As some of you may be aware, our system was the target of two DDoS attacks this week. We wanted to give you some details on what happened and what we have done to mitigate the attacks, now and in the future.
DDoS stands for Distributed Denial of Service. In general terms, it is an attack in which a malicious party uses a large number of compromised machines to send traffic at another system, which could be anything from a single machine to an entire network. That traffic overwhelms the target, exhausting its resources and causing failures of various kinds.
Tuesday's DDoS was the first we had actually seen against the platform and came in the form of an NTP reflection and amplification attack. The attacker sent UDP packets to a customer's unprotected NTP server hosted within the Civo network, each requesting a large payload in response. That allowed the attacker to send relatively small packets and flood the network with much larger responses (the amplification part). This caused us problems because the incoming traffic volume was relatively small and did not trigger our DDoS protection systems.
Luckily we had plenty of monitoring in place and were able to quickly detect the issue and set about resolving it. UDP allows packets to be sent with spoofed source IPs, so the incoming requests could not be blocked the way traffic from compromised machines with a fixed set of addresses normally can be. The spoofing causes a second problem: the service sends its responses to the spoofed addresses, potentially causing a DDoS against those hosts too (the reflection part). Once we had determined the type of attack, we were able to take steps to resolve it.
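The pattern described above (small UDP requests into port 123, far larger responses out, sent to a spoofed source that never really asked) is visible in ordinary flow records from the network edge. The following is an added detection example, not Civo's own tooling or code from the original post: it parses a small set of constructed flow-log lines (the line format, the addresses and the thresholds are all assumptions made for this illustration) and flags any NTP server whose response volume toward a given client is far larger than what that client sent in, or that is answering a client that sent nothing at all.

```python
from collections import defaultdict
from dataclasses import dataclass
import re

NTP_PORT = 123
# Assumed thresholds for this example: flag when responses exceed 10x the
# request bytes (or no request was seen) and at least 50 KB went out.
AMPLIFICATION_THRESHOLD = 10.0
MIN_RESPONSE_BYTES = 50_000


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    bytes: int


# Assumed flow-log line format for this example:
#   "<proto> <src>:<sport> -> <dst>:<dport> pkts=<n> bytes=<n>"
_LINE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+pkts=(?P<pkts>\d+)\s+bytes=(?P<bytes>\d+)$"
)


def parse_flow_line(line: str) -> Flow:
    """Parse one flow record in the assumed text format above."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    return Flow(
        m["proto"].lower(), m["src"], int(m["sport"]),
        m["dst"], int(m["dport"]), int(m["pkts"]), int(m["bytes"]),
    )


# Constructed sample data (not real traffic): 203.0.113.10 is the hosted NTP
# server; 198.51.100.7 and 198.51.100.9 are the spoofed "clients" that receive
# the amplified output; 192.0.2.25 is a normal NTP client.
SAMPLE_LINES = [
    "udp 198.51.100.7:40000 -> 203.0.113.10:123 pkts=200 bytes=15200",
    "udp 203.0.113.10:123 -> 198.51.100.7:40000 pkts=20000 bytes=9600000",
    "udp 203.0.113.10:123 -> 198.51.100.9:41000 pkts=500 bytes=240000",
    "udp 192.0.2.25:52000 -> 203.0.113.10:123 pkts=4 bytes=192",
    "udp 203.0.113.10:123 -> 192.0.2.25:52000 pkts=4 bytes=192",
    "tcp 192.0.2.30:50000 -> 203.0.113.10:80 pkts=10 bytes=1500",
]
SAMPLE_FLOWS = [parse_flow_line(line) for line in SAMPLE_LINES]


def detect_ntp_amplification(flows, threshold=AMPLIFICATION_THRESHOLD,
                             min_bytes=MIN_RESPONSE_BYTES):
    """Return alerts for (reflector, target) pairs showing amplification.

    Requests are UDP flows into port 123; responses are UDP flows out of
    port 123. Both are keyed by (server, client, client_port) so that each
    response volume is compared with the request volume that supposedly
    caused it.
    """
    request_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == NTP_PORT:
            request_bytes[(f.dst, f.src, f.sport)] += f.bytes
        elif f.sport == NTP_PORT:
            response_bytes[(f.src, f.dst, f.dport)] += f.bytes

    alerts = []
    for key, resp in sorted(response_bytes.items()):
        req = request_bytes.get(key, 0)
        # No request at all is the strongest sign the "client" is spoofed.
        ratio = resp / req if req else float("inf")
        if resp >= min_bytes and ratio >= threshold:
            server, client, _ = key
            alerts.append({
                "reflector": server, "target": client,
                "request_bytes": req, "response_bytes": resp, "ratio": ratio,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_ntp_amplification(SAMPLE_FLOWS):
        print(f"reflector {alert['reflector']} -> target {alert['target']}: "
              f"{alert['request_bytes']} B in, {alert['response_bytes']} B out, "
              f"ratio {alert['ratio']:.1f}")
```

The legitimate client (192.0.2.25) sends and receives about the same number of bytes and is not reported; the two spoofed targets are. Because the per-client ratio is what matters, this check fires even when the total inbound volume stays well under a bandwidth-based DDoS threshold, which is exactly the gap that let Tuesday's attack go unnoticed by the volumetric protection.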
Wednesday's DDoS took a different form and was a more straightforward volumetric attack that hit the network with a large number of requests, attempting to overwhelm the system with sheer traffic. Our DDoS protection systems were able to detect this and respond with little to no disruption to our users.
Unfortunately, DDoS and a whole host of other security threats are something we all have to face on a day-to-day basis. At Civo, we take security very seriously and continue to learn and grow every day. With this week's attacks, we have been able to improve not only our monitoring but also our methods of mitigating any future attacks.