Automation Pays Off When Thwarting a 1.3 Tbps DDoS Attack
Just as Neustar Security Services (NSS) was getting ready to spin off as a standalone company on December 1st, a Neustar UltraDDoS customer was hit by a 1.3 Tbps (terabits/second) DDoS attack on November 28th (Eastern). The company targeted in this attack provides critical internet infrastructure services to tens of millions of customers who count on their availability. This company counts on NSS to safeguard its network and applications. Was this just another targeted attack intended to bring down a large internet infrastructure provider, or was it meant to test the defenses of NSS, a security service provider, during a time of transition? The motive may never be made clear, but the attackers’ intentions were thwarted nonetheless. NSS stood tall and the customer continued to operate without any impact. Despite its larger-than-normal size, the attack was seamlessly handled by a combination of advanced mitigation technology, clever automation, and tight integration into the customer’s environment.
DDoS mitigation at this magnitude is not just about providing effective technology, reliable service, and being a trusted extension of the customer’s team. It is also about the flexibility, automation, and scale that the service can bring to bear. It is imperative to offer a broad array of configuration options that can wrap around the operational environment of the customer to provide fast, consistent, and reliable protection from DDoS attacks. The ability to reliably stop even multi-terabit-scale DDoS attacks while providing high performance and low latency to customer applications is a necessity. Scale to stop multi-terabit DDoS should be a given, but automation enables that scale to react quickly to preserve customer availability.
This DDoS attack lasted several hours, with many waves greater than 800 Gbps and a peak of 1.3 Tbps. The attack was almost 100% UDP and blended several vectors, including fragmentation and DNS and SNMP reflection/amplification. The traffic came from more than 44,000 unique sources that were broadly distributed across the globe, with a strong concentration in AsiaPac. The attack also used carpet bombing techniques, with target IP addresses that were likewise broadly distributed within the customer’s network footprint. Most of the UDP traffic had random high-order source and destination ports.
Graph - 10 waves greater than 600Gbps peaking at 1.3Tbps
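Carpet bombing, as described above, spreads traffic across many target addresses, so a per-address rate threshold can stay quiet while the covering prefix is saturated. The Python example below is added here to illustrate that point and is not NSS or UltraDDoS logic; the flow-record fields, the thresholds, the vector heuristics (UDP source port 53 or 161, fragment flag) and the sample window are all constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

def vector(flow):
    """Coarse vector label for a UDP flow (assumed heuristics, not a vendor rule set)."""
    if flow["frag"]:                      # non-initial fragments carry no UDP header
        return "udp-fragment"
    return {53: "dns-reflection", 161: "snmp-reflection"}.get(flow["sport"], "udp-other")

def detect(flows, window_s, host_bps, prefix_bps, prefix_len=24):
    """Return (hosts, prefixes) whose inbound UDP rate exceeds its threshold.

    hosts    -> sorted list of destination IPs over host_bps
    prefixes -> {prefix: {vector: bits}} for prefixes over prefix_bps
    """
    per_host, per_prefix = Counter(), Counter()
    by_vector = defaultdict(Counter)
    for f in flows:
        if f["proto"] != 17:              # IP protocol 17 = UDP
            continue
        bits = f["bytes"] * 8
        net = str(ipaddress.ip_network(f"{f['dst']}/{prefix_len}", strict=False))
        per_host[f["dst"]] += bits
        per_prefix[net] += bits
        by_vector[net][vector(f)] += bits
    hosts = sorted(h for h, b in per_host.items() if b / window_s > host_bps)
    prefixes = {p: dict(by_vector[p]) for p, b in per_prefix.items()
                if b / window_s > prefix_bps}
    return hosts, prefixes

def sample_flows():
    """Constructed 10-second window: 200 targets in one /24, each at 8 Mbps."""
    flows = []
    for i in range(1, 201):
        dst = f"198.51.100.{i}"           # documentation address range
        flows.append(dict(dst=dst, proto=17, sport=53, bytes=5_000_000, frag=False))
        flows.append(dict(dst=dst, proto=17, sport=161, bytes=3_000_000, frag=False))
        flows.append(dict(dst=dst, proto=17, sport=0, bytes=2_000_000, frag=True))
    # Unrelated low-rate UDP flow to another prefix; must not alert.
    flows.append(dict(dst="203.0.113.7", proto=17, sport=40000, bytes=1_000_000, frag=False))
    return flows

if __name__ == "__main__":
    hosts, prefixes = detect(sample_flows(), window_s=10,
                             host_bps=50_000_000, prefix_bps=1_000_000_000)
    print("per-host alerts:", hosts)
    for prefix, vectors in prefixes.items():
        print("prefix alert:", prefix, vectors)
```

With these constructed numbers no single address crosses the 50 Mbps per-host trigger, yet the /24 aggregate is 1.6 Gbps and trips the prefix trigger, which is why mitigation triggers for this attack style are evaluated on aggregates as well as on individual targets.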
The 1.3 Tbps and 114 Mpps DDoS attack was handled 100% through automation, without any manual intervention and with no customer impact. There was no period of limited availability and no collateral impact on adjacent services or customers. This was made possible by highly tuned automation triggers, platform intelligence, and a well-designed architecture with Ultra capacity. The NSS Security Operations Center (SOC) is available 24x7x365 to monitor and tune mitigations as necessary, but automation allows the SOC to focus on the critical few attacks that are more complex and evade initial defenses.
Automation is a key design objective for the UltraDDoS platform, intended to enable speed of response, predictability, and scale of operations. NSS considers these objectives to be current best practices. Automation paid off to protect this customer and preserve all the services on which its end customers rely. Once again, Neustar Security Services and the UltraDDoS Protect Service achieved the mission of helping this global company to thrive online.