<img alt="" src="https://secure.leadforensics.com/89462.png" style="display:none;">

Nexusguard Blog

Cybersecurity best practices and DDoS defence strategies

Latest Stories

Featured Stories

Blog Home
Nexusguard Research
By
January 03, 2019

Little droplets form roaring ocean

  DDoS

Owing to their large attack surface, ASN-level CSPs  are exposed most to the rising risk of DDoS attacks. While DDoS attack is nothing new, different techniques can be combined to achieve the denial of service effect in an increasingly stealthy and yet more cost-effective way.


In the third quarter we identified a new, sneaky tactic whereby attackers contaminated a diverse pool of IP addresses across hundreds of IP prefixes (at least 159 ASN, 527 class C networks from our findings) with small-sized junk traffic. As a consequence, both the maximum and average attack sizes fell measurably from the same period a year ago.

  

Targeted ASNs

159

Attack types

DNS amplification attack, SSDP attack, CHARGEN and NTP amplification attack

Targeted geolocations

Attacks tended to target resources physically located within the same geolocation  

Total IP prefixes (at least Class C network) under attack

527

No. of IP prefixes in the same ASNs in the same attack campaigns (top 10)

1. ISP/Telecommunication

38

2. ISP/Telecommunication

38

3. ISP/Telecommunication

38

4. Datacenter and IP transit

28

5. Datacenter and IP transit

26

6. Datacenter and IP transit

24

7. Datacenter and IP transit

21

8. Datacenter and IP transit

21

9. Datacenter and IP transit

19

10. Datacenter and IP transit

19

No. of targeted IP addresses per IP prefix

Maximum

252

Minimum

49

Average

131

Attack duration

Maximum

1439.67 mins

Minimum

5.12 mins

Average

113.81 mins

Attack size per IP

Maximum

300.1 Mbps

Minimum

2.5 Mbps

Average

33.2 Mbps

Attack size per IP prefix

Maximum

5.32 Gbps

Minimum

285.4 Mbps

Average

2.48 Gbps


Like the meticulous way ancient Mongol troops planned and executed battles, attackers carried out a classic “reconnaissance” mission to map the target CSP’s network landscape to identify all mission-critical IP ranges. Whereas in the past, attackers mainly zeroed in on a smaller number of high-traffic IP prefixes to cause traffic congestion.

 

blog-graphic_image01

Then, the attacker injects pieces of small-sized junk traffic into legitimate traffic across a diverse pool of IP addresses across multiple IP prefixes. Because the size of attack traffic hidden in legitimate traffic within the space of each IP is very small and is well below detection thresholds, they can easily bypass detection.

 

As opposed to handling traffic to a small number of victim IPs, mitigating vastly distributed small-sized attack traffic is very difficult at the CSP level. The convergence of polluted traffic that has slipped through the “clean pipes” of upstream ISPs forms a massive traffic flow that easily goes beyond the capacity limits of mitigation device, leading to a high latency at best, or deadlock at worst. Blackholing all traffic to an entire IP prefix appears to be a way out, yet the obvious downside is also blocking access from legitimate users to a wide range of services.

 

blog-graphic_image02

We also noticed that the attackers behind the “bit-and-piece” attacks had leveraged open DNS resolvers to launch what is commonly known as DNS amplification. Because the destination (victim) IPs for the abused DNS resolvers to send (reflect) responses to are highly diversified, each destination (victim) IP receives only a small number of responses in each well-organized campaign, leaving no or little traces. As such, mitigating against DNS amplification attacks carried out this way will become much more difficult down the line.

 

At the end of the day, the continued evolution of DDoS trends suggest that CSPs must find ways to better protect their critical network infrastructure and tenants while enhancing their network’s security posture. The continued discovery of new attack patterns also reminds enterprises of the importance of selecting DDoS-proof service providers wherever possible.

 

Attackers preyed on the large attack surface of ASN-level communications service providers with a ‘bit-and-piece’ approach

Comments Form: