January 3, 2019
Owing to their large attack surface, ASN-level CSPs are the most exposed to the rising risk of DDoS attacks. While DDoS attacks are nothing new, different techniques can be combined to achieve the denial-of-service effect in an increasingly stealthy and yet more cost-effective way.
In the third quarter we identified a new, sneaky tactic whereby attackers contaminated a diverse pool of IP addresses across hundreds of IP prefixes (at least 159 ASNs and 527 class C networks in our findings) with small-sized junk traffic. As a consequence, both the maximum and average attack sizes fell measurably from the same period a year ago.
| Metric | Value |
| --- | --- |
| Targeted ASNs | 159 |
| Attack types | DNS amplification attack, SSDP attack, CHARGEN and NTP amplification attack |
| Targeted geolocations | Attacks tended to target resources physically located within the same geolocation |
| Total IP prefixes (at least Class C network) under attack | 527 |

No. of IP prefixes in the same ASNs in the same attack campaigns (top 10)

| Rank | ASN type | IP prefixes |
| --- | --- | --- |
| 1 | ISP/Telecommunication | 38 |
| 2 | ISP/Telecommunication | 38 |
| 3 | ISP/Telecommunication | 38 |
| 4 | Datacenter and IP transit | 28 |
| 5 | Datacenter and IP transit | 26 |
| 6 | Datacenter and IP transit | 24 |
| 7 | Datacenter and IP transit | 21 |
| 8 | Datacenter and IP transit | 21 |
| 9 | Datacenter and IP transit | 19 |
| 10 | Datacenter and IP transit | 19 |

| Metric | Maximum | Minimum | Average |
| --- | --- | --- | --- |
| No. of targeted IP addresses per IP prefix | 252 | 49 | 131 |
| Attack duration | 1439.67 mins | 5.12 mins | 113.81 mins |
| Attack size per IP | 300.1 Mbps | 2.5 Mbps | 33.2 Mbps |
| Attack size per IP prefix | 5.32 Gbps | 285.4 Mbps | 2.48 Gbps |
Like the meticulous way ancient Mongol troops planned and executed battles, attackers carried out a classic “reconnaissance” mission to map the target CSP’s network landscape and identify all mission-critical IP ranges. In the past, by contrast, attackers mainly zeroed in on a smaller number of high-traffic IP prefixes to cause traffic congestion.
The attacker then injects small pieces of junk traffic into the legitimate traffic of a diverse pool of IP addresses spread across multiple IP prefixes. Because the attack traffic hidden within each individual IP’s legitimate traffic is very small and well below per-IP detection thresholds, it easily bypasses detection.
As opposed to handling traffic to a small number of victim IPs, mitigating vastly distributed small-sized attack traffic is very difficult at the CSP level. The convergence of polluted traffic that has slipped through the “clean pipes” of upstream ISPs forms a massive traffic flow that easily exceeds the capacity limits of the mitigation device, leading to high latency at best or deadlock at worst. Blackholing all traffic to an entire IP prefix appears to be a way out, yet the obvious downside is that it also blocks legitimate users from a wide range of services.
We also noticed that the attackers behind the “bit-and-piece” attacks had leveraged open DNS resolvers to launch what is commonly known as DNS amplification. Because the destination (victim) IPs to which the abused DNS resolvers send (reflect) responses are highly diversified, each destination (victim) IP receives only a small number of responses in each well-organized campaign, leaving little or no trace. As such, mitigating DNS amplification attacks carried out this way will become much more difficult down the line.
At the end of the day, the continued evolution of DDoS trends suggests that CSPs must find ways to better protect their critical network infrastructure and tenants while enhancing their network’s security posture. The continued discovery of new attack patterns also reminds enterprises of the importance of selecting DDoS-proof service providers wherever possible.
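The detection gap described above (per-IP thresholds that each polluted address stays under, while the prefix as a whole is saturated) can be made concrete with a small flow-aggregation check. The following is an added example, not code from the report or from Nexusguard: it builds a constructed set of one-minute flow summaries for a hypothetical /24 in the TEST-NET-3 range, tallies inbound bytes per destination IP and per covering prefix, and tags traffic whose reflector source port matches the DNS, NTP, SSDP and CHARGEN reflection types named in the report. The threshold values, the 200-host sample and the `PER_*_THRESHOLD_MBPS` names are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

INTERVAL_SECONDS = 60  # each constructed flow record summarizes one minute

# Reflector source ports for the reflection/amplification types the report names.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "CHARGEN"}

# Assumed operational thresholds (hypothetical values, not from the report):
# a per-destination alert level and the capacity of a downstream scrubbing device.
PER_IP_THRESHOLD_MBPS = 50.0
PER_PREFIX_THRESHOLD_MBPS = 500.0


def make_sample_flows():
    """Constructed sample: 200 hosts in 203.0.113.0/24 (TEST-NET-3), each receiving
    ~30 Mbps of DNS or NTP reflection responses plus ~1 Mbps of legitimate HTTPS
    traffic. No single host crosses PER_IP_THRESHOLD_MBPS, but the /24 as a whole
    does. Record fields: (destination IP, source port on the sender, bytes)."""
    flows = []
    for host in range(1, 201):
        dst = f"203.0.113.{host}"
        # 30 Mbps over 60 s = 225,000,000 bytes of reflected responses
        flows.append((dst, 53 if host % 2 else 123, 225_000_000))
        # 1 Mbps over 60 s = 7,500,000 bytes from a legitimate web server (port 443)
        flows.append((dst, 443, 7_500_000))
    return flows


def mbps(byte_count, seconds=INTERVAL_SECONDS):
    """Convert a byte count over an interval to megabits per second."""
    return byte_count * 8 / seconds / 1e6


def analyse(flows, prefix_len=24):
    """Aggregate bytes per destination IP and per covering prefix, and break the
    prefix totals down by reflection type (keyed on the sender's source port)."""
    per_ip = defaultdict(int)
    per_prefix = defaultdict(int)
    reflection_by_prefix = defaultdict(lambda: defaultdict(int))
    for dst, sport, nbytes in flows:
        per_ip[dst] += nbytes
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        per_prefix[net] += nbytes
        if sport in REFLECTION_PORTS:
            reflection_by_prefix[net][REFLECTION_PORTS[sport]] += nbytes
    return per_ip, per_prefix, reflection_by_prefix


def per_ip_alerts(per_ip):
    """Classic per-destination check: IPs whose inbound rate exceeds the threshold."""
    return sorted(ip for ip, b in per_ip.items() if mbps(b) > PER_IP_THRESHOLD_MBPS)


def per_prefix_alerts(per_prefix, reflection_by_prefix):
    """Prefix-level check: (prefix, total Mbps, reflection mix in Mbps) for every
    prefix whose aggregate inbound rate exceeds the mitigation capacity."""
    alerts = []
    for net, total in per_prefix.items():
        total_mbps = mbps(total)
        if total_mbps > PER_PREFIX_THRESHOLD_MBPS:
            mix = {kind: round(mbps(b), 1) for kind, b in reflection_by_prefix[net].items()}
            alerts.append((str(net), round(total_mbps, 1), mix))
    return sorted(alerts)


if __name__ == "__main__":
    per_ip, per_prefix, refl = analyse(make_sample_flows())
    print("per-IP alerts:", per_ip_alerts(per_ip))          # [] : every host stays under 50 Mbps
    print("per-prefix alerts:", per_prefix_alerts(per_prefix, refl))
```

On the constructed data the per-IP check raises nothing, because each host sees only about 31 Mbps, while the prefix aggregate comes to 6.2 Gbps with roughly half of it carrying a DNS reflection signature and half an NTP one. The design point is that the aggregation key has to match the blast radius: counting by covering prefix (and by reflector source port) surfaces the campaign that per-destination thresholds hide, and does so without the collateral damage of blackholing the whole prefix.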