AWS said it stopped a record-breaking 2.3 Tbps DDoS attack in February

Amazon said it had managed to mitigate a 2.3 Tbps distributed denial-of-service attack in February this year, which is considered the largest DDoS attack recorded to date.

The previous record was held by a 1.7 Tbps Memcached DDoS reflection attack, which was mitigated by Netscout Arbor back in March of 2018. A month before that, GitHub was hit with a 1.3 Tbps DDoS attack.

The attack has been detailed in a new AWS Shield Threat Landscape report, which provides a summary of threats detected and mitigated by AWS Shield protection service.

While the report did not name the AWS customer that was targeted in the attack, it did say that the attack itself was launched using hijacked CLDAP (Connection-less Lightweight Directory Access Protocol) web servers and lasted for three days.

“In Q1 2020, a known UDP reflection vector, CLDAP reflection, was observed with a previously unseen volume of 2.3 Tbps. This is approximately 44% larger than any network volumetric event previously detected on AWS. CLDAP reflection attacks of this magnitude caused 3 days of elevated threat during a single week in February 2020 before subsiding. Despite this observation, smaller network volumetric events are far more common. The 99th percentile event in Q1 2020 was 43 Gbps,” the report said.

CLDAP is built upon the Lightweight Directory Access Protocol (LDAP). It inherits a restricted set of LDAP's features, requires fewer resources than LDAP and is a connectionless protocol, so it uses UDP rather than TCP.

According to the report, after CLDAP reflection attacks, the second-most common DDoS vector observed by AWS in the first quarter was the SYN flood. A SYN flood is a form of DoS attack in which an attacker sends repeated SYN packets to every port on a targeted server, often using a fake IP address.

During the first quarter of 2020 AWS researchers also observed TCP reflection attacks, a less common attack vector. TCP reflection attacks are similar to SYN flood attacks, but they use a flood of spoofed SYN packets sent to legitimate Internet services, which can elicit a larger flood of SYN/ACK packets toward the victim application.
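
Seen from the targeted host, both reflection vectors described above deliver replies to requests the host never sent, which is what a detection rule can key on. The Python sketch below is an added example, not taken from the AWS report or from this article; the packet tuples and addresses are constructed, and UDP port 389 as the CLDAP source port is the standard assignment rather than something the article states.

```python
from collections import Counter

CLDAP_PORT = 389         # CLDAP replies come from UDP port 389 (assumption, see lead-in)
VICTIM = "203.0.113.10"  # constructed address of the protected host

# Constructed packet summaries: (proto, src, sport, dst, dport, tcp_flags)
PACKETS = [
    ("udp", "198.51.100.7", 389, VICTIM, 40111, ""),    # CLDAP reply nobody asked for
    ("udp", "198.51.100.8", 389, VICTIM, 40111, ""),
    ("udp", VICTIM, 53000, "192.0.2.53", 53, ""),       # the host's own DNS query
    ("udp", "192.0.2.53", 53, VICTIM, 53000, ""),       # ...and its answer
    ("tcp", VICTIM, 50000, "192.0.2.80", 443, "S"),     # the host's own SYN
    ("tcp", "192.0.2.80", 443, VICTIM, 50000, "SA"),    # solicited SYN/ACK
    ("tcp", "192.0.2.81", 443, VICTIM, 50001, "SA"),    # SYN/ACK with no matching SYN
    ("tcp", "192.0.2.82", 80, VICTIM, 50002, "SA"),
    ("tcp", "198.51.100.20", 1234, VICTIM, 22, "S"),    # inbound SYNs to several ports
    ("tcp", "198.51.100.21", 1235, VICTIM, 23, "S"),
]

def classify(packets, victim):
    """Count inbound packets per vector, processing packets in arrival order."""
    asked = set()       # requests the victim really sent: (proto, peer, peer_port, local_port)
    counts = Counter()
    for proto, src, sport, dst, dport, flags in packets:
        if src == victim:                   # outbound: remember what was requested
            asked.add((proto, dst, dport, sport))
            continue
        solicited = (proto, src, sport, dport) in asked
        if proto == "udp" and sport == CLDAP_PORT and not solicited:
            counts["cldap_reflection"] += 1     # unsolicited CLDAP response
        elif proto == "tcp" and flags == "SA" and not solicited:
            counts["tcp_reflection"] += 1       # SYN/ACK for a SYN the host never sent
        elif proto == "tcp" and flags == "S":
            counts["inbound_syn"] += 1          # a flood only if the rate is abnormal
        else:
            counts["normal"] += 1
    return counts

def vectors_over(counts, threshold):
    """Return the vectors whose packet count in this window reaches the threshold."""
    return sorted(v for v, n in counts.items() if v != "normal" and n >= threshold)

if __name__ == "__main__":
    result = classify(PACKETS, VICTIM)
    print(dict(result), vectors_over(result, threshold=2))
```

In practice the threshold would be set per time window from a traffic baseline, since a handful of inbound SYNs is ordinary client behaviour.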
