DDoS reflection/amplification attacks disrupting ISP networks

Attacks being used by gamers to settle disputes and by people with rudimentary hacking skills to target companies

Reflection/amplification distributed denial of service (DDoS) attacks have now become so large that entire ISP networks are getting disrupted, says a networking security expert.

Arbor Networks senior security engineering & response team (ASERT) analyst Roland Dobbins told Computerworld Australia that DDoS attacks are being used by gamers to settle disputes and by people with rudimentary hacking skills to target companies.

“The main characteristic of these attacks is that they are huge. The biggest one we have seen so far was 400Gb/s. Because these attacks are so large, they fill up the pipes of Internet service providers [ISPs], the peering and transit links,” he said.

According to Dobbins, the attacks are possible because many ISPs and enterprise networks have not implemented universal anti spoofing measures.

“The way these [DDoS] attacks work is that the attacker will try to get control of a computer on a network that does not enforce IP source validation. [The attacker] spoofs the IP address of his target and sends a bunch of queries to a misconfigured server.”

The misconfigured server answers these queries and “pummels” the target of the attack with unsolicited responses, he said.

“It’s as if I called up 20 pizza parlours in Sydney, pretended to be someone else and ordered a lot of large pizzas to be delivered to that person.”

The largest reflection/amplification DDoS attack recorded in Australia by Arbor Networks staff was 62Gb/s, he said. The attack, which took place in early 2014, appeared to be triggered by an online gaming dispute.

“Since October 2013, there has been an explosion in these attacks that online gamers use. One player gets a grudge against another and decides to be unsportsman like and resort to a DDoS attack. It’s like using a nuclear weapon to solve a playground dispute,” he said.

Dobbins had three tips for ISPs to avoid reflection/amplification DDoS attacks. The first was that ISPs should enforce anti-spoofing or source address validation at the edges of their network.

“The second thing they [ISPs] can do is make sure they utilise flow telemetry analysis from routers and switches. This provides real time visibility into network traffic. When these attack floods traverse their network, they can detect it and trace it back [to the source] immediately,” he said.

“The third thing they need to do is implement reaction and mitigation mechanisms. One of these is called an intelligent DDoS mitigation system [IDMS].”

“If they have these reaction and mitigation tools to deal with this attack traffic, they will be in a much better position to deal with these events and minimise disruption,” said Dobbins.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU, or take part in the Computerworld conversation on LinkedIn: Computerworld Australia

Join the Computerworld newsletter!

Error: Please check your email address.

Tags DDoS attacksarbor networksdistributed denial of service (DDoS)internet securityinternet service providers (ISPs)

More about Arbor NetworksGartnerRoland

Show Comments

Market Place