Surprise, surprise: distributed denial of service (DDoS) attacks are on the rise again, and attackers are getting more sophisticated in their approaches. In 2019, attackers not only weaponized a growing number of DDoS attack vectors but also modified existing ones, adding new variations. One big target: ISPs and satellite communications providers.
Data from the latest NETSCOUT Threat Intelligence Report (2H2019) shows that satellite communications alone saw a 295 percent increase in attack frequency. This is yet another jump in attacks on this particular vertical market segment, which had already seen a 255 percent jump in attack frequency from 2H2018 to 1H2019.
These significant increases likely stem from events such as the high-impact carpet-bombing attacks that targeted financial organizations in countries across Asia Minor and Europe late last year. Because satellite communications providers share large netblocks with customer organizations that lack IP space of their own, an attack that sweeps one of those netblocks hits the provider and every other tenant of the block, and the providers suffered significant collateral damage as a result.
New Methods Bypass Traditional Defenses
Carpet-bombing tactics are among those driving the expanded attack activity in vertical sectors such as satellite communications. Attackers are getting savvier, however: one technique is to combine carpet bombing with TCP reflection/amplification, making the combined tactic stronger than the sum of its parts. Attackers have also learned, through careful reconnaissance, to use the customer-facing services of well-protected targets such as ISPs as reflectors, amplifying attacks against specific enterprises and service providers. Combined with reconnaissance of the online business relationships between targeted organizations, these tactics strain defenders' ability to accurately detect, classify, trace back, and mitigate bespoke DDoS attacks.
TCP SYN attacks are nothing new, but they remain a logical first weapon because they are simple and because the growing population of unsecured Internet of Things (IoT) devices gives attackers the firepower to launch them. TCP reflection/amplification works by sending TCP SYN packets, with the source address spoofed to the victim's address, to servers on the internet; each server answers with a SYN/ACK addressed to the victim, and because the victim never completes the handshake, the server retransmits its SYN/ACK several times before giving up (on Linux the retransmission count is governed by net.ipv4.tcp_synack_retries). On most Linux-based servers the default behavior yields as many as three replies per spoofed SYN, an amplification factor of roughly 3:1 by packet count. Some internet devices, however, send thousands of replies to a single spoofed SYN, and a few never stop, continuing to send replies weeks or months after the attack. Two caveats for anyone measuring this: a victim that answers the unexpected SYN/ACK with a RST normally makes the server abort the half-open connection, so the retransmissions only pile up when that RST is dropped or filtered on the way back; and a server whose SYN backlog is full and is issuing SYN cookies keeps no per-connection state, sends a single SYN/ACK, and is therefore a 1:1 reflector rather than an amplifier.
Organizations with more sophisticated defense postures can usually stop plain TCP reflection/amplification attacks on their own, but adding carpet-bombing techniques to the mix changes the game. Instead of spoofing a single victim address, the attacker deliberately randomizes the least-significant octets of the spoofed source address in the SYN packets, so that the resulting stream of SYN/ACKs continuously sweeps across an entire CIDR block for the duration of the attack. Because no single host receives more than a small slice of the traffic, detection that thresholds on per-/32 destination rates tends not to fire, and mitigation that blackholes or diverts individual /32s cannot keep up; the aggregate has to be measured and acted on per prefix. Attackers began using this combination globally and widely in November 2019, once again likely thanks to the rapid-turnaround habits of the booter/stresser community.
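To make the detection problem concrete, here is an added example (my illustration, not NETSCOUT's code and not taken from the report) that runs two rules over constructed flow records for a 60-second window: a per-host (/32) threshold on reflected SYN/ACK packets, of the kind a basic anomaly rule uses, and a per-/24 threshold over the same traffic. The records, the reflector and victim addresses (drawn from the RFC 5737 documentation ranges), the three-replies-per-SYN ratio and the thresholds are all assumptions chosen for the demonstration. Reflected SYN/ACKs are identified as inbound SYN/ACK flows with no matching outbound SYN, which is only reliable when the collector sees both directions of traffic.

```python
"""Carpet-bombing TCP reflection: why per-host thresholds miss it.

Added illustration, not NETSCOUT's code. Flow records are constructed,
simplified NetFlow-style tuples covering one 60-second window:
    (direction, src_ip, src_port, dst_ip, dst_port, tcp_flags, packets)
where direction is "in" for traffic arriving at the defended network and
"out" for traffic leaving it.
"""
import ipaddress
from collections import defaultdict

SYN = 0x02          # TCP flag bits as found in the flags byte
ACK = 0x10
SYNACK = SYN | ACK


def build_sample_records():
    """Constructed sample window (assumed data): a little legitimate traffic
    plus a carpet-bombing reflection attack sweeping 192.0.2.0/24."""
    records = []
    # Legitimate: three hosts in 203.0.113.0/24 open one connection each and
    # receive exactly one SYN/ACK in reply.
    for i, server in enumerate(["93.184.216.34", "198.51.100.200", "198.51.100.201"]):
        client = f"203.0.113.{10 + i}"
        records.append(("out", client, 40000 + i, server, 443, SYN, 1))
        records.append(("in", server, 443, client, 40000 + i, SYNACK, 1))
    # Attack: 40 reflectors in 198.51.100.0/24 answer spoofed SYNs whose
    # source addresses sweep every host in 192.0.2.0/24. Each spoofed SYN
    # draws three SYN/ACKs (the 3:1 ratio assumed in the text), and none of
    # the victims ever sent a SYN.
    for last_octet in range(256):
        for r in range(40):
            reflector = f"198.51.100.{1 + r}"
            victim = f"192.0.2.{last_octet}"
            records.append(("in", reflector, 80, victim, 1024 + r, SYNACK, 3))
    return records


def is_synack(flags):
    return flags & SYNACK == SYNACK


def outbound_syns(records):
    """Set of (local_host, remote_host, remote_port) for SYNs we sent."""
    return {
        (src, dst, dport)
        for d, src, _sport, dst, dport, flags, _ in records
        if d == "out" and flags & SYN and not flags & ACK
    }


def unsolicited_synacks(records):
    """Inbound SYN/ACK flows with no matching outbound SYN: reflected traffic.
    Needs visibility of both directions; asymmetric routing breaks the match."""
    sent = outbound_syns(records)
    return [
        rec for rec in records
        if rec[0] == "in" and is_synack(rec[5]) and (rec[3], rec[1], rec[2]) not in sent
    ]


def packets_by_host(flows):
    counts = defaultdict(int)
    for _, _, _, dst, _, _, pkts in flows:
        counts[dst] += pkts
    return dict(counts)


def packets_by_prefix(flows, prefix_len=24):
    counts = defaultdict(int)
    for _, _, _, dst, _, _, pkts in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        counts[str(net)] += pkts
    return dict(counts)


def detect(records, host_threshold=500, prefix_threshold=10000, prefix_len=24):
    """Return (per_host_alerts, per_prefix_alerts) for one window.

    Thresholds are assumed values for the toy data; in production they come
    from a baseline of normal unsolicited-SYN/ACK volume per host and prefix.
    """
    flows = unsolicited_synacks(records)
    host_alerts = {h: n for h, n in packets_by_host(flows).items() if n >= host_threshold}
    prefix_alerts = {p: n for p, n in packets_by_prefix(flows, prefix_len).items()
                     if n >= prefix_threshold}
    return host_alerts, prefix_alerts


if __name__ == "__main__":
    hosts, prefixes = detect(build_sample_records())
    print("per-host alerts:", hosts)      # {}: every victim sees only 120 packets
    print("per-/24 alerts:", prefixes)    # {'192.0.2.0/24': 30720}
```

The same 30,720 reflected packets aimed at one host would trip the per-host rule immediately; spread over 256 hosts, each sees 120 packets and the per-/32 rule stays silent while the per-/24 aggregate is unmistakable. The unsolicited-SYN/ACK filter is what separates reflected traffic from replies to connections the defended network actually opened, so it is worth keeping even when the volume alone would be enough to alert.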
How many devices are vulnerable? Pinpointing the number is difficult, since virtually every device offering a TCP-based service (HTTP/HTTPS, SSH, and so on) can potentially be used as a TCP reflector/amplifier. It is safe to say, however, that the population of abusable TCP-enabled nodes is well in excess of 1 billion devices, and growing.
Increasingly under attack, satellite communications companies and ISPs must stay vigilant and keep improving their security and risk posture. Measures ranging from simple ones, such as patching, to a deep dive into their own network architecture and traffic flows can help these companies detect, respond to, and defend against DDoS attacks more effectively.
To learn more about the key issues and trends facing satellite operators and service provider security teams, download the NETSCOUT Threat Intelligence Report.
Hildebrand is a senior strategic marketing writer at NETSCOUT.