Arbor's Carlos Morales said the company could confirm that a 1.7Tbps reflection/amplification attack aimed at a customer of a US-based service provider had been recorded by its ATLAS global traffic and DDoS threat data system.
He said the attack was carried out using memcached, the same application used to launch an attack measured at 1.35Tbps that was reported to have hit software hosting repository GitHub on 28 February.
Morales said that prior to this, the biggest DDoS attack that Arbor had experienced was 650Gbps aimed at a target in Brazil.
In 2013-14, he said, malware that weaponised the Network Time Protocol (NTP) had made an appearance and replaced DNS as the most prominent reflection/amplification vector.
Figures he had collated showed that the average NTP traffic globally in November 2013 was 1.29Gbps; by February 2014, that had grown to 351.64Gbps.
The following year, with the rise of botnets along with the proliferation of IoT devices, attackers had unprecedented power in their hands, Morales noted.
In 2016, he pointed out, the presence of more than 28 million open DNS resolvers meant that they were available for use in reflection/amplification techniques.
"Throughout this year (2016), the number of DNS reflection/amplification attacks being tracked per week nearly doubled, from approximately 10,500 to 18,500. Other protocols were being used as well to a lesser extent; DNS, NTP and Chargen represented the top three reflection/amplification attack vectors," Morales said.
The trend continued in 2017, with attackers using reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximise the scale of their attacks.
He said in 2018, "memcached servers are now being used as reflectors/amplifiers to launch extremely high-volume UDP reflection/amplification attacks".
"They are proving especially effective because memcached servers have high-bandwidth access links and reside on networks with high-speed transit uplinks. This makes memcached servers ideal for use in high-bandwidth reflection/amplification DDoS attacks."
Graphic: courtesy Arbor Networks