Amazon’s cloud services provider, AWS, was hit with a record 2.3 Tbps CLDAP reflection-based DDoS attack in February 2020
Speaking of records, this one is something that no one will be proud of. Unknown hackers directed a colossal 2.3 trillion bytes of data every second at AWS’s servers in February 2020 in an effort to bring them down. The attackers kept this up for three consecutive days but were unsuccessful, according to a report by Amazon.
You can imagine the scale of this DDoS attack, which sent 2.3 Tbps of unwanted data to AWS servers, when compared to the infamous 1.3 Tbps DDoS attack on GitHub, which took it down for almost a week. Before that, in 2016, unknown hackers used the Mirai botnet to bring half the Internet to its knees through a DDoS attack on Dyn that sent 1 Tbps of data packets.
For the 2.3 Tbps DDoS attack on AWS, the unknown hackers used what is called a CLDAP reflection-based attack. The new Q1 AWS Shield threat landscape report [pdf] reveals that this was a whopping 44 percent larger than any previous attack that AWS had seen. Read more about the different types of DDoS attacks here. A CLDAP reflection-based attack is a new DDoS threat vector that abuses the connectionless (UDP-based) version of the Lightweight Directory Access Protocol (LDAP). It works by sending a small request to a third-party CLDAP server with the source IP address spoofed to that of the target. Because there is no handshake, the server’s response, which is many times larger than the request, is delivered straight to the target, which is overwhelmed by the amplified traffic.
The AWS report says the motive of the unknown attackers was not clear, but notes that attacks spike when a new vector is discovered by attackers.
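The reflection pattern described above has a recognisable signature on the victim side: many distinct reflector addresses all sending large UDP/389 responses to one destination that never asked for them. The following is an added example, not code from the AWS report or from AWS, that flags that signature in flow records. The flow records and their field names (`proto`, `src_ip`, `src_port`, `dst_ip`, `bytes`, `packets`) are constructed sample data and assumptions; the thresholds are illustrative.

```python
"""Flag likely CLDAP (UDP/389) reflection traffic in flow records.

Added example for illustration; not part of the AWS Shield report.
Flow records below are constructed sample data, and the record layout
(proto, src_ip, src_port, dst_ip, dst_port, bytes, packets) is an assumption
about what an exporter would provide.
"""
from collections import defaultdict

CLDAP_PORT = 389
# Reflection shows up as several distinct reflectors (source IPs) all sending
# UDP/389 *responses* to one victim, with a large average packet size.
# CLDAP searchResEntry responses are far larger than the query that triggers them.
MIN_REFLECTORS = 3
MIN_AVG_PKT_BYTES = 1000

SAMPLE_FLOWS = [  # constructed sample records, not captured traffic
    # three reflectors hammering one victim with large responses
    {"proto": "udp", "src_ip": "198.51.100.10", "src_port": 389, "dst_ip": "203.0.113.5", "dst_port": 51234, "bytes": 52000, "packets": 20},
    {"proto": "udp", "src_ip": "198.51.100.11", "src_port": 389, "dst_ip": "203.0.113.5", "dst_port": 51234, "bytes": 48000, "packets": 20},
    {"proto": "udp", "src_ip": "198.51.100.12", "src_port": 389, "dst_ip": "203.0.113.5", "dst_port": 51234, "bytes": 60000, "packets": 25},
    # a small, legitimate-looking CLDAP answer from a domain controller
    {"proto": "udp", "src_ip": "192.0.2.20", "src_port": 389, "dst_ip": "203.0.113.9", "dst_port": 40000, "bytes": 300, "packets": 2},
    # one large response from a single source: too few reflectors to alert on
    {"proto": "udp", "src_ip": "198.51.100.13", "src_port": 389, "dst_ip": "203.0.113.9", "dst_port": 40001, "bytes": 3000, "packets": 1},
    # TCP LDAP is not CLDAP and is ignored
    {"proto": "tcp", "src_ip": "192.0.2.30", "src_port": 389, "dst_ip": "203.0.113.5", "dst_port": 40002, "bytes": 90000, "packets": 60},
]


def find_cldap_reflection(flows, min_reflectors=MIN_REFLECTORS, min_avg_bytes=MIN_AVG_PKT_BYTES):
    """Return {victim_ip: summary} for destinations that look like reflection victims."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for flow in flows:
        # Only UDP flows whose *source* port is 389 are CLDAP responses.
        if flow["proto"] != "udp" or flow["src_port"] != CLDAP_PORT:
            continue
        victim = per_victim[flow["dst_ip"]]
        victim["reflectors"].add(flow["src_ip"])
        victim["bytes"] += flow["bytes"]
        victim["packets"] += flow["packets"]

    alerts = {}
    for dst_ip, agg in per_victim.items():
        avg_packet = agg["bytes"] / agg["packets"]
        if len(agg["reflectors"]) >= min_reflectors and avg_packet >= min_avg_bytes:
            alerts[dst_ip] = {
                "reflectors": len(agg["reflectors"]),
                "avg_packet_bytes": round(avg_packet),
                "total_bytes": agg["bytes"],
            }
    return alerts


if __name__ == "__main__":
    for victim, summary in find_cldap_reflection(SAMPLE_FLOWS).items():
        print(f"possible CLDAP reflection against {victim}: {summary}")
```

Two design points: the check keys on the source port of the response rather than the destination port, because the victim never sent the query and its own port is arbitrary, and it requires several distinct reflectors before alerting, so that a single chatty domain controller does not trip it. On the reflector side, the corresponding mitigation is simply not exposing UDP/389 to the Internet.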
AWS also said in the report that it saw increased Docker, Hadoop, Redis, and SSH attacks using known CVE vulnerabilities. In fact, AWS counted 41 million attempts to compromise services using these four techniques:
- “Docker unauthenticated RCE, where the suspect attempts to exploit a Docker engine API to build a container, without authorization.”
- “SSH intrusion attempts, where the suspect looks for ways to gain unauthorized access to the application using commonly used credentials or other exploits.”
- “Redis unauthenticated RCE, where the suspect attempts to exploit the API of a Redis database to gain remote access to the application, gain access to the contents of the database, or make it unavailable to end-users.”
- “Apache Hadoop YARN RCE, where the suspect attempts to exploit the API of a Hadoop cluster’s resource management system and execute code, without authorization.”
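Two of the four categories above (Docker and Redis) come down to a management API reachable from the Internet without authentication. As an added example, not part of the AWS report, the script below audits a `redis.conf` and a Docker `daemon.json` for exactly that exposure, showing the weak configuration beside the corrected one. The config contents are constructed samples; the password value is a placeholder.

```python
"""Audit Redis and Docker daemon configuration for unauthenticated network exposure.

Added example; not from the AWS Shield report. The configuration texts are
constructed samples. Redis keys (bind, protected-mode, requirepass) and Docker
daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) are real
settings; the file contents and the password are placeholders.
"""
import json

WEAK_REDIS_CONF = """
# constructed sample: listens on every interface, no password, protected mode off
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_REDIS_CONF = """
# constructed sample: loopback only, protected mode on, password required
bind 127.0.0.1
port 6379
protected-mode yes
requirepass PLACEHOLDER-replace-with-a-long-random-secret
"""

# Docker engine API on plain TCP 2375 with no TLS client verification.
WEAK_DOCKER_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# TLS on 2376 with mandatory client certificates (paths are placeholders).
HARDENED_DOCKER_DAEMON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


def parse_redis_conf(text):
    """Parse the 'key value' lines of a redis.conf into a dict (comments ignored)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def audit_redis_conf(text):
    """Return a list of findings; an empty list means no exposure issue found."""
    conf = parse_redis_conf(text)
    findings = []
    # With no 'bind' line Redis listens on all interfaces, as do wildcard addresses.
    bind = conf.get("bind", "")
    if not bind or any(addr in WILDCARD_BINDS for addr in bind.split()):
        findings.append("bind: listens on all interfaces")
    if conf.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass"):
        findings.append("requirepass: not set, API is unauthenticated")
    return findings


def audit_docker_daemon(text):
    """Return findings for a daemon.json that exposes the engine API over TCP without TLS verification."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify", False):
        findings.append(f"hosts: engine API on {', '.join(tcp_hosts)} without tlsverify")
    return findings


if __name__ == "__main__":
    for name, audit, text in [
        ("weak redis.conf", audit_redis_conf, WEAK_REDIS_CONF),
        ("hardened redis.conf", audit_redis_conf, HARDENED_REDIS_CONF),
        ("weak daemon.json", audit_docker_daemon, WEAK_DOCKER_DAEMON),
        ("hardened daemon.json", audit_docker_daemon, HARDENED_DOCKER_DAEMON),
    ]:
        print(f"{name}: {audit(text) or 'OK'}")
```

The Redis check treats a missing `bind` line as exposure because Redis then accepts connections on every interface; the Docker check flags any `tcp://` listener that is not paired with `tlsverify`, since without client certificate verification the engine API accepts container creation from anyone who can reach the port, which is the Docker category AWS describes.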
You can read the full Q1 AWS Shield threat landscape report in PDF version here.