F5 : New Research Shows Global Service Providers are Increasingly Under Fire from DDoS Attacks

Distributed denial-of-service (DDoS) attacks against service providers are significantly on the rise, according to new research from F5 Labs¹.

An analysis of global customer security incident data from the past three years-both mobile and landline-also found that brute force attacks, though still prevalent, are on the wane.

Other prominent observed threats include compromised devices and web injection attacks.

'In general, service providers have made important strides to defend their networks, but there is still room for improvement. This is particularly true when it comes to detecting attacks early without compromising an ability to scale and meet customer demands,' said Malcolm Heath, Senior Threat Research Evangelist.

DDoS attacks were by far the biggest threat to service providers between 2017 and 2019, accounting for 49% of all reported incidents during this period.

There was a notable jump in 2019, with attacks rising to 77% of all incidents-up from just 25% in 2017.

Denial of service attacks in the service provider space tend to be customer-facing (such as DNS) or focused on applications that allow users to, for example, view bills or monitor usage.

Most attacks were sourced from within the service provider's subscription base. Many of these, particularly in the case of DNS-related incidents, will leverage service provider resources to attack others.

F5 Labs found that most reported incidents focused on DNS DDoS such as reflection and water torture attacks.

Reflection attacks use service provider-hosted resources (such as DNS and NTP) to reflect spoofed traffic so that responses from the leveraged service end up going to the target, not to the initiator.

DNS 'Water Torture' is a form of reflection attack that uses intentionally incorrect queries to generate increased load on the target's DNS servers. However, requests still go through the service provider's local DNS servers, generating increased load strains, and occasionally rise to the level of Denial of Service.

The first indication of attack is usually an increase in network traffic discovered by a service provider's operations team. Other red flags include customer complaints, such as slow network service or non-responsive DNS servers.

'The ability to quickly compare the characteristics of normal, expected network traffic with deviations during attack conditions is of critical importance,' explained Heath.

'It is also crucial to quickly enable in-depth logging for network services like DNS in order to identify unusual queries.'

Read the full F5 Labs analysishere.

¹F5 Labs referenced data from the F5 Security Incident Response Team (F5 SIRT), specifically looking at incidents from 2017, 2018, and 2019 as reported by global telco service providers (both landline and mobile).