No Sooner Did the Ink Dry: 1.7Tbps DDoS Attack Makes History



In January 2018, NETSCOUT Arbor published our 13th Annual Worldwide Infrastructure Report (WISR 2018). 

This year’s report noted that the largest DDoS attack was 650 Gbps, down from 800 Gbps the prior year. The report also noted that although the largest DDoS attack was 650 Gbps, the overall mix of attack sizes is still shifting upward. For example, this year the percentage of attacks over 1 Gbps has increased to 22%, growing three years in a row.

No sooner had the ink dried on WISR 2018 than we encountered a 1.7Tbps DDoS attack!

On March 5th, 2018, NETSCOUT Arbor’s ATLAS global traffic and DDoS threat data system confirmed a 1.7Tbps reflection/amplification attack that targeted a customer of a U.S.-based service provider.



The attackers used a Memcached (pronounced mem-cash-dee) reflection and amplification vector to generate such a massive attack.

Though Memcached reflection and amplification attacks are not new, the abrupt rise in the number and size of these attacks indicates that the technique has been weaponized. In other words, it is now in the hands of less sophisticated attackers, who can simply use a DDoS-for-hire booter/stresser service to launch such an attack.

How did the DDoS attack occur?

To learn more about the technical details of the Memcached Reflection and Amplification attacks and ways to stop them, visit our ASERT Blog:

But the truth is, not all DDoS attacks are that large. In fact, the vast majority (87%) of DDoS attacks are under 2 Gbps.



And the modern-day DDoS attack is complex: it deploys a dynamic combination of at least three different attack vectors.

First, volumetric attacks, like the Memcached attacks, which can reach terabits in size, are designed to saturate bandwidth. According to Arbor’s WISR 2018, 52% of attacks are volumetric.

Second, TCP state exhaustion attacks are designed to take out your first lines of defense, such as firewalls or IPS devices. According to Arbor’s WISR 2018, 16% of attacks are TCP state exhaustion attacks.

And last but not least, low-and-slow application-layer attacks, which are very difficult to detect, are designed to bring down critical applications. According to Arbor’s WISR 2018, 32% of attacks are application-layer attacks, which is up 26% from last year.

Attackers use all three of these attack vectors simultaneously, which makes the combined attack very difficult to defend against.

Best Practices to Stop These Kinds of Attacks

Industry best practices dictate that you take a layered, or hybrid, approach to stopping multi-vector DDoS attacks. In other words…

To stop volumetric attacks (that only need to be as large as your internet pipe)…



Your only option is the cloud. You need the help of your Internet Service Provider or a cloud-based DDoS protection service provider to reroute attack traffic to their cloud-based scrubbing centers.

For TCP state exhaustion or low-and-slow application-layer attacks, which are more difficult to detect and stop with a cloud-only solution…

The best option for protection is on your premises. That is, deploy DDoS protection in your most critical data centers, customize policies for the applications running in those data centers, and install the protection in front of firewalls to protect them from TCP state exhaustion attacks.

NETSCOUT Arbor’s solution is an intelligently automated, seamlessly integrated combination of on-premise and in-cloud DDoS attack protection, continuously backed by global visibility and threat intelligence.

  1. On premises, Arbor APS is an in-line, always-on product that can automatically detect and stop all types of DDoS attacks, especially application-layer attacks, at which it excels.
  2. In the event of a large attack, via a feature called Cloud Signaling, the Arbor APS will automatically redirect attack traffic to the Arbor Cloud.
  3. Arbor Cloud is a fully managed DDoS attack protection service offering multiple Tbps of mitigation capacity via worldwide scrubbing centers. 
  4. All of these products and services are continuously armed with the global threat intelligence offered by Arbor’s ATLAS and Security Engineering and Response Team (ASERT).

So, don’t let the headlines influence you. Yes, DDoS attacks are getting large (e.g. 1.7Tbps Memcached attacks), but they are also getting more complex. Comprehensive protection requires an intelligently automated, seamlessly integrated combination of on-premise and in-cloud DDoS attack protection, continuously backed by global visibility and threat intelligence.

For more information on Memcached attacks, take a look at this video: "What is a Memcached DDoS Attack? And How You Can Stop It"

For more detailed information about NETSCOUT Arbor DDoS Attack Protection products and services, visit