Cybersecurity best practices and DDoS defence strategies
Owing to their large attack surface, ASN-level CSPs are the most exposed to the rising risk of DDoS attacks. While DDoS attacks are nothing new, different techniques can be combined to achieve the denial-of-service effect in an increasingly stealthy yet more cost-effective way.
In the third quarter we identified a new, sneaky tactic whereby attackers contaminated a diverse pool of IP addresses across hundreds of IP prefixes (at least 159 ASNs and 527 Class C networks in our findings) with small-sized junk traffic. As a consequence, both the maximum and average attack sizes fell measurably from the same period a year ago.
| Item | Finding |
| --- | --- |
| Targeted ASNs | 159 |
| Attack types | DNS amplification attack, SSDP attack, CHARGEN and NTP amplification attack |
| Targeted geolocations | Attacks tended to target resources physically located within the same geolocation |
| Total IP prefixes (at least Class C network) under attack | 527 |

No. of IP prefixes in the same ASNs in the same attack campaigns (top 10):

| Rank | ASN sector | IP prefixes |
| --- | --- | --- |
| 1 | ISP/Telecommunication | 38 |
| 2 | ISP/Telecommunication | 38 |
| 3 | ISP/Telecommunication | 38 |
| 4 | Datacenter and IP transit | 28 |
| 5 | Datacenter and IP transit | 26 |
| 6 | Datacenter and IP transit | 24 |
| 7 | Datacenter and IP transit | 21 |
| 8 | Datacenter and IP transit | 21 |
| 9 | Datacenter and IP transit | 19 |
| 10 | Datacenter and IP transit | 19 |

| Metric | Maximum | Minimum | Average |
| --- | --- | --- | --- |
| No. of targeted IP addresses per IP prefix | 252 | 49 | 131 |
| Attack duration | 1439.67 mins | 5.12 mins | 113.81 mins |
| Attack size per IP | 300.1 Mbps | 2.5 Mbps | 33.2 Mbps |
| Attack size per IP prefix | 5.32 Gbps | 285.4 Mbps | 2.48 Gbps |
Like the meticulous way ancient Mongol troops planned and executed battles, attackers carried out a classic “reconnaissance” mission to map the target CSP’s network landscape and identify all mission-critical IP ranges. In the past, by contrast, attackers mainly zeroed in on a smaller number of high-traffic IP prefixes to cause traffic congestion.
The attackers then injected pieces of small-sized junk traffic into legitimate traffic across a diverse pool of IP addresses spanning multiple IP prefixes. Because the attack traffic hidden in the legitimate traffic of each individual IP is very small and well below detection thresholds, it easily bypasses detection.
As opposed to handling traffic to a small number of victim IPs, mitigating vastly distributed small-sized attack traffic is very difficult at the CSP level. The convergence of polluted traffic that has slipped through the “clean pipes” of upstream ISPs forms a massive traffic flow that easily exceeds the capacity of the mitigation device, leading to high latency at best or deadlock at worst. Blackholing all traffic to an entire IP prefix appears to be a way out, yet the obvious downside is that it also blocks legitimate users from a wide range of services.
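The evasion described above is a thresholding blind spot: no single destination IP crosses a per-IP alarm level, but the prefix as a whole does. As an added example (not Nexusguard's code or any product's detection logic), the Python below contrasts per-IP detection with per-/24 aggregation over a constructed sample built from the report's averages (131 targeted IPs in one prefix at roughly 33 Mbps each); the alarm thresholds and the documentation-range addresses are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: per-destination-IP traffic rates (Mbps) observed in one
# measurement window. 203.0.113.0/24 receives 131 IPs x 33.2 Mbps of junk,
# mirroring the report's averages; 198.51.100.0/24 carries ordinary traffic.
def make_sample_flows():
    flows = {}
    for host in range(1, 132):            # 131 targeted IPs in a single /24
        flows[f"203.0.113.{host}"] = 33.2
    flows["198.51.100.10"] = 120.0        # busy but legitimate server
    flows["198.51.100.11"] = 8.0
    return flows

PER_IP_THRESHOLD_MBPS = 500.0       # hypothetical per-destination alarm level
PER_PREFIX_THRESHOLD_MBPS = 1000.0  # hypothetical aggregate per-/24 alarm level

def per_ip_alerts(flows, threshold=PER_IP_THRESHOLD_MBPS):
    """Classic per-destination detection: every IP is judged on its own rate."""
    return sorted(ip for ip, mbps in flows.items() if mbps > threshold)

def per_prefix_alerts(flows, prefix_len=24, threshold=PER_PREFIX_THRESHOLD_MBPS):
    """Aggregate rates per /prefix_len before comparing against a threshold.
    Returns {prefix: (total_mbps, targeted_ip_count)} for prefixes over it."""
    totals = defaultdict(float)
    counts = defaultdict(int)
    for ip, mbps in flows.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        totals[net] += mbps
        counts[net] += 1
    return {str(net): (round(totals[net], 1), counts[net])
            for net in totals if totals[net] > threshold}

if __name__ == "__main__":
    flows = make_sample_flows()
    # Per-IP view sees nothing; the /24 view shows ~4.3 Gbps hitting one prefix.
    print("per-IP alerts:", per_ip_alerts(flows))
    print("per-/24 alerts:", per_prefix_alerts(flows))
```

Aggregating at /16 or per ASN instead of /24 exposes the same campaign across several prefixes of one operator, which is where the report's "same ASN, same campaign" counts come from.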
We also noticed that the attackers behind the “bit-and-piece” attacks had leveraged open DNS resolvers to launch what is commonly known as DNS amplification. Because the destination (victim) IPs to which the abused DNS resolvers send (reflect) responses are highly diversified, each destination IP receives only a small number of responses in each well-organized campaign, leaving little or no trace. As such, mitigating DNS amplification attacks carried out this way will become much more difficult down the line.
At the end of the day, the continued evolution of DDoS trends suggests that CSPs must find ways to better protect their critical network infrastructure and tenants while enhancing their network’s security posture. The continued discovery of new attack patterns also reminds enterprises of the importance of selecting DDoS-proof service providers wherever possible.
Attackers preyed on the large attack surface of ASN-level communications service providers with a ‘bit-and-piece’ approach