Xneelo, the hosting company formerly known as Hetzner South Africa, was a target of distributed denial of service (DDoS) attacks this past week.
“We did experience an unusual attack last week, which we were able to mitigate,” a spokesperson for Xneelo told MyBroadband. The attack did not affect the performance of Xneelo’s network or impact customer services, the company said.
It joins Cool Ideas, Cybersmart, RSAWEB, the South African banks, and Echo Service Provider as a recent target of DDoS attacks. Echo Service Provider is an upstream service provider for ISPs including Afrihost, Axxess, and Webafrica.
Xneelo declined to reveal further details about the attack, or say what made it unusual. This is because it doesn’t want to reveal anything that may be useful to future attackers.
Its network status notice on 22 October described it simply as “a specific style of DDoS attack”. Xneelo said the attack caused some packet loss to occur.
Xneelo said that it regularly experiences DDoS attacks against its network.
“Our DDoS mitigation is an automated process and attacks are typically mitigated without intervention,” it said.
“Usual” vs. “Unusual” DDoS attacks
A DDoS attack is when an army of slave devices is used to send a flood of network traffic to other devices on the Internet. If the traffic is able to overwhelm a device, it cannot respond to legitimate requests and appears offline to anyone on the Internet trying to reach it.
When the target computer is a web server or critical network infrastructure, DDoS attacks can cause an outage.
Attackers use several strategies to amplify the effectiveness of their DDoS attacks. DNS Amplification, also referred to as DNS reflection, is one popular strategy.
Reflection attacks work by requesting information from a server on the Internet, but then tricking it into sending its response to the target computer the attacker wants to flood.
DNS servers are a popular choice for such attacks because they are designed to field millions of requests per second. They are also usually connected to high-bandwidth links to deal with large amounts of traffic.
Most importantly, attackers can often cause a DNS server to generate a response that is several times larger than their spoofed request. In other words, attackers use DNS servers to amplify their attack bandwidth. Hence the term, DNS Amplification.
A variant of this attack that is specifically used to target Internet service providers and data centre providers like Xneelo is called “carpet bombing”.
Carpet bombing is where individual customers are sent large quantities of garbage network traffic.
This traffic does not necessarily need to consume enough bandwidth to flood the individual connections of subscribers. In the case of Cool Ideas, the overall traffic on the network eventually added up to the point where the ISP’s core network infrastructure could no longer cope with the load.
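Added example, not from the article or from any ISP's actual mitigation: the Python below shows why a per-destination traffic threshold misses the carpet bombing pattern described above, and how aggregating the same flow data per prefix exposes it. The thresholds, the /24 grouping and the sample flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed thresholds (assumptions, not values from the article).
PER_HOST_BPS = 500_000_000      # alert when one destination exceeds this rate
PER_PREFIX_BPS = 2_000_000_000  # alert when a whole prefix exceeds this rate
MIN_SPREAD = 0.5                # share of the prefix's addresses receiving traffic


def per_host_alerts(flows, limit=PER_HOST_BPS):
    """Conventional check: flag any single destination above the limit."""
    totals = defaultdict(int)
    for dst, bps in flows:
        totals[dst] += bps
    return sorted(d for d, bps in totals.items() if bps > limit)


def carpet_bomb_alerts(flows, prefix_len=24, limit=PER_PREFIX_BPS,
                       min_spread=MIN_SPREAD):
    """Flag prefixes with a high aggregate rate spread across many hosts."""
    agg = defaultdict(lambda: defaultdict(int))
    for dst, bps in flows:
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        agg[net][dst] += bps
    alerts = []
    for net, hosts in agg.items():
        total = sum(hosts.values())
        spread = len(hosts) / net.num_addresses
        if total > limit and spread >= min_spread:
            # Report the peak host rate so an operator can see that no
            # single destination crossed the per-host threshold.
            alerts.append((str(net), total, len(hosts), max(hosts.values())))
    return sorted(alerts)


def sample_flows():
    """Constructed (destination, bits/s) records on RFC 5737 documentation ranges."""
    flows = [(f"203.0.113.{i}", 12_000_000) for i in range(1, 251)]  # 250 hosts x 12 Mbps
    flows.append(("198.51.100.7", 800_000_000))                     # one single-target flood
    flows += [(f"192.0.2.{i}", 1_000_000) for i in range(1, 21)]    # background traffic
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("per-host alerts:  ", per_host_alerts(flows))
    print("per-prefix alerts:", carpet_bomb_alerts(flows))
```

In the constructed data each of the 250 addresses in 203.0.113.0/24 receives only 12 Mbps, so the per-host check reports nothing for that range, while the prefix as a whole carries 3 Gbps.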
Other attacks on ISPs
Cybersmart told MyBroadband last week that it faced an odd variant of the carpet bombing attack which sent enough garbage traffic to individual subscribers that it actually overwhelmed the ISP’s FTTH routers.
“This attack targeted thousands of [Internet Protocol addresses] within our IP range, with the aim not to saturate the bandwidth but rather to overwhelm the processor on the targets,” Cybersmart CEO Laurie Fialkov told MyBroadband.
“It does not take an extreme amount of malformed packets to overwhelm an FTTH router.”
While the attack launched on Cybersmart last week is unlikely to work on a hosting provider like Xneelo, there was a similarly strange and much bigger attack against Liquid Telecom over the weekend.
Liquid Telecom fought off a DDoS attack on Sunday which had a bandwidth of over 100Gbps.
The attack was aimed at one of Liquid’s customers in South Africa and impacted people who use Afrihost, Axxess, and Webafrica for Internet access. Liquid declined to name the customer.
The three ISPs all use Echo Service Provider as one of their upstream providers.
Companies targeted by this recent spate of DDoS attacks have told MyBroadband that they don’t really want to talk about the details of the attack or their mitigation measures. This is because they want to avoid inviting or enabling further attacks.