Hacktivists mounted an immense and previously undocumented 300 Gbps DDoS attack earlier this summer by exploiting an obscure motherboard-level flaw on as many as 100,000 unpatched servers, VeriSign has disclosed in its latest quarterly DDoS Trends report.
Like most DDoS reporting these days, VeriSign’s analysis notes the growing size of attacks in the second quarter, but the more striking news is what happened to one of its customers in June.
Described only as a content delivery network (CDN) in the media and entertainment sector, the unidentified datacentre found itself on the receiving end of a determined DDoS “siege”, which opened with a three-hour SYN and TCP flood, a standard opening move to wear down a target.
Once that was mitigated, the attackers switched to large UDP packets, quickly reaching a peak of 250 Gbps that forced VeriSign to start spreading the load across its global mitigation capacity. Over the following 24 hours, the mitigation systems had to absorb more than 30 short but large bursts of UDP and TCP floods as the attackers probed for weak points.
In a final attempt to take the target down, the volume ramped up to 300 Gbps, making this one of the largest DDoS attacks ever publicly disclosed. Repelled by VeriSign’s mitigation systems, the attackers only halted after 30 hours.
The attack documented by VeriSign drew its enormous strength from a botnet of up to 100,000 servers vulnerable to the Supermicro IPMI (Intelligent Platform Management Interface) flaw published by researcher Zachary Wikholm on 19 June. This motherboard-level issue let attackers retrieve a system’s unencrypted password file simply by connecting to port 49152 on the board’s management controller. The usual caveat applies: IPMI and other baseboard management interfaces belong on an isolated management network and should never be reachable from the internet, patched or not.
The attackers knew what they were doing. Another notable technique was to sneak malformed packets past mitigation by wrapping them in GRE (Generic Routing Encapsulation) tunnels, so that scrubbing equipment inspecting only the outer IP header saw GRE traffic rather than the flood packets inside.
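As an added example that is not part of VeriSign’s report or the original article, the following Python sketch shows how the two patterns described above might be picked out of flow records on the defender’s side: short, large bursts of UDP or TCP/SYN traffic measured against a quiet baseline (merged into per-burst rows rather than per-second hits), and GRE traffic from hosts that are not configured tunnel endpoints. The flow records, addresses, thresholds and the list of known tunnel peers are all constructed for illustration and are assumptions, not data from the report.

```python
"""Added example: spotting short flood bursts and unexpected GRE traffic in
flow records. All addresses, records and thresholds below are constructed;
they are not data from the VeriSign report."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

TCP, UDP, GRE = 6, 17, 47        # IP protocol numbers


@dataclass
class Flow:
    ts: int            # second in which the flow was sampled
    src: str
    dst: str
    proto: int         # IP protocol number of the *outer* header
    packets: int
    nbytes: int
    syn_only: bool = False   # TCP flow that saw SYNs but never completed a handshake


# Constructed sample: five quiet seconds, a UDP burst, a quiet second, a SYN
# flood, then GRE from a known tunnel peer alongside GRE from an unknown source.
SAMPLE = []
for t in range(5):
    SAMPLE.append(Flow(t, "198.51.100.20", "203.0.113.10", TCP, 800, 100_000))
    SAMPLE.append(Flow(t, "198.51.100.21", "203.0.113.10", UDP, 200, 20_000))
for t in (5, 6):                    # large UDP packets, like the 250 Gbps phase
    SAMPLE.append(Flow(t, "192.0.2.77", "203.0.113.10", UDP, 4_000, 5_000_000))
SAMPLE.append(Flow(7, "198.51.100.20", "203.0.113.10", TCP, 800, 100_000))
SAMPLE.append(Flow(7, "198.51.100.21", "203.0.113.10", UDP, 200, 20_000))
SAMPLE.append(Flow(8, "192.0.2.88", "203.0.113.10", TCP, 50_000, 3_000_000, syn_only=True))
SAMPLE.append(Flow(9, "203.0.113.1", "203.0.113.10", GRE, 100, 12_000))      # our tunnel peer
SAMPLE.append(Flow(9, "192.0.2.99", "203.0.113.10", GRE, 3_000, 4_500_000))  # not a peer

KNOWN_TUNNEL_PEERS = {"203.0.113.1"}   # assumed: the only host we run a GRE tunnel with


def aggregate(flows):
    """Per-second totals: bytes for tcp/udp/gre and packets of half-open TCP."""
    agg = defaultdict(lambda: defaultdict(int))
    for f in flows:
        bucket = agg[f.ts]
        if f.proto == TCP:
            bucket["tcp"] += f.nbytes
            if f.syn_only:
                bucket["syn"] += f.packets
        elif f.proto == UDP:
            bucket["udp"] += f.nbytes
        elif f.proto == GRE:
            bucket["gre"] += f.nbytes
    return agg


def detect_bursts(flows, window=5, multiplier=10, syn_pps=1_000):
    """Flag each second whose tcp/udp byte count exceeds `multiplier` times the
    median of the first `window` seconds, or whose half-open SYN packet count
    exceeds `syn_pps`. Returns [(ts, kind, value)]. The baseline window must be
    attack-free; in production use a trailing window from a known-quiet period."""
    agg = aggregate(flows)
    base_secs = sorted(agg)[:window]
    base = {k: median(agg[t][k] for t in base_secs) for k in ("tcp", "udp")}
    alerts = []
    for t in sorted(agg):
        for k in ("tcp", "udp"):
            if base[k] and agg[t][k] > multiplier * base[k]:
                alerts.append((t, f"{k}_flood", agg[t][k]))
        if agg[t]["syn"] > syn_pps:
            alerts.append((t, "syn_flood", agg[t]["syn"]))
    return alerts


def group_bursts(alerts):
    """Merge per-second alerts of one kind into contiguous bursts, so that
    "30 short bursts" shows up as 30 rows rather than thousands of per-second
    hits. Returns [(kind, start_ts, end_ts, peak_value)] ordered by start."""
    bursts = []
    for t, kind, value in sorted(alerts, key=lambda a: (a[1], a[0])):
        if bursts and bursts[-1][0] == kind and bursts[-1][2] == t - 1:
            k, start, _, peak = bursts[-1]
            bursts[-1] = (k, start, t, max(peak, value))
        else:
            bursts.append((kind, t, t, value))
    return sorted(bursts, key=lambda b: (b[1], b[0]))


def detect_unexpected_gre(flows, known_peers):
    """GRE (protocol 47) from any host that is not a configured tunnel endpoint.
    A filter that looks only at the outer header sees 'GRE', not the flood
    inside, so decide on the outer source address before decapsulation."""
    return sorted({(f.src, f.dst) for f in flows
                   if f.proto == GRE and f.src not in known_peers})


if __name__ == "__main__":
    for burst in group_bursts(detect_bursts(SAMPLE)):
        print("burst:", burst)
    for src, dst in detect_unexpected_gre(SAMPLE, KNOWN_TUNNEL_PEERS):
        print("unexpected GRE:", src, "->", dst)
```

Run as a script, it reports one two-second UDP burst, a one-second SYN flood that also trips the TCP byte threshold, and a single unexpected GRE source. The baseline here is simply the first five seconds of the sample; a real deployment would take the median from a trailing window of known-quiet traffic, and would either decapsulate GRE from the allowed peers or rate-limit it separately rather than trust it outright.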