September 14, 2021
Ever since their discovery in July 2018, bit-and-piece attacks have gone from strength to strength and remain a real threat to Communications Service Providers (CSPs). Attackers continue to diversify their toolsets, combining a wide variety of attack vectors with the bit-and-piece technique to reach their goal of bringing down target networks and infrastructure.
Bit-and-piece attacks result from drip-feeding doses of junk traffic of negligible size into a large pool of IP addresses across hundreds of IP prefixes, which eventually saturates the target when the junk traffic starts to accumulate from different IPs, as illustrated in Figure 1.
Fig 1 - Bit-and-piece attack with legitimate traffic
Early bit-and-piece attacks saw attackers employ amplification and UDP-based attacks to increase attack size and congest bandwidth.
In the second quarter of 2020, we observed attackers opting for a more deceptive and stealthy approach: a more elaborate practice of bit-and-piece attacks that blends several UDP-based attack vectors to flood target networks with traffic.
High Packet Rate Attacks
Observations based on our most recent attack analysis reveal that attackers are now hitting critical network devices (e.g. routers) with large amounts of legitimate-looking small-sized packets to generate high packet rates (increased volumes of packets per second, pps) and overwhelm network equipment. The maximum packets per second by IP prefix /24 in 2021 has seen a substantial increase of 657% compared with 2020, as shown in Table 1. This tactic has been extremely effective: when malicious traffic is concentrated on a single network device, it is much easier to exceed the device's maximum throughput and thus cause a network outage, as illustrated in Figure 2. Furthermore, using relatively low traffic volumes to penetrate networks makes it harder to separate legitimate traffic from attack traffic.
| Attack Size by IP Prefix /24 | | 2018-2019 | 2020 | 2021 |
|---|---|---|---|---|
| Gbps | Minimum | 0.53 | 0.0261 | 0.1258 |
| Gbps | Maximum | 105.32 | 103.62 | 102.02 |
| Packets per second | Minimum | 66 | 4 | 175 |
| Packets per second | Maximum | 13,165 | 18,781 | 142,251 |

Table 1 - Bit-and-Piece Attack Size Summary between 2018 and 2021
Fig 2 - PPS attacks against critical network devices
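The point of Figure 1 and of the pps figures in Table 1 is that each individual destination receives too little traffic to trip a per-host threshold, while the /24 prefix as a whole is being saturated. The following added example (not code from the original post or from Nexusguard) shows the defender-side consequence: the same constructed per-destination counters produce no alert when thresholds are applied per IP, but do when packets and bits are first aggregated per destination /24. The flow records, thresholds and prefix addresses (RFC 5737 documentation ranges) are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WINDOW_SECONDS = 1.0  # length of the measurement window the counters cover


def constructed_flows():
    """Constructed per-destination counters (dst_ip, packets, bytes) for one
    window; not real traffic.  200 hosts in 203.0.113.0/24 each receive 50
    small 46-byte packets: trivial per host, 10,000 pps for the prefix."""
    flows = [(f"203.0.113.{host}", 50, 50 * 46) for host in range(1, 201)]
    # Two ordinary servers in another prefix carrying normal-looking traffic.
    flows.append(("198.51.100.10", 400, 400 * 1200))
    flows.append(("198.51.100.20", 300, 300 * 900))
    return flows


def per_ip_alerts(flows, pps_threshold, window=WINDOW_SECONDS):
    """Classic per-host threshold: hosts whose own packet rate exceeds it."""
    return sorted(ip for ip, packets, _ in flows if packets / window > pps_threshold)


def aggregate_by_prefix(flows, prefix_len=24, window=WINDOW_SECONDS):
    """Sum counters per destination prefix -> {prefix: (pps, gbps)}."""
    totals = defaultdict(lambda: [0, 0])
    for ip, packets, nbytes in flows:
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        totals[net][0] += packets
        totals[net][1] += nbytes
    return {net: (pk / window, by * 8 / window / 1e9) for net, (pk, by) in totals.items()}


def per_prefix_alerts(flows, pps_threshold, gbps_threshold, prefix_len=24):
    """Prefixes whose aggregate rate exceeds either threshold."""
    stats = aggregate_by_prefix(flows, prefix_len)
    return sorted(net for net, (pps, gbps) in stats.items()
                  if pps > pps_threshold or gbps > gbps_threshold)


if __name__ == "__main__":
    flows = constructed_flows()
    # Per-host view: every destination is under 1,000 pps, so nothing fires.
    print("per-IP alerts:", per_ip_alerts(flows, pps_threshold=1000))
    # Per-prefix view: 203.0.113.0/24 carries 10,000 pps in aggregate.
    print("per-/24 alerts:", per_prefix_alerts(flows, pps_threshold=5000, gbps_threshold=1.0))
```

The aggregate bit rate here is only a few megabits per second, which is why the bps column of Table 1 on its own says little about this class of attack; the per-prefix packet rate is the signal worth alerting on, and the prefix length and thresholds should be tuned to the operator's own baselines.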
Filterable and Non-Filterable Attack Vectors
We have observed that the continued advancement of bit-and-piece attacks has led to new attack patterns that leverage not only high packets-per-second (pps) or bits-per-second (bps) attack modes but also filterable and non-filterable attack vectors, which easily fly under the radar and effectively take down victim hosts as well as networks and infrastructure.
| Bit-and-Piece Attacks | 2018-2019 | 2020 | 2021 |
|---|---|---|---|
| Exploited Weakness | Hijacking legitimate traffic | Hijacking legitimate traffic | Hijacking legitimate traffic |
| Attack Mode Dynamic | Bandwidth based attack (bps) | Bandwidth based attack (bps) | Bandwidth based attack (bps) and high packet rate attack (pps) |
| Possibility of Characterisation | Amplification attacks | UDP-based attack and Amplification attacks | TCP-based attacks, UDP-based attacks and Amplification attacks |
| Attack Vectors | Filterable: DNS amplification, SSDP amplification, CHARGEN amplification and NTP amplification. Non-filterable: none | Filterable: DNS amplification, SSDP amplification, NTP amplification, CLDAP amplification, CHARGEN amplification, UDP attack. Non-filterable: none | Filterable: DNS amplification, SSDP amplification, NTP amplification, CLDAP amplification, CHARGEN amplification, UDP attack, MDNS amplification, ICMP, TCP SYN and TCP RST. Non-filterable: TCP ACK |
| Victim Type | Network and infrastructure | Network and infrastructure | Host, network and infrastructure |

Table 2: Evolution of Bit-and-Piece Attacks
According to our findings, the 46-byte TCP ACK packet has become the most frequently used attack vector. 39.94% of bit-and-piece attacks utilize such packets, as shown in Table 3. The 46-byte TCP ACK packet is one of the smallest packets commonly seen on networks and is used in the TCP handshaking process, whether for TCP connection establishment or as a keepalive. Since these packets are seen as normal traffic, attack traffic hidden among such normal traffic is extremely difficult to detect, especially for signature-based detection methods.
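Because a 46-byte ACK-only packet is indistinguishable from the ACKs of healthy connections, a signature on the packet itself is useless; what a CSP can measure is the proportion of such packets reaching a prefix compared with a baseline learned from traffic known to be clean. The following added example (not code from the original post or from Nexusguard) implements that comparison over constructed packet summaries: a baseline bare-ACK share is learned from one prefix, and a second prefix is flagged only when its share is far above that baseline and backed by enough packets, so a handful of stray ACKs to a quiet prefix does not trigger an alert. Packet sizes, flag mixes, the addresses (RFC 5737 ranges) and the thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# TCP flag bits in the usual header bit order.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
BARE_ACK_LEN = 46  # the small ACK-only packet discussed in the text


def is_bare_ack(length, flags):
    """True for a 46-byte packet whose only flag is ACK (no SYN/FIN/RST/PSH)."""
    return length == BARE_ACK_LEN and flags == ACK


def constructed_packets():
    """Constructed packet summaries (dst_ip, length, tcp_flags); not real captures."""
    pkts = []
    # Ordinary connections to 198.51.100.0/24: SYN, bare ACK, data, bare ACK, FIN.
    for i in range(40):
        host = f"198.51.100.{10 + i % 5}"
        pkts += [(host, 74, SYN), (host, 46, ACK), (host, 1500, PSH | ACK),
                 (host, 46, ACK), (host, 46, FIN | ACK)]
    # Bit-and-piece style: 200 hosts in 203.0.113.0/24 each get 10 bare ACKs and nothing else.
    for host in range(1, 201):
        pkts += [(f"203.0.113.{host}", 46, ACK)] * 10
    # A quiet prefix with 3 stray bare ACKs: far too few packets to judge.
    pkts += [("192.0.2.7", 46, ACK)] * 3
    return pkts


def bare_ack_counts(packets, prefix_len=24):
    """Per destination prefix -> (bare ACK packets, all packets)."""
    counts = defaultdict(lambda: [0, 0])
    for ip, length, flags in packets:
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        counts[net][1] += 1
        if is_bare_ack(length, flags):
            counts[net][0] += 1
    return {net: tuple(v) for net, v in counts.items()}


def learn_baseline(packets, known_clean_prefixes, prefix_len=24):
    """Share of bare ACKs in traffic to prefixes we trust as clean."""
    counts = bare_ack_counts(packets, prefix_len)
    bare = sum(counts[p][0] for p in known_clean_prefixes if p in counts)
    total = sum(counts[p][1] for p in known_clean_prefixes if p in counts)
    return bare / total if total else 0.0


def flag_bare_ack_floods(packets, baseline_share, factor=2.0, min_bare=500, prefix_len=24):
    """Prefixes whose bare-ACK share is well above baseline AND backed by enough packets.
    The share threshold is capped at 0.95 so a high baseline cannot make the rule unreachable."""
    threshold = min(baseline_share * factor, 0.95)
    flagged = []
    for net, (bare, total) in bare_ack_counts(packets, prefix_len).items():
        if bare >= min_bare and bare / total > threshold:
            flagged.append(net)
    return sorted(flagged)


if __name__ == "__main__":
    pkts = constructed_packets()
    baseline = learn_baseline(pkts, ["198.51.100.0/24"])
    print(f"baseline bare-ACK share: {baseline:.2f}")
    print("flagged prefixes:", flag_bare_ack_floods(pkts, baseline))
```

In a CSP deployment the baseline would be learned per prefix over a long window rather than borrowed from a neighbour, and the minimum packet count keeps the rule from reacting to the tiny samples that a single /24 may see in a short interval.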
Targeted ASNs: 84
Total No. of IP Prefixes (Class C) Under Attack: 1318

Attack Types:
- TCP ACK Attack (39.94%)
- UDP Fragmentation Attack (16.26%)
- CLDAP Reflection Attack (11.93%)
- NTP Amplification Attack (8.84%)
- SSDP Amplification Attack (8.37%)
- DNS Amplification Attack (6.23%)
- UDP Attack (5.52%)
- ICMP Attack (1.19%)
- IP Fragmentation Attack (0.47%)
- CHARGEN Attack (0.42%)
- TCP SYN Attack (0.36%)
- TCP Null Attack (0.30%)
- TCP RST Attack (0.12%)
- MDNS Amplification Attack (0.06%)

Targeted Geo-locations: [map not reproduced in text]

Table 3 - Summary of Bit-and-Piece Attacks
Based on our recent attack analysis, we foresee that there will be a decrease in attack size with attackers opting to deploy non-filterable attack vectors to attack more IP prefixes. This will seriously undermine traditional threshold and signature-based detection methods, given that CSPs now need to detect smaller and more complex attack traffic patterns among large volumes of legitimate traffic.
While Nexusguard’s solution ensures that end-users are protected from DDoS attacks, the ongoing evolution of bit-and-piece attacks should alert CSPs to the importance and need to enhance their cyber resiliency, and employ more effective ways to protect their critical infrastructure and networks.
Deploying big data and AI methods would be an effective solution for mitigating increasingly complex bit-and-piece attacks. Big data analysis and deep learning-based methods are extremely proficient in learning and analyzing network traffic patterns, overcoming the inefficiencies associated with threshold and signature-based detection methods. Owing to their speed and precision in scrutinizing large amounts of CSP traffic data, malicious attack patterns can be detected well before they can be exploited.