Recently, one of our customers experienced a targeted volumetric DDoS attack. The attack was successfully mitigated by our DDoS Mitigation Service, but became so powerful at a certain point that some of the Belnet network's uplinks became saturated.
The question you might be asking is whether such anti-DDoS protection is useful, since there was still an impact, albeit a limited one.
Let's look at the situation from the point of view of the attackers. For some obscure reason, at a given moment, they decide to launch a DDoS attack on one of our customers. From our graphs, we can see that the attack during those first minutes is rather small. The attack is nevertheless very quickly detected and mitigated by the DDoS solution which this customer purchases from us. In fact, the effect of the attack on the customer's network traffic is barely visible.
Now I can only speculate, but I can well imagine our attackers getting frustrated because they are not achieving the desired effect of disruption. They will have to spend more money in order to increase the volume of the attack and accordingly their chances of success. A few minutes and a few data points in our charts later, we can actually see a sudden increase in the volume of the attack.
At that moment, some of our uplinks, which are the highways to the Belnet network, start to get saturated. Only now is there impact, but not the one the attackers were hoping for. Our customer, until now unaware of the flood of traffic, only experiences the same inconvenience as all the other organisations on our network. In fact, some IP ranges become unstable due to saturation on the uplinks. Websites which can only be reached via these routes are therefore slow to load. However, the service under attack remains operational. Perhaps - and I sincerely hope so - to the great frustration of the attackers.
Meanwhile, alarms are activated and the incident is escalated to third-line support at Belnet, namely the Networks team, of which I am a member. We start the procedure to activate a new layer in our anti-DDoS protection. This consists of a gigantic worldwide cleaning network outside the Belnet network which absorbs and filters the traffic of the affected customer.
"Why isn't that protection mechanism activated automatically?" you may be asking. Although the scrubbing center is very efficient in filtering the malicious network traffic, some more sensitive services may be affected in this process. Therefore Belnet has chosen to make a conscious decision before activating this extra layer of protection.
We were just about to activate the scrubbing center when the attackers decided to call off the DDoS attack, which ended up not delivering what they had paid for. After all, the services of the targeted organisation remained available for the entire time.
Unfortunately, there is no watertight protection against cybercrime, and certainly not against DDoS attacks. At Belnet, we have multiple levels of protection: a fully automated layer supplemented by specific mechanisms which can be activated when needed. In addition, we are continuously taking actions to further improve the quality of our DDoS mitigation and accelerate our response and escalation times. Nevertheless, it remains an arms race between attackers and targets. Our objective? To thwart the attackers to such an extent that they give up the fight.
Returning to our original question: anti-DDoS protection is indeed useful. Without protection, the target's services would have been severely disrupted, much to the satisfaction of the attackers, who might have been willing to pay even more to perhaps continue the attack for many more hours.
About the author
Jo Segaert studied industrial sciences engineering in Ghent and has been working as a network engineer at Belnet for almost 8 years. His ultimate goal is to fully automate his own job. To achieve this, he has to step outside the field of telecommunication and immerse himself in data engineering, data analysis and programming. Outside of Belnet, he has more interests than time. One moment he is reading a book about macroeconomics, the next you can find him at a Balfolk dance festival.