ISP News for the week ending April 29th, 2022

Cloudflare blocks a 15 million requests-per-second (rps) DDoS attack.
https://blog.cloudflare.com/15m-rps-ddos-attack/

Good news regarding the chip shortage.
“America’s ambitions to rebuild its semiconductor manufacturing industry took a step forward on Monday with the opening of a specialty chip fabrication plant in central New York.”
https://asia.nikkei.com/Business/Tech/Semiconductors/U.S.-opens-first-major-silicon-carbide-chip-plant-in-New-York

The United States joins 55 nations to set Internet rules
https://www.reuters.com/technology/us-joins-55-nations-set-new-global-rules-internet-2022-04-28/

Will a re-brand of Frontier help its image?
https://www.telecompetitor.com/frontier-rebrand-aims-to-be-the-unmistakable-icon-of-gigabit-america/

News on California's Net Neutrality Law
California’s net neutrality law is similar to the federal rules repealed under former FCC Chairman Ajit Pai. California prohibits ISPs from blocking or throttling lawful traffic. It also prohibits requiring fees from websites or online services to deliver or prioritize their traffic to consumers, bans paid data cap exemptions (so-called “zero-rating”), and says that ISPs may not attempt to evade net neutrality protections by slowing down traffic at network interconnection points.
https://arstechnica.com/tech-policy/2022/04/isps-cant-find-any-judges-who-will-block-california-net-neutrality-law/

MikroTik releases RouterOS 7.3beta37
*) bonding – fixed LACP flapping for RB5009 and CCR2004-16G-2S+ devices;
*) bridge – fixed packet marking for IP/IPv6 firewall;
*) dot1x – improved server stability when using re-authentication;
*) fetch – improved full disk detection;
*) gps – fixed minor value unit typo;
*) l3hw – improved offloading for directly connected hosts on CRS305, CRS326-24G-2S+, CRS328, CRS318, CRS310;
*) led – fixed QSFP+, QSFP28 activity LEDs when using 40Gbps modules (introduced in v7.3beta33);
*) lte – disabled wait for LTE auto attach;
*) mpls – fixed MPLS MTU and path MTU selection;
*) ovpn – fixed hardware offloading support on CHR;
*) ovpn – improved Windows client disconnect procedure in UDP mode;
*) ovpn – moved authentication failure messages to “info” logging level;
*) ppp – added warning when using prefix length other than /64 for router advertisement;
*) ppp – fixed “remote-ipv6-prefix” parameter unsetting;
*) ppp – fixed issue with multiple active sessions when “only-one” is enabled;
*) routerboot – properly reset system configuration when protected bootloader is enabled and reset button used;
*) rsvp-te – improved stability when “Resv” received for non-existing session;
*) sfp – improved QSFP/SFP interface initialization for 98DXxxxx switches;
*) switch – fixed missing stats from traffic-monitor for 98DXxxxx and 98PX1012 switches;
*) system – fixed RouterOS bootup when wifiwave2 package is installed (introduced in v7.3beta34);
*) system – fixed rare partial loss of RouterOS configuration after package upgrade/downgrade/install/uninstall;
*) user-manager – improved stability when received EAP attribute with non-existing state attribute;
*) vpls – fixed “pw-l2mtu” parameter usage;

DDoS attacks in high bandwidth bursts

https://www.darkreading.com/threat-intelligence/ddos-attacks-hitting-victims-in-high-bandwidth-bursts

Security firm Imperva culled the intelligence from nearly 5,600 network-level attacks encountered by its clients to find that attackers continued to increase the intensity of attacks as they also shortened attack duration. More than half of the attacks lasted eight minutes or less, with attackers repeatedly inundating the same companies with floods of data — including one attack that topped 1 Tbps, according to Imperva.

Denial of Service and the xISP Part 1

Most service providers have been the victim of a Denial of Service (DoS) attack at one point or another. Sometimes you may not realize you are under an attack. A few months ago, I posted a simple screenshot at https://blog.j2sw.com/networking/anatomy-of-a-ddos/ of what an active DDoS looks like.

Types of Attacks
To know what to look for, you have to understand the four basic types of attacks. I will outline them and talk about how modern attacks are affecting Internet Service Providers (ISPs). In my next article, we will talk about identifying these types of attacks and some mitigation techniques you can employ.

Throw-everything-at-you attack, aka buffer exhaustion (often loosely called a "buffer overflow")
This type of attack throws enormous amounts of traffic at you to fill up your switch and router buffers, pushing the device past its forwarding capacity. Your devices are crushed by the sheer volume of data thrown at them. This is not the memory-corruption "buffer overflow" of application security: the buffers here are packet queues, and the failure mode is drops and latency, not code execution. The attack isn't always raw bandwidth, either. Sometimes it is tens of thousands of remote connections, which exhaust connection tables, session state and firewall state long before the link itself is full.

Attacking vulnerable protocols
Attackers go after exposed services such as ICMP and open UDP services to do amplification attacks: they send small requests with the victim's address forged as the source, and the service answers the victim with a much larger response, multiplying the attacker's bandwidth. Fragmented packets, which tie up the router holding and reassembling partial datagrams instead of forwarding them in the fast path, are also a common method of attacking a host.
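
As an added example (not from the original post or any vendor tool), the following Python flags the two patterns just described in unidirectional flow records: reflection traffic arriving from well-known amplifier ports that the victim never solicited, and inbound packet mixes dominated by non-initial fragments. The flow records, field names, reflector port list and thresholds are constructed assumptions for the example; feed it your collector's flows with the same fields and the logic carries over.

```python
"""Added example (not from the original post): spotting reflection/amplification
and fragment floods in flow records.  The records below are constructed; field
names and thresholds are assumptions for the example."""
from collections import defaultdict

# UDP source ports commonly abused as reflectors.  The service's reply is many
# times larger than the spoofed request, which is where the amplification comes from.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached",
                   19: "chargen", 161: "SNMP", 389: "CLDAP"}

def find_reflection(flows, min_reflectors=3, min_bytes=1_000_000):
    """Victims receiving replies from reflector ports they never queried.

    In a reflection attack the attacker forges the victim's address as the
    source, so the victim's network sees responses with no matching request.
    A real reply to a real query has an outbound flow (victim -> server:port)
    and is ignored here.
    """
    solicited = {(f["src"], f["dst"], f["dport"]) for f in flows if f["proto"] == "udp"}
    seen = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] not in REFLECTOR_PORTS:
            continue
        if (f["dst"], f["src"], f["sport"]) in solicited:
            continue                      # legitimate answer to a request we saw
        s = seen[f["dst"]]
        s["bytes"] += f["bytes"]
        s["reflectors"].add(f["src"])
        s["services"].add(REFLECTOR_PORTS[f["sport"]])
    return {v: s for v, s in seen.items()
            if len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes}

def find_fragment_flood(flows, min_fraction=0.5, min_packets=1000):
    """Destinations whose inbound packets are mostly non-initial fragments.

    Non-initial fragments carry no L4 header, so the router must hold them for
    reassembly (or punt them to the CPU) instead of forwarding in the fast path.
    """
    total, frag = defaultdict(int), defaultdict(int)
    for f in flows:
        total[f["dst"]] += f["packets"]
        if f.get("frag"):
            frag[f["dst"]] += f["packets"]
    return {d: frag[d] / total[d] for d in total
            if total[d] >= min_packets and frag[d] / total[d] >= min_fraction}

def flow(src, sport, dst, dport, nbytes, packets, proto="udp", frag=False):
    """Build one constructed flow record."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "bytes": nbytes, "packets": packets, "proto": proto, "frag": frag}

# Constructed sample: one legitimate DNS exchange, one reflection victim fed by
# five NTP and three DNS reflectors it never queried, and one fragment flood.
SAMPLE_FLOWS = [
    flow("203.0.113.10", 40000, "198.51.100.53", 53, 80, 1),
    flow("198.51.100.53", 53, "203.0.113.10", 40000, 200, 1),
] + [
    flow(f"192.0.2.{i}", 123, "203.0.113.20", 40123, 400_000, 900) for i in range(1, 6)
] + [
    flow(f"192.0.2.{i}", 53, "203.0.113.20", 53, 300_000, 100) for i in range(10, 13)
] + [
    flow("192.0.2.50", 0, "203.0.113.30", 0, 7_000_000, 5000, frag=True),
    flow("192.0.2.51", 44000, "203.0.113.30", 443, 50_000, 500, proto="tcp"),
]

if __name__ == "__main__":
    for victim, s in find_reflection(SAMPLE_FLOWS).items():
        print(f"reflection -> {victim}: {s['bytes']} bytes from "
              f"{len(s['reflectors'])} reflectors ({', '.join(sorted(s['services']))})")
    for dst, frac in find_fragment_flood(SAMPLE_FLOWS).items():
        print(f"fragment flood -> {dst}: {frac:.0%} of packets are fragments")
```

The legitimate DNS reply is dropped because its request was seen leaving the network; the reflection victim is reported because eight servers are answering queries it never sent. Real collectors sample flows, so expect to lower the byte threshold in proportion to the sampling rate.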

Application attacks
These are the ones most consumers hear about. Vulnerabilities in operating systems, applications, and packages are exploited to crash or hang the service itself, so the attacker needs comparatively little traffic to take it offline.

Hacks
The fourth kind is often lumped in with application attacks, but I wanted to separate it for a few reasons. The first reason is that compromising a system is not always sophisticated. If a bad actor guesses the password on your router and erases the configuration, they have performed a Denial of Service against you. If you don't keep your software up to date and someone exploits a known vulnerability or backdoor and "hacks" your system, they have performed a DoS attack.

Modern Attacks against networks
Modern DoS attacks are always evolving. As network administrators find ways to mitigate these attacks, the bad actors tweak them to get around the mitigation techniques providers employ. Most of the attacks above involve sheer volumes of traffic or connections being directed at a host to take it offline. These attacks are especially detrimental for service providers because, if the attack is significant enough, they take your customers offline along with the target.

One of the most common techniques these days is the Distributed Denial of Service attack (DDoS). These usually involve botnets of thousands of compromised machines or devices acting against one or more hosts. The bots can be anywhere in the world. They could even be users inside your network with compromised machines or other devices. Distributed attacks are hard to mitigate because the traffic can be legitimate requests pointed at, say, a web server. The traffic is not malicious from a technical perspective: you have thousands and thousands of machines sending well-formed requests to a web server or other host on your network. Each source on its own looks like a normal client, but the aggregate is overwhelming for your hardware and Internet pipe.
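
Because every bot looks like a normal client, the usual per-IP rate limit does not fire. The added Python below (my example, not the author's, run over a constructed access log) shows that: a single noisy host trips the per-source limit, the 300-host botnet never does, and only the aggregate request rate together with the jump in distinct sources flags it. It also separates attacking sources inside the provider's own address space (compromised customers) from external ones. The log format, the thresholds, and the prefix 100.64.0.0/10 standing in for customer address space are assumptions.

```python
"""Added example (not from the original post): a botnet flood of well-formed
requests versus per-source rate limiting.  The access log is constructed."""
import ipaddress
from collections import Counter, defaultdict

def build_sample_log():
    """Constructed records (second, source_ip, request); not real traffic."""
    recs = []
    for t in range(120):                       # 20 normal clients: 5 requests/s in total
        for c in range(20):
            if (t + c) % 4 == 0:
                recs.append((t, f"198.51.100.{c + 1}", "GET /index.html"))
    for _ in range(50):                        # one abusive host: 50 requests in second 30
        recs.append((30, "203.0.113.99", "GET /search?q=x"))
    for t in range(60, 120):                   # botnet from second 60: 300 hosts, 1 request / 10 s each
        for b in range(300):
            if (t + b) % 10 == 0:
                # the last 50 bots sit in the (assumed) customer prefix 100.64.0.0/10
                ip = f"192.0.2.{b + 1}" if b < 250 else f"100.64.5.{b - 249}"
                recs.append((t, ip, "GET /index.html"))
    return recs

def per_source_offenders(recs, limit, window=10):
    """Classic per-IP limiter: sources sending more than `limit` requests in any window."""
    buckets = Counter((src, t // window) for t, src, _ in recs)
    return {src for (src, _), n in buckets.items() if n > limit}

def aggregate_alerts(recs, baseline_rps, factor=3.0, window=10):
    """Windows whose total request rate exceeds factor * baseline, with distinct-source counts."""
    count, sources = Counter(), defaultdict(set)
    for t, src, _ in recs:
        count[t // window] += 1
        sources[t // window].add(src)
    return {w * window: {"rps": n / window, "sources": len(sources[w])}
            for w, n in sorted(count.items()) if n / window > factor * baseline_rps}

def new_sources_during(recs, alert_starts, window=10):
    """Sources first seen inside the alert windows: a crude bot candidate list."""
    alert = set(alert_starts)
    before = {src for t, src, _ in recs if (t // window) * window not in alert}
    during = {src for t, src, _ in recs if (t // window) * window in alert}
    return during - before

def split_by_origin(sources, own_prefixes):
    """Attackers inside our own address space (compromised customers) vs. external ones."""
    nets = [ipaddress.ip_network(p) for p in own_prefixes]
    inside = {s for s in sources if any(ipaddress.ip_address(s) in n for n in nets)}
    return inside, set(sources) - inside

if __name__ == "__main__":
    recs = build_sample_log()
    print("per-source limiter catches:", per_source_offenders(recs, limit=10))
    alerts = aggregate_alerts(recs, baseline_rps=5)
    for start, a in alerts.items():
        print(f"t={start:3d}s: {a['rps']:.0f} req/s from {a['sources']} sources")
    bots = new_sources_during(recs, alerts)
    inside, outside = split_by_origin(bots, ["100.64.0.0/10"])
    print(f"{len(bots)} bot candidates: {len(inside)} inside our network, {len(outside)} external")
```

The per-source limiter reports only 203.0.113.99; from second 60 on the aggregate rate is seven times the baseline while no single bot exceeds one request every ten seconds. The "new sources during the alert" heuristic is deliberately crude (a real client that first appears mid-attack gets listed too); its value is in the inside/outside split, since the inside set is something you can actually clean up.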

Image courtesy of https://www.imperva.com/blog/how-to-identify-a-mirai-style-ddos-attack/

So what does a DDoS look like and what are your options when it comes to Denial of Service Attacks? In my next article in this series, I will talk about some best practices you can do so you are not as vulnerable to these types of attacks.

Mikrotik DNS DDoS script

This content is for Patreon subscribers of the j2 blog. Please consider becoming a Patreon subscriber for as little as $1 a month. This helps to provide higher quality content, more podcasts, and other goodies on this blog.