A recent report has highlighted a new and concerning distributed-denial-of-service (DDoS) attack pattern known as ‘bit-and-piece.’ This pattern specifically targets communications service providers (CSPs) classified as relevant entities under the NIS directive. The ‘bit-and-piece’ attack strategy exploits a vast attack surface at the autonomous system number (ASN) level of CSPs, distributing small, precisely targeted traffic across numerous IP addresses to evade detection. In response to this emerging threat, multiple DNS software and service providers have committed to updating their DNS software to counter such DDoS attacks effectively. This Info Note reviews new DDoS attack patterns and the actions required to mitigate this threat.

Contextual Information

Back in January 2016, ENISA released a paper outlining DDoS attacks on DNS root servers, underscoring the global impact of these attacks on several servers.

The DDoS Threat and Recent Attack Patterns

The Nexusguard quarterly report, drawing data from numerous global DDoS attacks, has revealed that CSPs faced the brunt of 65.5% of DDoS attacks in Q3 2018. These attackers have contaminated diverse pools of IP addresses across hundreds of IP prefixes, with small-sized junk traffic. Consequently, the year-over-year average attack size in the quarter dropped by a significant 82%.

According to Juniman Kasman, Chief Technology Officer for Nexusguard, perpetrators have adopted smaller, bit-and-piece techniques to inject malicious data into legitimate traffic. This strategy allows attacks to bypass detection mechanisms, making it challenging for CSPs to identify large-scale DDoS attacks in advance. These diffuse traffic patterns necessitate collaboration with cloud services at the network edge to minimize attack impacts.
The ‘bit-and-piece’ attacks primarily leverage open domain name system (DNS) resolvers to execute DNS Amplification attacks. Attackers send a limited number of responses to targeted IP addresses, leaving minimal traces. Researchers also suspect that attackers conducted reconnaissance missions to map network landscapes and identify mission-critical IP ranges of targeted CSPs. By injecting bits of junk data into legitimate traffic, typically below detection thresholds, they operated unnoticed through traditional DDoS detection systems.

Responses from Service Providers

Major DNS software and service providers are actively planning updates to their DNS software to combat these emerging attack patterns. These updates will impact all authoritative servers not complying with the original DNS standard from 1987 (RFC1035) or the newer EDNS standards from 1999 (RFC2671 and RFC6891).
The DNS Flag Day initiative, initiated to address inefficiencies in DNS implementations, has led to changes in DNS operations to protect against DDoS attacks. DNS software and service providers listed on the initiative’s site have agreed to remove non-compliant DNS implementations from their software or services.

DDoS Attack Kill Chain

As outlined in the 2018 ENISA Threat Landscape Report, the kill chain for this threat involves several stages.

  • Reconnaissance: Attackers gather information about the target, identifying vulnerabilities and potential weaknesses.
  • Weaponization: Attackers prepare the tools and resources needed for the DDoS attack, including botnets, malware, or other attack vectors.
  • Delivery: The attack tools and resources are delivered to the compromised devices or machines that will participate in the attack.
  • Exploitation: Attackers initiate the DDoS attack, taking advantage of the compromised devices to generate a high volume of malicious traffic or requests.
  • Installation: Malware or attack scripts are installed on the compromised devices to maintain control and continue the attack.
  • Command and Control (C2): Attackers maintain communication with the compromised devices, enabling them to adjust the attack parameters or execute additional commands.
  • Execution: The DDoS attack is executed, flooding the target with traffic and causing a disruption in service.
  • Evasion: Attackers may employ tactics to evade detection or mitigation efforts, such as IP spoofing or changing attack vectors.
  • Persistence: Attackers attempt to maintain control over the compromised devices for future attacks or other malicious activities.
  • Exfiltration: In some cases, attackers may attempt to extract sensitive data from the target during the chaos caused by the DDoS attack.
  • Impact: The target experiences downtime or service disruption due to the overwhelming volume of malicious traffic.
  • Post-Attack Cleanup: After the attack, attackers may cover their tracks, remove traces of malware, or attempt to regroup for future attacks.

It’s important to note that the DDoS attack kill chain is a conceptual framework used to understand the various stages of a DDoS attack, but it may not always follow this exact sequence in every attack.

Recommendations

For domain holders, mitigating broadly distributed, small-sized attack traffic presents unique challenges at the CSP level. Therefore, domain owners are advised to:

  • Check if hosted websites are prepared for DNS Flag Day deliberations.
  • Utilize the dnsflagday.net website’s diagnostic tool to identify DNS issues and receive guidance on necessary steps to prevent impact.
  • Implement security measures such as increasing bandwidth on web servers, enhancing network perimeter defense, and considering traffic sinkholing as potential solutions to bolster DDoS protection.

In conclusion, understanding and proactively countering evolving DDoS threats like ‘bit-and-piece’ attacks are critical to maintaining robust cybersecurity in today’s digital landscape.