In what should be a cautionary tale for enterprises, communications service providers were targeted by 65% of the distributed denial-of-service attacks in the third quarter of last year, according to a new report.
While it's not unexpected that DDoS attacks are taking aim at communications service providers (CSPs), it's how they are doing them that is of concern. According to Nexusguard's "Q3 2018 Threat Report," the new methods of attacks exploits the large attack surface of ASN-level (autonomous system number) CSPs by spreading tiny attack traffic across hundreds of IP addresses to avoid detection.
Nexusguard said the continued discovery of new attack patterns should serve as a warning for enterprises to pick service providers with the best DDoS-proof systems.
"Perpetrators are using smaller, bit-and-piece methods to inject junk into legitimate traffic, causing attacks to bypass detection rather than sounding alarms with large, obvious attack spikes,” said Juniman Kasman, chief technology officer for Nexusguard, in a prepared statement. “Diffused traffic can cause communications service providers to easily miss large-scale DDoS attacks in the making, which is why these organizations will need to share the load with the cloud at the network edge to minimize attack impact.”
As a result of the new types of attacks, the attack sizes were 82% smaller in Q3 2018 compared to the same quarter a year ago.
Nexusguard analysts came to the conclusion that the attackers conducted reconnaissance missions to map out the network landscape and identify the mission-critical IP ranges of the targeted CSPs.
After the mapping, the attackers put bits and pieces of junk into legitimate traffic, whose size easily bypassed detection thresholds. Due to the scale involved, mitigating broadly distributed, small-sized attack traffic is more difficult at the CSP level in comparison to the traditional attack methods on a small number of targeted IP addresses.
The “bit-and-piece” attacks observed in the quarter often used open domain name system (DNS) resolvers to launch what is commonly known as DNS Amplification, which includes a targeted IP address receiving only a small number of responses in each campaign. The method of attack makes it difficult for CSPs to trace the infected traffic back to its origins.
Nexusguard said that "black-holing" all traffic to an entire IP prefix would be costly for the CSPs, because black-holing would also block access to a large number of legitimate services.
The report also found that China advanced its lead in global attack origins by contributing more than 23% of the worldwide campaigns, while 15% of the attacks originated in the U.S.
The report also found that Simple Service Discovery Protocol amplification attacks increased 639.8% in Q3 of last year compared to Q2 2018 because of the new patterns targeted at CSPs.
According to a report last month by ABI Research, the security analytics market will reach revenues of $12 billion by 2024.