New, Aggressive Waves of DDoS Attacks


DDoS attacks have increased in frequency and sophistication since the start of the war between Russia and Ukraine.

Check Point has observed an increasing number of incidents in which massive Layer 7 web DDoS attacks are combined with large-scale network layer (L3/4) attacks. These sophisticated attacks are characterized by their persistence and duration, and they involve coordinated attacks across multiple network and application layer vectors. The following examples observed by Check Point provide a picture of the current threat situation.

Example #1 of averted DDoS tsunami attacks: National bank in EMEA

A large national bank based in the EMEA region was hit with at least twelve separate waves of attacks within a few days, usually two to three per day. The scale of these attacks is best illustrated in RPS (requests per second). RPS, the number of requests received per second, is an important parameter for assessing the severity, impact and scope of a DDoS attack. At the bank, several waves of attacks exceeded the threshold of 1 million RPS, and one reached a peak value of almost 3 million RPS. For comparison: this bank normally handles less than 1000 RPS.

At the same time, the attackers launched several volumetric attacks at the network layer of over 100 Gbit/s. The attacks used a variety of different attack vectors, including HTTPS floods, UDP fragmentation attacks, TCP handshake violations, SYN floods and more.

Example #2: Wave of attacks on insurance company

An insurance company faced several large-scale waves of attacks within a few days, with several waves peaking at over 1 million RPS. The largest of these waves reached 2.5 million requests per second. Typical traffic for the company is several hundred requests per second, so these attacks far exceeded the capacity of the application infrastructure.

In addition, the attackers combined some of the attack waves with volumetric attacks at the network layer that reached over 100 Gbps. The attacks included sophisticated attack vectors such as web DDoS tsunami attacks (HTTP/S floods), DNS floods, DNS amplification attacks, UDP floods, UDP fragmentation attacks, NTP floods, ICMP floods and more.

Below is an example of one of the attacks with multiple waves over a three-hour period, with several spikes reaching the 1 million requests per second (RPS) threshold and some rising above 2.5 million RPS:

Example #3: European telecommunications company

A European telecommunications company has been repeatedly targeted by state-sponsored attack groups. This week, it was hit with a sustained web DDoS attack of about 1 million RPS almost continuously for two hours, with peak traffic reaching 1.6 million RPS.

Protecting against aggressive DDoS waves

Modern DDoS attack profiles have evolved to combine multiple vectors to attack both the network and application layers. These sophisticated attacks use encryption and innovative techniques such as dynamic IP addressing to mimic legitimate traffic, making them highly effective and difficult to detect. Traditional defense methods are often inadequate, especially for Layer 7 attacks, as they cannot effectively inspect encrypted traffic.
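The two detection points made above, that RPS against a site's normal baseline is the right yardstick for a web DDoS wave (Example #1) and that floods spread across many changing source addresses do not stand out per client (this paragraph), can be checked directly against access logs. The following is an added example, not Check Point's code or any product's logic: it parses a constructed, combined-log-style sample (hypothetical format and addresses, labelled in the code), buckets requests per second, estimates a baseline with the median, groups consecutive seconds above ten times that baseline into waves, and then shows that the busiest single source in the same flood never exceeds one request per second, so a per-IP rate limit would not have caught it.

```python
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical combined-log-style line format used by the constructed sample below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def build_sample_log():
    """Constructed sample (not real traffic): a ~5 RPS baseline from ten clients,
    plus two bursts in which every request comes from a different source address."""
    lines = []
    t0 = datetime(2023, 6, 1, 12, 0, 0)
    legit = ["192.0.2.%d" % i for i in range(1, 11)]

    def add(ts, ip, path):
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S")
        lines.append('%s - - [%s] "GET %s HTTP/1.1" 200' % (ip, stamp, path))

    for s in range(30):
        ts = t0 + timedelta(seconds=s)
        for k in range(5):                       # normal background load
            add(ts, legit[(s + k) % len(legit)], "/index.html")
        burst = 500 if 10 <= s < 15 else 800 if 22 <= s < 25 else 0
        for k in range(burst):                   # flood: one request per distinct source
            add(ts, "10.%d.%d.%d" % (k // 65536, (k // 256) % 256, k % 256), "/login")
    return lines


def parse_line(line):
    """Return (second, client_ip) for a log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S")
    return ts.replace(microsecond=0), m.group("ip")


def rps_series(lines):
    """Per-second buckets as {second: (requests, distinct_sources)}, zero-filled for gaps."""
    counts, sources = Counter(), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip = parsed
            counts[ts] += 1
            sources[ts].add(ip)
    if not counts:
        return {}
    ts, last = min(counts), max(counts)
    series = {}
    while ts <= last:
        series[ts] = (counts.get(ts, 0), len(sources.get(ts, ())))
        ts += timedelta(seconds=1)
    return series


@dataclass
class Wave:
    start: datetime
    end: datetime
    peak_rps: int
    peak_sources: int


def estimate_baseline(series):
    """Median RPS over the window; unaffected by a minority of flood seconds."""
    return statistics.median(rps for rps, _ in series.values())


def detect_waves(series, baseline_rps, multiplier=10):
    """Group consecutive seconds above multiplier x baseline into waves."""
    threshold = baseline_rps * multiplier
    waves, current = [], None
    for ts, (rps, srcs) in series.items():
        if rps > threshold:
            if current is None:
                current = Wave(ts, ts, rps, srcs)
            else:
                current.end = ts
                current.peak_rps = max(current.peak_rps, rps)
                current.peak_sources = max(current.peak_sources, srcs)
        elif current is not None:
            waves.append(current)
            current = None
    if current is not None:
        waves.append(current)
    return waves


def max_per_source_rps(lines):
    """Highest request rate any single client address reached within one second."""
    per_source_second = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            per_source_second[parsed] += 1
    return max(per_source_second.values(), default=0)


if __name__ == "__main__":
    log = build_sample_log()
    series = rps_series(log)
    base = estimate_baseline(series)
    for w in detect_waves(series, base):
        print("wave %s-%s: peak %d RPS (%.0fx baseline) from %d sources"
              % (w.start.time(), w.end.time(), w.peak_rps, w.peak_rps / base, w.peak_sources))
    print("busiest single source: %d RPS" % max_per_source_rps(log))
```

On the constructed sample the aggregate view reports two waves at roughly 100x and 160x the baseline, each from hundreds of distinct addresses, while the per-source view never rises above 1 RPS; the same log, judged client by client, looks like ordinary browsing. That is why an aggregate rate measured against the site's own baseline, not per-IP throttling, is the figure to alert on, and why the defense has to sit where it can see the decrypted request rate.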

A cloud-based, automated DDoS defense infrastructure is therefore indispensable. Its defining quality is that it intercepts multi-layered attacks of this type seamlessly and keeps business processes from being interrupted. Because the threats are so diverse, such a defense ideally consists of a series of automated protection modules, each covering a different class of attack vector.

This new wave of cyber threats underscores the need for adaptive and comprehensive defense strategies that can anticipate and mitigate such attacks to ensure uninterrupted services and critical infrastructure protection.