Q4 2020 update DDoS attacks: more complex ‘carpet bombing’
February 2021 by NaWas by NBIP
NaWas by NBIP has reported its fourth quarter 2020 update about DDoS attacks in Europe. The large scale attacks on the infrastructure of ISP’s, which started in August 2020, continued with more complex attacks called carpet bombing in the last three months of 2020. In total 540 attacks were detected, an average of more than four per day, while the largest was 167 Gbps. Compared to Q3 not only more attacks were registered, but also an increasing amount after working hours. All DDoS attacks in Q4 can be divided into five different categories: DNS amplification (43%), LDAP amplification (26%), UDP flood (14%), NTP amplification (10%) and TCP flood (7%).
Carpet bombing and LDAP amplification
Carpet bombing and LDAP amplification represent 69% of all DDoS-attacks in the fourth quarter of 2020. Carpet bombing involves a large number of individual attacks that are carried out simultaneously. Instead of using the actual IP address (usually a /32), the attacker targets the entire subnet, with the result that the reflected packets are routed to hundreds or thousands of destinations within the network. LDAP amplification exploits a specific weakness in older LDAP servers that are still in use - the CLDAP protocol. Originally intended to see what services are available on an internal network server, some servers have the UDP port 389 open to the “outside”.
Combine forces is most effective defense
For individual companies it’s almost impossible to avoid a DDoS attack, because that requires a solid infrastructure that costs a lot of money. Combining forces and expertise is the most effective defense, according to the non-profit organisation NaWas by NBIP. NBIP has developed the NaWas community driven Scrubbing Centre, to which internet service providers in Europe can connect for DDoS defense. NaWas is capable of separating ‘right’ and ‘wrong’ internet traffic and grew from 6.3 million to 9 million protected IP addresses during 2020.