October 26, 2023

Defying the DDoS Storm of the Year - An Epic Story of how a Singaporean E-commerce Triumphed against the onslaught of the Pandora and Moobot Botnets

In the tumultuous world of cybersecurity, where relentless storms of cyber threats constantly loom on the horizon, Distributed Denial of Service (DDoS) attacks have emerged as the fiercest tempests. As we approach 2024, the DDoS battleground is more ferocious than ever, especially in the Asian region, where the thunderclouds of cyber warfare gather ominously. In this gripping narrative, we plunge into the heart-pounding saga of how Nexusguard, the valiant guardian of digital fortresses, fearlessly thwarted one of the most colossal and malevolent DDoS attacks ever witnessed, unleashing unprecedented drama and heroism in the process.


The Target: A Desperate E-commerce Citadel

The epic tale begins with a Singapore-registered e-commerce empire, its digital realm hosted upon a mighty cloud provider's celestial stronghold, firmly anchored in the heart of Singapore. This fortress thrived on the lifeblood of its APIs (Application Programming Interfaces), the very heart and soul of its commerce dominion, leaving it perilously exposed to the malicious storms of DDoS attacks.

Attack Autopsy: The Relentless Prologue

The storm's ominous rumblings began with a relentless reconnaissance phase, spanning from the 5th to the 7th of September. These were no ordinary attacks but a calculated probing, akin to shadowy spies skulking in the night, seeking chinks in the fortress's digital armor. A barrage of minor application-layer skirmishes rained down upon various domains and IP addresses of the target, their eerily similar signatures whispering secrets of sinister intent. The attackers, like masterful tacticians, gauged the fortress's strengths, identifying assets and assessing security postures.


Blog visual 2023.10 1
Figure 1 - A series of small scale application layer attacks target various assets of the business. Note the similar signatures such as the size, as well as the duration.

Suddenly, the storm's ferocity intensified. The probing transitioned into frenzied volumetric attacks, each unleashing a tempest of chaos that raged for a brief but blistering 27 minutes. The attackers, relentless in their quest for vulnerability, seemed to be masters of deception, cloaking their intentions in the shroud of Asian time zones, launching their raids in the afternoon and always ceasing just before the strike of the Singapore midnight .

Blog visual 2023.10 2
Figure 2 - The attackers seemed to always end their day just before midnight, strongly suggesting that the attackers are operating in Asia, and very possibly in the +8GMT time zone. They are mercenaries after all, and have no obligations to work beyond their stipulated hours.


In a shocking crescendo, the attackers unleashed their final volley before retreating into the night. It was a series of request-based application DDoS attacks, a frenetic torrent of 100-160 thousand requests per second. This was their dark dance, testing their tools and gauging the abyss of their resources.


Attack Phase 1 - Sniper Attacks: The Storm Breaks


The morning of the 8th of September dawned with a sinister calm, shrouding the e-commerce realm in eerie silence. But, unbeknownst to the fortress, the storm was brewing on the horizon. In the languid mid-afternoon, the first cannonball struck: a 120Gbps TCP Ack flood attack. The very earth quaked as this ominous harbinger sought to drown the fortress in a torrent of malicious acknowledgments.


Blog visual 2023.10 3
Figure 3 - Deep diving into an attack event with Nexusguard’s info-rich and powerful dashboard. From here operators can analyze the vectors employed by the attackers and fine tune strategies as required.


However, this was but the first act in the saga. As the midnight hour chimed, the storm unleashed its true fury. A cataclysmic 700Gbps volumetric DDoS tempest descended upon the fortress, unleashing a torrential deluge of 79 million packets per second. This marked the darkest hour, an epoch-defining moment as the largest DDoS attack ever launched and subsequently mitigated within the storied annals of Singaporean business.


Blog visual 2023.10 4
Figure 4

Throughout the day, the tempest's relentless wrath continued, launching several 30-to-60 minute squalls, each ranging from 500 to 700Gbps. The storm's origins were shrouded in mystery, launching attacks from networks across the world. It was as if the attackers were orchestrating a symphony of mayhem, testing different battalions of their botnet army, strategically distributing their assaults to preserve their formidable might.


Blog visual 2023-10 5-1
Figure 5 - Moderately short bursts of attacks spaced evenly apart, as if on cue. Short bursts of attacks serve as a strategic approach to create congestion and preserve resources. These attacks are designed to reach a sufficient scale to overwhelm the target, with the expectation that upstream providers will null-route the targeted IPs. This approach aims to safeguard the botnets by avoiding excessive exposure and potential countermeasures.


Blog visual 2023.10 6
Figure 6 - Attacks recorded an hour apart. Attacks are orchestrated to be launched from distinct parts of the world, as if trying to load balance the attack, displaying the reach and prowess of the botnet


Attack Phase 2 - Sustained Attacks: The Fortress Holds

As the sun dipped below the horizon, the attackers paused, weary from their relentless assault. But they were not defeated, merely regrouping for the next dark chapter of their assault. On the 10th of September, they returned, like a hurricane reinvigorated, launching sustained attacks that would test the fortress's resilience to the core.


Blog visual 2023.10 7
Figure 7 - At it’s peak - the attack reached 79 million packets per second. While it may not be the largest recorded attack in history, it is still a respectable size and more than enough to take down even a moderately protected service.


For the next 36 grueling hours, the tempest raged unabated. Attacks, each surging between 500 to 700 Gbps, rained down upon the fortress, with packets swirling at a frenzied pace of 40 to over 60 million packets per second. It was a relentless siege, a storm of unparalleled intensity, designed to shatter the fortress's defenses through sheer brute force.

But amidst this chaos, Nexusguard stood as the unwavering guardian, determined to hold the line against the relentless tempest. The tempest may have been unyielding, but the fortress's defenses held steadfast, a testament to the resilience and indomitable spirit of those who dared to defy the storm.

Attack Phase 3 - Application Layer Attacks: The Storm's Ingenious Fury

As the battle raged on, a curious pattern emerged. With the discipline only displayed by elite combat units, the attackers transitioned from strategy to strategy with precision. At the stroke of midnight, the volumetric onslaught ceased, to be immediately replaced by an insidious tactic: application-layer attacks.


Blog visual 2023-10 8
Figure 8 - For this particular event, the majority of botnets were activated from China

These request-based attacks were a cunning ploy, utilizing compromised machines to send what appeared to be legitimate requests, a treacherous deluge aimed at overwhelming the fortress's API gateways and servers. It was a devious strategy, one that threatened to breach the fortress's inner sanctum.

But Nexusguard, armed with the power of artificial intelligence, rose to the occasion. The API service, under relentless assault, stood defiant, its defenses bolstered by Nexusguard's cutting-edge detection and authentication capabilities. At its zenith, the onslaught reached a staggering 294 thousand requests per second, a testament to the attackers' vast and formidable botnet army.

Blog visual 2023.10 9
Figure 9 - 294k request per second of Application layered DDoS attacks, a testament to the enormous botnet under the attackers control


As the storm's fury raged on, Nexusguard delved deeper, peering into the abyss of the attackers' operations. It was a chilling revelation, unveiling a complex web of botnets, each a dark instrument of destruction. The battle was far from over; it was a struggle for the very soul of the fortress.

The Aftermath: Unveiling the Dark Secrets

During and after the tempestuous battle, Nexusguard's engineers received a barrage of emails from networks across the globe. These messages were no ordinary communiques; they were a cacophony of alarms, a chorus of digital sirens heralding an unprecedented threat. The storm's reach extended far and wide, far beyond anything ever witnessed.


Blog visual 2023.10 10
Figure 10 - Reflection attacks, or attacks using spoofed source IPs, are common DDoS tactics. This causes other networks to experience unusually large amounts of traffic moving to and from the target IP to these spoofed IPs, and hence such “network abuse” emails from networks that houses some of these botnets.

This was no ordinary storm; it was a harbinger of a new breed of botnet. The sheer volume of abuse emails from across the world was a chilling testament to the storm's global reach. It was a harbinger of doom, a harbinger of Pandora and Moobot, a dark alliance of botnets unseen in their scale and ferocity.


Blog visual 2023.10 11
Figure 11 - Pandora-Mirai: The botnet that's not opening boxes, but unlocking a digital Pandora's Vault of internet chaos!


The storm had unleashed its fury not just upon the fortress but upon the very infrastructure of the digital realm. Nexusguard's internet exchange links, some as vast as the ocean, were pushed to the brink of saturation, a testament to the tempest's potency and breadth. It was a revelation that sent shivers down the spines of even the most battle-hardened defenders.

As Nexusguard delved deeper into the abyss, it uncovered the storm's true identity. The attackers had wielded the Pandora and Moobot botnets, a malevolent force like none before. These were not mere botnets; they were titans of destruction, wreaking havoc on a global scale.

Pandora and Moobot Botnets: The Dark Titans Unleashed

Pandora and Moobot were not ordinary botnets; they were the spawn of the abyss, dark titans of cyber warfare. Their emergence signaled a new era of cyber threats, one where the line between man and machine blurred into oblivion.

Pandora, like the mythical box it was named after, released a flood of chaos upon the digital realm. It was a botnet of unprecedented scale and sophistication, capable of orchestrating large-scale DDoS attacks with surgical precision. It lurked in the shadows, adapting and evolving with each assault, a relentless force that left destruction in its wake.


Blog visual 2023.10 12
Figure 12 - Attackers concoct a deadly blend by merging the Pandora and Moobot botnets, wielding an unprecedented cyber threat cocktail capable of wreaking havoc on a massive scale.


Moobot, on the other hand, was a digital behemoth, a relentless juggernaut of destruction. It wielded immense power, launching attacks that shook the very foundations of the fortress. Its ability to switch attack vectors with ease showcased a level of strategic cunning that defied imagination. This was no mere botnet; it was an adversary of unfathomable proportions.

Together, Pandora and Moobot formed an unholy alliance, a dark duo that threatened to plunge the digital realm into eternal night. They were not bound by borders; their reach extended across the globe, leaving no corner of the digital world untouched.


Mitigating the Attack of the Century: A Heroic Stand


In the face of this unprecedented tempest, Nexusguard stood as the beacon of hope. It was a battle of titans, a clash of epic proportions, with the fate of the e-commerce fortress hanging in the balance.


Nexusguard's arsenal was formidable. Of worthwhile mention was Smart Route, a robust and resilient DNS-based load balancing feature that enhanced and preserved the customer's application performance, a shield against the storm's relentless onslaught. Smart Route was the fortress's bulwark, ensuring minimal latency even as the tempest raged.

Figure 13 - At the core of Nexusguard's technology is an artificial intelligence trained with more that 15 years of real-world DDoS fighting experience and expertise. Today, the Nexusguard SMART engine detects and mitigates 90% of attacks automatically, allowing our specialists to focus their attention on complex and far from letheral attacks


But the most simple yet ingenious strategy in Nexusguard's playbook was the utilization of warzones. These strategic battlegrounds allowed for the effective distribution of the tempest's fury, preventing congestion and ensuring uninterrupted service. It was a daring strategy, a gambit that paid off as the fortress held strong.

But make no mistake, while the battle may have appeared straightforward, it was anything but. Nexusguard's Security Operations Center (SOC) was pushed to its limits, tirelessly fine-tuning routing policies to keep the storm at bay. It was a relentless struggle, a testament to the unyielding spirit of the defenders.

Conclusion: A Tale of Heroism in the Face of Unrelenting Adversity

In the annals of cybersecurity, this epic battle will be remembered as a defining moment. The e-commerce fortress, seemingly ordinary, became the epicenter of a storm of unparalleled magnitude. It was a reminder that in this digital age, the question is not if, but when the storm will come.


Blog visual 2023.10 14
Figure 14


Cybersecurity must remain a cornerstone of any business's continuity planning. The heroism displayed by Nexusguard and the fortress's defenders serves as a beacon of hope. In the face of unrelenting adversity, they stood strong, a testament to the indomitable human spirit.

The storm of the century had come and gone, but the fortress remained standing, a symbol of resilience in the face of turmoil. As the world grapples with an ever-evolving digital landscape, the saga of Nexusguard's heroic stand will forever inspire and remind us that even in the darkest of storms, there is hope, and there are heroes who will rise to the challenge.

For more details on Nexusguard’s suite of Anti-DDoS solutions, please click here, or click here to talk with one of our experts.

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.