The statistics from the DDoS Mitigation service offer us some interesting insights into the rapidly changing DDoS landscape. For example, in the first quarter of 2022, among the things we saw was an increase in the number of large-scale, targeted attacks.
Belnet customers using the DDoS Mitigation service have a dashboard and monitoring platform that allows them to visualise attacks in real-time and better understand their cause and impact.
The same data is also analysed on a regular basis by Belnet itself. Indeed, it gives us an insight into certain trends and changes in the DDoS landscape. Currently, about 20 organisations have purchased the service. The data and conclusions we present below therefore do not include the entire Belnet community.
Completely new anti-DDoS service by the end of 2022
In order to be even more responsive to the changing needs of our customers and the rapidly changing cyber threats, Belnet has begun updating its DDoS Mitigation service. The new solution, scheduled for launch by the end of this year, will be able to protect a great many more customers than is the case today. Currently, the market is being surveyed and rounds of negotiations are in the offing. After the final selection of the solution, we will communicate further about the selected solution's additional functionalities and protection options.
What do we notice from DDoS monitoring (comparison Q4 2021 and Q1 2022)?
Volume and type of attacks
- We are seeing a steady increase in the volume of filtered data traffic. In the fourth quarter of 2021, it was 29,644 billion packets. In the first quarter of 2022, it was 33,293 billion. This is an increase of 12.3%.
- During the first three months of 2022, Belnet had to engage its external cloud scrubbing centre about 3 times more often than in Q4 2021. This is because there were more attacks on specific customers that were so powerful that they threatened to saturate the Belnet network's uplinks. Even though the number of activations of this additional layer of protection remains small, each activation prevents an impact on the network that should not be underestimated.
- IP Fragmentation attacks were the most common type of attacks, followed by UDP Flood and SYN Flood attacks. The number of TCP Push attacks has decreased significantly in proportion.
Duration of the attacks
- The duration of attacks depends heavily on mitigation techniques. We find that attacks that can be mitigated quickly usually do not last as long. We assume that attackers usually do not want to invest further once they find that their attack is proving unsuccessful.
- However, sometimes cybercriminals continue their attack for hours anyway. For example, in Q1 2022, a government organisation was targeted by a DDoS that lasted more than 48 hours in total.
- Certain types of organisations face more DDoS attacks due to the nature of their operations. Thus, we see that in both Q4 2021 and Q1 2022, most attacks were directed against public sector institutions and the federal government.
- The majority of the attacks occurred during business hours. This makes sense, given that it is at these times that attackers can achieve the greatest impact on, and disruption to, their target.
Our expertise: mitigation of volumetric DDoS attacks
Over the years, Belnet has accumulated a great deal of expertise and experience in the identification and mitigation of volumetric DDoS attacks. The DDoS Mitigation service we have offered since 2016 within the 'Trust & Security' pillar of our service offering protects individual customers from volumetric and session attacks.
The service deliberately does not focus on protection against application attacks (known as "Layer 7" attacks). The reason is that the central role of an ISP such as Belnet lends itself extremely well to mitigating volumetric attacks, whereas protection against attacks at the higher layers of the OSI model is not scalable at the level of an ISP. Such application-layer attacks are strongly tied to the nature of the applications used at a given organisation, and our experience shows that these vary greatly depending on the type of institution connected.
External scrubbing centre
What about the organisations that have not yet purchased a DDoS Mitigation service? They will still receive reactive assistance from Belnet when they come under attack. Where necessary, they can rely on the expertise of our technical teams to install certain filters to fend off the attack. This is always done in collaboration with and after approval of the customer being attacked. Given that these filters must be set up manually, this takes more time than a proactive approach.
When an attack on a specific Belnet customer (who may or may not have individual protection) is so powerful that it threatens to saturate the rest of the network, Belnet can call upon an external cloud scrubbing centre. This constitutes an additional protective mechanism and was implemented in May 2021.
It consists of a gigantic worldwide scrubbing network – outside the Belnet network – which absorbs and filters the affected customer's traffic. The scrubbing centre serves primarily to protect the Belnet network itself and thus not to protect individual customers.
Volumetric attacks attempt to flood an organisation's network with large amounts of attacker-generated traffic in an attempt to consume all available network bandwidth for a particular application, causing it to slow down or fail.
Session attacks attempt to take down a server or application firewall with a large number of connection requests. They gobble up server resources, making it impossible to open new legitimate connections, and the server or firewall may even crash.
Application attacks (called "Layer 7" or L7 attacks) target weaknesses in specific systems or applications. For example, such an attack sends a request that requires a lot of work behind the scenes, causing the application to slow down or even crash.
IP Fragmentation is a common type of DDoS attack, in which the attacker overwhelms a network by abusing the datagram fragmentation mechanism. Data packets are deliberately broken down into small fragments before being sent to the target. The server must then constantly reassemble them, causing it to become overloaded.
A SYN Flood is a type of DDoS attack that aims to make a server unavailable to legitimate traffic by using up all available server resources. By repeatedly sending initial connection request packets (SYN packets), the attacker can overload all available ports on a targeted server machine, making the target device slow or unresponsive to legitimate traffic.
A UDP Flood is a type of DDoS attack in which a large number of User Datagram Protocol (UDP) packets are sent to a specific server with the goal of saturating that server's processing and response capability. The firewall protecting the attacked server may also crash as a result of UDP flooding, leading to inaccessibility for legitimate traffic.
TCP Push is a type of attack in which attackers flood a server with false push requests. The server must process each request received, using so much computing power that it can no longer respond to legitimate traffic.
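To make the four attack categories above concrete from a monitoring perspective, here is an added example (not Belnet's tooling) that sorts constructed per-target flow summaries into those categories and flags the ones whose packet rate exceeds a multiple of the target's normal baseline. The record format, the 10-second bin, the threshold factor and the addresses are all assumptions.

```python
"""Classify constructed flow-summary records into the DDoS categories the
article reports (IP fragmentation, SYN flood, UDP flood, TCP push flood).
Added example, not Belnet's tooling; record format and thresholds are assumed."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    dst: str                  # targeted address
    proto: str                # "tcp" or "udp"
    packets: int              # packets seen in this 10-second bin (assumed)
    flags: str = ""           # TCP flags as letters, e.g. "S", "PA"
    fragmented: bool = False  # IP fragment offset != 0 or MF bit set

def categorise(flow: Flow) -> str:
    """Map one flow record to an attack category; 'other' if it fits none.
    Fragmentation is checked first: a fragmented UDP flow counts as fragmentation."""
    if flow.fragmented:
        return "ip_fragmentation"
    if flow.proto == "udp":
        return "udp_flood"
    if flow.proto == "tcp" and flow.flags == "S":
        return "syn_flood"        # bare SYN: half-open connection attempts
    if flow.proto == "tcp" and "P" in flow.flags:
        return "tcp_push"
    return "other"

def packets_per_category(flows, dst):
    """Sum packets per category for one targeted address."""
    counts = Counter()
    for f in flows:
        if f.dst == dst:
            counts[categorise(f)] += f.packets
    return counts

def detect(flows, dst, baseline_pps, factor=10, bin_seconds=10):
    """Return categories whose packet count in the bin exceeds
    factor x the target's baseline packets-per-second over the bin."""
    counts = packets_per_category(flows, dst)
    threshold = baseline_pps * factor * bin_seconds
    return sorted(c for c, n in counts.items() if c != "other" and n > threshold)

# Constructed sample bin: one target under a SYN flood plus a fragment flood,
# alongside normal traffic; a second target with ordinary SYN volume.
SAMPLE = [
    Flow("203.0.113.10", "tcp", 2_000_000, flags="S"),
    Flow("203.0.113.10", "tcp", 1_500, flags="PA"),
    Flow("203.0.113.10", "udp", 800),
    Flow("203.0.113.10", "udp", 400_000, fragmented=True),
    Flow("203.0.113.20", "tcp", 3_000, flags="S"),
]

if __name__ == "__main__":
    print(detect(SAMPLE, "203.0.113.10", baseline_pps=1_000))  # -> ['ip_fragmentation', 'syn_flood']
```

Real flow exports (NetFlow/IPFIX) carry the protocol, TCP flag bits and fragment fields this example keys on, so the same classification can be applied to exported records once the baseline per customer prefix is known.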