Our latest research findings suggest that communications service providers (CSPs) continue to suffer from a new breed of stealthy network attacks deliberately carried out in a piecemeal way in attempts to evade detection. Compared with the same period a year ago, about 50% more ASN-level CSPs were found to have been targeted by this kind of “bit-and-piece” attack in Q4 2018, especially those with a large pool of mission-critical IP prefixes.
Figure 1. In Q4 2018, 50% more ASNs suffered from a new type of stealthy network attack carried out in a piecemeal fashion
To be exact, a total of 238 ASNs were abused to tunnel junk traffic to their networks and downstreams. Attack activity increased more noticeably towards the end of 2018. From month to month, the number of targeted ASNs rose to 67 in November from 63 in October, and then soared to 108 in December, a traditional peak season for cyberattacks.
By service sector, ISPs/telcos and cloud service providers accounted for about 49.36% and 25.64%, respectively, of all ASNs that fell victim to DDoS attacks. Since they serve as the principal exchange node between the Internet and end-users, DDoS attacks against them can cause serious problems such as performance degradation and denied access requests.
Small volumes of malicious traffic spread across hundreds of IPs are difficult to detect at the CSP level and even harder to mitigate in the absence of specialized sandboxing. The targeted CSP often only comes to realize the full impact on its physical transmission lines when the bits and pieces of junk traffic converge at the high-traffic IP prefixes.
Figure 2. The breakdown of CSPs attacked by DDoS (by service sector)
On a per-IP basis, the maximum, minimum and average sizes were 434.50Mbps, 2.70Mbps and 49.15Mbps, respectively, surpassing the same set of figures in Q3. The average duration was 632.24 minutes, substantially longer than the average of 113.81 minutes recorded in the preceding quarter.
Figure 3. The breakdown of attack types by vector
By attack vector, SSDP floods were by far the most used, accounting for 98.66% of all attacks. Sentinel-5093 and DNS attacks took the distant second and third spots, respectively. As expected, the US, Brazil and China were the top three attack destinations, representing 36.24%, 21.48% and 16.11%, respectively, of all attack destinations.
Figure 4. The country-by-country breakdown of attack destinations
Expect a constant mutation of DDoS attacks
While the vast majority of attacks we observed are SSDP-based reflection/amplification attacks, they are “redesigned” to bypass detection. In this case we identified a new twist on a fairly old attack type. This finding is a further reminder that new tactics are constantly being built on old attack methods, not only SSDP but also SYN floods, IP floods and probably other types of amplification attacks in the future, as attackers seek to boost their firepower.
For CSPs without a proper DDoS mitigation deployment, DDoS detection is extremely difficult. Three common challenges are false positives, false negatives and data aggregation. False positives are false alarms; false negatives are failures to detect an attack. The data aggregation challenge is that such CSPs lack access to centralized analysis of attack data, so traffic that is individually unremarkable per IP is never summed up across the prefix it is converging on.
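The aggregation problem described above, as an added example that is not Nexusguard's code: a per-destination threshold misses traffic that is spread thinly across many addresses in one prefix, while summing the same flow records per /24 surfaces it. The flow records, thresholds and the /24 grouping are constructed assumptions for illustration.

```python
# Added example (not Nexusguard's code). Per-IP thresholds miss piecemeal
# traffic; aggregating the same records by prefix reveals the converging total.
import ipaddress
from collections import defaultdict

# Constructed sample flows: (destination IP, observed rate in Mbps) for one
# measurement window. Every single IP stays well under a 100 Mbps per-IP alarm.
SAMPLE_FLOWS = [
    ("203.0.113.10", 45.0), ("203.0.113.11", 52.5), ("203.0.113.12", 40.0),
    ("203.0.113.13", 49.0), ("203.0.113.14", 38.0), ("203.0.113.15", 61.0),
    ("203.0.113.16", 44.0), ("203.0.113.17", 55.0), ("203.0.113.18", 47.0),
    ("203.0.113.19", 50.0),
    ("198.51.100.7", 30.0), ("198.51.100.8", 25.0),  # ordinary-looking prefix
]

def per_ip_alerts(flows, per_ip_mbps=100.0):
    """Classic per-destination detection: alert only when one IP exceeds the threshold."""
    return sorted({ip for ip, mbps in flows if mbps >= per_ip_mbps})

def aggregate_by_prefix(flows, prefix_len=24):
    """Sum traffic and collect distinct destinations for each IPv4 prefix."""
    totals = defaultdict(lambda: {"mbps": 0.0, "ips": set()})
    for ip, mbps in flows:
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        totals[net]["mbps"] += mbps
        totals[net]["ips"].add(ip)
    return totals

def prefix_alerts(flows, prefix_len=24, prefix_mbps=300.0, min_ips=5):
    """Alert when a prefix's summed traffic exceeds the threshold AND is spread
    across at least min_ips destinations (the bit-and-piece pattern)."""
    alerts = []
    for net, stats in aggregate_by_prefix(flows, prefix_len).items():
        if stats["mbps"] >= prefix_mbps and len(stats["ips"]) >= min_ips:
            alerts.append((net, round(stats["mbps"], 2), len(stats["ips"])))
    return sorted(alerts)

if __name__ == "__main__":
    print("per-IP alerts:", per_ip_alerts(SAMPLE_FLOWS))      # []
    print("per-prefix alerts:", prefix_alerts(SAMPLE_FLOWS))  # [('203.0.113.0/24', 481.5, 10)]
```

Real deployments would feed NetFlow/sFlow exports into the same aggregation and tune the prefix threshold to the link capacity behind each prefix.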
Blackhole routing is a thing of the past
Blackholing all traffic to the destination IP appears to be a way out for CSPs who simply want to avoid potential collateral damage. But don't forget that it is done at the expense of the victim, making an innocent customer disappear from the Internet. Doing it too much and too frequently will upset your customers and tarnish your reputation in the long run.
To survive the constantly evolving threat landscape and keep the network and customers safe, CSPs are recommended to offload traffic spikes to a multicast scrubbing facility, avoiding the congestion that might cause a bottleneck at the destination ASN. Highly scalable and fully redundant, Nexusguard’s global scrubbing network is architected precisely to detect and mitigate DDoS attacks of any size or pattern before they reach the CSP network.