Lumen stops 1.06 Tbps DDoS attack in the company's largest mitigation to date

Intended victim experienced no downtime despite attacker's persistence.

In its quarterly report on Distributed Denial of Service (DDoS) attacks, Lumen Technologies (NYSE: LUMN) revealed the company mitigated one of its largest ever – a 1.06 terabits per second (Tbps) attack that was part of a larger campaign targeting a single victim. Despite the size and complexity of the attempted attack, the target experienced no downtime.

Size was not the only notable element of the failed attack; it was also part of a larger campaign in which the threat actor attempted to leverage multiple techniques. These techniques are called out in the report as emerging trends in the second quarter.

Trend #1: Leveraging the cloud

Attackers leverage cloud-based services in a fraudulent way to significantly boost their attack capability.

To be successful at this type of attack, cybercriminals mask their acquisition and control of cloud-based services through compromised hosts or anonymizing services. The attacker then abuses the cloud providers' resources to launch volumetric attacks against their intended victims.

To learn how to avoid being a victim of compromised cloud services, read the full Q2 DDoS report.

"Using cloud and hosting providers to launch large DDoS attacks creates a unique challenge because it puts both the victim and the provider at risk," said Mark Dehus, director of threat intelligence for Black Lotus Labs, the threat research team at Lumen. "Cloud providers must be vigilant to ensure their services are not being abused. They should also have mitigation methodologies to limit the impact if a threat actor gains unauthorized or fraudulent access to resources."

Trend #2: Hit-and-run

Analysis from Black Lotus Labs revealed the 1.06 Tbps attack was part of a larger campaign that lasted 12 minutes. It began when the threat actor attempted to deploy a series of "hit-and-run" attacks. With this technique, victims are typically targeted with a series of consecutive or concurrent attacks that are relatively small in size and duration. Threat actors deploy these attacks to assess a potential victim's defenses and determine which attack methods – if any – will be successful.

The longest campaign Lumen mitigated in Q2 lasted 21 days, 8 hours.
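The probing pattern described above (several short bursts, often with different vectors, against one target before a sustained flood) is something a defender can look for in their own telemetry. The following is an added example, not code from Lumen or Black Lotus Labs: it groups per-second traffic samples into bursts per target and vector, then flags a target that received several short bursts inside one window. The sample format `(timestamp_seconds, target, vector, gbps)`, the thresholds, and the constructed traffic are all assumptions made for the illustration.

```python
"""Hit-and-run DDoS burst detection over per-second traffic samples.

Added example (not Lumen's or Black Lotus Labs' code). The input is an
assumed feed of (timestamp_seconds, target, vector, gbps) tuples, e.g. as
produced by a flow collector; the thresholds are illustrative defaults.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Burst:
    target: str
    vector: str
    start: int          # first over-threshold second
    end: int            # last over-threshold second (inclusive)
    peak_gbps: float

    @property
    def duration(self) -> int:
        return self.end - self.start + 1


def find_bursts(samples, threshold_gbps=5.0):
    """Group consecutive over-threshold seconds per (target, vector) into Bursts."""
    by_key = defaultdict(list)
    for ts, target, vector, gbps in samples:
        by_key[(target, vector)].append((ts, gbps))
    bursts = []
    for (target, vector), points in by_key.items():
        points.sort()
        current = None
        for ts, gbps in points:
            if gbps >= threshold_gbps:
                if current is not None and ts == current.end + 1:
                    current.end = ts                      # extend the open burst
                    current.peak_gbps = max(current.peak_gbps, gbps)
                else:
                    current = Burst(target, vector, ts, ts, gbps)
                    bursts.append(current)
            else:
                current = None                            # gap closes the burst
    bursts.sort(key=lambda b: b.start)
    return bursts


def flag_hit_and_run(bursts, window_s=900, min_bursts=3, max_burst_s=120):
    """Flag targets that took >= min_bursts short bursts within window_s seconds.

    Long floods are excluded (they are the follow-on attack, not the probing).
    """
    per_target = defaultdict(list)
    for b in bursts:
        if b.duration <= max_burst_s:
            per_target[b.target].append(b)
    flagged = {}
    for target, bs in per_target.items():
        bs.sort(key=lambda b: b.start)
        for i in range(len(bs)):
            window = [b for b in bs[i:] if b.start - bs[i].start <= window_s]
            if len(window) >= min_bursts:
                flagged[target] = {
                    "bursts": len(window),
                    "vectors": sorted({b.vector for b in window}),
                    "span_s": window[-1].end - window[0].start + 1,
                }
                break
    return flagged


def constructed_samples():
    """Constructed 1-second samples: three short probes of different vectors,
    then a long volumetric phase, plus a quiet second target as background."""
    samples = []
    target = "203.0.113.10"  # RFC 5737 documentation address

    def burst(start, length, vector, gbps):
        for t in range(start, start + length):
            samples.append((t, target, vector, gbps))

    burst(0, 20, "udp-amp", 40.0)
    burst(60, 15, "tcp-syn", 25.0)
    burst(150, 30, "dns", 60.0)
    burst(300, 240, "udp-amp", 1060.0)   # sustained flood after the probes
    for t in range(0, 600):              # normal traffic, well below threshold
        samples.append((t, "203.0.113.20", "tcp-syn", 0.2))
    return samples


if __name__ == "__main__":
    found = find_bursts(constructed_samples())
    for b in found:
        print(f"{b.target} {b.vector:8} {b.start:>4}-{b.end:<4} {b.duration:>4}s peak {b.peak_gbps} Gbps")
    print(flag_hit_and_run(found))
```

With the constructed feed, the three short probes (20 s, 15 s and 30 s, three different vectors) put the target over the `min_bursts` threshold well before the 240-second flood begins, which is the window in which a mitigation policy should already be tightening.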

Learn how to protect against hit-and-run attacks with Lumen DDoS Mitigation services.

Trend #3: VoIP targeting continues

Late last year, several researchers (including Lumen) began reporting on a rise in attacks targeting VoIP providers. In Q2 2022, one attack vector – Session Initiation Protocol (SIP) – stood out in the data. Although the number of SIP attacks that Lumen mitigated was relatively small – just 1.84% of all mitigations – they represented a 315% increase over Q1 2022, and a 475% increase over Q3 2021.

While the number of SIP attacks is low compared to tried-and-true methods, attacking SIP is considered a more surgical approach to disrupting VoIP services compared to DDoS brute-force methods like TCP-SYN flooding and UDP-based amplification. For more information about Lumen's previous research into VoIP attacks, read our Q4 2021 DDoS report.
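Because a SIP-level attack can be low in bandwidth yet still exhaust a VoIP platform's call-processing capacity, volume-based thresholds alone may not catch it. The following added example (not from the Lumen report) shows the kind of check a SIP operator can run over its own request logs: it counts signaling requests per source per time bucket and flags sources whose request rate is out of proportion. The log line format, the bucket size and the threshold are constructed assumptions for this illustration.

```python
"""SIP request-rate anomaly check over constructed SIP access-log lines.

Added example, not code from Lumen or Black Lotus Labs. Assumed log
format (constructed for this illustration):
    <ISO-8601 UTC timestamp> <source ip> <SIP method> <request-uri>
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(sip:\S+)$")
# Methods that cost the server the most work to process
SIGNALING_METHODS = {"INVITE", "REGISTER", "OPTIONS"}


def parse_line(line):
    """Return (epoch_seconds, source_ip, method, request_uri) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(ts.timestamp()), m.group(2), m.group(3), m.group(4)


def detect_sip_floods(lines, bucket_s=10, max_per_bucket=50):
    """Flag sources sending more than max_per_bucket signaling requests
    in any bucket_s-second bucket. Returns (flagged, skipped_line_count)."""
    counts = defaultdict(Counter)   # (source, bucket index) -> Counter(method)
    skipped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1            # never let a bad line abort the sweep
            continue
        ts, src, method, _uri = parsed
        if method not in SIGNALING_METHODS:
            continue
        counts[(src, ts // bucket_s)][method] += 1

    flagged = {}
    for (src, bucket), methods in counts.items():
        total = sum(methods.values())
        if total > max_per_bucket:
            prev = flagged.get(src)
            if prev is None or total > prev["peak_per_bucket"]:
                flagged[src] = {
                    "peak_per_bucket": total,
                    "methods": sorted(methods),
                    "bucket_start": bucket * bucket_s,
                }
    return flagged, skipped


def constructed_log():
    """Constructed log: one handset re-registering normally, one source
    sending 40 INVITEs per second for 5 seconds, and one malformed line."""
    lines = []
    for i in range(3):   # legitimate REGISTER every 20 seconds
        lines.append(f"2022-06-14T10:00:{i * 20:02d}Z 192.0.2.15 REGISTER sip:2001@pbx.example.net")
    for s in range(5):   # INVITE flood from a single source
        for _ in range(40):
            lines.append(f"2022-06-14T10:00:{30 + s:02d}Z 198.51.100.7 INVITE sip:1000@pbx.example.net")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    flagged, skipped = detect_sip_floods(constructed_log())
    print(f"skipped {skipped} malformed line(s)")
    for src, info in flagged.items():
        print(f"{src}: {info['peak_per_bucket']} signaling requests in one bucket, methods={info['methods']}")
```

The flood source here sends only a few hundred small requests, which would be invisible to a bits-per-second threshold; the per-source request rate is what separates it from the handset that re-registers a few times a minute. In production the bucket size and threshold should be derived from the platform's observed per-endpoint baseline rather than the constants used here.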

"Organisations of all types can be victimized by DDoS attacks," said Dehus. "Using the intelligence and visibility from the Lumen Platform, Black Lotus Labs can protect Lumen DDoS customers with better insights from the ever-growing list of threats to business-critical systems and data."