January 3, 2019

Little droplets form roaring ocean

Owing to their large attack surface, ASN-level CSPs  are exposed most to the rising risk of DDoS attacks. While DDoS attack is nothing new, different techniques can be combined to achieve the denial of service effect in an increasingly stealthy and yet more cost-effective way.

In the third quarter we identified a new, sneaky tactic whereby attackers contaminated a diverse pool of IP addresses across hundreds of IP prefixes (at least 159 ASN, 527 class C networks from our findings) with small-sized junk traffic. As a consequence, both the maximum and average attack sizes fell measurably from the same period a year ago.


Targeted ASNs


Attack types

DNS amplification attack, SSDP attack, CHARGEN and NTP amplification attack

Targeted geolocations

Attacks tended to target resources physically located within the same geolocation  

Total IP prefixes (at least Class C network) under attack


No. of IP prefixes in the same ASNs in the same attack campaigns (top 10)

1. ISP/Telecommunication


2. ISP/Telecommunication


3. ISP/Telecommunication


4. Datacenter and IP transit


5. Datacenter and IP transit


6. Datacenter and IP transit


7. Datacenter and IP transit


8. Datacenter and IP transit


9. Datacenter and IP transit


10. Datacenter and IP transit


No. of targeted IP addresses per IP prefix







Attack duration


1439.67 mins


5.12 mins


113.81 mins

Attack size per IP


300.1 Mbps


2.5 Mbps


33.2 Mbps

Attack size per IP prefix


5.32 Gbps


285.4 Mbps


2.48 Gbps

Like the meticulous way ancient Mongol troops planned and executed battles, attackers carried out a classic “reconnaissance” mission to map the target CSP’s network landscape to identify all mission-critical IP ranges. Whereas in the past, attackers mainly zeroed in on a smaller number of high-traffic IP prefixes to cause traffic congestion.



Then, the attacker injects pieces of small-sized junk traffic into legitimate traffic across a diverse pool of IP addresses across multiple IP prefixes. Because the size of attack traffic hidden in legitimate traffic within the space of each IP is very small and is well below detection thresholds, they can easily bypass detection.


As opposed to handling traffic to a small number of victim IPs, mitigating vastly distributed small-sized attack traffic is very difficult at the CSP level. The convergence of polluted traffic that has slipped through the “clean pipes” of upstream ISPs forms a massive traffic flow that easily goes beyond the capacity limits of mitigation device, leading to a high latency at best, or deadlock at worst. Blackholing all traffic to an entire IP prefix appears to be a way out, yet the obvious downside is also blocking access from legitimate users to a wide range of services.



We also noticed that the attackers behind the “bit-and-piece” attacks had leveraged open DNS resolvers to launch what is commonly known as DNS amplification. Because the destination (victim) IPs for the abused DNS resolvers to send (reflect) responses to are highly diversified, each destination (victim) IP receives only a small number of responses in each well-organized campaign, leaving no or little traces. As such, mitigating against DNS amplification attacks carried out this way will become much more difficult down the line.


At the end of the day, the continued evolution of DDoS trends suggest that CSPs must find ways to better protect their critical network infrastructure and tenants while enhancing their network’s security posture. The continued discovery of new attack patterns also reminds enterprises of the importance of selecting DDoS-proof service providers wherever possible.


Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.