Wynncraft, one of the largest Minecraft servers, was recently hit by a 2.5 Tbps distributed denial-of-service (DDoS) attack.
It was a multi-vector attack that lasted for about two minutes and consisted of UDP and TCP floods attempting to overwhelm the server and keep out hundreds of thousands of players, DDoS mitigation company Cloudflare says.
The researchers say this was the largest attack by bitrate that they have ever recorded and handled.
A DDoS attack this large occurred in 2017, during a six-month campaign from a nation-state actor, which Google disclosed in 2020.
Cloudflare’s 2022 Q3 DDoS report notes that multi-terabit DDoS attacks are now more frequent.
In the third quarter of the year, Cloudflare mitigated more DDoS attacks than last year, with HTTP-based ones increasing by 111%. Layer 3 and 4 (L3/4) DDoS attacks also almost doubled year-over-year, their occurrence jumping by 97%.
The most notable region targeted by HTTP DDoS attacks was Taiwan, which saw an increase of 200% compared to the last quarter, while Japan was targeted 105% more quarter-over-quarter.
L3/4 DDoS attacks targeted mainly the gaming industry and their volume was inflated by a Mirai comeback that increased its activity by 405% compared to Q2 2022.
Another worrying DDoS trend seen in Q3 2022 is the abuse of the BitTorrent protocol, normally used for file sharing. This practice rose by over 1,200% QoQ.
“A malicious actor can spoof the victim’s IP address as a seeder IP address within [BitTorrent] Trackers and DHT (Distributed Hash Tables) systems,” details Cloudflare.
“Then clients would request the files from those IPs. Given a sufficient number of clients requesting the file, it can flood the victim with more traffic than it can handle.”
The countries most targeted by HTTP DDoS attacks were the United States, China, and Cyprus, while network-layer attacks targeted mainly Singapore, the U.S., and China.
Size and duration
Cloudflare highlights a rise in the number of large-scale DDoS attacks (over 100 Gbps) but underlines that these are still the outliers, accounting for only 0.1% of the total.
The vast majority (97.3%) were attacks measuring under 500 Mbps, which Cloudflare characterizes as “cyber-vandalism”, attributing them to so-called “script kiddies” who use readily available DDoS tools and direct attacks against small and poorly protected targets.
The duration of most (94%) attacks is brief, measuring below 20 minutes. However, there was a small rise of 8.6% and 3.2% in lengthy episodes lasting above an hour and three hours, respectively.