NSFOCUS Managed Security Service Case: Protection Policy Tuning for Further Improved Result in a 170Gbps DDoS Incident


May 13, 2022 | Jie Ji

Incident Response

In mid-2021, a multinational telecom service provider was hit by a sudden large-scale DDoS attack peaking at 170Gbps, with at most 5Gbps of malicious traffic leakage; the equivalent Mitigation Effect (mitigated malicious traffic / total ingress traffic) stayed at or above 97%. The service provider experienced no service interruption during the whole incident. However, the NSFOCUS Managed Security Service team always wants to do more.

Incident Playback and Further Analysis

  • SYN Flood

Comprehensive analysis afterwards found that the malicious traffic contained only SYN packets, with no ACK or SYN/ACK packets, and that the TCP TSval (the timestamp option carrying the sender's local time when the packet was sent) never changed; this can be used to identify the malicious traffic more precisely.

  • UDP Flood

We also identified a UDP Flood attack targeting port 3283 (Apple Remote Desktop Protocol).

In the captured packets, the TTL (time-to-live) of all packets lies between 48 and 59 and the packet length is always 1006. Meanwhile, the data field of each packet was filled with the hostname of the source IPs (BUTL300MAC04).

Based on the above characteristics, there is sufficient evidence to conclude that the attack packets were generated by a tool. Such attacks can be effectively mitigated by remotely triggered black hole (RTBH) routing aimed at the source IPs, or by filtering them directly with an ACL.

  • CLDAP Reflection Amplification

Finally, a CLDAP reflection amplification attack was also discovered. NSFOCUS suggested that the service provider block UDP source port 389 to guard against similar attacks in the future.
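The three indicators above (SYN-only traffic with a frozen TSval, tool-generated UDP packets with a fixed TTL range, fixed length and hostname filler, and CLDAP responses from source port 389) can be turned into per-packet detection rules and the corresponding filtering suggestions. The following is an added example, not NSFOCUS's own tooling or the service provider's configuration: it runs the rules over a small set of constructed packet records (the addresses and port 40000 are made up; the hostname and ports come from the case) and derives the policy actions the case describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed example: a minimal packet record carrying only the header fields
# that the incident analysis relied on (not a real capture format).
@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                  # "TCP" or "UDP"
    src_port: int
    dst_port: int
    ttl: int
    length: int
    tcp_flags: str = ""         # "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    tsval: Optional[int] = None # TCP timestamp option value, if present
    payload: bytes = b""

def syn_flood_sources(packets, min_packets=3):
    """Return sources whose TCP traffic is SYN-only with a TSval that never changes.

    Indicator from the case: only SYN packets, no ACK or SYN/ACK, and the TCP
    timestamp (TSval) is identical across every packet from the same source.
    """
    by_src = defaultdict(list)
    for p in packets:
        if p.proto == "TCP":
            by_src[p.src].append(p)
    flagged = set()
    for src, pkts in by_src.items():
        flags = {p.tcp_flags for p in pkts}
        tsvals = {p.tsval for p in pkts}
        if flags == {"S"} and len(pkts) >= min_packets and len(tsvals) == 1 and None not in tsvals:
            flagged.add(src)
    return flagged

def is_udp_tool_packet(p):
    """UDP flood signature from the case: dst port 3283 (Apple Remote Desktop),
    TTL between 48 and 59, packet length 1006, payload padded with a hostname."""
    if p.proto != "UDP" or p.dst_port != 3283:
        return False
    if not (48 <= p.ttl <= 59) or p.length != 1006:
        return False
    text = p.payload.rstrip(b"\x00")
    return len(text) > 0 and text.isascii() and text.isalnum()  # hostname-like filler

def is_cldap_reflection(p):
    """CLDAP reflection: UDP datagrams arriving from source port 389."""
    return p.proto == "UDP" and p.src_port == 389

def classify(packets):
    """Count packets per indicator; packets matching no rule are 'clean'."""
    syn_srcs = syn_flood_sources(packets)
    counts = defaultdict(int)
    for p in packets:
        if p.proto == "TCP" and p.src in syn_srcs:
            label = "syn_flood"
        elif is_udp_tool_packet(p):
            label = "udp_flood_tool"
        elif is_cldap_reflection(p):
            label = "cldap_reflection"
        else:
            label = "clean"
        counts[label] += 1
    return dict(counts)

def acl_suggestions(packets):
    """Derive the filtering actions the case describes from the matched indicators."""
    actions = set()
    for p in packets:
        if is_udp_tool_packet(p):
            actions.add(f"deny udp from {p.src} (RTBH or ACL on the tool-generated source)")
        elif is_cldap_reflection(p):
            actions.add("deny udp src-port 389 (CLDAP reflection)")
    for src in syn_flood_sources(packets):
        actions.add(f"drop tcp syn from {src} (unchanging TSval)")
    return sorted(actions)

# Constructed sample traffic (RFC 5737 documentation addresses).
HOSTNAME_FILLER = b"BUTL300MAC04"
SAMPLE = [
    # SYN flood source: three SYNs, TSval frozen at the same value
    Packet("198.51.100.10", "TCP", 40001, 80, 57, 60, "S", 123456),
    Packet("198.51.100.10", "TCP", 40002, 80, 57, 60, "S", 123456),
    Packet("198.51.100.10", "TCP", 40003, 80, 57, 60, "S", 123456),
    # Legitimate client: SYN followed by ACK, TSval advancing
    Packet("203.0.113.5", "TCP", 51000, 443, 64, 60, "S", 100),
    Packet("203.0.113.5", "TCP", 51000, 443, 64, 52, "A", 101),
    # Tool-generated UDP flood towards port 3283
    Packet("192.0.2.7", "UDP", 20000, 3283, 52, 1006, payload=HOSTNAME_FILLER + b"\x00" * 16),
    Packet("192.0.2.8", "UDP", 20001, 3283, 49, 1006, payload=HOSTNAME_FILLER + b"\x00" * 16),
    # CLDAP reflection: response from source port 389
    Packet("192.0.2.200", "UDP", 389, 40000, 55, 1400, payload=b"\x30\x84"),
    # Ordinary DNS reply
    Packet("192.0.2.53", "UDP", 53, 40000, 60, 120, payload=b"\x12\x34"),
]

if __name__ == "__main__":
    print(classify(SAMPLE))
    for action in acl_suggestions(SAMPLE):
        print(action)
```

The SYN rule requires a minimum number of packets per source before judging a TSval "frozen", so a single legitimate SYN is never flagged; in production the threshold and the grouping window would be tuned to the observed attack rate.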

Result

The service provider is satisfied with the mitigation efficiency and the quality of the attack incident report. The report helped the service provider trace the source of the attack, and the corresponding policy tuning suggestions will help achieve even better results in future attacks.