Afrihost, Axxess, and Webafrica informed subscribers on Monday morning that they may experience intermittent connectivity.
Webafrica stated in its network status notice, published just after 08:00, that another distributed denial of service (DDoS) attack affecting its network has been discovered and is being investigated.
The network status notices from Afrihost and Axxess indicate that it is not only end-user connectivity that is affected, but network performance in its hosting environments as well.
This latest attack comes after a massive DDoS attack measuring over 100Gbps brought the three Internet service providers to their knees on Sunday.
Liquid Telecom told MyBroadband that the original attack, which started around 15:39 on Sunday afternoon, was aimed at one of its clients. The company declined to name the client.
At 22:40 last night, Liquid Telecom told MyBroadband that the attack had been mitigated. It continued to monitor the incoming traffic, as attackers can sometimes mutate their attack and continue their barrage.
Webafrica reported that there was another attack around midnight, but that it was mitigated within 10 minutes. Eight hours later, a new assault had started.
“The attack, which relates to a specific customer, is re-occurring sporadically and our Cyber Response team is actively responding to each attack whilst also proactively managing the situation,” Liquid Telecom told MyBroadband.
Afrihost, Axxess, and Webafrica all use an upstream service provider called Echo Service Provider. Webafrica migrated to Echo earlier this year.
On Sunday night, Afrihost CEO Gian Visser said that the DDoS attack did not appear to be specific to Echo or Afrihost.
Distributed denial of service attack
A distributed denial of service attack is when an army of slave devices are used to send a flood of network traffic to other devices on the Internet. If the flood of bogus traffic is able to overwhelm a device, it can’t respond to legitimate requests and appears offline to anyone on the Internet trying to reach it.
When the target computer is a web server or critical network infrastructure, DDoS attacks can cause an outage like the one Afrihost, Axxess, and Webafrica clients are experiencing.
Attackers use several strategies to amplify the effectiveness of their DDoS attacks. DNS Amplification, also referred to as DNS reflection, is one popular strategy.
Reflection attacks work by requesting information from a server on the Internet, but then tricking it to send its response to the target computer the attacker wants to flood.
DNS servers are a popular choice for such attacks because they are critical Internet infrastructure designed to field millions of requests per second. They are also usually connected to high-bandwidth links to enable them to deal with large amounts of traffic.
Most importantly, attackers can often cause a DNS server to generate a response that is several times larger than their spoofed request. In other words, attackers use DNS servers to amplify their attack bandwidth. Hence the term DNS Amplification.
Cool Ideas was hit by a similar attack in September. Much like Afrihost, Axxess, and Webafrica, it was targeted over a weekend.
It also posted updates for subscribers as it made progress in mitigating the attacks, only for the attack to increase in intensity.
Several other Internet service providers have been hit with DDoS attacks, including Atomic Access which was targeted on the same weekend as Cool Ideas.
In the past few weeks, Cybersmart and RSAWEB have also been targeted.
It is not only ISPs that are the target of these attacks. The South African Banking Risk Information Centre (SABRIC) reported last week that local banks were targeted with DDoS attacks.
SABRIC CEO Susan Potgieter said that the wave of attacks targeted various public-facing services across multiple banks.
“These attacks started with a ransom note which was delivered via email to both unattended as well as staff email addresses, all of which were publicly available,” said Potgieter.
“Threat intelligence which has surfaced has revealed that this is a multi-jurisdictional attack with entities from several countries being targeted and should therefore not be viewed as a targeted attack on South African companies only.”
No customer data was compromised, but there were minor disruptions to services such as online banking.