The Largest DDoS Attacks & What You Can Learn From Them

A DDoS (Distributed Denial of Service) is an attack that focuses on making the website unavailable to its legitimate users. DDoS attacks can produce service interruptions, introduce large response delays, and cause various business losses.

Denial-of-Service Attacks result in two ways —they either flood services or crash services. Attackers execute DDoS through computers and smart devices. Given this, it’s common for attackers to make use of IoT devices that are internet-accessible. IoT devices refers to any electronic that can connect to the internet and transmit data, such as toys, smart TVs, and monitors of any kind.

Because these devices have limited processing and operating systems, they may not come with advanced security features. DDoS attackers leverage this via the IP addresses of these IoT devices, personal computers, and even servers to fake legitimate traffic. This makes quick detection harder or difficult to track the attacker’s starting point and IP.

According to TechRepublic, in Q1 2019, there was an increase of 967% for attacks sized 100Gbps or higher, compared to Q1 2018. The largest attack was 70% larger than the biggest one for the same period in 2018, with 587Gbps compared to that of 345Gbps.

The Top 4 Largest DDoS Attacks

Have you ever wondered what the top 4 largest DDoS attacks were? In this post, we will dive into what the largest DDoS attacks looked like.

Spamhaus – 2013

The Spamhaus Project is an international organization based in London and Geneva. This anti-spam organization, founded in 1998, is responsible for compiling anti-spam lists to reduce the amount of spam reaching their users who are usually internet service providers and email servers.

This particular attack took place on March 16th and shut down Spamhaus until March 23nd. The attackers seized SpamHaus’ IP addresses through a malicious BGP (Border Gateway Protocol) route using a DNS server at the IP. By doing so, it gave a positive result for every SpamHaus DNSBL (Domain Name Server-Based Blacklist) query.

This reported as a DNS Reflection or Amplification DDoS attack at 140Gbps in some instances and up to 300+Gbps in others. The attack affected their website, e-mail servers, and DNS IPs.

Performed by a hacker-for-hire, it took many networks and several website security providers to mitigate one of the largest DDoS attacks ever recorded. Spamhaus quoted this about the events and the attacker:

“A 17-year-old male from London has been charged with computer misuse, fraud, and money laundering offences. He was arrested in April 2013. On his arrest officers seized a number of electronic devices”.

Misconfigured, open recursors are a true threat for the internet because they run on big servers with fat pipes. There is an open list available of all of these recursors, which in the wrong hands, could be disastrous to the internet.

BBC – 2015

The BBC (British Broadcasting Corporation) is a public service broadcaster based in London and founded in 1922, which makes it the oldest national broadcasting organization in the world. This might be the reason why they are now one of the biggest ones and carry TV channels, radio and web portals for all of their subsidiaries.

During New Years Eve of 2015, a group called The New World Hackers took responsibility for executing a DDoS attack to the BBC website, saying it was “A test of their abilities”.

Though almost 600Gbps, neither this magnitude or the attack’s identity were ever confirmed by the BBC. At the time this attack took place it was the largest one recorded (if indeed it reached that scale) taking nearly two weeks to completely recover from the incident.

The entire BBC domain was taken down, including their on-demand television and radio player for a total of three hours worth of attack, plus experimenting residual issues for the rest of the morning. To this, The New World Hackers had to say:

“The reason we really targeted the BBC is because we wanted to see our actual server power”

and followed with:

” It was only a test. Our servers are quite strong”

The BBC DDoS Attack

Botnets performed this DDoS attack using DDoS tools such as Lizard Stresser and BangStresser. These hacktivists mentioned at the time that they didn’t intend to run the attack for that long.

Dyn – 2016

Dyn is an internet performance management and web application security company founded in 2001 (acquired by Oracle Corporation in 2016) and based in the U.S. It offers products to optimize, control, and monitor online infrastructure.

On October 21st, Dyn had a series of DDoS attacks targeting systems operated by this DNS provider. The attack affected a large amount of users in North America and Europe. The DDoS attack lasted roughly one day, with spikes coming and going up to 1.2Tbps. It affected several large businesses and websites with high authority and traffic, such as: Airbnb, Amazon.com, Fox News, HBO, The New York Times, Twitter, Visa and CNN.

The New World Hackers, Anonymous, and SpainSquad claimed responsibility for the attack, a hacktivist effort to retaliate for Ecuador’s rescinding internet access to WikiLeak’s founder Julian Assange at their embassy in London where he had asylum. No one has confirmed this as the reason.

Dyn stated that according to risk intelligence firm FlashPoint, this was a botnet coordinated through a large number of IoT-enabled devices, including baby monitors, cameras, and residential gateways that had been infected with mirai malware.

Github – 2018

Founded in 2008, GitHub is a subsidiary for Microsoft based in the United States. It offers web-based hosting services for version control using Git as a source-code management (SCM) tool.

On February 28th, a large amount of traffic hit the developer platform spiking it to 1.3Tbps—the largest ever recorded. In total, GitHub was offline for five minutes, but the recovery took nearly a week.

GitHub stated they were not underprepared:

“Over the past year we have deployed additional transit to our facilities. We’ve more than doubled our transit capacity during that time, which has allowed us to withstand certain numeric attacks without impact to users. Even still, attacks like this sometimes require the help of partners with larger transit networks to provide blocking and filtering”. – GitHub

Memcached Server, a caching system to optimize websites relying on external databases, facilitated the attack. The attacks involved spoofing or phishing a target’s IP address to the default UDP (User Datagram Protocol) port on available memcached amplifiers. This returned much larger responses to the target.

Responsibility for this attack and the attacker is still unknown.

How to Prevent and Respond to a DDoS Attack

Whether a small or large website, everyone should prepare to face a DDoS attack. Having a website firewall protect your website is a great way to be ready for the worst case scenario. The Sucuri Web Application Firewall (WAF), filters all incoming traffic, impeding DDoS attacks from reaching your website. This way, your website will have enhanced performance along with website security.

Preparation is key, but it also helps to have a response plan:

Avoid single point of failure – spreading your servers across multiple data centers with a good load balancing system.
Have a secondary DNS server – attackers may try to bring your DNS servers down.
Consider managed website security – a professional on your side can help you work through an attack with minimal implications.
Don’t buy more bandwidth – Don’t feed the troll, use a professional WAF.
Limit your vulnerable or resource hungry end-points to the expected attention or traffic that your website has.
Outsource as much as possible off of your website components. Instead of having a built-in search system, consider using a professional search service integrated to your website.