
AWS said it mitigated a 2.3 Tbps DDoS attack - furcyd
https://www.zdnet.com/article/aws-said-it-mitigated-a-2-3-tbps-ddos-attack-the-largest-ever/
======
smarx007
2.3 Tbps is (peak) ingress, but AWS Shield egress of 2.3 Tbps costs around
$53k per hour. I am curious what kind of bill you would get from AWS after
this is over. Also interesting to know if Cloudflare's price tag of
$200/mo. will also cover such an attack without nullrouting or severe
throttling where the site becomes unusable.

~~~
sudosysgen
That is insanely expensive. 2.3Tbps would cost you about $100k per month, so
that's a massive economic advantage for the attacker.

~~~
fxtentacle
In the article it says that it only lasted 3 days.

~~~
sudosysgen
Sure, but how ridiculous is it that AWS Shield costs in two hours as much as a
month of bandwidth? That makes it more economical to buy 2.3Tbps for an entire
month than to defend against it for three hours.

~~~
fxtentacle
Isn't it like that for all cloud offerings?

------
an_opabinia
But who are the attackers, and why? What is the motivation / objective?

Is there an economically positive criminal activity that involves DDoSing an
AWS-hosted UDP service (probably video calls... probably like Zoom)?

~~~
api
I would suspect extortion. Pay us or we DDOS you offline.

~~~
antpls
I believe that sort of attack can't be achieved repeatedly. These attacks
leave traces and clues behind them, and investigators are able to better
pinpoint and protect for the next one. I heard they also can't be sustained
for a long time.

I believe they are more like an attempt to discover limits in the network or
some targeted systems. Some systems are also vulnerable while they reboot, so
attackers only need a one-time reboot.

~~~
Red_Leaves_Flyy
_Not an authority or expert in any fields of discussion itt_

From what I've been told, you're right. DDOS attacks can routinely expose
information through failure modes the ops team never prepared for. What
happens when your failsafes fail? If they didn't test for it and put
mitigations in place, then it's rather likely that sensitive error messages or
service details, or whatever, are being exposed over the wire. So AWS mitigated
this attack. Does AWS know for a certainty that they revealed nothing
sensitive in the process? Maybe, maybe not. If the attacker is good, and
2.3tbps is pretty fing good, then could the victim even be positioned to know
what to look for? In uncharted territories the attacked is always down from
the attacker.

------
DenisM
Little known fact: the load balancer takes care of many DDOS attacks, and this
protection requires no additional config or costs.

_For web applications, you can use ALB to route traffic based on its content
and accept only well-formed web requests. This means that many common DDoS
attacks, like SYN floods or UDP reflection attacks, will be blocked by ALB,
protecting your application from the attack. When ALB detects these types of
attacks, it automatically scales to absorb the additional traffic. These
scaling activities are transparent for AWS Customers and do not affect your
bill._

~~~
jedberg
They've been doing transparent DDOS mitigation for a long time. Almost since
the beginning.

When I moved reddit from datacenter to AWS in 2009, I no longer had to deal
with DDOS attacks. They just magically disappeared. I'm pretty sure reddit was
still getting DDOS attacks after the move. :)

------
GauntletWizard
I can't share details beyond I was working at Google at the time, but I saw a
1Tbps DOS attack back in 2012ish, so I doubt that this is "the largest ever",
though it might be AWS Shield's largest ever. I don't think Google shares
their numbers, though.

~~~
stepstop
> The previous record for the largest DDoS attack ever recorded was of 1.7
> Tbps, recorded in March 2018.

The article says this ^. 1tbps in 2012 might have been a record, but it's been
nearly a decade.

~~~
jsnell
I think that was the point. It seems quite implausible that in 8 years the
size of the maximum attack would only increase by a factor of 2.

------
goalieca
1 Trillion = 1 million x 1 million. The scale of distribution must be
astounding.

How much traffic is being generated by a single endpoint in one of these?

~~~
pamperson
Many EU countries have gigabit per second connections, so that's like 2300
infected hosts at least. Not many at an internet scale.

~~~
t0mas88
Many providers in EU countries offer 1gbps fiber as an option, but the most
sold option is more like 200-250mbit because the price is lower. And many of
those are cable based which means only 25 or 50mbit uplink, not symmetrical
like fiber. So that would require 100,000 endpoints participating.

But this was a reflection attack, so most of the bandwidth was coming from
poorly secured servers. In datacenters those would most likely have 1 Gbps
uplink speeds.

~~~
sudosysgen
... Or only 2300 high value endpoints. You can select your endpoints, you
know.

Also, even cable is capable of Gigabit speeds. I briefly had 1.2Gbps via
cable, downgraded to 400Mbps as it became cheaper.

~~~
zucker42
I feel like you didn't read the comment you replied to carefully.

Did you have GB upload speeds with cable too?

~~~
sudosysgen
Not gigabit upload, but I got close at 700Mbps, and some cable providers offer
gigabit upload speeds in some regions; Cogeco, for example, offers gigabit
symmetrical cable in Trois-Rivières.

------
sidcool
How is such a large attack even possible? Genuinely curious.

~~~
close04
In short, in many cases an amplification attack is used where you send a small
quantity of traffic from a spoofed address (the victim's) to a server that
will reply to the victim with up to several hundreds of times (even 50000)
more data [0].

[0] [https://en.wikipedia.org/wiki/Denial-of-service_attack#Ampli...](https://en.wikipedia.org/wiki/Denial-of-service_attack#Amplification)

More detailed descriptions:

[https://www.cloudflare.com/learning/ddos/memcached-ddos-atta...](https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/)

[https://www.cloudflare.com/learning/ddos/ntp-amplification-d...](https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/)

[https://www.cloudflare.com/learning/ddos/dns-amplification-d...](https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/)
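
An added, defender-side illustration of the mechanism close04 describes (not code from the article, the thread, or AWS): a server operator scanning flow records for the reflection signature, i.e. a UDP service replying to one remote address with far more bytes than that address ever sent it. The record format, addresses and thresholds are constructed for the example.

```python
"""Detect a UDP service being abused as a reflector, from flow records.
Constructed example for this thread, not code from the article or AWS.
Records are one-direction flow summaries (NetFlow/IPFIX style)."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str     # source IP
    sport: int   # source port
    dst: str     # destination IP
    dport: int   # destination port
    nbytes: int  # bytes carried by this flow

LOCAL_IP = "203.0.113.10"  # constructed address of the server we operate

def amplification_by_peer(flows, local_ip=LOCAL_IP):
    """Per (our UDP service port, remote host): (bytes_in, bytes_out, ratio).
    Requests arrive at our port; replies leave from it. A reply volume many
    times the request volume is the reflection/amplification signature."""
    in_b, out_b = defaultdict(int), defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst == local_ip:
            in_b[(f.dport, f.src)] += f.nbytes
        elif f.src == local_ip:
            out_b[(f.sport, f.dst)] += f.nbytes
    return {k: (in_b[k], out_b[k], out_b[k] / in_b[k] if in_b[k] else float("inf"))
            for k in set(in_b) | set(out_b)}

def suspected_reflection(flows, min_ratio=10.0, min_out_bytes=1_000_000):
    """Peers we send far more to than they send us: likely spoofed victims."""
    return sorted((port, peer, round(ratio, 1))
                  for (port, peer), (i, o, ratio) in amplification_by_peer(flows).items()
                  if o >= min_out_bytes and ratio >= min_ratio)

# Constructed flows: tiny queries to NTP's port 123 answered with ~550x the
# bytes toward one address (the spoofed victim), plus ordinary traffic.
SAMPLE_FLOWS = [
    Flow("udp", "198.51.100.7", 40000, LOCAL_IP, 123, 3_000),
    Flow("udp", LOCAL_IP, 123, "198.51.100.7", 40000, 1_650_000),
    Flow("udp", "192.0.2.44", 51234, LOCAL_IP, 123, 900),
    Flow("udp", LOCAL_IP, 123, "192.0.2.44", 51234, 900),
    Flow("tcp", "192.0.2.9", 55555, LOCAL_IP, 443, 80_000),   # TCP is ignored
    Flow("tcp", LOCAL_IP, 443, "192.0.2.9", 55555, 400_000),
]
```

On real exports the same ratio per (service port, peer) is what tells an operator their server is the amplifier rather than the target, and which port to rate-limit or disable.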

------
jjeaff
Is there any research into making attacks like these less feasible? I think
it's rather disconcerting that given a large enough botnet, anyone could take
anyone offline that doesn't have the money and resources to fight it.

~~~
Scarbutt
If you don't have money or other valuable resources, you won't be a target of
these large botnets.

~~~
dirtnugget
Well imagine somebody trying to push back a competitor which may be a young
startup which is threatening to take part of their cake.

~~~
Scarbutt
If the young startup is a threat, then it has real value no?

~~~
gxon
No? A big player might decide to preemptively squash ANY startup that could
possibly become a threat while it's cheap and nobody else cares enough to
notice.

------
freebasenic
Activision should learn from AWS, their servers get DDoS'd constantly.

~~~
thatlongthrow1
Can't deny service if the server isn't serving. :(

------
kitteh
Who says it's the largest ever?

Plenty of folks keep this stuff secret.

~~~
SketchySeaBeast
I mean, until someone says otherwise, it can be the largest ever[1].

[1] on public record

------
dirtnugget
I wonder if this had to do with the T-Mobile outage.

~~~
vondur
This attack took place in February.

