I was looking at IX.br (Brazil's Internet exchange point website) today, out of curiosity, and saw this massive peak in today's traffic. Not being a professional, but very curious, I kinda wonder: was this a short-lived DDoS or a possible massive data transfer between datacenters?

 

I'm not entirely sure if data centers exchange large volumes of data through the same cables as everyone else, or if they have dedicated ones between large data centers so as not to affect user traffic (something like Google's subsea cables?), but if they do, is that what this kind of transfer looks like?

https://linustechtips.com/topic/1584264-ddos-or-massive-data-transfer/

Given the magnitude of the spike (6.21 Pbps or 776 TB/s) it seems unlikely this was a single source transfer of some kind. Is there a way to zoom in and see this in more detail? This is likely a cumulative value and the actual transfer might've had a lower rate over a longer period of time.

 

It would probably also be a good idea to look at the data of multiple days or weeks, to check whether this is a regular occurrence at this time of day or not.


6 minutes ago, Eigenvektor said:

Given the magnitude of the spike (6.21 Pbps or 776 TB/s) it seems unlikely this was a single source transfer of some kind. Is there a way to zoom in and see this in more detail? This is likely a cumulative value and the actual transfer might've had a lower rate over a longer period of time.

 

It would probably also be a good idea to look at the data of multiple days or weeks, to check whether this is a regular occurrence at this time of day or not.

Unfortunately I can't zoom in, as the whole thing is an image.

But it did happen within a 3h span it seems, and it's not a normal occurrence looking at the monthly graph:

https://ix.br/agregado/


9 minutes ago, peq42 said:

Looking at the monthly and yearly graphs, this certainly looks like some form of attack, unless they were testing some extremely high-performance equipment.

 

It's unlikely a single source could do this, so yeah likely a DDoS.


Coincidentally, Cloudflare is reporting that they've mitigated a similarly sized attack, but they aren't giving any details yet. Speculation after this point: there are a few actors that might be capable of producing traffic of this magnitude (a well-known one has been dubbed the Great Cannon of China); it is possible, or even likely considering the magnitude, that one or more of these actors are conducting a wave of attacks. More actual news will likely be released today.

 

A months-long attack campaign, actually.


18 hours ago, peq42 said:

Unfortunately I can't zoom in, as the whole thing is an image.

But it did happen within a 3h span it seems, and it's not a normal occurrence looking at the monthly graph:

 

https://ix.br/agregado/

Going off just the images in the thread: there is a single-interval Pbps spike in a 24h graph that is nonexistent in the same graph shifted -4h, and it is a major outlier far exceeding the highest recorded DDoS. That just looks like an artifact in what the NMS is calculating.

 

I see this occasionally with certain NMSes, depending on how they store the values in the DB/RRD, how (or if) they filter integer overflow, or how the value is calculated for an interval with delay.

 

An NMS uses SNMP to poll specific object values (OIDs) in a device's database (MIB) at set intervals and records the timestamp/value, in this case a 64-bit total octets/bytes counter. Depending on how it's configured, the NMS may run the value through some calculations and store that, or just store it as is. But in either case, if the value overflowed or the device reset it, the NMS needs to account for that and filter it properly.

 

When the NMS is queried, it will attempt to return values that fit within the requested interval. In rare cases, on interval boundaries, this calculation can result in a value much larger than it actually is, and you will see these massive spikes, which are usually in the Pbps range. Not a big issue, but it happens from time to time. It's usually resolved over time, when the NMS moves the values to the RRD for long-term storage.

 

So no, from experience my guess is that it was not a DDoS, just an anomaly.

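The counter-handling failure the post above describes, as an added illustration (this is not code from the thread, from IX.br's NMS, or from any real poller): a small poller that turns two successive SNMP octet-counter samples into a bit rate. The naive version treats every backwards step as a counter wrap and adds the modulus back, which on a Counter64 turns a device reset into a delta of roughly 1.8e19 octets, i.e. hundreds of Pbps for one 5-minute interval. The robust version distinguishes a Counter32 wrap from a Counter64 reset, rejects non-increasing timestamps from delayed or duplicate polls, and discards any rate that exceeds the port's ifHighSpeed. All sample timestamps and counter values are constructed, and the 100G port is an assumption.

```python
"""Rate calculation from polled SNMP octet counters, showing how a counter
reset mishandled as a 64-bit wrap becomes a Pbps spike.

Added illustration; not code from IX.br's NMS or any real poller. All values
in SAMPLES are constructed, and the 100G port (ifHighSpeed = 100000 Mbps) is
an assumption.
"""

COUNTER_BITS = 64                       # ifHCInOctets is a Counter64
IF_HIGH_SPEED_MBPS = 100_000            # assumed ifHighSpeed of one 100G port
LINK_BPS = IF_HIGH_SPEED_MBPS * 1_000_000

# (poll time in seconds, raw counter value). Constructed: a steady ~60 Gbps
# port polled every 300 s, whose counter restarts after a reboot at t=900.
SAMPLES = [
    (0,    9_000_000_000_000),
    (300, 11_250_000_000_000),
    (600, 13_500_000_000_000),
    (900,      1_000_000_000),          # device reset: counter went backwards
    (1200, 2_251_000_000_000),
]


def bps_naive(prev, cur, bits=COUNTER_BITS):
    """Poller shortcut: any negative delta is assumed to be a counter wrap and
    the modulus is added back. For a Counter64 that turns a reset into a
    ~1.8e19-octet delta, i.e. hundreds of Pbps over a 300 s interval."""
    (t0, c0), (t1, c1) = prev, cur
    delta = c1 - c0
    if delta < 0:
        delta += 1 << bits
    return delta * 8 / (t1 - t0)


def bps_robust(prev, cur, bits=COUNTER_BITS, link_bps=LINK_BPS, headroom=1.1):
    """Return (bps, note). bps is None when the interval must be discarded,
    and note says why; otherwise note is None."""
    (t0, c0), (t1, c1) = prev, cur
    dt = t1 - t0
    if dt <= 0:
        # A delayed or retried poll stored with a stale timestamp: no interval.
        return None, "non-increasing timestamp: delayed or duplicate poll"
    delta = c1 - c0
    if delta < 0:
        if bits == 32:
            # Counter32 wraps routinely on fast links (every ~34 s at 1 Gbps),
            # so a backwards step is a wrap unless the capacity check below fails.
            delta += 1 << 32
        else:
            # A Counter64 cannot realistically wrap between two polls
            # (decades at 100 Gbps); a backwards step means the device reset.
            return None, "Counter64 went backwards: device reset, not a wrap"
    bps = delta * 8 / dt
    if bps > link_bps * headroom:
        # Physically impossible for this port: an artifact, never plot it.
        return None, f"{bps:.3e} bps exceeds link capacity: artifact, discarded"
    return bps, None


def series(samples, calc=bps_robust):
    """Per-interval results for consecutive samples."""
    return [calc(a, b) for a, b in zip(samples, samples[1:])]


if __name__ == "__main__":
    for (a, b), naive, robust in zip(zip(SAMPLES, SAMPLES[1:]),
                                     series(SAMPLES, bps_naive),
                                     series(SAMPLES)):
        print(f"t={a[0]:>4}-{b[0]:<4}  naive={naive:.3e} bps  robust={robust}")
```

The capacity check is the cheap filter that would have caught the graph in this thread: a per-port rate above ifHighSpeed (plus a small headroom for clock jitter) cannot be real traffic, so it should be dropped rather than aggregated into the exchange-wide total where a single bad interval shows up as a Pbps spike.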
