A number of South African Internet Service Providers (ISPs) have been targeted by Distributed Denial of Service (DDoS) attacks over the past few weeks, with the latest victim being Cybersmart.
Cybersmart customers experienced intermittent issues from 19-22 October as attackers attempted to bring down the ISP’s network with a series of complex attacks.
In a communication to customers, Cybersmart said that the large-scale DDoS attack affected customer connectivity as well as the functionality of its support desk.
“There has been a significant increase in DDoS attacks on South African ISPs over the past few weeks,” the ISP told its customers.
“We continue to work hard to mitigate against these types of attacks, as well as reduce our response time in these scenarios.”
An unprecedented attack
Speaking to MyBroadband about the recent spate of DDoS attacks conducted against ISPs, Cybersmart CTO Laurie Fialkov said he suspects that someone is targeting local service providers.
“We have for a long time suspected there is a person or organization targeting ISPs in South Africa,” Fialkov said.
Cybersmart had extensive DDoS mitigation in place which had worked well previously, but the attackers who targeted the ISP were particularly adept.
“This industry is ever-evolving for both the good and the bad, and this weekend we were introduced to some really good bad guys who initiated this attack against us and taught us a thing or two,” Fialkov said.
“What made it even more tricky for us is that weekend there was a lot of maintenance scheduled by third-party providers on national links which ran way over the advertised maintenance windows, so when the DDoS happened, which manifested in occasional 20- to 30-second breaks in service, we suspected it was related to the maintenance that was being done.”
Cybersmart subsequently spent a few hours looking in the wrong place for the source of the disruption before it realised it was under attack.
The first attack was one the ISP had seen before, where a few machines on the network are targeted with the aim of saturating one or more links. This can be mitigated by “blackholing” the machines being attacked.
“Not to be outdone, a new attack happened late morning on Sunday,” Fialkov said. “This was an attack we had never seen before.”
“Unlike the previous attack, which targeted a specific set of IPs, this attack targeted thousands of IPs within our IP range, with the aim not to saturate the bandwidth but rather to overwhelm the processor on the targets. It does not take an extreme amount of malformed packets to overwhelm an FTTH router.”
The attack disrupted the ISP’s helpdesk and VoIP services, which resulted in clients being unable to get hold of support staff.
This attack was also eventually mitigated. A DNS amplification attack followed shortly afterwards, which Cybersmart mitigated almost immediately, and the ISP seems to have earned some respite from its besiegers.
This recent spate of attacks follows DDoS attacks on Cool Ideas and other ISPs that interrupted service delivery.
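The two attack shapes described above look different in flow data: a flood aimed at a few hosts fills the link, while a flood spread across thousands of addresses pushes each host past its packet budget without filling the link. The sketch below is an added example, not code from Cybersmart or MyBroadband; the thresholds, the 198.18.0.0/16 prefix and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# All thresholds are illustrative assumptions, not figures from the article.
LINK_BPS = 10_000_000_000   # capacity of the monitored upstream link
SATURATION = 0.8            # share of LINK_BPS treated as saturation
HOST_PPS_LIMIT = 5_000      # inbound packets/s one customer router is assumed to cope with
SPREAD_HOSTS = 1_000        # hosts over that limit that indicate a spread attack

def classify_window(flows, prefix, seconds):
    """Classify one window of (dst_ip, packets, bytes) flow records."""
    net = ip_network(prefix)
    pkts, octets = defaultdict(int), defaultdict(int)
    for dst, p, b in flows:
        if ip_address(dst) in net:          # only our own address space
            pkts[dst] += p
            octets[dst] += b
    total = sum(octets.values())
    bps = total * 8 / seconds
    if bps >= SATURATION * LINK_BPS:
        # Few-target flood: smallest set of hosts carrying 90% of the bytes,
        # i.e. the candidates for blackholing.
        targets, acc = [], 0
        for dst in sorted(octets, key=octets.get, reverse=True):
            targets.append(dst)
            acc += octets[dst]
            if acc >= 0.9 * total:
                break
        return {"kind": "link-saturation", "targets": targets, "bps": bps}
    hot = [d for d, p in pkts.items() if p / seconds > HOST_PPS_LIMIT]
    if len(hot) >= SPREAD_HOSTS:
        # Many hosts each over their packet budget while the link is not full.
        return {"kind": "cpu-exhaustion", "targets": hot, "bps": bps}
    return {"kind": "normal", "targets": [], "bps": bps}

def host(i):
    """Constructed address inside the sample prefix 198.18.0.0/16."""
    return f"198.18.{i // 250}.{i % 250 + 1}"

# Constructed 10-second samples (not captured traffic).
BACKGROUND = [(host(i), 200, 150_000) for i in range(500)]
FEW_TARGETS = BACKGROUND + [(host(i), 2_500_000, 3_500_000_000) for i in range(3)]
MANY_TARGETS = [(host(i), 60_000, 3_840_000) for i in range(2_000)]

if __name__ == "__main__":
    for name, sample in [("background", BACKGROUND), ("few", FEW_TARGETS), ("many", MANY_TARGETS)]:
        r = classify_window(sample, "198.18.0.0/16", 10)
        print(name, r["kind"], len(r["targets"]), f"{r['bps'] / 1e9:.2f} Gbps")
```

A per-link bandwidth alarm alone would miss the second sample, which is why the per-host packet rate is tracked separately.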
Cool Ideas customers suffered major connectivity issues, especially when attempting to access international servers.
Supporting Fialkov’s suspicion, Cool Ideas co-founder Paul Butschi also said that this DDoS attack was targeted at the ISP.
“This was very much a targeted attack on our network. The volume of the attack was a magnitude of four times larger than before,” he said.
Atomic Access also contacted MyBroadband, stating they suffered under the same DDoS attack as Cool Ideas.
Supersonic managing director Calvin Collet stated at the 2019 MyBroadband Conference that the MTN-owned ISP had also been targeted, although it had managed to mitigate the worst of the effects.
It is impossible to determine which organisation or individual might be targeting South African ISPs, or what their aim is in disrupting local Internet networks.