Attacking in numbers
Big Interview

Attacking in numbers

mark dehus lumen.jpg

DDoS attacks are on the rise – and telcos are being targeted in new ways. Explaining the latest data from Black Lotus Labs, Mark Dehus tells Melanie Mingas what it means

Hand-in-hand with the pandemic-related surge in traffic and network demand has come a wave of cybersecurity attacks, unmatched in volume and frequency.

This year alone, high-profile attacks have targeted the UN and governments around the world. In September, Russian search engine and web portal Yandex claimed it repelled “the biggest attack in the history of the internet”, starting with 5.2 million requests per second (RPS) on 7 August and culminating with just short of a 22 million RPS by 5 September.

At Black Lotus Labs, the threat intelligence arm of Lumen Technologies, 7,185 DDoS attacks were mitigated in Q3 alone – a 35% rise when compared with Q2 of this year – with the largest bandwidth attack coming in at 612Gbps, itself a 46% increase on the largest attack scrubbed by the lab in Q2. The trend has been building all year, with the previous report noting a 14% increase in attacks compared with Q1.

Rounding it off, the Q3 report confirmed the three most targeted verticals in the 500 largest attacks of the quarter were software and technology, retail… and telecoms.

According to Mark Dehus, director of information security and threat intelligence at Black Lotus Labs, the trend has two elements.

The first is that “the level of sophistication required to launch attacks continues to be relatively low, especially reflective DDoS attacks” – more on those later.

“The other aspect is the growth over the last couple of years in extortion-based DDoS attacks, where the actors send an email in advance and say they will launch an attack and ‘if you pay us in bitcoin, we just won’t happen to attack’.

“Both of these are key to the growth in DDoS attacks over the last year,” Dehus adds.

Each quarterly DDoS report examines in-house intelligence from the Lumen DDoS mitigation service. There are three headline trends at present: larger and more pervasive DDoS attacks; the extended reach of IoT vulnerabilities and command and controls (C2s); and cybercriminals of varying expertise launching attacks with more frequency and complexity.

In terms of the attacks it scrubs, Black Lotus Labs has seen the largest bandwidth attacks in Q3 increase by 49% in terms of bandwidth size, when compared with Q2. In addition, it noted a 91% leap in the largest packet-based rate attack it scrubbed, reaching 252Mpps.

“Bandwidth is getting larger, but the rate at which they are able to send packets is also a factor. A lot of it is heavily reliant on reflective type attacks,” Dehus says.

Reflective surfaces

In part, the spike in DDoS attacks is attributed to User Datagram Protocol (UDP)-based reflection – a key tool for those looking to launch attacks, particularly on the Dark Web, according to Black Lotus Labs.

In short, a spoofed reflection DDoS attack is where an actor imitates another entity, initiates a barrage of communications and elicits a flood of traffic back to the unsuspecting victim, all while using UDP servers misconfigured as open reflectors to make it particularly difficult to trace.

Back in May the Belgian Government was hit with a reflective DDoS attack that took the entire government offline for a whole day. On this occasion, the country’s parliament, universities, and some scientific institutions were targeted via the attack on Belnet, which also saw Belnet customers taken offline.

While the attack was relatively simple in nature, the impact set a precedent.

“This attack was rather impactful in that over 78% of their traffic transitioned. It was quite incredible,” Dehus says.

In his words, reflective attacks are akin to prank phone calls, “calling a bunch of different pizza delivery restaurants, ordering pizza and saying ‘I’ll pay cash, send it to somebody else’s door’, then tonnes of pizza shows up”.

As simple as that sounds, these attacks are actually very difficult for victims to mitigate, often requiring professional assistance.

In Belgium part of the impact was created by combining multiple vectors in the same attack, another growing trend. In fact, in the Q3 report, attacks of this nature represented 44% of all the labs’ DDoS mitigations, with the most common combination being: DNS amplification, TCP RST, TCP SYN-ACK amplification and UDP amplification.

“It’s definitely a concerning trend that continues to grow every year,” Dehus says.

Calling for all network providers and operators to help in cleaning up the reflective surfaces, Dehus says that telcos and ISPs must sweep their networks to mitigate threats. He adds: “Help find and clean up the reflective surfaces, be mindful to have some kind of DDoS mitigation service that’s able to be leveraged for your customers, or partner with somebody.”

He continues: “Black Lotus Labs overall has not only been able to help find reflective surfaces in our networks and our customers’ networks; we have gone beyond that to help actively track more than 2,100 DDoS command and control servers – the brains behind some of those DDoS botnets – and work to actively clean them up, actually blackholing some of them on our network so they cannot traverse and have a significant impact.”

New voice trends

These trends aside, Dehus says the emerging trend to watch is voice.

“Voice attacks we have seen grow in the past three or four months. That’s an alarming trend because voice services typically haven’t been attacked as much in the past and aren’t as well prepared to defend against DDoS mitigation,” Dehus says.

The trend started in late Q3 and, although not explicitly detailed in the latest report, is counted under attacks against telecommunications providers, which as a whole encompassed 34% of the largest 500 attacks.

Dehus says: “The attack types used against voice providers recently were also multi-vector; in Q3 those types of attacks represented 44% of all attacks Lumen mitigated.”

“DDoS attacks are rampant, and the frequency doesn’t seem to be slowing down. If anything, attacks are evolving to use more complex methods, and are being aimed at services, such as voice, that have not typically been targets in recent years,” he adds.

Black Lotus Labs doesn’t just observe these attacks. It also works with voice customers that have been targeted, “being mindful of them becoming a target, being a growing trend and being prepared in the situation or scenario where they are provided with a launch letter or attack”.

He adds: “In Q3 there was an interesting attack in the voice market that we had difficulties mitigating, owing to the type of attack.

“At the time the organisation wasn’t a Lumen DDoS mitigation customer. Our Black Lotus Labs got involved and, leveraging our visibility, we gave them some of the visual insights in terms of how they could protect themselves from some growing trends that we haven’t seen until this quarter – again, targeting voice services in particular,” Dehus says.

Bigger and faster

For Dehus and his team at Black Lotus Labs, reducing threats takes a concerted effort from all. As the report states, a network without sufficient protection could mean operators and ISPs are “unwittingly participating in attacks against other organisations”.

He advises: “[Organisations should] adopt a model that uses protection of the internet as a key component of their business services.” That is, leveraging the network to collected telemetry data to understand where the attacks are originating from, and where they are destined for.

“If they can understand where some of the reflective surfaces are being used in malicious ways, knowing that means they can lock those services down so they can’t be used that way.

“Or, if it is their own customers who have services that are vulnerable to reflective attacks, they can work with different customers to help shut those surfaces off, or put in other mechanisms that can restrict the impact they can have on the internet,” he says.

Looking ahead to 2022, Dehus says that volume is set to be the defining factor.

Whereas an attack of 1Tbps was a point of concern back in 2016, today’s attacks are “2.5Tbps-plus and they are becoming more common”, he explains.

“That is getting to a scale that is a challenge to deal with. For a lot of companies, even larger ones, if you have a 2.5Tbps attack you have to rely on a key provider to help clean that up, maybe multiple providers.

“Unless the industry acts quickly to help clean up some of the reflective surfaces that are out there, we are going to continue to see this grow, both in the size and the scale of attacks launched,” Dehus adds.

Given the challenges posed by the reflective surfaces that continue to exist – and the low-level of sophistication required to launch an attack – there’s only one way for telcos to take the target off their backs.

Gift this article