DDoS tsunami: A Cambodian case study

By on 25 Jun 2019

Category: Tech matters

Tags: , ,

Blog home

A natural early warning sign of an approaching tsunami is a rapid and unexpected recession of water levels below the expected low tide.

Although Cambodia’s capital, Phnom Penh, is relatively safe from natural tsunamis — being some 150km from the nearest coastline — it experienced a data-tsunami of sorts last November as the economy was hit by a large-scale Distributed Denial of Service (DDoS) attack.

Totalling nearly 150Gbps, the half-day attack affected several of Cambodia’s biggest Internet Service Providers, including EZECOM, SINET, Telcotech, and Digi. Although relatively small in comparison to terabit attacks such as the one that hit Github last year, one senior network engineer believes it was only the start of something bigger and more worrying, and should be a lesson for the economy’s operators to take more notice of the early warning signs.

“It certainly highlighted how our DDoS management and mitigation efforts could be improved,” says Sokvantha Youk, Head of Engineering at EZECOM.

“We had noticed a growing trend in smaller DDoS attacks on our network for quite some time and were employing a range of best current monitoring and filtering practices including NFsen with Remotely-Triggered Black Hole (RTBH) routing in combination with commercial DDoS solutions. However, the size of our network — as it is with other larger ISP networks — can make it difficult to monitor for subtle changes in attacker tactics.”

Bit-and-piece attacks targeting ISPs on the rise

Sokvantha’s account coincides with a report last year by Nexusguard examining how attackers are taking advantage of the large attack surface of ISPs by spreading small volumes of junk traffic attack across hundreds of IP prefixes.

Termed ‘bit-and-piece’ attacks, the report noted how the attacks often leveraged open DNS resolvers to launch DNS Amplification attacks, whereby a targeted IP address receives only a small number of responses in each well-organized campaign, leaving little or no trace.

Attacks sizes per IP address ranged from over 300Mbps at the high-end, to just 2.5Mbps at the low-end, with the average at 33.2Mbps. The average attack size per IP prefix was 2.48Gbps. In a worst-case scenario, an attack of this size spread across 38 IP prefixes is potent enough to overwhelm a 10Gbps ISP line.

For 2018, Netscout estimated the cost of one hour of downtime from a DDoS attack at more than USD 220,000 [PDF 12.2 MB].

Beware following attack waves

A tsunami is not a single wave but a series of waves with the first not necessarily the most destructive.

Sokvantha says this was also the case with the November attack, with EZECOM experiencing two broad-scale sustained attacks in the following weeks.

“The first happened nine days after the initial attack (4-5 November). It was a UDP flood DDoS attack on random source/destination ports with smaller-sized IP range wave (typically <300Mbps per /24 subnet) that targeted more than 80+ subnets totalling nearly 75Gbps (peak 150Gbps) consistently for 6 hours.

“The second attack (27 November) was a massive UDP flood DDoS attack totalling nearly 400Gbps, attack to each and every /24 subnet sequentially (peak 13Gbps per /24 IP address) to more than 60 plus subnets, for a period of 10 to 12 hours.

“In response to these follow-up attacks, we decided to drop the top-most attacked UDP ports and drop source attacks closest to the attack edge. We are also tightening ports and other security to segregate customers further by their usage profile.”

It’s fair to say that how Cambodia’s ISPs and emerging networks continue to improve their cybersecurity efforts against DDoS and other evolving attacks will play a key role in Cambodia’s digital transformation plans.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *