At the beginning of January, Gcore faced an incident involving several L3/L4 DDoS attacks with a peak volume of 650 Gbps. Attackers exploited over 2000 servers belonging to one of the top three cloud providers worldwide and targeted a client who was using a free CDN plan. However, due to Gcore’s distribution of infrastructure and a large number of peering partners, the attacks were mitigated, and the client’s web application remained available.
Why was mitigating these attacks so significant?
1. These attacks were significant because they exceeded the average bandwidth of similar attacks by 60×. They were volume-based attacks, which aim to saturate the target application’s bandwidth until it is overwhelmed. Such attacks are usually measured by total volume (bps) rather than by the number of requests.
The average bandwidth of this attack type is generally in the tens of Gbps (about 10 Gbps). The specified attacks, at 650 Gbps, therefore exceeded the average value by 60 times. Attacks of this volume are rare and are of particular interest to security experts.
Additionally, this value (650 Gbps) is comparable to the record DDoS attack on the largest Minecraft server (2.4 Tbps): it is about one-fourth as large.
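To make the bps-versus-request-count distinction concrete, here is an added example (not Gcore’s code or part of the original article) that aggregates constructed NetFlow-style records per destination into bit rate and packet rate and flags only the destinations whose bit rate reaches the article’s stated ~10 Gbps average. The addresses, byte counts and packet counts are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed NetFlow/IPFIX-style records for one 1-second export window:
# (destination, protocol, bytes, packets). Not real traffic data.
SAMPLE_FLOWS = [
    ("203.0.113.10", "udp", 81_250_000_000, 57_000_000),  # large-datagram flood (constructed)
    ("203.0.113.10", "tcp", 2_000_000, 40_000),           # normal web traffic to the same host
    ("203.0.113.20", "tcp", 120_000_000, 900_000),        # busy but legitimate web host
    ("203.0.113.30", "tcp", 1_200_000_000, 20_000_000),   # many small packets, modest bit rate
]

# The article's stated average for volumetric attacks (about 10 Gbps).
BASELINE_GBPS = 10.0

@dataclass
class RateSummary:
    gbps: float  # inbound bit rate
    pps: float   # inbound packet rate

def summarize(flows, window_seconds=1.0):
    """Aggregate bytes and packets per destination into Gbps and packets/s."""
    total_bytes = defaultdict(int)
    total_pkts = defaultdict(int)
    for dst, _proto, nbytes, npkts in flows:
        total_bytes[dst] += nbytes
        total_pkts[dst] += npkts
    return {
        dst: RateSummary(
            gbps=total_bytes[dst] * 8 / window_seconds / 1e9,
            pps=total_pkts[dst] / window_seconds,
        )
        for dst in total_bytes
    }

def volumetric_targets(summaries, baseline_gbps=BASELINE_GBPS):
    """Destinations whose bit rate reaches the baseline, mapped to the multiple.
    Packet/request counts are ignored on purpose: a volumetric attack is
    tabulated in bps, so 203.0.113.30's high pps at 9.6 Gbps does not qualify."""
    return {
        dst: s.gbps / baseline_gbps
        for dst, s in summaries.items()
        if s.gbps >= baseline_gbps
    }

if __name__ == "__main__":
    for dst, s in summarize(SAMPLE_FLOWS).items():
        print(f"{dst}: {s.gbps:.3f} Gbps, {s.pps:,.0f} pps")
    print("volumetric:", volumetric_targets(summarize(SAMPLE_FLOWS)))
```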
2. The client under attack was using a CDN plan without additional DDoS protection. When clients use Gcore’s CDN (as part of the Edge Network), the malicious traffic of L3/L4 attacks directly affects only Gcore’s infrastructure, which serves as a filter, and not the targeted clients’ servers. The negative impact falls on the capacity and connectivity of that infrastructure. When a CDN is powerful enough, it can protect clients against L3/L4 attacks, even when they are on a free plan.