Specialist fibre Internet service provider Cool Ideas faced a large distributed denial of service (DDoS) attack this past weekend. Attack traffic peaked at over 500Gbps, causing trouble for the ISP with its international partners.
Following the attack, Cool Ideas sent an e-mail to subscribers to explain what happened and what it is doing to defend against such large attacks in future.
In keeping with its zombie theme from the e-mail it sent following the last attack on its network, Cool Ideas titled its e-mail “65 Days Later”.
Please get off our network and take your massive DDoS attacks with you
The DDoS attack began at 10:30 on Saturday, 23 November. Alarms were sent to engineers, and the automated mitigation systems Cool Ideas had in place kicked in.
Cool Ideas explained that, following the attack in September, it upgraded its upstream capacity in London to 14 times what it was before.
When facing a big attack, scrubbing devices in London would clean network traffic before sending it back to South Africa.
Sending traffic to an overseas clearing house is fairly standard practice for Internet companies in South Africa. There aren’t local facilities that can effectively handle the high volumes of attack traffic that operators like Cool Ideas have seen in the past few months.
“By late afternoon on Saturday, our engineers determined that the 14 additional lanes of capacity that we added were simply not coping with the number of zombies,” Cool Ideas said.
“We contacted our upstream providers Hurricane Electric (HE) and Cogent [Communications].”
Hurricane Electric said that it was seeing over 300Gbps of attack traffic to the Cool Ideas network and asked them to “please get off”, Cool Ideas said. Cogent saw attacks on a similar scale.
In total, the Cool Ideas network was facing well over 500Gbps of attack traffic.
Local attack traffic
Further complicating matters, Cool Ideas said that the most recent attack on its network included traffic from local sources.
“We connect to several Internet exchange points in South Africa, where things like Google and Microsoft are hosted, and found ourselves at the brunt of a local zombie attack,” Cool Ideas said.
“This affected some services in Cape Town. We worked with the friendly folks at NAPAfrica to stop the zombies at the exchange, and also implemented additional capacity and filtering devices at these exchange points.”
Cool Ideas said that the local attack traffic wasn’t serious, but it wants to make sure local attacks cannot cause problems.
“By late Sunday afternoon things were returning to normal and the service levels started improving,” Cool Ideas said.
“By 23:00 on Sunday the attack was fully mitigated and it ceased at around 01:00 on Monday.”
South Africa facing “mind-boggling” attacks
“The unprecedented scale and increased incidence of cyber attacks against South African internet and other companies are quite mind-boggling,” Cool Ideas stated.
It was referring to recent attacks against banks, hosting companies, and other Internet service providers such as RSAWEB and Afrihost.
“In short, this new attack surprised us with its scale. We thought we had bigger guns after we completed our London upgrades in October, but we were wrong. We are now getting even bigger guns — but this time we’re contracting them to the scrubbing ‘militia’,” said Cool Ideas.
“We are in the process of configuring scrubbing capacity with specialised facilities in the UK and the USA. We will still keep using our additional capacity and existing detection and scrubbing systems, but if a larger volume attack happens we will be able to hand the bulk of it off to a more specialised provider.”
Timeline of attacks
For its more technically minded subscribers, Cool Ideas included the following timeline of events: