February 23, 2020
Communications service providers (CSPs) are suffering from an extremely stealthy network-layer attack: the “bit-and-piece” attack, which we identified as early as 2018 and which others later dubbed carpet bombing. Designed to bypass traditional threshold-based detection, this attack poses a new security challenge for CSPs: it can cause massive service degradation for their networks and their customers, and their on-premise investments offer little defence against it.
Traditional threshold-based detection is futile against bit-and-piece attack
Whichever name it goes by, the attack exploits the large attack surface of CSPs by drip-feeding junk traffic to a wide range of destinations within a specific subnet or CIDR block, for example a /20. The traffic sent to each individual IP is crafted to be small enough to stay below per-IP threshold-based detection, yet large enough to clog the target once all the slices accumulate at the destination network.
As such, traditional threshold-based detection that focuses on specific IP addresses does not work and often fails to raise alarms, because the attack traffic is spread across all IP addresses of one or more subnets. Moreover, the attacker often shifts between subnets during a campaign, making detection at the CSP level even more difficult. These attacks are usually carried out as UDP reflection, such as DNS amplification, typically arriving as fragmented packets, and may combine several reflection vectors.
Services delivered by CSPs suffering from bit-and-piece attacks will inevitably be degraded, leaving customers and end-users frustrated by slow connections or outright denial of access.
Detecting and mitigating stealthy network attacks
To counter the threat of bit-and-piece attacks, CSPs should analyze traffic crossing network boundaries or traversing particular routing systems in order to gain a more granular view. They should also profile traffic regularly to baseline normal traffic volumes to groups of resources or larger subnets, including the spikes seen on special occasions, so that an anomaly in aggregate volume stands out even when no single destination crosses a per-IP threshold.
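The following script is an added illustration of the two detection approaches contrasted above; it is not Nexusguard's own code and makes no claim about how the OP platform works internally. It feeds constructed flow records (destination IP, bytes per measurement window) through a classic per-IP threshold check and through a per-prefix baseline built over a clean profiling period. The attack slices 2 MB onto each of 200 hosts in the assumed block 203.0.113.0/24, which stays far below the assumed 10 MB per-IP threshold yet pushes the /24 (and its parent /20) to roughly nine times its baseline. The block name, host count, volumes, the mean-plus-k-sigma rule and the guard parameters are all assumptions chosen for the example.

```python
"""Subnet-level baselining to detect bit-and-piece (carpet-bombing) DDoS.

Added illustration, not Nexusguard code. Flow records are constructed
(dst_ip, bytes) pairs for one measurement window; the 203.0.113.0/24 block,
the traffic volumes and every threshold below are assumptions.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

KB = 1024
MB = 1024 * KB


def aggregate(flows, prefixlen):
    """Sum bytes per destination prefix of the given length (32 = per host)."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
        totals[net] += nbytes
    return totals


def per_ip_alarms(flows, threshold):
    """Traditional detection: alarm on any single destination above a fixed volume."""
    return sorted(str(net.network_address)
                  for net, b in aggregate(flows, 32).items() if b > threshold)


def build_baseline(history, prefixlen):
    """Per-prefix (mean, stddev) of bytes per window over a list of clean windows.

    A prefix absent from a window contributes 0 bytes for that window.
    """
    series = defaultdict(lambda: [0] * len(history))
    for w, flows in enumerate(history):
        for net, b in aggregate(flows, prefixlen).items():
            series[net][w] = b
    return {net: (mean(vals), pstdev(vals)) for net, vals in series.items()}


def prefix_alarms(flows, baseline, prefixlen, k=3.0, ratio=1.5, min_bytes=1 * MB):
    """Anomaly detection at prefix granularity.

    A prefix alarms when its aggregate volume exceeds mean + k*stddev of its
    baseline, is at least `ratio` times the mean (guards against a near-zero
    stddev after a very stable profiling period) and exceeds an absolute floor
    (guards against prefixes with no history, whose mean is 0).
    """
    alarms = []
    for net, b in aggregate(flows, prefixlen).items():
        mu, sigma = baseline.get(net, (0.0, 0.0))
        if b > min_bytes and b > mu + k * sigma and b > ratio * mu:
            alarms.append(str(net))
    return sorted(alarms)


# --- constructed traffic (assumed block, assumed volumes) -----------------
BLOCK = ipaddress.ip_network("203.0.113.0/24")
HOSTS = [str(ip) for ip in BLOCK.hosts()][:200]


def normal_window(w):
    """Clean traffic: ~250 KB per host with deterministic jitter and slow drift."""
    return [(h, 250 * KB + (i % 7) * 2 * KB + w * KB) for i, h in enumerate(HOSTS)]


def carpet_bomb(flows, per_host=2 * MB):
    """Attacker adds a small, sub-threshold slice to every host in the block."""
    return flows + [(h, per_host) for h in HOSTS]


def demo(per_ip_threshold=10 * MB):
    history = [normal_window(w) for w in range(10)]   # profiling period
    clean = normal_window(5)                          # a later normal window
    attacked = carpet_bomb(normal_window(5))          # same window under attack
    base24 = build_baseline(history, 24)
    base20 = build_baseline(history, 20)
    return {
        "per_ip_clean": per_ip_alarms(clean, per_ip_threshold),
        "per_ip_attack": per_ip_alarms(attacked, per_ip_threshold),  # stays empty
        "slash24_clean": prefix_alarms(clean, base24, 24),
        "slash24_attack": prefix_alarms(attacked, base24, 24),
        "slash20_attack": prefix_alarms(attacked, base20, 20),
        "attack_total_mb": sum(b for _, b in attacked) // MB,
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key:16} {val}")
```

Running the script shows the per-IP check silent in both windows while the /24 and /20 aggregates alarm only in the attacked window. Evaluating the same flows at several prefix lengths is what catches an attacker who hops between /24s inside one /20: the individual /24 baselines may each look only mildly elevated, but the /20 aggregate still deviates. The absolute floor and the ratio guard are the checks a practitioner would want before deploying this on real NetFlow or sFlow data, where newly announced prefixes and very flat baselines otherwise produce false alarms.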
Since a range of IP addresses or even whole subnets are contaminated, the nuclear option of blackholing traffic to the entire network is grossly unrealistic. Nexusguard’s Origin Protection (OP) platform, with its multiple layers of filtering, can identify and filter the malicious activity that induces anomalies in network traffic. This approach also makes it possible to detect new kinds of network attacks not seen before, because they naturally deviate from the constructed baseline.
For CSPs or large network owners, the OP platform offers the flexibility to build custom detection and mitigation rules tailored to different protection groups. It also comes with traffic-baselining features that allow the network owner to monitor traffic continuously and determine normal and abnormal traffic volumes.
In a broader sense, Nexusguard’s global scrubbing network comprises nine defence nodes for attack prevention, detection and response. This globally distributed architecture allows DDoS attacks to be detected as early as possible, before they reach the victim, identifying the attack sources and stopping the attack as close to those sources as possible.
Finally, the ongoing evolution of DDoS methods suggests that CSPs need to enhance their network security posture and find better ways to protect their critical infrastructure and tenants.
To learn more about how to counter the threat from Bit-And-Piece Attacks, please read about Nexusguard’s Origin Protection.