20, Akamai mitigated one of the largest confirmed DDoS attacks of the year on our routed network. The attack targeted a European media organization and comprised six DDoS attack vectors: SYN, UDP fragment, PUSH, TCP, DNS, and UDP floods. It peaked at 363 Gbps and 57 Mpps.

The attack analysis identified a DNS reflection technique that abused a DNSSEC-configured domain. This attack technique generates an amplified response due to the requirements of DNSSEC. During the past few quarters, Akamai observed and mitigated a large number of DNS reflection and amplification DDoS attacks that abuse DNSSEC-configured domains. As with other DNS reflection attacks, malicious actors continued to use open DNS resolvers for their own purposes, effectively using these resolvers as a shared botnet.

The source domain was observed in DDoS attacks against customers in multiple industries. It was likely the work of malicious actors making use of a DDoS-for-hire service with purchased virtual private server (VPS) services, public proxies, and legacy botnets. It appeared to have the ability to launch multiple simultaneous attack vectors, such as the ones used in this attack.

Part of the SYN flood matched a signature from the Kaiten std botnet. Akamai SIRT has been investigating a malware variant of Kaiten std that specifically targets networking devices used in small-office and home-office (SOHO) environments and Internet of Things (IoT) devices. The malware has an extensive list of attack vectors and the capability to execute arbitrary commands and take full control of an infected system. The Kaiten std malware is packed with a custom packer/encoder to hinder analysis. It is compiled to run on multiple architectures (MIPS, ARM, PowerPC, x86, x86_64) and uses a custom Internet Relay Chat (IRC)-like communication protocol for command and control (C2) communications.
The UDP flood could also have been generated by the Kaiten std botnet, a similar variant, or an entirely different botnet. The payload was too generic to draw a strong conclusion. This SYN flood can be identified by the length of its TCP headers and options.
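
One way to act on that last observation, as an added example (not from the report or from Akamai tooling): profile pure SYN segments by TCP header length and option layout, and report any single profile that dominates a capture. The sample segments and the `build` helper are constructed, and the bare 20-byte profile is a stand-in, since the report does not state the signature's actual values.

```python
import struct
from collections import Counter

SYN, ACK = 0x002, 0x010

def parse_tcp(segment):
    """Return (flags, header_len, option_kinds), or None if malformed."""
    if len(segment) < 20:
        return None
    off_flags = struct.unpack("!H", segment[12:14])[0]
    header_len, flags = (off_flags >> 12) * 4, off_flags & 0x01FF
    if header_len < 20 or header_len > len(segment):
        return None
    kinds, opts, i = [], segment[20:header_len], 0
    while i < len(opts) and opts[i] != 0:      # kind 0 = end of option list
        if opts[i] == 1:                       # kind 1 = NOP, one byte, no length
            kinds.append(1)
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                        # truncated or bogus option length
        kinds.append(opts[i])
        i += opts[i + 1]
    return flags, header_len, tuple(kinds)

def syn_profile(segments):
    """Count pure SYN segments by (header length, option kinds in order)."""
    counts = Counter()
    for seg in segments:
        parsed = parse_tcp(seg)
        if parsed and (parsed[0] & (SYN | ACK)) == SYN:
            counts[parsed[1:]] += 1
    return counts

def dominant(counts, threshold=0.8):
    """Return the profile carrying >= threshold of all SYNs, else None."""
    total = sum(counts.values())
    if total == 0:
        return None
    profile, n = counts.most_common(1)[0]
    return profile if n / total >= threshold else None

def build(flags, options=b"", sport=40000):
    """Constructed sample segment: 20-byte header plus 4-byte-aligned options."""
    off = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", sport, 80, 1, 0, (off << 12) | flags, 65535, 0, 0) + options

# Constructed data: MSS, SACK-permitted, timestamps, NOP, window scale (20 bytes).
CLIENT_OPTS = bytes.fromhex("020405b4" + "0402" + "080a" + "00" * 8 + "01" + "030307")
SAMPLE = [build(SYN, sport=1024 + i) for i in range(9)] + [build(SYN, CLIENT_OPTS), build(SYN | ACK, CLIENT_OPTS)]
print(dominant(syn_profile(SAMPLE)))
```

A dominant profile is only a starting point for a filter: legitimate clients behind the same operating system share option layouts, so compare it against a baseline of normal traffic before acting on it.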