains]

At this point, DDoS attacks and traffic patterns are pretty well known. Anyone conducting a DDoS attack isn't going to get very far.

Re:

[parityshrimp]

This reads very much like an abortive attempt at an artificial intelligence routine designed to mimic human thought processes.

i did too

[superwiz]

by pulling out the wire. It's why stand-alone apps are more secure than web apps.

Interesting "angle".

[Kelxin]

"DDoS targeted an unidentified Azure customer in Asia and lasted for about two minutes" - so, if someone "bad" is DDoSed, they list who it is, such as the recent North Korean internet being knocked out by a DDoS. On the other side, if it's someone that Microsoft wants to retain as a customer, but doesn't want the public to know because of bad press, they just say customer"... So guessing this is someone in China that has really upset someone else and went to Microsoft who sold out to protect them despite

Re:

[test321]

Microsoft doesn't want to publicly admit they're protecting them?

The victim is a customer of their cloud offer, of course they are protecting them and not going to disclose their name. They are doing their job as infrastructure supplier and want to keep their customers. Maybe the victim is a government agency of a State that has their cloud with Microsoft, and the details of this cyberattack is treated as State secret. Though they had to talk about the attack in general terms, to avoid that security researchers discover it and publish details, creating more damage to the

Re: Interesting "angle".

[bloodhawk]

They are a paying customer of a service as such Microsoft have no right to publicly name the target, that is up to the target to decide.

Re:

[gravewax]

I would be far more disgusted if they did reveal it without permission. It is not up to them to determine whether to publicly identify the target. I would be pretty bloody pissed if as a paying customer of a company that they decided to reveal anything about me without my explicit permission.