Sometimes it's accidental (but probably not in this case).
One time a customer came to us and asked us to PenTest their server, checking it stands up to a DDoS. They said they owned the server and it was their network, so we said "we can run a small one for you which should give us an idea of some pain points".
We run the "mini" DDoS against the server, it takes a little more to sink the server than expected, but we just ramp up a few more connections and it is fine. We lift off on the test attack, but the customer site doesn't come back up. We contact them and they say they will contact the VPS host. *Heart-sinking moment*
We test other websites running on their cloud from a different connection - we had taken out their entire cloud infrastructure (this was a small provider). After a short while they were back up, but not before another few conversations with the customer. I really don't even want to know how badly positioned we were legally that day.
I won't forget having a pentester nmap a local network - it hard-locked every single phone handset corporation-wide. People had to walk around pulling the power out and putting it back in at every single desk in multiple buildings.
At one place I worked, we had a printer that would die whenever the PCI-DSS auditors would run a network scan.
There was a Windows vulnerability that came out in 2010-2011ish, when I was working there, that I had to deal with. I ran an nmap scan of the entire network looking for the bug, and accidentally BSOD'd half the office...
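The three stories above (handsets, the printer, half the office) all have the same shape: an internal sweep touching every host and port, which is about the loudest thing that can happen in a flow or firewall log. As an added example, not written by anyone in this thread, here is a small Python detector over constructed log lines that flags any source touching an unusually large number of distinct host:port:proto targets inside a sliding window. That is the signal to alert on, and it is also how you confirm a scan as the cause when devices start falling over. The log format, IPs and thresholds are all assumptions; real products lay fields out differently.

```python
"""Flag hosts that touch many distinct targets in a short window.

Added example, not from the thread. The log format below is constructed
(a simplified "<iso-timestamp> <src> <dst> <dst_port> <proto>" line).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, port, proto) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
            int(m["port"]), m["proto"])


def detect_scanners(lines, window_seconds=60, threshold=20):
    """Map each source to its peak count of distinct (dst, port, proto) targets
    seen within any window_seconds-long window, keeping only sources at or
    above threshold. A workstation talking to a handful of services stays far
    below the line; a sweep across a subnet blows past it."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            ts, src, dst, port, proto = ev
            by_src[src].append((ts, (dst, port, proto)))

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        counts = Counter()   # distinct targets currently inside the window
        left = 0
        peak = 0
        for ts, target in events:
            counts[target] += 1
            # Slide the left edge forward until the window fits.
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            findings[src] = peak
    return findings


def constructed_sample():
    """Constructed traffic: one normal workstation and one host sweeping two
    phone handsets across 30 ports each within 20 seconds."""
    base = datetime(2020, 6, 18, 10, 0, 0)
    lines = []
    for i, port in enumerate([443, 443, 53, 443, 80]):
        ts = (base + timedelta(seconds=i * 7)).isoformat()
        lines.append(f"{ts} 10.0.5.40 10.0.1.5 {port} tcp")
    for i, port in enumerate(range(1, 31)):
        ts = (base + timedelta(seconds=i % 20)).isoformat()
        lines.append(f"{ts} 10.0.5.23 10.0.9.101 {port} tcp")
        lines.append(f"{ts} 10.0.5.23 10.0.9.102 {port} tcp")
    lines.append("not a log line")  # malformed input is skipped, not fatal
    return lines


if __name__ == "__main__":
    for src, peak in detect_scanners(constructed_sample()).items():
        print(f"ALERT {src}: {peak} distinct targets inside one window")
```

The threshold is deliberately a parameter: on a flat network with chatty monitoring agents you raise it, on a segment full of VoIP handsets and printers that should only ever see a few ports, you lower it.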
Baddies will sometimes do big DDoSes of a public site to show off their botnet's capability. That clout is then used as proof to sell their service to customers. I could see this being an instance of such a thing.
I believe that sort of attack can't be achieved repeatedly. These attacks leave traces and clues behind them, and investigators are able to better pinpoint and protect for the next one. I heard they also can't be sustained for a long time.
I believe they are more like an attempt to discover limits in the network or some targeted systems. Some systems are also vulnerable while they reboot, so attackers only need a one-time reboot.
Not an authority or expert in any fields of discussion ITT
From what I've been told, you're right. DDoS attacks can routinely expose information through failure modes the ops team never prepared for. What happens when your failsafes fail? If they didn't test for it and put mitigations in place then it's rather likely that sensitive error messages or service details, or whatever, are being exposed over the wire. So AWS mitigated this attack. Does AWS know for a certainty that they revealed nothing sensitive in the process? Maybe, maybe not. If the attacker is good, and 2.3 Tbps is pretty fing good, then could the victim even be positioned to know what to look for? In uncharted territories the attacked is always down from the attacker.
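The "sensitive error messages over the wire" failure mode is easy to show in code. As an added example, not from the commenter above, here is the leaky handler beside a hardened one in plain Python with no framework: when the backend falls over under load, the first one hands the client the raw exception and stack trace (internal hostnames, ports, file paths), the second returns a generic message plus a correlation id and keeps the details in the server log. The service name, database hostname and error strings are constructed.

```python
"""Leaky vs. hardened error handling when a dependency fails under load.

Added example, not from the thread. Hostname, port and messages are constructed.
"""
import logging
import traceback
import uuid

log = logging.getLogger("orders")


class BackendUnavailable(Exception):
    pass


def query_orders(user_id):
    """Constructed dependency failure of the kind an overload triggers."""
    raise BackendUnavailable(
        "connection to db-orders-primary.internal.example:5432 refused (pool exhausted)"
    )


def handle_leaky(user_id):
    """The failure mode described above: the exception text and the stack trace
    are serialised straight into the response body."""
    try:
        return 200, {"orders": query_orders(user_id)}
    except Exception as exc:
        return 500, {"error": str(exc), "trace": traceback.format_exc()}


def handle_safe(user_id):
    """Hardened form: a fixed, generic message and a short correlation id go to
    the client; the full exception and stack stay in the server-side log, keyed
    by that id so support can still find it."""
    try:
        return 200, {"orders": query_orders(user_id)}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("request %s failed for user %r\n%s",
                  ref, user_id, traceback.format_exc())
        return 503, {"error": "service temporarily unavailable", "ref": ref}


# Strings that should never appear in anything sent to a client.
INTERNAL_MARKERS = ("internal.example", ":5432", "Traceback", 'File "')


def leaks_internals(body):
    """Cheap check you can run in a test suite against every error response."""
    text = " ".join(str(v) for v in body.values())
    return any(marker in text for marker in INTERNAL_MARKERS)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for handler in (handle_leaky, handle_safe):
        status, body = handler("user-42")
        print(handler.__name__, status, body, "LEAKS" if leaks_internals(body) else "clean")
```

The `leaks_internals` check is the part worth copying: a failure-injection test that kills the backend and asserts on every error body is how you find out before an attacker does what your service says when its failsafes fail.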
I heard they also can't be sustained for a long time.
That used to be the case, but with the popularity and widespread use of IoT devices it won't hold true for long. If you can hack home appliances you could hold an attack for hours, if not days.
Is there an economically positive criminal activity that involves DDoSing an AWS-hosted UDP service (probably video calls... probably like Zoom)?