The National Technology and Research Infrastructure Network lists the history of the attacks
In a statement on the attacks on the Theme Bank, the National Technology and Research Infrastructure Network (EDYTE S.A. – GRNET) sets out the history of the attacks and describes the protection provided by the AKAMAI platform.
The announcement states in detail:
“The platform trapeza.iep.edu.gr of the Institute of Educational Policy (IEP) is hosted in EDYTE infrastructures and is connected to the Internet through the EDYTE network. At the request of the IEP, actions were taken to deal with Distributed Denial of Service (DDoS) attacks in the morning hours of May 29 and 30, 2023.
Record: On Monday 29/5 widely dispersed systems in countries all over the world were creating excessive connections to the platform (TCP SYN flood, approximately 280,000 network packets per second) as well as large idle network traffic (UDP flood) up to 1.8 Gbps. These attacks were dealt with at 09:20.
On Tuesday 30/5 there was a multi-volume high-dispersion attack to the platform infrastructure (TCP SYN flood) with a rate of up to 5 million network packets per second. The attack was countered at 07:32. Then, the target of the attack was shifted to infrastructures of the Panhellenic School Network (PSD), but at 08:09 this was also dealt with. Then EDYTE’s partners helped to solve other issues that arose due to the attack on the application.
Regarding the protection provided by AKAMAI: The AKAMAI platform is designed to protect only the application, not the underlying infrastructure as falsely stated in publications. A DDoS attack can be carried out in different ways through the different layers of the internet protocol stack. Access to the application first goes from the Internet to the EDYTE network, then to the infrastructure and finally to the application.
The attacks on Monday 29/5 were mainly against the application and on Tuesday 30/5 against the infrastructure. As we mentioned, AKAMAI’s platform does not protect at the infrastructure level but at the application level. In order to protect the infrastructure, EDYTE engineers took relevant actions at the request of the administrators of the application.
Dealing with network attacks: Network-level attacks have been increasing globally in recent times. The web destination trapeza.iep.edu.gr that received the attacks is only one of hundreds of thousands of potential targets served through the EDYTE network. In any case, however, the specific attacks were successfully countered and, despite the truly unpleasant delays experienced, did not manage to prevent the operation of the Theme Bank application.
Attack Documentation: The publicly available graphs below (Figures 3 and 4) show the gradual and smooth increase in traffic on 5/31 and 6/1 where no attack was detected. The smooth motion gradually increases to a maximum during the day and gradually subsides. In contrast, in the morning hours of 5/29, malicious traffic is detected as a distinct peak earlier than the smooth peak of traffic. On 30/5 the increase due to malicious traffic clearly exceeds the total traffic of the EDYTE network to the Internet. In Figures 1 and 2, the attack can be seen focused as an increased processing rate of incoming network packets from the Internet at the nodes “EIE” and “COLETTI” respectively.
We note that the diagnosis of attacks is done through network monitoring tools and through protection tool reports and not just through publicly available data. The information that EDYTE has is clearly available in the criminal investigation being carried out on the case.
Clarifications in relation to legal network traffic: The rate of 280 thousand packets per second reported for Monday 5/29 corresponds to about 17 million connections per minute or 1 billion per hour.
On Tuesday 30/5, the respective processing rates of network packets, as can be seen indicatively from the graphs above, are 300 million per minute or 18 billion per hour.
These rates far exceed the reasonable requirements for the legitimate traffic of the applications involved in these attacks. We consider comments that suggest oversizing systems as a way to deal with DDoS attacks, or compare applications with different specifications, to be careless and misleading, especially when coming from representatives of the IT and communications sector.
General Comment: Directly or indirectly questioning the credibility of those responsible for diagnosing and responding to such malicious attacks, rather than condemning those who plan and execute them, we believe is counterproductive and risks encouraging rather than discouraging them by distracting the discussion.”
Source: Skai