Amazon Web Services said it stopped a massive mid-February DDoS attack, the largest ever recorded, according to some media reports.
In a Q1 AWS Shield threat landscape report, the company disclosed web attacks that were prevented and mitigated by AWS Shield, Amazon’s cybersecurity service.
The targeted customer wasn’t identified in the report, but AWS said the attackers exploited CLDAP web servers and caused three days of “elevated threat” levels for its staff.
In Q1 2020, a known UDP reflection vector, CLDAP reflection, was observed with a previously unseen volume of 2.3 Tbps. This is approximately 44% larger than any network volumetric event previously detected on AWS. CLDAP reflection attacks of this magnitude caused 3 days of elevated threat during a single week in February 2020 before subsiding. Despite this observation, smaller network volumetric events are far more common. The 99th percentile event in Q1 2020 was 43 Gbps.
Read Next: Relax — There Was No Large-Scale DDoS Attack
According to ZDNet, CLDAP (Connection-less Lightweight Directory Access Protocol) is an alternative to Microsfot’s LDAP protocol and is used to connect, search and modify internet-shared directories.
That protocol has been exploited for DDoS attacks for several years and are known to amplify DDoS traffic by 56 to 70 times its initial size, making it a common target for DDoS-for-hire services, ZDNet reported.
The previous record for the largest DDoS attack ever recorded was 1.7 Tbps, ZDnet said, citing a report from NETSCOUT.
In the report, AWS said mitigating those threats is best achieved when following best practices.
Larger attacks, like the 2.3 Tbps CLDAP reflection attack … described in this report, are lower frequency, high severity threats that are best mitigated when you are closely adhering to the best practices. This can also help protect applications against complex or multi-vector attacks that are often lower volume, but are more challenging to identify or mitigate.
In addition to utilizing other AWS security solutions, the cloud provider recommends reducing the attack surface, keeping software current, managing remote access and monitoring the application.