
Venezuela’s Election as seen in Cyberspace

by Max Resing on

Summary

Last Sunday, on July 28, Venezuela held its presidential elections. The acting president declared victory, while the opposition claims otherwise and calls for support. Shortly after the declaration of victory, news outlets reported widespread protests across Venezuela. Most of the news reporting focuses on the turbulent situation in the streets, but ASERT could see the conflict spilling into the digital space.

Increased Internet Traffic Volume

Our first observation of activity peaking in Venezuela came from an increase in internet traffic volume flowing into the country. Figure 1 shows the internet traffic patterns of the past 10 days. On July 29, the day after the election, traffic increased in volume - an additional 109 Gbps of ingress traffic representing a 16% surge compared to the previous day.

Tenfold Increase on DDoS Attack Counts

The surge in traffic and the protests prompted us to examine DDoS attacks across the country. For the past two years, we’ve witnessed DDoS attacks as a form of protest or political activism in the digital space and expected the same in Venezuela. True to current trends, we observed a tenfold increase in DDoS attacks on July 29. The spike in DDoS attacks (Figure 2) is at least partially responsible for the overall traffic increase seen in Figure 1.

The attacks that we noticed were all UDP-based reflection/amplification attacks. Ninety percent of the attacks used DNS reflection/amplification (Figure 3), reflecting an upward trend in this vector across LATAM. This vector requires a resilient DDoS mitigation system to scrub the traffic, as alternative techniques like Flowspec, a mechanism for rapidly propagating access-control lists (ACLs) across networks using BGP, are insufficient to counter these attacks.

None of the DDoS attacks observed the day after the elections were very high in bits-per-second (BPS) or packets-per-second (PPS). Instead, it appears as though the attackers preferred attack frequency over impact volume. Looking at Figures 4 and 5, it was actually in the weeks leading up to the election that BPS and PPS rates soared higher. It's also important to know that DDoS attacks are often overkill. Even a small amount of traffic, sent at the right time at an unprepared target, can result in network outages.

Carpet-Bombing DDoS Attacks Observed

Nearly every attack against Venezuela on the days in question targeted a single telecommunications provider. Within the telco's network, two distinct /24 CIDR blocks were targeted simultaneously. We call this Carpet-Bombing DDoS, a DDoS attack targeting methodology that directs attack traffic broadly across the network topology. Based on a cursory review of the political landscape, we determined that the party claiming victory in the Venezuelan election hosts their infrastructure in the same targeted telco network.
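The following detection sketch is an added example, not ASERT's code or tooling. It aggregates DNS reflection traffic (UDP responses with source port 53) per destination /24 rather than per host, which is how a carpet-bombing pattern like the one described above becomes visible. The flow tuple format, the thresholds, and the sample addresses (IPv4 documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

WINDOW_S = 60             # length of the aggregation window in seconds
HOST_BPS = 1_000_000      # assumed per-host alert threshold
PREFIX_BPS = 50_000_000   # assumed per-/24 alert threshold
MIN_HOSTS = 64            # assumed minimum number of distinct targets in a /24

def build_sample_flows():
    """Constructed flow summaries: (protocol, source port, dst IP, bytes)."""
    flows = []
    # DNS responses spread thinly over every host of two /24 blocks.
    for prefix in ("198.51.100.", "203.0.113."):
        for host in range(1, 201):
            flows.append(("udp", 53, f"{prefix}{host}", 3_000_000))
    # Ordinary DNS answers to one host, plus unrelated TCP traffic.
    flows.append(("udp", 53, "192.0.2.10", 4_000_000))
    flows.append(("tcp", 443, "192.0.2.20", 900_000_000))
    return flows

def detect_carpet_bombing(flows, window_s=WINDOW_S):
    """Return /24 prefixes whose aggregate DNS-response rate is anomalous."""
    per_host = defaultdict(int)
    for proto, sport, dst, nbytes in flows:
        if proto == "udp" and sport == 53:   # reflected DNS responses
            per_host[ipaddress.ip_address(dst)] += nbytes
    per_prefix = defaultdict(dict)
    for ip, nbytes in per_host.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        per_prefix[net][ip] = nbytes * 8 / window_s   # bits per second
    findings = []
    for net, hosts in sorted(per_prefix.items()):
        total = sum(hosts.values())
        if total >= PREFIX_BPS and len(hosts) >= MIN_HOSTS:
            over = sum(bps >= HOST_BPS for bps in hosts.values())
            findings.append({"prefix": str(net), "total_bps": total,
                             "hosts": len(hosts), "hosts_over_host_threshold": over})
    return findings

if __name__ == "__main__":
    for finding in detect_carpet_bombing(build_sample_flows()):
        print(finding)
```

In the constructed data each targeted host receives only 400 kbps, so no per-host alert fires, while each /24 receives 80 Mbps in aggregate.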

Conclusion

ASERT observed an unusual growth of internet ingress traffic the day after the Venezuelan elections. We could see real-world protests continue into the digital networks within Venezuela, resulting in a huge surge of DNS reflection/amplification attacks against the networks hosting one of the political parties' public-facing web properties. This kind of activity happens all the time in countries all around the world and is why DDoS Protection Solutions are a requirement to ensure digital security.
