Dive Brief:
- Last week European internet service providers in Belgium, France and the Netherlands were hit by DDoS attacks, ZDNet reports. ZDNet's account draws on insights from NBIP, a Netherlands-based non-profit internet protection organization.
- The attacks were launched against DNS infrastructure of ISPs in Benelux, a union made up of Belgium, the Netherlands, and Luxembourg, according to NBIP. "Most of [the attacks] were DNS amplification and LDAP-type of attacks."
- In the U.S., Cisco and Cloudflare suffered outages on Aug. 30. Cloudflare's outage stemmed from an outage at CenturyLink/Level 3, caused by an "offending flowspec announcement [that] prevented Border Gateway Protocol (BGP) from establishing across multiple elements throughout the CenturyLink Network," according to the company. Flowspec rules are BGP announcements that operators use to filter or rate-limit traffic, typically to deflect a DDoS attack or other suspicious activity; as this outage showed, a bad rule can take down far more than the traffic it was meant to block.
Dive Insight:
Last week's outages highlight two areas of concern: cyberattacks in the age of COVID-19 and the internet's longstanding fragility.
Between January and June, global internet disruptions increased 45%, according to ThousandEyes. About 4,500 ISP networks, including telecom, transit, and broadband providers, went down, compared to about 400 cloud provider outages between January and July.
CenturyLink/Level 3's outage rippled through the industry. "We saw a widespread Internet outage online that impacted many multiple providers. This was not a Cloudflare-specific outage," said John Graham-Cumming, CTO of Cloudflare, in an email to CIO Dive. The company's automated systems "detected the problem and routed around them, but the extent of the problem required manual intervention as well."
When a service provider goes down, customers are often left waiting until the issue is resolved. However, "if you assume your provider could go down at any point you could utilize multiple providers, moving traffic from the outage to a good connection," said Frederic Bull, chief security officer at Gremlin.
Companies may be able to absorb the increased traffic, and load testing is how they find out in advance, provided the tests also model failing dependencies. "I am of the opinion that all testing should involve failure of dependencies, otherwise you only protect against single events in isolation and will eventually fail," said Bull.
The interconnectedness of the internet, laced together by BGP, rests on trust between ISPs and other network operators. BGP's benefit and its downfall are the same property: a router accepts a route announcement from its peers without, by default, verifying that the announcer is entitled to originate or carry that prefix.
Attacks on BGP or DNS are different, though they achieve a similar end result: overwhelm the target, said Bull. "BGP attacks are poisoning attacks against the routing" and DNS attacks increase traffic by "poisoning the DNS table, so folks that request websites are all told they live on the attack target."
ZDNet noted that it is not confirmed whether the DDoS attacks targeting European ISPs are related. "My gut would say that some of these are likely unrelated," said Bull. CenturyLink's outage "was a bit more sophisticated" than a DDoS attack targeting DNS or LDAP. The worst kinds of DDoS attacks are "multi-honed."
Attackers could "increase traffic using a DNS amplification against you and all the dependencies they know you have," said Bull. From there, attackers could leverage a flaw in an LDAP parser and attack the ISP "between you and your dependency by poisoning their routing tables."
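The DNS and LDAP amplification attacks NBIP describes have a simple signature in flow telemetry: large UDP packets arriving from port 53 or 389 on many hosts, all aimed at one victim. The following is an added example, not code from CIO Dive, NBIP, Cloudflare or CenturyLink. It scores constructed NetFlow-style records for that signature and drafts a narrowly scoped Flowspec-style match (RFC 8955 components, not any vendor's CLI syntax) of the kind an operator would announce to rate-limit the reflected traffic. The addresses, flow format, thresholds and assumed request sizes are all made up for the illustration.

```python
"""Spot DNS/CLDAP amplification in NetFlow-style records and draft a
Flowspec-shaped mitigation. Added example; not code from the article,
NBIP, Cloudflare or CenturyLink. Addresses and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services the NBIP report names as amplifiers: DNS (53) and LDAP,
# which in practice means connectionless LDAP (CLDAP, 389).
REFLECTOR_PORTS = {53: "dns", 389: "cldap"}
# Assumed typical request size, used only to estimate the amplification factor.
ASSUMED_REQUEST_BYTES = {"dns": 64, "cldap": 52}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def parse_flows(text):
    """Parse 'src,sport,dst,dport,proto,packets,bytes' lines (a constructed format)."""
    flows = []
    for line in text.strip().splitlines():
        src, sport, dst, dport, proto, pkts, byts = line.split(",")
        flows.append(Flow(src, int(sport), dst, int(dport), proto, int(pkts), int(byts)))
    return flows


def find_amplification(flows, min_avg_bytes=512, min_packets=1000):
    """Group UDP flows whose *source* port is a reflector service by victim.

    Reflected responses arrive from port 53/389 on the reflector side; a
    large average packet size plus volume from several reflectors is the
    signature. Replies to a host's own small queries stay below both
    thresholds and are not flagged.
    """
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        a = agg[(f.dst, REFLECTOR_PORTS[f.sport])]
        a["packets"] += f.packets
        a["bytes"] += f.bytes
        a["reflectors"].add(f.src)
    findings = []
    for (victim, service), a in agg.items():
        avg = a["bytes"] / a["packets"]
        if avg < min_avg_bytes or a["packets"] < min_packets:
            continue
        findings.append({
            "victim": victim,
            "service": service,
            "packets": a["packets"],
            "bytes": a["bytes"],
            "avg_bytes": avg,
            "reflectors": len(a["reflectors"]),
            "amp_factor": avg / ASSUMED_REQUEST_BYTES[service],
        })
    return sorted(findings, key=lambda r: -r["bytes"])


def flowspec_rule(finding, rate_bytes_per_sec=1_000_000):
    """Draft an RFC 8955-style Flowspec match for one finding.

    Returned as components, not vendor CLI syntax. The match is scoped to
    the victim /32, the reflector source port and oversized packets so a
    mis-scoped announcement cannot take legitimate traffic with it.
    traffic-rate is in bytes per second, as in the RFC.
    """
    port = {"dns": 53, "cldap": 389}[finding["service"]]
    return {
        "dst_prefix": f"{finding['victim']}/32",
        "ip_proto": 17,               # UDP
        "src_port": port,
        "packet_length_min": 512,     # only the oversized reflected replies
        "action": f"traffic-rate {rate_bytes_per_sec}",
    }


# Constructed flow records: three DNS and two CLDAP reflectors hammering
# 203.0.113.10, a normal DNS exchange for 203.0.113.20, and unrelated TCP.
SAMPLE_FLOWS = """\
198.51.100.7,53,203.0.113.10,41234,udp,800,2800000
198.51.100.8,53,203.0.113.10,41234,udp,600,2100000
192.0.2.33,53,203.0.113.10,51000,udp,500,1750000
192.0.2.34,389,203.0.113.10,50222,udp,1500,4500000
192.0.2.35,389,203.0.113.10,50222,udp,700,2100000
192.0.2.53,53,203.0.113.20,33000,udp,40,4800
203.0.113.20,33000,192.0.2.53,53,udp,40,2400
192.0.2.60,443,203.0.113.10,55000,tcp,5000,6000000
"""


def demo():
    findings = find_amplification(parse_flows(SAMPLE_FLOWS))
    return findings, [flowspec_rule(f) for f in findings]


if __name__ == "__main__":
    for f, rule in zip(*demo()):
        print(f"{f['victim']} {f['service']}: {f['reflectors']} reflectors, "
              f"avg {f['avg_bytes']:.0f} B, ~x{f['amp_factor']:.0f} -> {rule}")
```

On the sample, only 203.0.113.10 is flagged, once for DNS and once for CLDAP; the ordinary 40-packet DNS exchange for 203.0.113.20 stays under both thresholds. The drafted rule is deliberately narrow (victim /32, reflector port, minimum packet length): the CenturyLink incident is the reminder that a Flowspec announcement is itself a BGP change and should be validated and scoped before it is pushed network-wide.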
Editor's note: This article has been updated to include comments from Cloudflare CTO John Graham-Cumming.