The Attack That Taught Us Everything
In November 2025 we took our biggest DDoS hit to date. Zero downtime. Here's the full breakdown.
At around 03:40 UTC on November 14th, our network monitoring flagged an anomaly. Inbound traffic on one of our transit uplinks had spiked from a typical background noise of around 200 Mbps to just under 180 Gbps in the space of about 90 seconds. That's not a typo. A 900x traffic spike in a minute and a half.
This was a volumetric UDP flood — specifically a DNS amplification attack leveraging open resolvers. Whoever launched it knew what they were doing. The attack was distributed across thousands of source IPs, with spoofed origins spread across multiple ASNs, which makes simple IP-based blocking largely useless.
Our upstream mitigation kicked in at the BGP level within the first 30 seconds. Traffic destined for the targeted IP range was rerouted through our scrubbing infrastructure before it ever reached our physical hardware. The scrubbing layer inspects packet headers, applies rate limiting based on traffic fingerprints, and drops anything that matches the attack signature while continuing to pass legitimate traffic through.
The challenge with DNS amplification specifically is that the attack traffic looks a lot like real DNS responses — you can't just drop all UDP/53 without killing legitimate name resolution. Our mitigation layer handles this by tracking request-response ratios per source. If a source is sending responses without prior requests, it's noise. That traffic gets dropped. Legitimate DNS traffic, which has a traceable request origin, passes through cleanly.
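A minimal model of the request/response tracking described above, as an added example (not the scrubbing layer's actual code): an inbound UDP/53 response passes only if it matches a recorded outbound query, and a per-source ratio exposes resolvers that answer questions nobody asked. The class and function names, the 5-second timeout, matching on port and transaction ID, and the sample traffic are all assumptions; addresses come from the RFC 5737 documentation ranges.

```python
class DnsResponseFilter:
    """Pass an inbound UDP/53 response only if it answers a query we saw leave."""
    def __init__(self, ttl=5.0):  # ttl: seconds a query stays answerable (assumed)
        self.ttl = ttl
        self.pending = {}  # (resolver, client, port, txid) -> time the query left
        self.stats = {}    # resolver -> [requests sent to it, responses seen from it]

    def on_query(self, now, client, port, resolver, txid):
        """Record an outbound query from a protected host."""
        self.pending[(resolver, client, port, txid)] = now
        self.stats.setdefault(resolver, [0, 0])[0] += 1

    def on_response(self, now, client, port, resolver, txid):
        """Return True to pass the response, False to drop it."""
        self.stats.setdefault(resolver, [0, 0])[1] += 1
        sent = self.pending.pop((resolver, client, port, txid), None)
        return sent is not None and now - sent <= self.ttl

    def ratio(self, resolver):
        """Responses per request for one source; inf means it was never queried."""
        req, resp = self.stats.get(resolver, (0, 0))
        return resp / req if req else float("inf")

    def expire(self, now):
        """Evict unanswered queries so the state table stays bounded."""
        before = len(self.pending)
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.ttl}
        return before - len(self.pending)

def replay(events, flt):
    """Feed (time, kind, client, port, resolver, txid) events; return response verdicts."""
    verdicts = []
    for now, kind, *flow in events:
        if kind == "query":
            flt.on_query(now, *flow)
        else:
            verdicts.append(flt.on_response(now, *flow))
    return verdicts

# Constructed sample traffic (documentation addresses, not data from the incident).
SAMPLE = [
    (0.00, "query",    "192.0.2.10", 40001, "198.51.100.53", 0x1A2B),
    (0.02, "response", "192.0.2.10", 40001, "198.51.100.53", 0x1A2B),  # solicited
    (0.03, "response", "192.0.2.10", 40001, "198.51.100.53", 0x1A2B),  # duplicate
    (0.05, "response", "192.0.2.10", 53124, "203.0.113.7",   0x0000),  # never queried
    (1.00, "query",    "192.0.2.10", 40002, "198.51.100.53", 0x3C4D),
    (9.00, "response", "192.0.2.10", 40002, "198.51.100.53", 0x3C4D),  # past ttl
]
```

Only the first response in the sample passes. The duplicate and the late answer show why a bare per-source allowlist is weaker than matching each response to a live query.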
Essentially nothing. Game servers stayed online throughout. The scrubbing overhead added a small amount of latency — we measured an increase of roughly 2–4ms during peak scrubbing — but no connections dropped, no servers went unreachable, and no player sessions were interrupted. We had a handful of customers contact support the next morning because they'd seen the status page update and wanted to know what happened. That's the ideal outcome.
Even though the mitigation worked, we did a full post-mortem. A few things came out of it:
The November attack was the largest we'd seen up to that point. It won't be the last. But the infrastructure held, and that's what matters.