A Distributed Denial of Service attack involves cybercriminals orchestrating a significant surge in website traffic using a network of compromised computers, aiming to disrupt access for legitimate users. This surge renders the website inaccessible, leading to financial losses for the service provider. Recently, there has been a sharp increase in DDoS attacks in India. According to a report, these attacks originated from 8 million unique IP addresses over a 14-day period. The volume of DDoS attack traffic ranged from 3,000 to 14,000 times higher than the typical daily traffic on the targeted websites.
Notably, during the 2023 G20 Summit hosted by India, the official summit website experienced a staggering 16 lakh cyberattacks per minute, with DDoS attacks being the primary method used.
Check Point has a long-standing history of protecting numerous customers worldwide from large-scale web DDoS attacks, effectively handling traffic volumes exceeding 1 million requests per second.
Emerging DDoS attacks, notably Tsunami attacks, have surged in frequency and sophistication since the start of the Russia-Ukraine War, driven by both state-sponsored actors and “hacktivists” using botnets and cutting-edge tools. These cyber criminals are continuously evolving, leveraging advanced techniques to exploit vulnerabilities, magnifying the attack surface for organizations worldwide.
At Check Point, we’re seeing businesses experience an increasing number of incidents combining massive Layer 7 web DDoS attacks with large-scale network-layer assaults. These sophisticated attacks are notable for their persistence and duration. They involve coordinated attacks of multiple network and application layer vectors.
This new wave of cyber threats underscores the necessity for adaptive yet comprehensive defense strategies that can anticipate and mitigate such attacks, ensuring uninterrupted services and protection for critical infrastructure. Check Point’s automated cloud DDoS protection solutions have been safeguarding targeted organizations with no downtime and no impact to service.
Examples of Prevented DDoS Tsunami Attacks
EMEA-based Large National Bank
This EMEA-based large national bank came under attack, and within a few days the customer faced at least 12 separate attack waves, typically around 2-3 a day. Multiple waves crossed the 1 million requests per second (RPS) threshold, and one peaked at nearly 3 million RPS. To put this into perspective, this bank has a typical traffic level of less than 1000 RPS.
Quick definition: RPS is a critical parameter for assessing the severity, impact, and scale of DDoS attacks.
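To make the RPS metric concrete, here is an added example (not code from the original post or from Check Point) that derives per-second request rates from constructed access-log lines and flags attack waves whose rate exceeds a multiple of the learned baseline, the same baseline-versus-peak comparison the case studies above rely on. Log format, timestamps, IP addresses and the 10x multiplier are all assumptions.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample access-log lines (Combined-Log-Format style, not real traffic):
# 5 quiet seconds at 3 RPS, then 3 seconds of flood at 300 RPS.
def make_sample_log():
    lines = []
    for sec in range(0, 5):
        for i in range(3):
            lines.append(f'10.0.0.{i + 1} - - [12/Sep/2023:10:00:0{sec} +0000] "GET /login HTTP/1.1" 200')
    for sec in range(5, 8):
        for i in range(300):
            lines.append(f'203.0.113.{i % 250} - - [12/Sep/2023:10:00:0{sec} +0000] "GET /login HTTP/1.1" 200')
    return lines

# Matches the bracketed timestamp; the time-zone offset is ignored for bucketing.
TS_RE = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

def rps_per_second(lines):
    """Count requests per wall-clock second, keyed by the log timestamp."""
    counts = Counter()
    for line in lines:
        m = TS_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(sorted(counts.items()))  # same date in all lines, so string order is time order

def learn_baseline(rps):
    """Baseline RPS as the median of observed seconds; in practice use a known quiet window."""
    return median(rps.values())

def detect_waves(rps, baseline_rps, multiplier=10):
    """Return (start, end, peak_rps) for each run of seconds at or above multiplier x baseline."""
    waves, current = [], None
    for ts, n in rps.items():
        if n >= baseline_rps * multiplier:
            if current is None:
                current = [ts, ts, n]
            else:
                current[1], current[2] = ts, max(current[2], n)
        elif current is not None:
            waves.append(tuple(current))
            current = None
    if current is not None:
        waves.append(tuple(current))
    return waves

if __name__ == "__main__":
    rates = rps_per_second(make_sample_log())
    base = learn_baseline(rates)
    for start, end, peak in detect_waves(rates, base):
        print(f"wave {start} -> {end}: peak {peak} RPS ({peak / base:.0f}x baseline {base})")
```

The median baseline is a simplification; a flood longer than the observation window would pull the median up, so production detectors learn the baseline from historical quiet traffic.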
At the same time, attackers launched multiple network-layer volumetric attacks of over 100 Gbps. The attacks also used a variety of attack vectors, including HTTPS floods, UDP fragmentation attacks, TCP handshake violations, SYN floods, and more.
Below is a visual representation of one of the attacks, with a peak wave of nearly 3M RPS.
Major Insurance Company
This insurance company faced several large-scale attack waves within a few days, with multiple waves peaking at over 1 million RPS. The largest such wave peaked at 2.5 million requests per second. The typical traffic rate for this customer is several hundred requests per second, so these attacks would overwhelm its application infrastructure many times over.
In addition, attackers combined some of the attack waves with network-layer volumetric attacks reaching over 100 Gbps.
The attacks included sophisticated attack vectors, such as web DDoS tsunami attacks (HTTP/S floods), DNS floods, DNS amplification attacks, UDP floods, UDP fragmentation attacks, NTP floods, ICMP floods, and more.
Below is an example of one of the attacks, with multiple waves over a 3-hour period, several peaks reaching the 1 million requests per second (RPS) threshold, and multiple spikes going over 2.5 M RPS:
European Telecommunications Company
A European telecommunications company has been the repeated target of state-backed attack groups. This week they were attacked with a persistent web DDoS attack of about 1 M RPS almost continuously for two hours, with peak traffic reaching 1.6 M RPS.
Check Point’s Response to DDoS Tsunami Attacks
Modern DDoS attack profiles have evolved, combining multiple vectors to target both the network and application layers. These sophisticated attacks employ encryption and innovative techniques like dynamic IP addressing to mimic legitimate traffic, making them highly disruptive and challenging to detect. Traditional mitigation methods often fall short, especially against layer 7 attacks, as they struggle to inspect encrypted traffic effectively.
Check Point’s cloud-based, automated DDoS mitigation infrastructure stands out by absorbing these multifaceted attacks seamlessly, ensuring no disruption to customer services. Recognizing the varied nature of these threats, Check Point employs a suite of automated protection modules. This arsenal includes the Cloud Web DDoS Protection Module, the L3/L4 Behavioral DoS (BDoS) Engine, and the Active Attackers Feed, among others. Together, they provide unparalleled protection against the industry’s most formidable tsunami DDoS attacks.
Check Point’s behavior-based algorithms detect and mitigate attacks in real time without blocking legitimate traffic. Our DDoS Protection defends against the widest range of attacks, from layer 3 to layer 7.
Check Point’s SOC and ERT are in constant contact with customers facing attacks, making sure that protection coverage is complete, with no impact to services or legitimate users.