The Akamai Blog

Was This Really One of the Internet's Biggest Attacks?

There was an interesting story in eWeek yesterday about "one of the largest attacks in the history of the Internet" taking place last week. It describes a 9-hour barrage against an unnamed entity that swelled to 100 Gigabits of traffic at its peak.

But does it really qualify as one of the biggest in Internet history? It's an impressive barrage, to be sure. 

Reading the article reminded me of a post Akamai CSO Andy Ellis wrote back in March about a 300 Gbps attack against SpamHaus.

(For additional perspective, check out Andy's blog post on "DNS reflection defense" and our page on Akamai's DNS security offerings.)

He wrote at the time:

When we think about an attack at Akamai, we think about three things: the attacker's capacity, their leverage, and the target's capacity. And when we think about leverage, it's really comprised of two smaller pieces: how much cost efficiency the attacker expects to get, and how the target's resilience mitigates it. 300 Gbps isn't that bad when it's restricted to reflected DNS traffic -- if you have enough capacity to ingest the packets, they're pretty trivial to drop, and, until your network cards fill up, are less effective than a SYN flood.

So why bother? Andy continued:

The attacker likely doesn't have 300 Gbps in their botnet - they probably have somewhere in the range of 3 to 60 Gbps. Attacks through DNS resolvers are amplified - so the attacker can create a larger attack than they might have otherwise, at the cost of reducing their leverage. In comparison the BroBot botnets are routinely tossing around 30 Gbps attacks, with peaks upwards of 80 Gbps. Because they're willing to sacrifice their hosts, they have a wider range of attacks available to them. Commonly, they send HTTPS request floods - requiring their targets to negotiate full SSL connections, parse an HTTP request, and determine whether they'll deliver a reply or not. BroBot could certainly throw around a bit more bandwidth with DNS reflection - but against most of their targets, it would have less effect than some of their current tactics.

I write this with the admission that I'm not an expert in the metrics of data transfers and the size of Internet traffic in general. As a still-fairly-new Akamai employee, I'm learning quickly. But I'm not ready to shoot down the claims others make.

But as a long-time journalist, I also know how easy it is to make too much or too little of attack traffic patterns. In the hurry to cover breaking news, I've been the sucker of more than one claim over the years. So whenever I see "biggest" or "largest" in a headline, I'm an instant skeptic.

Having said that, I welcome your thoughts. Is this really that big, or is it hyperbole?