Between March 19 and March 25, 2019, there was a very large amount of DDoS traffic sourced from a specific Egyptian Autonomous System (ASN) directed at Akamai Prolexic customers.
It's worth noting this is an ASN we rarely see in our pre-attack, or top source IPs during active attacks. When it showed up on the scene, it quickly overtook all other source IPs, before fading off a week later.
This is a phenomenon we have seen before. An ASN with compromised or ineffective security controls is uncovered by malicious bots, infected, and leveraged to launch DDoS campaigns until it is blacklisted by Internet carriers or properly secured.
This specific ASN is wholly responsible for making Egypt the leader in Mirai-like botnet activity during the March 19th-25th timeframe, at nearly double the next highest reported ASN (per Bad Packets Report).
At the time this blog is being published, Akamai has seen very little attack activity from the Egyptian ASN even though it remains active. It appears that after a week of large scale attacks, it was either effectively blocked by upstream providers or properly secured.
Where was the botnet directed?
Activity from this botnet was observed across eight industry verticals and targeted 19 Akamai Prolexic customers during the seven day span. These attacks targeted high-profile gaming customers in particular, ramping up to more than 90 attacks before all was said and done.
While other industries saw significantly fewer attacks, it only takes one effective attack to cause an outage, as almost all DDoS attacks observed by Akamai are large enough to do so. Rarely do we see attacks that can go unnoticed or without some sort of impact
What can be done?
First and foremost, partner with a cloud-based DDoS protection specialist. Bots are constantly evolving and looking for vulnerable services to launch attacks. So, unless your staff includes a team of specialists dedicated to observing, analyzing, collaborating with external bodies, and then evolving your protection, you are unlikely to keep up with the bad guys.
Next, reduce attack surfaces by removing any likely attack vectors directed towards unused services. The Akamai SOCC profiles each customer's traffic (across all subnets) 24/7 and determines which likely vectors can be safely and effectively proactively mitigated (0 Second SLA), engaging with customers before attacks start. Our Kona customers get the same protection by design, as they are isolated from L3/L4 attacks.
Finally, Akamai believes customers should run their DDoS protection in an always-on manner whenever possible. We continue to see very quick ramping attacks, where attack traffic can rise from 0 to more than 1Tbps in less than a minute.
Any delay in routing on to a cloud based DDoS provider with ample bandwidth capacity and mitigation capabilities (even a minute) will likely mean downtime.