
IoT Botnet Targets Olympics in 540Gbps DDoS Attacks

The 2016 Rio Olympics weren’t all about the games, but also about overcoming some of the largest distributed denial of service (DDoS) attacks, Arbor Networks researchers reveal.

The 2016 Olympic games, held in Brazil, were targeted by sustained, sophisticated, large-scale DDoS attacks peaking at 540 Gigabits per second (Gbps), driven mainly by one Internet of Things (IoT) botnet with several other botnets joining in. The attacks, researchers say, were aimed at public-facing properties and at organizations affiliated with the Olympics.

According to Arbor Networks, DDoS attacks against Olympics-affiliated targets had been going on for months before the games kicked off, some in the tens and some in the hundreds of Gbps. The activity intensified as soon as the actual games started, and “the longest-duration sustained 500gb/sec-plus DDoS attack campaign” was observed.

“By any metric, the Rio Olympics have set the bar for rapid, professional, effective DDoS attack mitigation under the most intense scrutiny of any major international event to date,” the Arbor Networks researchers say.

A single IoT botnet was responsible for most of the pre-Olympics attacks, and other botnets joined it to produce the record-breaking campaign. That botnet, Arbor Networks reveals, is LizardStresser, which was already known to abuse IoT devices to launch DDoS attacks of 400 Gbps and more.

The malware that builds the botnet is written in C, is designed to run on Linux, and had its source code leaked online in early 2015. Once DDoS actors began building botnets from the leaked code, researchers observed intensified LizardStresser activity, including a growing number of unique command and control (C&C) servers.

The Olympics-related DDoS attacks used UDP reflection/amplification to generate a large portion of the attack volume. DNS, chargen, NTP, and SSDP were the main reflection vectors, but direct UDP packet floods, SYN floods, and application-layer attacks against web and DNS services were also observed.

In addition to their Olympic-grade size and the use of an IoT-powered botnet, these attacks had another distinctive feature: they leveraged the less-familiar Generic Routing Encapsulation (GRE) protocol (IP protocol 47), which is normally used for unencrypted ad-hoc VPN-type tunnels, researchers say.


DDoS attacks leveraging lesser-known IP protocols were observed in late 2000 as a way to bypass router ACLs, firewall rules, and other DDoS defenses that only accounted for the three most common protocols, namely TCP, UDP, and ICMP. A filter that matches on TCP and UDP ports never sees a GRE packet, because GRE carries no port numbers at all.

The attacks observed during the 2016 Rio Olympics also generated significant amounts of GRE traffic, because this attack methodology has been incorporated into the LizardStresser IoT botnet. Reviving the old technique in an IoT botnet is new, and researchers expect that it won’t be long before other botnets-for-hire and ‘booter/stresser’ services add GRE to their repertoires.

Moreover, uncomplicated, high-volume packet floods aimed at UDP/179 were also observed, and researchers suggest these may have been intended to look like an attack on BGP, the routing protocol that weaves Internet-connected networks together. Many UDP reflection/amplification attacks are aimed at UDP/80 or UDP/443 so that defenders assume the attacker is using TCP (TCP/80 serves plain-HTTP web servers, TCP/443 SSL/TLS-encrypted ones), and the same evasion trick may have been at work here. Since BGP does not listen on UDP, a UDP/179 flood cannot touch a peering session directly; its value to the attacker is confusion and misdirected mitigation.
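The vectors described in the preceding paragraphs (UDP reflection from DNS, chargen, NTP and SSDP; GRE floods; and UDP/179 or UDP/80/443 floods dressed up to look like BGP or web traffic) can be separated in flow telemetry by IP protocol number and port, which is also what a defender needs in order to keep real TCP/179 peering traffic visibly apart from the UDP/179 noise. The following Python is an added example, not code from Arbor Networks or from the article. The flow records are constructed, the record field names (proto, src_port, dst_port, packets, bytes, tcp_flags) are assumed rather than taken from any exporter, and the protocol numbers are the IANA assignments (TCP 6, UDP 17, GRE 47).

```python
"""Sort sampled flow records into the DDoS vectors discussed above.

Added example, not Arbor Networks code. The records in SAMPLE_FLOWS are
constructed; the field names are assumed and would be mapped from
NetFlow/IPFIX/sFlow fields in a real deployment.
"""
from collections import defaultdict

# IANA IP protocol numbers. GRE (47) is the one that slips past filters
# written only for TCP, UDP and ICMP, and it carries no port numbers.
ICMP, TCP, UDP, GRE = 1, 6, 17, 47

# UDP services abused as reflectors. Reflected traffic arrives *from* these
# ports, so the source port is the discriminator.
REFLECTOR_PORTS = {53: "dns", 19: "chargen", 123: "ntp", 1900: "ssdp"}

# UDP destination ports chosen to make a flood resemble a TCP service.
# Neither HTTP(S) nor BGP listens on UDP, so this traffic is never legitimate.
MASQUERADE_PORTS = {80: "masquerade-http", 443: "masquerade-https",
                    179: "masquerade-bgp"}
BGP_PORT = 179


def classify(rec):
    """Return a vector label for one flow record."""
    proto = rec["proto"]
    if proto == GRE:
        return "gre"
    if proto == UDP:
        svc = REFLECTOR_PORTS.get(rec["src_port"])
        if svc:
            return f"udp-reflection/{svc}"
        masq = MASQUERADE_PORTS.get(rec["dst_port"])
        if masq:
            return f"udp-flood/{masq}"
        return "udp-flood/other"
    if proto == TCP:
        # Real BGP peering is TCP/179; keep it separate from UDP/179 floods.
        if BGP_PORT in (rec["src_port"], rec["dst_port"]):
            return "tcp/179-bgp"
        if rec.get("tcp_flags", "") == "S":  # SYN-only flows
            return "tcp-syn-flood"
        return "tcp/other"
    return f"ipproto-{proto}"


def summarize(flows, window_s, sample_rate=1):
    """Aggregate packets and bytes per vector over a window of window_s
    seconds; sample_rate is the exporter's 1:N ratio (1 = unsampled)."""
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for rec in flows:
        v = classify(rec)
        agg[v]["packets"] += rec["packets"] * sample_rate
        agg[v]["bytes"] += rec["bytes"] * sample_rate
    for st in agg.values():
        st["gbps"] = st["bytes"] * 8 / window_s / 1e9
        st["avg_pkt_bytes"] = st["bytes"] / max(st["packets"], 1)
    return dict(agg)


def top_vectors(summary, n=3):
    """Vectors ordered by byte volume, largest first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def anomalies(summary, expect_gre=False):
    """Vectors a defender should act on. GRE is flagged unless the network
    legitimately carries GRE tunnels; real TCP/179 BGP traffic never is."""
    flagged = set()
    for v in summary:
        if v == "gre" and not expect_gre:
            flagged.add(v)
        elif v.startswith(("udp-reflection/", "udp-flood/masquerade", "tcp-syn-flood")):
            flagged.add(v)
    return flagged


# Constructed 10-second window of unsampled flows toward one victim prefix.
SAMPLE_FLOWS = [
    {"proto": UDP, "src_port": 53, "dst_port": 41234, "packets": 5000, "bytes": 15_000_000, "tcp_flags": ""},
    {"proto": UDP, "src_port": 123, "dst_port": 41235, "packets": 8000, "bytes": 3_800_000, "tcp_flags": ""},
    {"proto": UDP, "src_port": 19, "dst_port": 41236, "packets": 2000, "bytes": 2_000_000, "tcp_flags": ""},
    {"proto": UDP, "src_port": 1900, "dst_port": 41237, "packets": 3000, "bytes": 900_000, "tcp_flags": ""},
    {"proto": GRE, "src_port": 0, "dst_port": 0, "packets": 9000, "bytes": 12_000_000, "tcp_flags": ""},
    {"proto": UDP, "src_port": 40000, "dst_port": 179, "packets": 7000, "bytes": 2_800_000, "tcp_flags": ""},
    {"proto": UDP, "src_port": 40001, "dst_port": 443, "packets": 4000, "bytes": 2_400_000, "tcp_flags": ""},
    {"proto": TCP, "src_port": 40002, "dst_port": 80, "packets": 6000, "bytes": 360_000, "tcp_flags": "S"},
    {"proto": TCP, "src_port": 179, "dst_port": 52000, "packets": 40, "bytes": 4_000, "tcp_flags": "PA"},
    {"proto": TCP, "src_port": 51000, "dst_port": 80, "packets": 300, "bytes": 200_000, "tcp_flags": "PA"},
]

if __name__ == "__main__":
    s = summarize(SAMPLE_FLOWS, window_s=10)
    for v, st in top_vectors(s, 5):
        print(f"{v:28s} {st['gbps']:.4f} Gbps  avg {st['avg_pkt_bytes']:.0f} B/pkt")
    print("act on:", sorted(anomalies(s)))
```

The mean packet size per vector is worth keeping in the report: reflection vectors show large packets (a 3000-byte average for DNS in the constructed data), while SYN floods sit near the 60-byte minimum, and that difference is usually visible before any source analysis is possible. The `expect_gre` switch exists because a network that runs GRE tunnels of its own cannot simply drop protocol 47; it has to permit GRE from its known tunnel endpoints and block the rest.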

“BGP runs on TCP/179; the irony is that one of the few best current practices (BCPs) actually implemented on a significant proportion (not all!) of Internet-connected networks is to use infrastructure ACLs (iACLs) to keep unsolicited network traffic from interfering with BGP peering sessions,” the security researchers explain.

Despite their sophistication and scale, the attacks went unnoticed by everyone except the security teams engaged in mitigating them, the security firm says. “The stunning victory of the extended DDoS defense team for the 2016 Rio Olympics demonstrates that maintaining availability in the face of large-scale, sophisticated and persistent DDoS attacks is well within the capabilities of organizations which prepare in advance to defend their online properties,” Arbor Networks concludes.
