The F5 Security Incident Response Team (F5 SIRT) helps customers tackle security incidents in real time. F5 Labs, F5’s threat intelligence team, took the data collected by the F5 SIRT and examined the top security incidents over the past three years. Specifically, we looked at incidents from 2017, 2018, and 2019 reported by telecom service providers, both landline and mobile, across the globe. The data shows that the majority of reported security incidents were either distributed denial-of-service attacks (DDoS) or brute force attacks. However, we also noted some interesting trends in attacks using service provider-specific management protocols.
(Note that we do not mention specific organizations or divulge numbers in order to protect customer confidentiality.)
DDoS Attacks Trending Up for Service Providers
The most common attack for service providers, as an average for the three-year period we reviewed, was DDoS, at 49% of reported incidents. While the number of attacks was fairly constant in 2017 and 2018, DDoS saw a huge jump in 2019, accounting for 77% of all incidents handled by the F5 SIRT, up from just a third of all incidents in 2017 (see Figure 1).
What Does a Typical DDoS Attack Look Like at a Service Provider?
A denial-of-service attack against service providers usually targets either the core services that their customers use (such as DNS) or the applications that allow their users to view their bills, see usage, and the like. Such attacks can overwhelm the bandwidth of a service provider network, although this is rare. Attacks are often seen to be sourced from within the service providers’ subscription base and may not (in the case of DNS attacks) directly target the service provider but, instead, use their resources to attack others.
The F5 SIRT primarily had reports of DNS DDoS attacks such as water torture and reflection attacks. Reflection attacks use service provider-hosted resources (such as DNS or NTP) to reflect spoofed traffic so that the responses from the leveraged service end up going to the target, not to the initiator. DNS water torture attacks, also known as pseudo-random subdomain attacks, are a form of reflection attack. These attacks send queries for subdomains that deliberately do not exist, generating response traffic directed at the DNS servers that are authoritative for the queried domains. However, these requests still pass through the service provider’s local recursive DNS servers, and the added load on those servers occasionally rises to the level of a denial of service for the provider’s own subscribers.
Typically, the first indication a service provider’s operations team has is an increase in network traffic. The team is naturally focused on the performance of the network as a whole, and given the diversity of traffic types it carries, it can take some effort to determine exactly which services are being abused in the attack before it can be mitigated.
The next most common indication of these attacks tended to be customer complaints, such as slow network service or complaints that DNS servers weren’t responding, impacting the customer’s ability to get their work done.
From a defensive point of view, as mentioned above, these attacks can appear to simply be either a general outage of a service, such as DNS, or a surge of network traffic. The ability to quickly compare the characteristics of normal, expected network traffic against samples of traffic while the attack condition exists is critically important. Additionally, the ability to quickly enable in-depth logging for network services like DNS in order to identify unusual queries is key to detecting and mitigating these attacks.
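To make the detection step concrete, the following is an added example (not F5 code and not part of the original article) that applies the two ideas above, comparing attack-time traffic against what normal traffic looks like and inspecting DNS query logs for unusual names, to the water torture pattern described earlier. The resolver log format, the zone names, client addresses, and the thresholds are all constructed for the example; a real deployment would point the parser at its own resolver's query log and tune the thresholds against a baseline of normal traffic. The heuristic is that legitimate clients repeat a small set of names that mostly resolve, whereas a pseudo-random subdomain flood produces an almost entirely unique set of names that almost all return NXDOMAIN.

```python
"""Flag pseudo-random subdomain (DNS water torture) patterns in resolver logs.

Added example. A zone is reported as suspicious when most queries for it carry
a never-before-seen subdomain AND most of them are answered NXDOMAIN; the
report also lists which subscribers generated the load, since the article
notes these floods usually originate inside the provider's own customer base.
"""
import math
import re
from collections import defaultdict

# Hypothetical log line format, constructed for this example:
#   <timestamp> <client_ip> <qname> <qtype> <rcode>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)

MIN_QUERIES = 5         # ignore zones with too few queries to judge (assumed threshold)
UNIQUE_RATIO = 0.9      # share of queries whose qname was unique within the zone
NXDOMAIN_RATIO = 0.8    # share of queries answered NXDOMAIN

# Constructed sample: a few normal lookups of the provider's own zone, one typo,
# and a burst of random-label queries for an unrelated victim zone from two clients.
SAMPLE_LOG = """\
2019-06-01T10:00:00Z 10.0.0.5 www.example-isp.net A NOERROR
2019-06-01T10:00:00Z 10.0.0.6 www.example-isp.net A NOERROR
2019-06-01T10:00:01Z 10.0.0.5 mail.example-isp.net MX NOERROR
2019-06-01T10:00:01Z 10.0.0.7 www.example-isp.net AAAA NOERROR
2019-06-01T10:00:02Z 10.0.0.8 wwww.example-isp.net A NXDOMAIN
2019-06-01T10:00:02Z 10.0.1.9 x7k2q9.victim-domain.test A NXDOMAIN
2019-06-01T10:00:02Z 10.0.1.9 p0a3zz.victim-domain.test A NXDOMAIN
2019-06-01T10:00:02Z 10.0.1.9 m8r1cb.victim-domain.test A NXDOMAIN
2019-06-01T10:00:02Z 10.0.1.9 q2w4e6.victim-domain.test A NXDOMAIN
2019-06-01T10:00:03Z 10.0.1.9 a9s8d7.victim-domain.test A NXDOMAIN
2019-06-01T10:00:03Z 10.0.1.9 z1x2c3.victim-domain.test A NXDOMAIN
2019-06-01T10:00:03Z 10.0.2.4 v5b6n7.victim-domain.test A NXDOMAIN
2019-06-01T10:00:03Z 10.0.2.4 h4j5k6.victim-domain.test A NXDOMAIN
2019-06-01T10:00:03Z 10.0.2.4 t3y4u5.victim-domain.test A NXDOMAIN
2019-06-01T10:00:04Z 10.0.2.4 o0i9u8.victim-domain.test A NXDOMAIN
2019-06-01T10:00:04Z 10.0.2.4 www.victim-domain.test A NOERROR
2019-06-01T10:00:04Z 10.0.2.4 l1k2j3.victim-domain.test A NXDOMAIN
"""


def zone_of(qname):
    """Approximate the registered zone as the last two labels (sufficient for the sample)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; random labels score higher."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield parsed records, silently skipping lines that do not match the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze_dns_log(text):
    """Return {zone: stats} for zones whose query pattern looks like water torture."""
    per_zone = defaultdict(lambda: {"queries": 0, "names": set(), "nxdomain": 0,
                                    "clients": defaultdict(int), "entropy_sum": 0.0})
    for rec in parse_log(text):
        z = per_zone[zone_of(rec["qname"])]
        z["queries"] += 1
        z["names"].add(rec["qname"].lower())
        if rec["rcode"] == "NXDOMAIN":
            z["nxdomain"] += 1
        z["clients"][rec["client"]] += 1
        z["entropy_sum"] += label_entropy(rec["qname"].split(".")[0])

    suspicious = {}
    for zone, z in per_zone.items():
        if z["queries"] < MIN_QUERIES:
            continue
        unique_ratio = len(z["names"]) / z["queries"]
        nx_ratio = z["nxdomain"] / z["queries"]
        if unique_ratio >= UNIQUE_RATIO and nx_ratio >= NXDOMAIN_RATIO:
            suspicious[zone] = {
                "queries": z["queries"],
                "unique_ratio": round(unique_ratio, 2),
                "nxdomain_ratio": round(nx_ratio, 2),
                "mean_label_entropy": round(z["entropy_sum"] / z["queries"], 2),
                # subscribers generating the load, most active first
                "top_clients": sorted(z["clients"].items(), key=lambda kv: -kv[1])[:3],
            }
    return suspicious


if __name__ == "__main__":
    for zone, stats in analyze_dns_log(SAMPLE_LOG).items():
        print(zone, stats)
```

On the sample, `example-isp.net` is not reported (three distinct names over five queries, one NXDOMAIN from a typo) while `victim-domain.test` is, with every query unique, eleven of twelve NXDOMAIN, and the two subscriber addresses responsible listed first. The entropy figure is informational only: short legitimate labels such as `www` score zero, so it helps confirm a verdict but is too noisy to drive one on its own.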
Authentication Attacks: Significant but Slowly Waning
Some attacks against service providers target various authentication systems with the goal of either breaching individual customers or trying to find administrative accounts to penetrate deeper into the target network. Brute force attacks were the second most commonly reported incident, accounting for 39% in 2018.
Brute force attacks involve a bad actor trying massive numbers of usernames and passwords against an authentication endpoint. Sometimes these are credentials that have been obtained from other breaches, which are then used to target the service in an attack known as “credential stuffing.” Other forms of brute force attacks simply use common lists of default credential pairs (for example, admin/admin), commonly used passwords, or even randomly generated password strings.
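The two variants described above leave different footprints in an authentication log, and telling them apart matters for response: a password brute force points at a few accounts to lock or protect, while credential stuffing points at every account whose leaked password actually worked. The following is an added example (not F5 code and not part of the original article) that classifies failed-login bursts per source address on exactly that basis. The log format, addresses, usernames and thresholds are all constructed for the example and would be adapted to a real authentication endpoint's logs.

```python
"""Separate password brute force from credential stuffing in an auth log.

Added example. Per source address:
  - brute force: many failures concentrated on one or two accounts
    (default pairs such as admin/admin, common-password lists, random strings);
  - credential stuffing: many failures spread across many distinct accounts,
    roughly one attempt each, because each username/password pair came from a
    breach elsewhere and is tried once.
A success following a stuffing run is recorded as a likely compromised account.
"""
import re
from collections import defaultdict

# Hypothetical log line format, constructed for this example:
#   <timestamp> src=<ip> user=<name> result=<OK|FAIL>
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)")

MIN_FAILURES = 5           # below this a source is probably a forgetful user (assumed)
STUFFING_USER_RATIO = 0.8  # distinct users / failures; near 1.0 means stuffing
BRUTE_MAX_USERS = 2        # brute force concentrates on very few accounts

# Constructed sample: one source guessing passwords for "admin", one source
# trying a leaked list of one pair per account, and one ordinary user.
SAMPLE_AUTH_LOG = """\
2019-06-01T09:00:01Z src=203.0.113.10 user=admin result=FAIL
2019-06-01T09:00:02Z src=203.0.113.10 user=admin result=FAIL
2019-06-01T09:00:02Z src=203.0.113.10 user=admin result=FAIL
2019-06-01T09:00:03Z src=203.0.113.10 user=admin result=FAIL
2019-06-01T09:00:03Z src=203.0.113.10 user=admin result=FAIL
2019-06-01T09:00:04Z src=203.0.113.10 user=admin result=FAIL
2019-06-01T09:00:04Z src=203.0.113.10 user=admin result=FAIL
2019-06-01T09:00:05Z src=198.51.100.7 user=alice result=FAIL
2019-06-01T09:00:05Z src=198.51.100.7 user=bob result=FAIL
2019-06-01T09:00:06Z src=198.51.100.7 user=carol result=FAIL
2019-06-01T09:00:06Z src=198.51.100.7 user=dave result=FAIL
2019-06-01T09:00:07Z src=198.51.100.7 user=erin result=FAIL
2019-06-01T09:00:07Z src=198.51.100.7 user=frank result=FAIL
2019-06-01T09:00:08Z src=198.51.100.7 user=grace result=OK
2019-06-01T09:00:09Z src=10.0.0.5 user=jdoe result=FAIL
2019-06-01T09:00:15Z src=10.0.0.5 user=jdoe result=FAIL
2019-06-01T09:00:20Z src=10.0.0.5 user=jdoe result=OK
"""


def parse_auth_log(text):
    """Yield parsed records, skipping lines that do not match the format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def classify_sources(text):
    """Return {src_ip: verdict} for sources whose failure pattern is suspicious."""
    per_src = defaultdict(lambda: {"fail": 0, "ok_users": [], "users": defaultdict(int)})
    for rec in parse_auth_log(text):
        s = per_src[rec["src"]]
        if rec["result"] == "FAIL":
            s["fail"] += 1
            s["users"][rec["user"]] += 1
        else:
            s["ok_users"].append(rec["user"])

    verdicts = {}
    for src, s in per_src.items():
        if s["fail"] < MIN_FAILURES:
            continue  # too few failures to be an attack on its own
        distinct = len(s["users"])
        ratio = distinct / s["fail"]
        if ratio >= STUFFING_USER_RATIO:
            kind = "credential_stuffing"
        elif distinct <= BRUTE_MAX_USERS:
            kind = "password_brute_force"
        else:
            kind = "mixed"
        verdicts[src] = {
            "kind": kind,
            "failures": s["fail"],
            "distinct_users": distinct,
            # most-targeted accounts first; for brute force this is the lockout list
            "targets": sorted(s["users"], key=lambda u: -s["users"][u])[:3],
            # accounts the same source then logged into: reset these first
            "compromised": s["ok_users"],
        }
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_AUTH_LOG).items():
        print(src, verdict)
```

The ordinary user at `10.0.0.5` never reaches the failure threshold and is not reported; `203.0.113.10` is classified as a password brute force against `admin`; `198.51.100.7` is classified as credential stuffing, and `grace` is listed as the account whose leaked pair succeeded. The `mixed` verdict covers sources that fall between the two patterns and is the case that usually deserves a human look.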
We saw this attack trend significantly downward over the three-year period we reviewed, from 72% of total F5 SIRT incidents in 2017 to less than 20% in 2019 (see Figure 2). As a reference point, it’s worth noting that we’ve seen an upward trend in this attack when looking specifically at the financial vertical. We’ll explore what’s happening in the financial sector in a future article.