Effects of the DDoS Attack on the RIPE NCC
27 February 2003, last updated 5 March 2003
James Aldridge, Andrei Robashevsky, Henk Uijterwaal, Arife Vural and René Wilhelm
New Projects Group / RIPE NCC
Introduction
Starting from 14:00 UTC Thursday 27 February, the RIPE NCC network
suffered a large DDoS attack. It was a distributed ICMP echo attack.
The attack caused various congestion-related problems for the RIPE
NCC's network, to the extent that our BGP peering sessions were affected
and non-ICMP traffic was being randomly dropped.
The attack was successfully mitigated with the cooperation of our peer
networks at AMS-IX. Network conditions returned to normal the same day
at 16:30 UTC.
As a result, some of our services, including www.ripe.net (web),
whois.ripe.net (RIPE Database), ns.ripe.net (DNS) and ftp.ripe.net (FTP)
were not accessible during this timeframe. All services are now back to
normal.
Effects seen by the measurement projects at the RIPE NCC
The test-boxes installed for the TTM service noticed the attack through
their delay-based alarm within ten minutes after it started. An alarm
based on loss, which is not in production yet, would have fired within
five minutes after the start of the attack. Figures 1 and 2 are
two examples of network delays and losses during the attack. As can be
seen in the top left plot, delays went up during the attack, and, as is
shown in the bottom left plot, the fraction of packets that arrived went
down to 10% or less. In other words, packet loss was 90% or more. When
the attack was diverted, service levels returned to normal, as can be seen
from the plots.
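The following is an added example, not RIPE NCC's TTM code and not taken from the original report: a minimal loss-based and delay-based alarm run over constructed per-minute measurements for one test-box pair. The bin layout, thresholds, function names and all sample data are assumptions made for illustration; the baseline assumes the first ten measured bins precede the attack.

```python
from statistics import median

ATTACK_START = 10  # constructed: first congested minute

def make_bins():
    """Constructed per-minute bins for one test-box pair:
    (minute, probes_sent, delays_ms_of_probes_that_arrived)."""
    bins = []
    for m in range(25):
        if m < ATTACK_START:
            bins.append((m, 60, [20.0 + m % 3] * 60))
        elif m == 13:
            bins.append((m, 60, []))                     # nothing arrived at all
        else:
            delay = 20.0 + 15.0 * min(m - 9, 8)          # queues build up
            bins.append((m, 60, [delay] * 6))            # 10% of probes arrive
    return bins

def loss_alarm(bins, min_arrival=0.5, consecutive=3):
    """First minute at which the arrived fraction has been below
    min_arrival for `consecutive` bins in a row, else None."""
    run = 0
    for minute, sent, delays in bins:
        low = sent > 0 and len(delays) / sent < min_arrival
        run = run + 1 if low else 0
        if run >= consecutive:
            return minute
    return None

def delay_alarm(bins, baseline_bins=10, factor=3.0, consecutive=3):
    """First minute at which the median delay has exceeded factor x baseline
    for `consecutive` measured bins in a row, else None."""
    medians = [(m, median(d)) for m, _, d in bins if d]  # empty bins have no delay
    baseline = median(v for _, v in medians[:baseline_bins])
    run = 0
    for minute, value in medians[baseline_bins:]:
        run = run + 1 if value > factor * baseline else 0
        if run >= consecutive:
            return minute
    return None

if __name__ == "__main__":
    bins = make_bins()
    print("loss alarm at minute", loss_alarm(bins))
    print("delay alarm at minute", delay_alarm(bins))
```

In this constructed data set the minute with no arrivals yields no delay sample, so it can only contribute to the loss alarm.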
An interesting effect is that for a few paths (figures 3 and 4), the attack caused BGP to select better routes
between sites in Ireland (tt25) and London (LINX, tt26). The Irish path
flapped back to the original path the next day.
In the other measurement relations, we see the delays (figure 5) for box 56 (Estonia) to other boxes
go up at exactly the same time that the attack started, then go down again
around the time RIPE NCC Operations had inserted black-hole routes for
toybox.ripe.net. Most striking is the delay between tt56 (Tallinn,
Estonia) and tt34 (Helsinki, FI).
RIS BGP data shows a lot of activity for the nearby RRCs (figure 6) and
very little for the ones far away (figure 7, San Jose, Tokyo). This is as
expected. At no time was the RIPE NCC prefix invisible.