DDoS Attacks Targeting ISPs are Different – Here’s How
ISPs face a few unique challenges and risks when it comes to DDoS attacks. Their size and complexity make them bigger targets for hackers, while their unique structural features require more tailored defenses.
ISPs can be both direct targets of hackers and targets-by-association, as they host hundreds or thousands of customers – large companies, banks, ecommerce sites, political organizations, etc.
A successful DDoS attack can severely impact an ISP’s own infrastructure and services, as well as those of its customers.
As a result, ISPs must adopt DDoS mitigation measures to protect it all – their network (including in-house DNS servers), telco services, media broadcasts, and the like, and their end customers. Unlike enterprises, however, which rely on prefab cloud-based solutions (Akamai, Imperva, Cloudflare, etc.) for DDoS protection, ISPs use their own on-premises protection mechanisms and must operate and maintain their DDoS defenses independently.
All these characteristics also make DDoS testing for ISPs a bit different than for enterprises in several ways. Let’s take a look:
Volumetric attacks
DDoS attacks on ISPs tend to be more voluminous and aggressive than those targeting enterprises and can easily reach 100-300 Gbps. This means that DDoS testing for ISPs must also simulate high-volume traffic, in contrast to the smaller volumes sufficient for enterprises.
Pipe saturation
A unique ISP requirement related to DDoS attacks is the need to protect its internet pipe from overwhelming traffic, which can disrupt all or many of its services. Pipe saturation can occur regardless of whether an attack was mitigated, or whether the ISP’s internet pipe capacity exceeds the volume of the attack.
For example, a DDoS mitigation solution capable of mitigating an attack of 100 Gbps and internet pipes with a total capacity of 150 Gbps should theoretically be able to handle a 100 Gpbs attack. But in practice, attacks do not always disperse evenly across the available internet pipes. So two pipes may be saturated while others are idle. If they are saturated, then the DDoS attack was successful and services behind the saturated pipes are inaccessible.
One reasonable strategy to mitigate the effects of pipe saturation in an emergency is to block traffic entirely from a designated region, to a designated region, of a specific kind, or with other predefined characteristics. This would, however, mean sacrificing some traffic to maintain the ISP functionality more broadly.
Application-layer attacks
Most application-layer (layer 7) attacks do not affect ISPs. Typically, the only victim is the end customer. However, some layer 7 attacks have become so intense that their sheer size can pose a risk to the ISP. While the threat level is very low, it is not zero and should nevertheless be kept in mind.
DNS attacks
ISPs must have their own DNS servers to function effectively. DDoS attacks targeting DNS servers, though, are not that easy to mitigate in comparison to network attacks. There are several specific tactics used by hackers in such DNS attacks, such as:
- Query floods: Flooding DNS servers with a massive number of DNS queries, until they can no longer respond.
- Garbage floods: Sending large UDP packets to the DNS port (53) that are not really DNS queries, which creates a bottleneck specifically at a router or firewall port the victim cannot easily close.
- Reflective amplification attacks: Spoofing the victim’s IP address in DNS requests and exploiting open DNS resolvers to amplify the traffic with small queries that trigger large, paralyzing responses.
- Recursive floods: Sending a flood of different false subdomain requests that consume the DNS recursive server’s resources in repeated unsuccessful attempts to get an answer from root servers.
To mitigate DDoS attacks, DNS providers often implement rate limiting, traffic filtering, and redundancy across multiple servers. These strategies need to be tested with realistic simulations, as unchallenged DNS servers tend to be relatively vulnerable to DDoS attacks.
One last word – personnel
ISPs, which face massive DDoS attacks, need to adopt a proactive defense. This includes periodic testing, as well as setting rate-limits and policies for protecting network infrastructure.
Any mitigation measures at the ISP level – because they are self-contained – are only as good as the team operating and maintaining them. And that takes the right kind of DDoS training. They need the knowledge and skills to respond as needed, when needed, every time.