Assault on RSAWEB – A week of DDoS attacks
RSAWEB has joined the ranks of South African Internet service providers that have been targeted with sustained distributed denial of service (DDoS) attacks.
The attacks on RSAWEB’s network started on 21 October and have not let up. These impacted network performance and caused degraded connectivity for RSAWEB’s enterprise, consumer, and mobile subscribers.
RSAWEB reported three days later that it mitigated the DDoS it was experiencing, but added that the attacks did not let up despite this.
“The issue started last Monday. We are still seeing intermittent traffic attempting to exploit any vulnerabilities; however, we feel we have mitigated these issues,” RSAWEB CEO Mark Slingsby told MyBroadband.
Slingsby described the nature of the attack as somewhat unusual.
“We saw large short bursts with high volume small size packets targeting DNS, LDAP, and UPnP services,” said Slingsby.
“What was interesting is we were seeing source traffic from local peers inside SA, which is not typically the case.”
Mutating attack
A distributed denial of service attack uses an army of compromised devices to send a flood of network traffic at other devices on the Internet.
If the flood of traffic is able to overwhelm a device, it can’t respond to legitimate requests and appears offline to anyone on the Internet trying to reach it.
When the target computer is a web server or critical network infrastructure, DDoS attacks can cause an outage.
Much like other Internet service providers and South African banks, RSAWEB cannot determine the true source of the attack.
“Our systems registered short bursts from 4 to 25 gigabits per second (Gbps) on Wednesday and sustained attacks of 4-6 Gbps for 10 minutes at a time in 30-minute intervals,” Slingsby told MyBroadband.
“The attack adjusted and changed pattern a few times coming into our network at different routing points from multiple source networks. We saw high volumes of bandwidth from compromised hosting vendors in Europe.”
Poorly configured MikroTik routers may be to blame
When the large-scale DDoS attack on Cool Ideas happened in September, MyBroadband received information that misconfigured routers installed at people’s houses were a big source of attack traffic.
MikroTik routers are a major culprit in DNS amplification attacks. This is not because there is anything inherently insecure about MikroTik, but because it is a router aimed at advanced users and is easy to misconfigure if you don’t know what you’re doing.
“We also suspect insecure MikroTik routers were utilised in the attack due to the default settings on the DNS service being insecure,” stated Slingsby.
He explained that when you enable the DNS service on a MikroTik router, it runs a recursive DNS cache on all interfaces.
“There is no default configuration to block it being utilised for DNS amplification attacks,” he said.
“With MikroTik routers being extremely popular worldwide, this has allowed attackers to quickly and easily build up an army to attack any network of their choice.”
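As an added example, not taken from the article or from MikroTik, the following RouterOS terminal session shows the resolver setting Slingsby describes beside the firewall filter that keeps it answering only the LAN. The interface name ether1 (upstream), the bridge interface (LAN) and the list name WAN are assumptions.

```routeros
# Added example (not from the article or MikroTik). Assumed names:
# ether1 = upstream (Internet-facing) port, bridge = the home LAN.

# --- The exposed state described in the article ---
# With remote requests allowed, the router answers DNS queries on every
# interface it has an address on, the Internet-facing one included,
# unless a firewall rule says otherwise.
/ip dns set allow-remote-requests=yes

# --- Hardened state: keep serving the LAN, stop serving the Internet ---
# Put the upstream port in an interface list so the rules below do not
# depend on one interface name.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# Rules in the input chain are evaluated top to bottom. If an existing
# rule already accepts all input traffic, move these above it with
# /ip firewall filter move.
# 1. Replies to the router's own upstream lookups must still get in.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="replies to router's own traffic"
# 2. Refuse new DNS requests arriving from the Internet, UDP and TCP.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="no DNS from Internet"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="no DNS from Internet"
# LAN clients behind the bridge are unaffected: their packets never
# arrive through an interface in the WAN list.

# --- Verify ---
# Rising counters on the two drop rules, while LAN clients still resolve
# names, show the resolver is no longer reachable from outside.
/ip firewall filter print stats where comment="no DNS from Internet"
```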