Reflection attacks are nothing new, having been around since the early 2000s. But there was some recent activity where we saw disparate customers, running disparate services, all attacked within a few days of each other with the same attack vectors, differing only in the size and duration of the attack. Customers ranged from:
- Gaming datacenter in Taiwan
- A BPO in Manila
- An ISP from Ontario
- A cloud hosting provider in London UK
All these customers suffered an amplification attack using UDP source ports 53 and 389, as well as UDP source port 0 (the trailing fragments of a large response, which carry no UDP header). A typical ratio of source ports in these attacks looked like this:
Fig 1. Source Ports involved in a recent DNS/CLDAP reflection Attack
It got me thinking: why was this strategy employed against a subset of customers that had nothing in common with each other? Was there a fire sale going on at one of the booter/stresser sites?
I decided to see what other commonalities existed in the various attacks and reviewed the flow records generated by these attacks. It turned out that all these recent attacks shared a significant amount of the same IP ranges. A breakdown of the top networks involved in just the last 2 days for a disparate set of customers can be seen in the following graphs:
Fig 2. Top Networks by Data Transfer
Fig 3. Top Networks by Source Address counts
While these attacks were trivial for us to mitigate, they did generate a fair amount of bandwidth, with peaks in excess of 300 Gb/s. There were no real surprises in which networks were involved, although it was disappointing to see CLDAP continue to be a problem in the Microsoft (AS8075) network, even after some of our industry peers (e.g. Akamai) identified it as a problem as far back as 2016. Also surprising was the amount of bandwidth seen from AS8075, given a much smaller set of reflecting servers than some of the other networks.
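To show how flow records can be reviewed the way described above, here is an added example (not DOSarrest's code or the tooling behind the figures): it flags UDP flows whose source port is 53, 389 or 0 and whose packets are large enough to be reflected responses rather than ordinary lookups, then summarises them by source port and by source /24, as in Figs 1 to 3. The flow tuple layout, the 512-byte threshold and the sample flows are all assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Source ports seen in the attacks: DNS, CLDAP, and port 0 for trailing fragments.
REFLECTION_PORTS = {53: "dns", 389: "cldap", 0: "fragment"}
MIN_AVG_BYTES = 512  # assumed: a normal DNS/CLDAP reply fits in a small datagram


def classify_flow(proto, src_port, bytes_, packets):
    """Label a flow as dns/cldap/fragment reflection traffic, or None if it is not."""
    if proto != 17:  # only UDP is reflected this way
        return None
    label = REFLECTION_PORTS.get(src_port)
    if label is None:
        return None
    # Fragments have no size check: port 0 means no UDP header at all.
    if label != "fragment" and bytes_ / max(packets, 1) < MIN_AVG_BYTES:
        return None
    return label


def summarise(flows):
    """Return (share of bytes per label, /24s by bytes, /24s by distinct source count)."""
    by_label, net_bytes, net_sources = Counter(), Counter(), defaultdict(set)
    for src_ip, proto, src_port, bytes_, packets in flows:
        label = classify_flow(proto, src_port, bytes_, packets)
        if label is None:
            continue
        by_label[label] += bytes_
        net = str(ip_network(f"{src_ip}/24", strict=False))
        net_bytes[net] += bytes_
        net_sources[net].add(src_ip)
    total = sum(by_label.values())
    share = {k: round(v / total, 3) for k, v in by_label.items()} if total else {}
    by_sources = sorted(((n, len(s)) for n, s in net_sources.items()),
                        key=lambda item: (-item[1], item[0]))
    return share, net_bytes.most_common(), by_sources


# Constructed sample flows: (src_ip, proto, src_port, bytes, packets)
SAMPLE_FLOWS = [
    ("192.0.2.10", 17, 53, 3000, 2),      # large DNS response (reflected)
    ("192.0.2.11", 17, 53, 2800, 2),
    ("192.0.2.12", 17, 0, 1400, 1),       # trailing fragment of a big response
    ("192.0.2.13", 17, 0, 1200, 1),
    ("198.51.100.5", 17, 389, 6000, 4),   # CLDAP responses
    ("198.51.100.6", 17, 389, 6000, 4),
    ("198.51.100.7", 17, 389, 6000, 4),
    ("203.0.113.2", 17, 53, 120, 1),      # ordinary small DNS reply, ignored
    ("203.0.113.3", 6, 443, 5000, 10),    # TCP, ignored
]

if __name__ == "__main__":
    for part in summarise(SAMPLE_FLOWS):
        print(part)
```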
Identifying and blocking connections from these sources is fairly simple; having the capacity is another matter. Most datacenters and Tier 2 ISPs would not be able to absorb 250+ Gb/s of a reflection attack. Given the capability and popularity of this latest reflection network, it would be wise for CIOs/CSOs to put a game plan in place for dealing with it, sooner rather than later.
Not all of our customers use our DDoS protection to mitigate attacks against their infrastructure; some choose instead to develop their own strategy using our traffic analysis service to see where traffic is transiting their networks, as in the displays shown in this article.
Should you wish to see the actual IPs involved in the above described attacks you can find them here.
If you have any questions, feel free to ping us for a free consultation on options and best practices for your network.
DOSarrest Internet Security