lolloj - Fotolia

New DDoS attack technique puts CSPs at risk

Nexusguard found a new DDoS attack technique that targeted CSPs in which attackers used a bit-and-piece approach to inject junk into legitimate traffic and dodge detection.

A new DDoS attack technique designed to evade detection mechanisms is gaining steam.

The stealthy, sophisticated attack technique, known as bit-and-piece, is targeting communications service providers (CSPs), according to a recent report by Nexusguard, a distributed denial-of-service (DDoS) mitigation service provider.

The bit-and-piece DDoS attack, which is different from traditional volumetric attacks, capitalizes on the large attack surface of ASN-level (autonomous system number) CSPs "by spreading tiny attack traffic across hundreds of IP addresses to evade detection," Nexusguard's Q3 2018 Threat Report found.

"The general idea of the bit-and-piece attack is instead of concentrating the attack on one IP address or one destination -- in which case, it's relatively easy for the CSPs to identify such attacks and then take action -- the attackers attack a range of IP addresses, so that it basically flies under the radar and CSPs don't know which ones to take action on," said Donny Chong, product director at Nexusguard. "In fact, the attacks will saturate the CSP's resources and ultimately bring down the customers who are using this CSP as an option."

The Nexusguard report found 159 ASNs were targeted by the new DDoS attack in the third quarter of 2018, with attackers targeting networks within the same geolocation.

Attackers carried out "reconnaissance missions" to determine their target CSP's network landscape and mission-critical IP prefixes before deploying the DDoS attack technique, the report found.

The "attack traffic in the space of each IP address was small enough to bypass detection, but it was big enough to cripple the targeted site or even an entire CSP network once the traffic converged," according to the report.

The quarterly report, which looks at thousands of DDoS attacks worldwide, also found ASN-level CSPs were targeted by 65.5% of DDoS attacks in the third quarter of 2018.

"Attackers are likely targeting CSPs because they are a form of critical infrastructure," said Lawrence Orans, vice president analyst at Gartner. "A successful DDoS attack against a major CSP could be highly disruptive to businesses and consumers that traverse the CSP's network."

Signs of a DDoS attack

The evolution of DDoS attack techniques and mitigation strategies

Orans added that DDoS attack techniques have continually evolved over the last several years.

"For example, 2013 was the year of NTP [Network Time Protocol] amplification. In 2014, it was SSDP [Simple Service Discovery Protocol] attacks. And in 2016, we saw the Mirai botnet and attacks from IoT devices," Orans said. "It's not at all surprising to learn of a new attack technique in 2018."

Nexusguard attack traffic comparison

As cyberattackers become more resourceful, DDoS attacks will continue to evolve, Nexusguard's Chong reinforced. It is not something that CSPs can simply brush off, he said.

While there's nothing CSPs can do to discourage attackers, Chong said CSPs should update their defense strategy and focus on enhancing their network security posture to ensure their services are not affected.

The general idea of the bit-and-piece attack is instead of concentrating the attack on one IP address or one destination ... the attackers attack a range of IP addresses.
Donny Chongproduct director, Nexusguard

"They have to look for ways in which they can much more effectively manage the DDoS attacks, so that their infrastructure and their customers do not suffer any damage," he said.

Normal security measures used by ASN-level CSPs cannot detect and mitigate bit-and-piece attacks before they can cause any harm, the report found. This is due to the negligible size of the "junk" that the new DDoS attack technique injects into the legitimate traffic.

Chong advised against solely relying on threshold-based DDoS attack detection and mitigation techniques, as they are not adequate for detecting attacks involving small amounts of attack traffic.

Conventional DDoS mitigation measures like blackholing also won't work, Chong said, because blackholing will block access to a wide range of legitimate services.

Chong suggested detecting attacks like bit-and-piece requires CSPs to employ more advanced detection techniques, which are capable of detecting DDoS "based on signatures."

Dig Deeper on Data security and privacy

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close