UDP Amplification Attacks and the Necessity of Mitigation: Case Study on CableBahamas
Founded in March 1995, Cable Bahamas Ltd. has grown from a cable TV service provider to incorporate broadband Internet (March 2000) and telephony (2011). Through launching its REV suite of products – REVTV, REVON, and REVOICE, Cable Bahamas Ltd. became the first communications provider in The Bahamas to offer ‘triple play’ service and continue to revolutionize every area of business, delivering unbeatable services at the lowest rates in the country. Their network is comprised of 14 free-to-air broadcast systems on 11 islands, eight stand-alone cable TV systems, and four triple play systems networked by a submarine fiber. Together, this network services 99% of the Bahamian population. Their submarine fiber continues into the United States, connecting to a terrestrial fiber in South Florida, creating a terrestrial fiber ring around the state, and providing triple play services to four additional systems. These combined networks make up the complete Cable Bahamas network.
During a recent weeks-long network duress period, Cable Bahamas contacted a DDoS mitigation firm to assist in finding a solution to their pressing issues. Issues such as being attacked daily and weekly by heavy DDoS attacks and more specifically UDP amplification attacks.
Taking note of the magnitude of their issue, and also being familiar with the name, Cable Bahamas contacted Path Network to ask for help in this dire time. We at Path know that Cable Bahamas and other vulnerable institutions may not survive continued attacks that occur in the manner to be described, or may survive with heavy losses due to excessive downtime; and the experiences of those previously impacted should serve as a warning call for any online entity that isn't already serious about network protection to take notice. So Path hastily began its help.
What follows is a summary by Path’s Emergency Response Team as experienced from the front lines. It describes the action in detail, how it was remedied, and pertinent discussion.
The Attacks on Cable Bahamas: A Timeline
After being contacted by the team at Cable Bahamas, Path quickly went to work on the following:
- Deployed redundant GRE tunnels and peered with their network.
- Activated our intelligent analytics platform and began viewing inbound flows.
- Quickly mitigated multiple UDP floods of over a million packets per second, 10 Gbps+ attacks
- Our proprietary DDoS mitigation stack based on XDP filtering and eBPF rule-sets allow us to filter hundreds of millions packets per second on the very edge of the load balancers, per balancer. This alongside a firewall built on top of that, alongside filtering and rate limiting of matching packets, all being customer-configurable via a REST API. We’ve also deployed a "stateful" solution for mitigating SYN-floods and out-of-state TCP packets without affecting legitimate sessions. This was deployed for Cable Bahamas and quickly eliminated the rest of the attack traffic.
If this episode shows anything, it shows the need for robust, granular network security measures to be taken by any firm that takes itself seriously. Prominent issues such as those experienced by Cable Bahamas need to be handled by the most experienced, detail-oriented, and serious network security firm.
Although healthy, the transit currently deployed by Cable Bahamas does not allow for in-line on-premise filtering against modern attack sizes. Most amplification attacks exceed the edge capacity of standard networks. This means that the only solution for ensuring connectivity during DDoS attacks is cloud-based remote filtering, such as what’s provided by Path.
This case study of the situation and reaction regarding Cable Bahamas and Path Network comes to the conclusion that any solution other than remote-filtering would have been simply inadequate for the problem at hand, and instead possibly made the problem worse. Granular filtering and detailed packet analysis are necessary, not optional, for true network stability and DDoS mitigation; nothing can remain undisciplined.