A novel distributed denial-of-service (DDoS) attack pattern has emerged that targets internet service providers (ISPs); researchers have dubbed it the bit-and-piece “Mongol” attack.
The approach spreads junk traffic across large numbers of IP addresses in order to evade detection, according to Nexusguard’s Q3 2018 Threat Report. The attackers inject small amounts of junk into the legitimate traffic flowing from each IP; because there is so little of it per address, it stays below per-IP detection thresholds. The goal is to reach enough collective volume for a DDoS attack by contaminating several pools of IP addresses across hundreds of IP prefixes (Nexusguard found at least 527 Class C networks impacted in the third quarter alone).
“Perpetrators are using smaller, bit-and-piece methods to inject junk into legitimate traffic, causing attacks to bypass detection rather than sounding alarms with large, obvious attack spikes,” said Juniman Kasman, CTO for Nexusguard. “Diffused traffic can cause communications service providers to easily miss large-scale DDoS attacks in the making.”
Nexusguard found that another result of this tactic was a steep decline in the year-over-year average attack size in the quarter – it fell by 82 percent.
According to Nexusguard, this threat vector involves a large amount of reconnaissance, hence the “Mongol” moniker.
“Mongol military tactics enabled the Mongol Empire to conquer nearly all of continental Asia, the Middle East, and parts of eastern Europe during the 13th and 14th centuries,” according to the report. “Highly agile and mobile, horse-riding Mongol soldiers were often sent on scouting missions to gather intelligence about routes and search for terrain most suited to their preferred combat tactics.”
Similarly, Nexusguard analysts believe that attackers using the new diffused traffic method conduct extensive reconnaissance missions to map out the network landscape and identify vulnerable IP address ranges.
“In the past, attackers tended to zero in on a small number of high-traffic IPs to cause congestion,” the firm noted in the report. “This sophisticated tactic leads us to believe that such intelligence might be coming from insiders with knowledge of those IP prefixes that are most vulnerable to DDoS attacks.”
By targeting the specific IP prefix that an internet provider uses to anchor subscribers’ IP addresses – these prefixes are unique to each ISP – the perpetrators are able to thwart traditional ISP-level defensive tactics. Diverting polluted streams to a cleaning site or simply taking them offline (commonly known as black-holing) becomes challenging in this case; black-holing all traffic to an entire IP prefix will also block access to a wide range of legitimate services, Nexusguard explained.
“Mitigating broadly distributed, small-sized attack traffic is more difficult at the CSP level, in comparison to the traditional volumetric attack method on a small number of targeted IPs,” according to the report. “The convergence of polluted traffic that slips through the ‘clean pipes’ of upstream ISPs forms a massive traffic flow that easily exceeds the capacity of mitigation devices, leading to high latency at best, deadlock at worst.”
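The detection problem described above, as an added example that is not from the article or from Nexusguard: a toy flow analyser that applies a per-IP byte threshold (which the bit-and-piece traffic stays under) and then re-aggregates the same flows by /24 prefix against a per-prefix baseline, which is where the diffused junk becomes visible. The addresses, byte counts, thresholds and baselines are all constructed for illustration; the prefix length and the 3× baseline multiplier are assumptions, not values from the report.

```python
"""Per-IP versus per-prefix detection of diffused junk traffic (added example)."""
import ipaddress
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records as (source IP, bytes sent in the window).

    200 addresses in 203.0.113.0/24 each send 4,000 bytes of junk (constructed
    attack traffic); 20 addresses in 198.51.100.0/24 send ordinary traffic.
    """
    flows = []
    for host in range(1, 201):
        flows.append((f"203.0.113.{host}", 4000))
    for host in range(1, 21):
        flows.append((f"198.51.100.{host}", 6000))
    return flows


SAMPLE_FLOWS = build_sample_flows()

# Constructed per-prefix baselines (bytes per window observed on a normal day).
BASELINES = {
    "203.0.113.0/24": 100_000,
    "198.51.100.0/24": 100_000,
}


def per_ip_alerts(flows, threshold):
    """Classic per-address check: return IPs whose volume exceeds the threshold."""
    volume = defaultdict(int)
    for ip, nbytes in flows:
        volume[ip] += nbytes
    return sorted(ip for ip, total in volume.items() if total > threshold)


def prefix_of(ip, prefix_len=24):
    """Map an address to its enclosing prefix, e.g. 203.0.113.7 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))


def per_prefix_volume(flows, prefix_len=24):
    """Aggregate bytes by prefix so many small senders add up."""
    volume = defaultdict(int)
    for ip, nbytes in flows:
        volume[prefix_of(ip, prefix_len)] += nbytes
    return dict(volume)


def prefix_alerts(flows, baselines, multiplier=3.0, prefix_len=24):
    """Return prefixes whose aggregate volume exceeds `multiplier` times baseline.

    Prefixes with no baseline are skipped rather than guessed at.
    """
    alerts = []
    for prefix, total in per_prefix_volume(flows, prefix_len).items():
        baseline = baselines.get(prefix)
        if baseline is not None and total > multiplier * baseline:
            alerts.append(prefix)
    return sorted(alerts)


if __name__ == "__main__":
    # No single address trips a 10,000-byte threshold ...
    print("per-IP alerts:", per_ip_alerts(SAMPLE_FLOWS, 10_000))
    # ... but the contaminated /24 carries eight times its baseline.
    print("per-prefix volume:", per_prefix_volume(SAMPLE_FLOWS))
    print("per-prefix alerts:", prefix_alerts(SAMPLE_FLOWS, BASELINES))
```

The per-prefix alert is only the first half of the response: the same aggregation shows why black-holing the flagged /24 is costly, since the alert fires on the prefix as a whole while the individual benign addresses inside it look no different from the junk senders at this granularity. In a real deployment the baselines would be learned per prefix over time rather than hard-coded.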
These “bit-and-piece” attacks also often dovetailed with a more tried-and-true method: the use of open domain name system (DNS) resolvers for amplification. Attackers use publicly accessible open DNS servers to flood a target with DNS response traffic. The attacker sends a DNS name lookup request to an open DNS server with the source address spoofed to the target’s address, so the server’s response is delivered to the target instead of the attacker. Because the response is considerably larger than the request, the attacker multiplies the amount of traffic directed at the victim.
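The reflection mechanism described above has a detectable signature on the victim's side: DNS responses arriving for a host that never sent a matching query. As an added example (not from the article or from Nexusguard), the following flow analyser pairs outbound queries with inbound responses per internal host and flags hosts receiving unsolicited response volume. The internal network, resolver addresses, packet sizes and the 10,000-byte alert threshold are constructed assumptions.

```python
"""Flag hosts receiving unsolicited DNS responses (added example)."""
import ipaddress
from collections import defaultdict

# Constructed: the monitored network whose hosts could be reflection victims.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def build_sample_records():
    """Constructed flow records as (src_ip, src_port, dst_ip, dst_port, bytes)."""
    recs = []
    # A normal lookup: an internal client queries a resolver and gets an answer.
    recs.append(("192.0.2.20", 51000, "198.51.100.1", 53, 64))
    recs.append(("198.51.100.1", 53, "192.0.2.20", 51000, 220))
    # Reflected traffic: large responses reach 192.0.2.10 from two resolvers it
    # never queried; the spoofed queries left from elsewhere and are not seen here.
    for resolver in ("198.51.100.2", "198.51.100.3"):
        for _ in range(5):
            recs.append((resolver, 53, "192.0.2.10", 40000, 3000))
    return recs


SAMPLE_RECORDS = build_sample_records()


def summarize_dns(records, internal_net):
    """Per internal host: query bytes sent, response bytes received, and the
    share of responses that came from resolvers the host never queried."""
    queried = set()  # (internal host, resolver) pairs with an observed query
    stats = defaultdict(lambda: {
        "query_bytes": 0,
        "response_bytes": 0,
        "unsolicited_bytes": 0,
        "unsolicited_resolvers": set(),
    })
    # Pass 1: record which hosts actually asked which resolvers.
    for src, _sport, dst, dport, nbytes in records:
        if dport == 53 and ipaddress.ip_address(src) in internal_net:
            queried.add((src, dst))
            stats[src]["query_bytes"] += nbytes
    # Pass 2: attribute inbound responses; unmatched ones are unsolicited.
    for src, sport, dst, _dport, nbytes in records:
        if sport == 53 and ipaddress.ip_address(dst) in internal_net:
            stats[dst]["response_bytes"] += nbytes
            if (dst, src) not in queried:
                stats[dst]["unsolicited_bytes"] += nbytes
                stats[dst]["unsolicited_resolvers"].add(src)
    return dict(stats)


def amplification_victims(records, internal_net, min_unsolicited_bytes=10_000):
    """Hosts whose unsolicited DNS response volume crosses the alert threshold."""
    summary = summarize_dns(records, internal_net)
    return sorted(host for host, s in summary.items()
                  if s["unsolicited_bytes"] >= min_unsolicited_bytes)


if __name__ == "__main__":
    for host, s in summarize_dns(SAMPLE_RECORDS, INTERNAL_NET).items():
        print(host, s["query_bytes"], s["response_bytes"], s["unsolicited_bytes"],
              sorted(s["unsolicited_resolvers"]))
    print("victims:", amplification_victims(SAMPLE_RECORDS, INTERNAL_NET))
```

Two caveats for real use: the query-to-response pairing has to work over a sliding window rather than a single batch, or a legitimate query that left just before the window opens will make its answer look unsolicited; and the ratio of inbound response bytes to outbound query bytes for a flagged host is a direct measure of the amplification the passage describes.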
The report found that ISPs were the most popular DDoS target in the quarter, accounting for 65.5 percent of all attacks observed.