1. Background
As early as 2016, a report from BitSight, an American cybersecurity ratings company, showed that Brazil is one of the riskiest countries to do business in. According to the cyber threat report released by SonicWALL, Brazil suffered more than 33 million intrusion attempts in 2021, and suffered ransomware attacks second only to the United States, Germany and the United Kingdom. IDC data shows that since the beginning of the Covid-19 pandemic, Brazil has been suffering from increasing cyber-attacks.
According to the data from the NSFOCUS Global Threat Hunting System, the trend of DDoS attacks against Brazil is unusual – there is a significant increase in July and August, which is suspected to be related to the upcoming Brazilian election in October.
2. Typical Attack Events
In a series of DDoS attacks monitored by NSFOCUS Global Threat Hunting System, critical sectors including government agencies, educational institutions, news agencies, and communication operators in Brazil were attacked.
2.1 Attacks Targeting Critical Sectors
2.1.1 Government Agency
At 9:10:20 AM on July 31 (note: all times in this article are Beijing Time), a reflection DDoS attack against the Brazilian government website of Pilar City Hall (pilar.al.gov.br) was detected. In addition, the websites of another 15 city halls in Brazil were hit by massive DDoS attacks.
At 13:08:38 on August 29, a DDoS reflection attack against the website of the Brazilian federal government was detected.
2.1.2 Educational Institution
At 18:12:26 on July 17, a DDoS reflection attack against the Education Bureau of Santa Catalina State in Brazil was detected.
2.1.3 News Portal
At 5:39:59 AM on August 10, a DDoS reflection attack was detected. The target was the official website of the Globo portal owned by Organizacoes Globo, the largest media group in Latin America.
2.1.4 Communication Operator
At 6:09:46 AM on August 10, a DDoS reflection attack against the website of Kyatera, a Brazilian optical fiber service provider, was detected.
2.2 Carpet-bombing Attacks
Attackers used to target a single IP address with different attack methods in an attempt to evade protection policies. Carpet-bombing attacks differ: they are mostly launched with one common attack method that remains unchanged during the attack, and the traffic sent to each IP address is too small to reach the cleaning threshold of the DDoS defense system. However, the aggregate attack traffic across the many IP addresses in one segment may exceed the maximum bandwidth of the access switch and indirectly affect the user-facing services of the entire IP segment.
NSFOCUS Global Threat Hunting System detected carpet-bombing attacks targeting the Class C address segments 201.158.xx.0/24 and 138.186.xx.0/24. Our research found that the two Class C segments belong to the well-known Brazilian internet service providers Webfibra and Weblacerda respectively.
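The carpet-bombing pattern described above can be caught by aggregating per-destination traffic by prefix rather than alerting per IP. The following is an added example, not code from NSFOCUS or its Threat Hunting System; the function names, the thresholds (100 Mbps per-IP cleaning trigger, 1000 Mbps access link, 80% utilisation, 32 targets) and the sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def detect_carpet_bombing(samples, prefix_len=24, per_ip_mbps=100.0,
                          link_mbps=1000.0, link_fraction=0.8, min_targets=32):
    """samples: (dst_ip, mbps) pairs measured over one interval.
    All thresholds are assumed values, not figures from the report."""
    per_ip = defaultdict(float)
    for dst, mbps in samples:
        per_ip[ipaddress.ip_address(dst)] += mbps

    # Group destination addresses by their covering prefix (default /24).
    per_prefix = defaultdict(dict)
    for ip, mbps in per_ip.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_prefix[net][ip] = mbps

    findings = []
    for net, hosts in per_prefix.items():
        total, peak = sum(hosts.values()), max(hosts.values())
        # Carpet bombing: no single address trips the per-IP trigger,
        # yet many addresses together load the shared access link.
        if (peak < per_ip_mbps and len(hosts) >= min_targets
                and total >= link_mbps * link_fraction):
            findings.append({"prefix": str(net), "targets": len(hosts),
                             "peak_ip_mbps": peak, "total_mbps": total})
    return findings

def constructed_samples():
    """Constructed data using documentation address ranges."""
    rows = [(f"198.51.100.{h}", 6.0) for h in range(1, 201)]  # 200 hosts, 6 Mbps each
    rows += [("203.0.113.10", 900.0)]                         # single-target flood
    rows += [(f"192.0.2.{h}", 2.0) for h in range(1, 6)]      # background traffic
    return rows

if __name__ == "__main__":
    for finding in detect_carpet_bombing(constructed_samples()):
        print(finding)
```

The single-target flood in the sample is deliberately not reported here, since the existing per-IP threshold already covers it; only the prefix whose hosts all stay under that threshold is flagged.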
3. Analysis of DDoS Attacks in Brazil
From July 1st to August 31st, NSFOCUS Global Threat Hunting System spotted 224,090 IP addresses/domains in Brazil under DDoS attacks.
3.1 Distribution of Victim IP Addresses
3.1.1 Distribution by Region
Typically, the geographical distribution of DDoS attacks is positively correlated with the level of economic development of the regions in Brazil. Rio de Janeiro State, as an important economic center of Brazil, accounted for 36.71%, making it the most concentrated area of the DDoS attacks. For the State of Espirito Santo, as a developed coastal city of Brazil, the proportion was as high as 35.51%. The distribution of DDoS attacks targeting other areas was relatively balanced.
3.1.2 Distribution by Victim ISPs
With the international economic downturn, cyber-attacks are intensifying, and the attack methods are becoming more and more sophisticated. Internet service providers (ISPs) are facing the growing threat of DDoS attacks. In this attack event, up to 1195 ISPs were targeted in Brazil from July through August. K2 Telecom, GTI Telecom, and Fazzy, all of which are important ISPs in Brazil, were the top three most attacked ISPs.
3.1.3 Distribution by Victim Industry
DDoS attacks usually target the financial or critical infrastructure industry. According to data from NSFOCUS Global Threat Hunting System, industries affected by reflection DDoS attacks were diversified. Most of the victim IP addresses belonged to fiber optic operators, accounting for 86.35%. Apart from the popular industries including Internet companies, educational institutions, and gaming, most victim industries in the crosshair were critical facilities and national government departments, including fiber optic operators, government agencies, banks, etc. For these industries, reflection DDoS attacks are highly targeted and can easily paralyze national communication facilities, causing serious consequences.
3.2 Distribution by Attack Duration
According to the data from NSFOCUS Global Threat Hunting System, most DDoS attacks lasted less than 5 minutes, with a high proportion of transient attacks. This indicates that attackers attached great importance to attack cost, efficiency and technical confrontation, and tended to launch short-lived pulse wave attacks to degrade or knock down user-facing services on the targets. In the long run, the cost-efficient and highly frequent pulse wave attacks seriously affect the service quality delivered by the targets and put security operations staff under great strain.
3.3 Specific Victim Domain Names
According to the data from NSFOCUS Global Threat Hunting System, all the victim domain names belonged to critical sectors in Brazil, including governments, telcos, education, etc., which indicates that attackers had clear purposes and targets when launching the DDoS attacks. Below are some of the victim domain names:
Conclusion
The acceleration of the digital era is intensifying cyber threats. The DDoS attack, as a highly destructive and hard-to-trace attack, is favored by attackers in cyber warfare. From the massive DDoS attacks in Brazil, the following findings can be drawn:
1. The attack, which lasted for a long time and affected a wide range of industries, is likely to be linked to the approaching Brazilian election.
According to the data from the NSFOCUS Global Threat Hunting System, many critical industries in Brazil were hit by DDoS attacks from early July through the end of August. These industries include governments, network operators, educational institutions, news media and other critical industries. It is not difficult to see that this is a long-duration, more purposeful DDoS attack, and there is a strong likelihood that it is linked to the upcoming Brazilian election in early October.
2. Critical infrastructure is still the main target of large-scale DDoS attacks.
From the Russia-Ukraine cyberwar at the beginning of the year to the current DDoS attacks in Brazil, the main targets of the attackers are the country’s critical infrastructure, including government websites, official websites of communication operators, energy systems, etc. Once these facilities are paralyzed, the normal operation of a nation is disrupted and even socio-economic development is affected.
3. There is still a lot to be done on DDoS protection.
With the rapid development of Internet technology, the DDoS attack, a popular attack method that has kept evolving over the past two decades, still has strong vitality. Whether it’s a large country or a small business, it is necessary to strengthen cooperation across the security ecosystem and collaborative protection, carry out large-scale DDoS attack and defense exercises, and improve the DDoS protection system to ward off DDoS attacks.