'Carpet-bombing' DDoS attack takes down South African ISP for an entire day

Carpet bombing - the DDoS technique that's just perfect for attacking ISPs, cloud services, and data centers.

ddos-bomb.png

Mysterious attackers have taken down a South African internet service provider over the weekend using a DDoS technique called carpet bombing, ZDNet has learned.

The DDoS attacks took place on Saturday and Sunday, September 21 and 22, and have targeted Cool Ideas, one of South Africa's largest ISPs.

During the DDoS, attackers successfully managed to bring down Cool Ideas' external connections to other ISPs, as can be seen from open-source reporting tools.

sa-ci-ddos.png

Image via ihr.iijlab.net

As a result of this attack, Cool Ideas customers experienced "intermittent connectivity loss and degraded performance" for any connection trying to access an international service or website, the company said on its public status page.

Attackers launched a follow-up attack

While Cool Ideas did not respond to a request for comment that ZDNet sent yesterday, Paul Butschi, Cool Ideas co-founder, told a local news outlet that the attackers kept an eye on how the ISP handled the attack and they reacted accordingly.

As soon as Cool Ideas managed to mitigate the first DDoS attack wave and announced it was slowly resuming service, another DDoS attack hit within minutes, taking down the ISP's systems once again.

In addition, Butschi revealed that this was the second major DDoS attack the provider faced, with another hitting the company on September 11.

sa-ci-ddos-three.png

Image via ioda.caida.org

Furthermore, earlier today, a fourth attack hit the ISP again. Unlike the first attacks, this one hit the ISP's website, rather than its network, ZDNet learned from a source who wanted to remain anonymous but provided evidence of the attack.

DNS+CLDAP amplification attacks, carpet bombing style

All the attacks that have hit Cool Ideas were so-called DDoS amplification attacks that leveraged the DNS and CLDAP protocols.

Hackers sent junk traffic to unpatched DNS and CLDAP servers, which, in turn, reflected traffic towards Cool Ideas' network at an amplified size -- hence the DDoS amplification attack term.

But what stood out was that the hackers didn't carry out a classic DDoS attack where they went after a key server in Cool Ideas' network.

Instead, they used a technique known as carpet bombing, where they sent the junk DDoS traffic to random IP addresses in Cool Ideas' network.

During a carpet bombing attack, everyone customer on Cool Ideas' network received some junk traffic. The junk traffic wasn't large enough to bring down each customer's connection; however, it was large enough to overwhelm the servers sitting at Cool Ideas' network border, which went down and eventually brought down the ISP's external connectivity as well.

Carpet bombing can bypass rudimentary DDoS mitigation

One might wonder why didn't attackers target Cool Ideas' edge servers directly, to begin with. The reason is quite simple -- because these systems were protected by DDoS mitigation solutions and would have sinkholed all the junk traffic before it could do any harm.

By aiming the DDoS attack at random IPs in Cool Ideas' IP address pool, the DDoS mitigation system didn't see a DDoS attack aimed at a particular target, but rather saw high levels of traffic heading to the thousands of the ISP's customers. Weird and abnormal, but not what a classic DDoS attack looks like.

As the DDoS traffic grew, the edge routers were slowly overwhelmed and eventually crashed, all while the DDoS mitigation solution failed to detect any attack.

In an interview with ZDNet, network security researcher Tucker Preston said that carpet bombing is a technique that's "predominately used against ISPs" and isn't usually used anywhere else.

"This technique frustrates rudimentary mitigation options such as black-hole routing while also evading flow-based detection," Preston told us.

DDoS attacks on ISPs aren't that hard to pull off

Furthermore, while one might think that bringing down an entire internet service provider is a rather hard task to pull off, the reality is that these attacks happen quite often.

For example, attacks on entire ISPs have happened before and have targeted ISPs in Liberia and Cambodia, just to name the most high-profile ones that ZDNet covered in previous reports. Both were also carpet bombing attacks.

"Generally these attacks are successful enough to cause network-wide service disruptions and prolonged slowdowns," Preston told ZDNet about some of the attacks he's seen targeting ISPs.

"Sometimes attacks are timed during peak browsing hours to frustrate users even more," he said. "Determined attackers do appear to be motivated to cause as much dissatisfaction as possible for the customer, resulting in losses for the provider as well as bad press."

Furthermore, attackers don't always need a big DDoS botnet to disrupt ISPs, nor do they need to constantly hammer a provider's network with junk traffic.

"Days-long attacks targeting ISPs aren't unheard of; however short bursts timed to disrupt service at peak hours can be equally as effective," Preston said. "The ubiquity of real-time applications such as VOIP and gaming means end-users expect a reliable connection free of packet loss."

But Preston also said that, nowadays, most ISPs have the tools to mitigate such attacks. For example, they can deploy the DOTS (DDoS Open Threat Signaling) protocol on DDoS mitigation platforms and work together to sinkhole bad traffic aimed at one of the participating members long before it reaches the target's network.

Furthermore, Preston also points out that solutions like BGP flowspec can also help ISPs prevent DDoS attacks that use the carpet bombing approach. [More on this topic in the video below -- a presentation on BGP flowspec by Charter security engineer Taylor Harris.]

The DDoS carpet bombing technique isn't something new. It's been documented for more than a decade. DDoS mitigation firm Netscout noted in a recent presentation that carpet bombing attacks have spiked in 2018.

Netscout researchers blamed the technique's rise in popularity on the proliferation in recent years of DDoS botnets and DDoS-for-hire services. Nowadays, the technique has become widely used, and is now often seen in attacks on big targets large enough to have their own AS number and IP address pools, such as ISPs, data centers, web hosting firms, cloud providers, or large company networks.

If any of these companies failed to invest in modern DDoS mitigation tools and protocols, they often suffer outages as a result. Until most of these companies do upgrade their protections, DDoS carpet bombing will still remain a present threat, even if there are many solutions to deal with this type of DDoS attack already.