The two peaks appeared to be caused by the attackers targeting the company’s domain name, rather than a specific IP address. The customer uses a round robin DNS system with two IP addresses, each with a 90-second TTL (time-to-live). As the attackers’ DNS resolutions shifted with the round robin, for a brief period both IP addresses were attacked simultaneously, which corresponds to the second peak.

We may speculate that this effect is due to the attackers using tools that were multithreaded, and as the DNS result changed, the number of threads increased, but this is not something we can prove.

Standard Attacks—Just a Lot of Them

The attack traffic was quite pedestrian in its content. Attackers used a combination of TCP and UDP vectors, with TCP vectors including both SYN and RST flooding. UDP vectors were primarily DNS request reflections. Additionally, we observed some ICMP traffic, which the attackers may not have actually generated but was a side effect of the other traffic.

Other than dealing with the scale of the attack, straightforward mitigations were used by the SOC to protect the customer: blocking UDP at the edge network, and using a combination of various TCP flood protections, some purely volume based, some using standard SYN cookie techniques, and some tracking specific client traffic on a per-client basis.

Client Analysis

The attack traffic was observed in several Silverline datacenters around the world. This indicates that the traffic came from many different devices in many different countries and used typical Internet routing to reach the target.

F5 Labs, with the help of Silverline staff, retrieved a small sample of attacking IP addresses to investigate this attack further. While the data set we obtained was quite small (only 282 unique IP addresses) it nevertheless revealed some interesting information. It is important to note that this small data sample was limited to the IP addresses that appeared on specific device logs in Silverline’s infrastructure. It is likely that our sample is less than 0.1% of the total number of attacking IP addresses. No data is available for UDP-based traffic, since that traffic was mitigated prior to the network position where this sample was gathered.

In terms of the number of connections these 282 IP addresses showed, the data again is quite limited. We observed 1,304 TCP connections and 680 ICMP connections over the course of the attack time period.

Unity and Diversity

The top 10 countries by total traffic were the United States, China, South Korea, Germany, the Netherlands, Taiwan, Japan, the United Kingdom, Hong Kong, and Australia, which accounted for 80.6% of the traffic observed (Figure 2). These are all countries with robust and modern Internet connectivity.