Internet service providers in South Africa recently fell victim to large-scale distributed denial of service attacks (DDoS). Among the more prominent targets was Cool Ideas, a fibre ISP.
Cool Ideas has been the target of two attacks in the past month: the first on 11 September, and the second on 21 September. The second attack started on a Saturday. Heritage Day was that coming Tuesday, and many people would have taken the Monday off to turn it into a long weekend.
The attack on Cool Ideas continued throughout Sunday, and by Monday the ISP had been able to effectively mitigate the effects of the attack.
It was not the only South African ISP to be attacked that weekend. Atomic Access reported to MyBroadband that it had also been targeted. However, the attack on Cool Ideas was prominent enough to make international headlines.
ZDNet reported that Cool Ideas had been taken down using a “carpet bombing” attack, where the ISP’s individual customers were sent large quantities of garbage network traffic.
The traffic was not enough to flood the individual connections of Cool Ideas’ customers. However, the overall traffic on the network eventually added up to the point where the ISP’s core network infrastructure could no longer cope with the load.
This is in line with what Cool Ideas co-owner Paul Butschi told MyBroadband, who explained that there was no specific target and that the attack ranged across their whole IP address space.
It is a type of attack specifically used against organisations like Internet service providers with the aim of bringing down their whole network. Data centre operators, web hosting companies, and large corporate networks—anyone who runs their own pool of IP addresses—are also examples of potential targets of carpet bombing attacks.
Investment in modern DDoS protection
The ZDNet report went on to say that “carpet bombing” is nothing new, and said that companies which fail to invest in modern DDoS protection tools often suffer outages.
Cool Ideas disputed the implication, saying that it did have measures in place to detect and mitigate carpet bombing attacks. The company’s network engineers received timely alerts on 21 September that they were under attack and that their DDoS mitigation had kicked in.
The issue was the sheer size of the attack, Butschi said. He added that “blackholing” isn’t effective against carpet-bombing attacks as it results in the ISP killing off connectivity for lots of customers.
“You need to scrub carpet [bombing] attacks,” Butschi said.
Citing network security researcher Tucker Preston, the report suggested DDoS Open Threat Signaling and BGP Flowspec as methods to mitigate carpet bombing attacks.
Butschi also took the opportunity to correct the interpretation of a graph taken from the Internet Health Report.
The report stated that the graph shows the DDoS attack brought down Cool Ideas’ connections to other ISPs. However, Butschi said that it shows how they were announcing traffic via alternative up-stream providers to mitigate the DDoS attack, not that services went down.
DDoS on the Cool Ideas website?
Citing an anonymous source, the ZDNet report stated that Cool Ideas was the target of yet another DDoS attack the day after it mitigated the carpet bombing attack. This time, on its website.
According to the report, the source wanted to remain anonymous but provided evidence of the attack.
However, Butschi said that their website was not successfully attacked.
“They were using monitoring tools that are based internationally, so as we switch [route] advertisements, it shows our website as being offline,” he said.
DNS Amplification attack — Botnets and zombies
In the days following the attack, Cool Ideas took to using the metaphor of a zombie horde attacking and choking its network.
Butschi told MyBroadband that poorly configured “zombie” devices on the Internet were used to send a massive amount of “spoofed” traffic to their network.
DNS Amplification attacks, also referred to as DNS reflection, use improperly configured Domain Name System (DNS) servers to flood computers with network traffic.
Reflection attacks work by requesting information from a server on the Internet, but then tricking it to send its response to the target computer the attacker wants to flood.
DNS servers are a popular choice for such attacks, because they are critical Internet infrastructure designed to field millions of requests per second. They are also usually connected to high-bandwidth links to enable them to deal with large amounts of traffic.
Most importantly, attackers can often cause a DNS server to generate a response that is several times larger than their spoofed request. In other words, attackers use DNS servers to amplify their attack bandwidth.
In the case of Cool Ideas, DNS Amplification was used to greatly increase the effectiveness of the carpet bombing attack.
Butschi cautioned that it would be pure speculation to try and answer the question of who was behind the DDoS attack on Cool Ideas.
“There are many conspiracy theories around this,” he said. “It could be competitors, it could be the DDoS mitigators themselves.”