The current waves of DDoS attacks are becoming more sophisticated every year. In addition, according to the current Threat-Intel Report by NetSCOUT, more sophisticated attack methods such as CarpetBombing can be found in the "DDoS mainstream". For this reason, we would like to present a generally unknown, but already ITW-seen (**) attack method, which we have successfully used in several DDoS RedTeaming engagements.

Brief background: Mobile providers and also some broadband providers use a technology called 0 Carrier-Grade NAT (CGNat) / Large Scale NAT, which gathers several users behind central IPs.

We have observed with a handful of protection providers that the last-line-of-defence (*) is now and then an IP block for attacker IP, not real scrubbing. This may be valid for blocking the first wave and for a few seconds, especially to prevent damage to the infrastructure being protected. The disadvantage is that a (too long) IP block can be abused by an attacker to block IPs. One can either use IP spoofing for this or, much more mundanely, use attack bots with mobile connections to block the mobile IPs.

This might lead to several hundred up to 15,000 users being locked out of the service at the same time, thanks to the Carier Grade NAT mentioned above. This can be extremely harmfull when you have a lot lot mobile-customers/clients.

We successfully applied this attackmethod several times in DDoS RedTeamings, both for volumetric and application attacks.

Attack mitigated by IP block, monitoring sees the target "online

  • *) for the somewhat simpler providers, it is also the first line/only line of defence ^-^
  • **) ITW // ENISA Threat Landscape 2021 Report/Chpt 8: localised DDoS where an attacker interferes with the connectivity of a specific area ... using mobile devices/connection

References