How UCloud Defeated a 1.2 Tbps DDoS Assault: Insights & Defense Strategies

This article examines a recent 1.2 Tbps DDoS assault on a major UCloud client, detailing the attack timeline, mixed flood and connection‑exhaustion techniques, geographic and device source distribution, and UCloud’s comprehensive mitigation strategies and best‑practice recommendations for robust information security.

UCloud Tech

Introduction

Since the 1.35 Tbps attack on GitHub in 2018, Tb‑level DDoS attacks have become increasingly common with the rise of IoT and smart devices. Recently, UCloud’s security team helped a client fend off multiple 1.2 Tbps attacks, and this article reviews and analyzes the incident.

Event Review

From 10:56:32 to 11:49:06 on December 2, the client experienced a 159 GB DDoS wave, which was initially dismissed as routine. A second 361 GB wave (11:54:41‑12:11:30) raised alarms, followed by a massive 1.16 Tbps attack at 12:56:51, indicating that Tb‑scale attacks have become normalized.

Attack Analysis

The attack employed a complex mix of methods, with hybrid attacks accounting for 66% of the total, including various flood attacks, reflection attacks, TCP‑level connection exhaustion, and HTTP‑level connection exhaustion.

[Figures from the original, not reproduced here: attack types; attack type distribution; duration and peak traffic distribution; top 10 abnormal types.]

Attack Source Distribution

Domestic traffic accounted for 68.1% of the attack, with the remaining 31.9% originating overseas. The top ten source countries are shown in the original figure (not reproduced here).

Within China, the leading provinces were Shandong (14.6%), Jiangsu (13.9%), Yunnan (13.7%) and Zhejiang (13.6%). The top ten domestic provinces are likewise shown in the original figure.

Regarding source device types, personal PCs contributed 47%, IDC servers 32%, and IoT devices 21%, highlighting the growing security risk of compromised IoT equipment.

These findings demonstrate that Tb‑scale attacks are increasingly easy to launch and are often combined with connection‑exhaustion techniques, complicating defense.
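An added example, not UCloud's code, of the monitoring logic the timeline above argues for: group consecutive above-threshold seconds into waves, label each wave as volumetric, connection-exhaustion or hybrid, and flag a run of growing peaks so that a second, larger wave is escalated rather than dismissed. The per-second counters and the thresholds (50 Gbit/s, 5000 new connections/s) are constructed assumptions, only loosely shaped like the three waves described in the event review.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: int          # seconds since the start of the monitoring window
    gbps: float     # inbound traffic in Gbit/s
    new_conns: int  # new TCP/HTTP connections opened during this second

@dataclass
class Wave:
    start: int
    end: int
    peak_gbps: float
    peak_conns: int
    kind: str = "none"

def classify(peak_gbps, peak_conns, gbps_thresh, conn_thresh):
    """Label a wave by which thresholds its peak crossed: bandwidth, connection rate, or both."""
    vol, exh = peak_gbps >= gbps_thresh, peak_conns >= conn_thresh
    return "hybrid" if vol and exh else "volumetric" if vol else "connection-exhaustion" if exh else "none"

def detect_waves(samples, gbps_thresh, conn_thresh):
    """Group consecutive above-threshold seconds into waves and classify each one."""
    waves, cur = [], None
    for s in sorted(samples, key=lambda x: x.t) + [Sample(-1, 0.0, 0)]:  # sentinel closes a trailing wave
        if s.gbps >= gbps_thresh or s.new_conns >= conn_thresh:
            if cur is None:
                cur = Wave(s.t, s.t, s.gbps, s.new_conns)
            else:
                cur.end, cur.peak_gbps = s.t, max(cur.peak_gbps, s.gbps)
                cur.peak_conns = max(cur.peak_conns, s.new_conns)
        elif cur is not None:
            cur.kind = classify(cur.peak_gbps, cur.peak_conns, gbps_thresh, conn_thresh)
            waves.append(cur)
            cur = None
    return waves

def escalating(waves):
    """True when every wave peaks higher than the one before: treat the sequence as a ramp-up, not noise."""
    return len(waves) >= 2 and all(b.peak_gbps > a.peak_gbps for a, b in zip(waves, waves[1:]))

# Constructed per-second counters (not real telemetry), loosely shaped like the three waves above:
# ~2 Gbit/s baseline, then ~159 Gbit/s, ~361 Gbit/s with a connection surge, then ~1160 Gbit/s.
SAMPLES = [Sample(t, 2.0, 200) for t in range(90)]
for t in range(10, 20): SAMPLES[t] = Sample(t, 159.0, 300)
for t in range(30, 45): SAMPLES[t] = Sample(t, 361.0, 20000)
for t in range(60, 70): SAMPLES[t] = Sample(t, 1160.0, 400)

WAVES = detect_waves(SAMPLES, gbps_thresh=50.0, conn_thresh=5000)
print([(w.start, w.end, w.peak_gbps, w.kind) for w in WAVES], "escalating:", escalating(WAVES))
```

Thresholds in practice come from the baseline for the specific service; the classification is only as good as the counters feeding it, so connection-rate data must come from the edge that actually terminates TCP.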

Defense Recommendations

UCloud advises vendors, developers, and operators to take the following pre‑emptive steps:

Assess Attack Risk – Tailor mitigation plans to business characteristics and historical attack data, deciding when high‑availability protection is required.

Hide Origin Servers – Put the protection service on a fresh IP and never expose the real server IP, audit business logic, and run security scans to catch backdoors.

Customize Protection Strategies – Reduce the attack surface by limiting unnecessary protocols and ports, configure CC (HTTP-flood) protection, and work with providers to analyze traffic and build private-protocol defenses against TCP connection exhaustion.

Conclusion

DDoS remains a low‑skill, high‑impact attack method that can cripple services at low cost. Its prevalence is driven by illicit profit motives, leading to continual technique upgrades. We recommend early risk assessment, choosing a trustworthy cloud provider, purchasing high‑defense services when needed, and collaborating closely with experts to design deep, customized protection plans.

Tags: network security, DDoS, traffic analysis, cloud protection, IoT security

Written by UCloud Tech

UCloud is a leading neutral cloud provider in China, developing its own IaaS, PaaS, AI service platform, and big data exchange platform, and delivering comprehensive industry solutions for public, private, hybrid, and dedicated clouds.
