Moobot vs. Gatebot: Cloudflare Automatically Blocks Botnet DDoS Attack Topping At 654 Gbps
On July 3, Cloudflare's global DDoS protection system, Gatebot, detected and mitigated a UDP-based DDoS attack that peaked at 654 Gbps. The attack was part of a ten-day multi-vector campaign targeting a Magic Transit customer and is believed to have been generated by Moobot, a Mirai-based botnet. Over 5,000 DDoS attacks were mitigated against this one customer during the campaign, mainly UDP floods, SYN floods, ACK floods, and GRE floods.
The largest attack was a UDP flood that targeted only one IP address but hit multiple ports. It originated from 18,705 unique IP addresses, each believed to be a Moobot-infected IoT device. The attack traffic was observed in Cloudflare's data centers in 100 countries around the world, with approximately 89% of the attack traffic originating from just 10 countries.
Moobot is a self-propagating Mirai-based malware that infects IoT devices using remotely exploitable vulnerabilities or weak default passwords. Once a device is infected by Moobot, control of the device passes to the operator of the command and control (C2) server, who can remotely issue commands such as attacking a target or locating additional vulnerable IoT devices to infect (self-propagation).
The attack did not succeed because Cloudflare's global network capacity is over 42 Tbps and growing, and because Cloudflare uses Anycast for inter-data center load balancing and Unimog for intra-data center load balancing. Various forms of traffic engineering were also used to deal with sudden changes in traffic load across its network. Cloudflare's three software-defined DDoS protection systems, Gatebot, dosd (denial of service daemon), and flowtrackd (flow tracking daemon), collect traffic samples in order to detect DDoS attacks and generate mitigation rules with dynamically crafted attack signatures.
In the case of this attack, more than 65 Terabytes of attack traffic were generated by the botnet, but as part of Cloudflare's unmetered DDoS protection guarantee, Cloudflare mitigated and absorbed the attack traffic without billing the customer.
Company: Cloudflare
Date published: Sept. 16, 2020
Author(s): Omer Yoachimik
Word count: 1442
Hacker News points: 12
Language: English