June 13, 2020 (updated 15 Jun 2020 10:46am)

AWS Hit With a Record 2.3 Tbps DDoS Attack

AWS also sees Docker, Hadoop, Redis, SSH attacks at a huge scale

By CBR Staff Writer

AWS says it was hit with a record DDoS attack of 2.3 Tbps earlier this year, with the (unsuccessful) attempt to knock cloud services offline continuing for three days in February.

To put the scale of the attempt in context, it is nearly double the 1.3 Tbps attack that blasted GitHub in 2018, or the circa 1 Tbps Mirai botnet DDoS that famously knocked Dyn offline in 2016.

Record DDoS Attack: AWS Reports CLDAP Incident 

DDoS attacks come in a wide range of flavours.

The attack on AWS was a CLDAP reflection-based attack, and was 44 percent larger than anything the cloud provider has seen before, it said in a Q1 AWS Shield threat landscape report [pdf] seen this week.

AWS did not cite an apparent motive, but noted that attacks spike when a new vector is discovered by attackers.

Reflection attacks abuse legitimate protocols by sending a request to a third-party server using a spoofed IP address.


The response is much larger than the request and is returned to the spoofed IP address of the unwitting victim. (Security firm Akamai in 2017 found that 78,071 hosts responded with 1,500+ bytes of data to an initial 52-byte query.)

CLDAP reflection attacks abuse the connectionless version of the Lightweight Directory Access Protocol (LDAP).
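From the receiving side, reflected CLDAP traffic shows up as large UDP replies with source port 389 arriving from many unrelated hosts at one destination. The following is an added example, not from the article or the AWS report, that flags that pattern in flow records; the record format, the sample lines (documentation-range addresses) and the thresholds are constructed assumptions.

```python
from collections import defaultdict

CLDAP_PORT = 389  # CLDAP is LDAP over UDP, port 389

# Constructed sample flow records (not real traffic), in an assumed format:
# src_ip src_port dst_ip dst_port proto bytes packets
SAMPLE_FLOWS = """\
198.51.100.10 389 203.0.113.5 41822 udp 1480000 1000
198.51.100.11 389 203.0.113.5 41822 udp 1512000 1000
198.51.100.12 389 203.0.113.5 9021 udp 3024000 2000
198.51.100.13 389 203.0.113.5 9021 udp 1500000 1000
192.0.2.44 53 203.0.113.5 5353 udp 9000 60
192.0.2.77 389 203.0.113.9 50110 udp 1500 1
192.0.2.80 443 203.0.113.9 50112 tcp 880000 700
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        src, sport, dst, _dport, proto, nbytes, pkts = parts
        try:
            flows.append({"src": src, "sport": int(sport), "dst": dst,
                          "proto": proto.lower(), "bytes": int(nbytes), "packets": int(pkts)})
        except ValueError:
            continue
    return flows

def find_cldap_reflection(flows, min_reflectors=3, min_avg_packet=1000):
    """Return {victim_ip: stats} for hosts receiving large UDP/389 replies from many sources."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f["proto"] == "udp" and f["sport"] == CLDAP_PORT:
            s = per_dst[f["dst"]]
            s["reflectors"].add(f["src"])   # each distinct source is one reflector
            s["bytes"] += f["bytes"]
            s["packets"] += f["packets"]
    hits = {}
    for dst, s in per_dst.items():
        avg = s["bytes"] / s["packets"] if s["packets"] else 0
        if len(s["reflectors"]) >= min_reflectors and avg >= min_avg_packet:
            hits[dst] = {"reflectors": len(s["reflectors"]), "bytes": s["bytes"], "avg_packet": round(avg)}
    return hits

if __name__ == "__main__":
    print(find_cldap_reflection(parse_flows(SAMPLE_FLOWS)))
```

The single UDP/389 reply to 203.0.113.9 is not flagged because one source does not meet the reflector threshold.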

AWS weathered this attack, its threat report shows, but it comes after the public cloud giant saw services knocked offline in October 2019 by a DDoS attack on its DNS service.

What Else is Being Used to Attack the Cloud?

The report also highlights the four most prominent (malicious) “interaction types” used to try and hack services running on AWS in Q1.

There were 41 million attempts made to compromise services using these four techniques alone during the quarter: 31 percent of all events.

Without naming explicit CVEs, AWS points to:

• “Docker unauthenticated RCE, where the suspect attempts to exploit a Docker engine API to build a container, without authorization.

• “SSH intrusion attempts, where the suspect looks for ways to gain unauthorized access to the application using commonly used credentials or other exploits.

• “Redis unauthenticated RCE, where the suspect attempts to exploit the API of a Redis database to gain remote access to the application, gain access to the contents of the database, or make it unavailable to end users.

• “Apache Hadoop YARN RCE, where the suspect attempts to exploit the API of a Hadoop cluster’s resource management system and execute code, without authorization.”

The report notes: “The motivation of an attacker can vary. Individual interactions may result from an attacker with a specific goal that related to the targeted application. The higher volume interactions are motivated by control of compute and network resources at scale for purposes like cryptocurrency mining, DDoS attacks, or data exfiltration.

“The frequency of interaction with an application depends on factors like its prevalence on the Internet, availability of unpatched RCE vulnerabilities, and the likelihood that application owners have effectively restricted access to those applications”, it concludes.
