<?xml version="1.0" encoding="utf-8"?>
<rss version="0.91" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Qrator Labs Blog</title><link>https://blog.qrator.net/en/</link><description>Qrator Labs Blog RSS feed</description><atom:link href="https://blog.qrator.net/en/rss/" rel="self"></atom:link><language>en</language><lastBuildDate>Mon, 15 Dec 2025 13:17:19 +0000</lastBuildDate><item><title>The case of mysterious BGP session resets caused by a malformed OTC attribute</title><link>https://blog.qrator.net/en/the-case-of-mysterious-bgp-session-resets-caused-b_226/</link><description>&lt;h1 style="line-height:1.2; margin-top:32px; margin-bottom:8px"&gt;&lt;span style="font-size:18pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The case of mysterious BGP session resets caused by a malformed OTC attribute&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h1&gt;
&lt;p style="line-height:1.2; margin-bottom:11px"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;We recently ran into an unusual issue: BGP sessions were resetting with no obvious explanation shortly after routers received new routes. To understand what was happening, we collected and analyzed the BGP UPDATE messages that consistently triggered the errors.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:1.2; margin-bottom:11px"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;It quickly became clear that all problematic routes had one thing in common: they carried a malformed OTC attribute. The real root cause, however, was not just the presence of a bad attribute, but the way different routers reacted to it. Before looking at that behavior, it helps to recap what OTC is and how it is supposed to work.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</description></item><item><title>Resilience of national Internet segments in 2024</title><link>https://blog.qrator.net/en/resilience-of-national-internet-segments-in-2024_224/</link><description>&lt;h2 style="line-height:1.2; margin-bottom:13px"&gt;&lt;span style="font-size:16pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;Executive summary&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;On average, global resilience continued to improve, but at a modest pace — from 25.7% in 2023 to 24.79% in 2024 (lower is better).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;In 2024, Brazil ranked first in both the IPv4 resilience ranking (0.98%) and the IPv6 resilience ranking (2.15%).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The Netherlands and Germany took second and third place in both rankings in 2024, with results of 2.54%/3.4% and 2.54%/3.6% respectively.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The adoption of IPv6 continues to slow down. Partial IPv6 connectivity also remains an issue — some Tier-1 operators still do not peer with each other.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The current resilience ranking of national Internet segments is available &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://radar.qrator.net/as-rating/reliability/national-stability" style="text-decoration:none"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#1155cc"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:underline"&gt;&lt;span style="-webkit-text-decoration-skip:none"&gt;&lt;span style="text-decoration-skip-ink:none"&gt;here&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>The hidden role of IoT in record-breaking DDoS</title><link>https://blog.qrator.net/en/the-hidden-role-of-iot-in-record-breaking-ddos_222/</link><description>&lt;p style="line-height:1.38; text-align:justify; margin-top:16px; margin-bottom:16px"&gt;&lt;span style="font-size:12pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;Recent years have seen distributed denial-of-service (DDoS) attacks &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://qrator.net/blog/details/q1-2025-ddos-bots-and-bgp-incidents-statistics-and" style="text-decoration:none"&gt;&lt;span style="font-size:12pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#1155cc"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:underline"&gt;&lt;span style="-webkit-text-decoration-skip:none"&gt;&lt;span style="text-decoration-skip-ink:none"&gt;grow larger&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:12pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt; and happen more often than ever before. In just the first three months of 2025, the number of DDoS attacks worldwide increased by 110% compared to the same period the year before.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:1.38; text-align:justify; margin-top:16px; margin-bottom:16px"&gt;&lt;span style="font-size:12pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;One late-March &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://qrator.net/blog/details/q1-2025-ddos-bots-and-bgp-incidents-statistics-and" style="text-decoration:none"&gt;&lt;span style="font-size:12pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#1155cc"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:underline"&gt;&lt;span style="-webkit-text-decoration-skip:none"&gt;&lt;span style="text-decoration-skip-ink:none"&gt;incident&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:12pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt; involved a botnet of 1.33 million compromised devices, almost six times larger than the biggest botnet observed the year prior. That botnet blitzed an online betting platform, and over half of the attacking devices originated from a single country (Brazil). 
In the following quarter, its size &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://qrator.net/blog/details/q2-2025-ddos-bots-and-bgp-incidents-statistics-and" style="text-decoration:none"&gt;&lt;span style="font-size:12pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#1155cc"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:underline"&gt;&lt;span style="-webkit-text-decoration-skip:none"&gt;&lt;span style="text-decoration-skip-ink:none"&gt;grew to 4.6 million&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:12pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt; devices, and by the next quarter, &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://qrator.net/blog/details/massive-l7-ddos-botnet-expands-to-576m-devices-qra" style="text-decoration:none"&gt;&lt;span style="font-size:12pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#1155cc"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:underline"&gt;&lt;span style="-webkit-text-decoration-skip:none"&gt;&lt;span style="text-decoration-skip-ink:none"&gt;it reached 5.76 million&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:12pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span 
style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</description></item><item><title>Q3 2025 DDoS, bad bots, and BGP incidents statistics and overview</title><link>https://blog.qrator.net/en/q3-2025-ddos-bad-bots-and-bgp-incidents-statistics_220/</link><description>&lt;h2 style="line-height:1.2; margin-bottom:13px"&gt;&lt;span style="font-size:16pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;Executive summary&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The largest number of DDoS attacks in Q3 2025 targeted the FinTech (26.1%), E-commerce (22.0%), Media (15.8%), and Information and communication technology (14.5%) segments. Together, these four accounted for nearly 80% of all recorded attacks.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;Among microsegments, the most frequently targeted in Q3 were Media, TV, radio, and bloggers (14.1%), Payment systems (13.9%), Food retail (13.0%), Digital education (7.2%), and Hosting platforms (6.6%).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The most intensive L3-L4 DDoS attack of Q3 targeted an organization in the Online retail microsegment, reaching a peak bitrate of 1.15 Tbps — slightly higher than the 2024 record of 1.14 Tbps.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The longest DDoS attack in Q3 lasted more than nine days (225.9 hours). For comparison, the 2024 record was 19 days (463.9 hours).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;In Q3, we recorded another attack launched by a multi-million-device DDoS botnet that we have been tracking for the past six months. This time, the attack involved 5.76 million infected devices, primarily from Brazil, Vietnam, the United States, India, and Argentina.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;In Q3, Brazil became the largest source of L7 DDoS attacks (19%), surpassing Russia (18.4%) and the United States (10.3%).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;We attribute the emergence of such large-scale DDoS botnets and the growing share of developing countries among L7 DDoS sources to the rapid increase in the number of vulnerable devices connected to high-speed Internet and the active use of AI-powered tools by attackers.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;After a sharp increase in bad bot activity in Q2 2025 — mainly driven by a single, exceptionally long-lasting attack — the figures dropped significantly quarter over quarter in Q3 (-37%).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;At the same time, the bot index declined noticeably: the share of bot traffic in the total traffic to protected resources decreased from 2.34% to 1.36%.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;In Q3 2025, the number of unique ASes responsible for route leaks remained almost unchanged compared to previous periods. However, the number of ASes involved in BGP hijacks was lower than usual due to a noticeable decline in July.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;After a significant increase in Q2 2025, the number of global BGP incidents dropped sharply. In Q3, we recorded only five such incidents — four global route leaks and one global BGP hijack.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Massive L7 DDoS botnet expands to 5.76M devices, Qrator Labs reports</title><link>https://blog.qrator.net/en/massive-l7-ddos-botnet-expands-to-576m-devices-qra_218/</link><description>&lt;p&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;On September 1, 2025, Qrator.AntiDDoS detected and mitigated another large-scale attack carried out by the largest L7 DDoS botnet observed to date. The target was an organization in the government sector. In total, 5.76 million IP addresses were blocked during the incident.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</description></item><item><title>The top 7 DDoS protection myths that are putting your business at risk</title><link>https://blog.qrator.net/en/the-top-7-ddos-protection-myths-that-are-putting-y_216/</link><description>&lt;p style="line-height:1.38; text-align:justify; margin-top:16px; margin-bottom:16px"&gt;&lt;span style="font-size:12.499999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;DDoS attacks are still one of the most dangerous types of cyber threats, and they are getting bigger and more complicated. In 2024, there were more than 15 million DDoS attacks reported around the world. 
Our most recent &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://qrator.net/blog/details/q2-2025-ddos-bots-and-bgp-incidents-statistics-and" style="text-decoration:none"&gt;&lt;span style="font-size:12.499999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#1155cc"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:underline"&gt;&lt;span style="-webkit-text-decoration-skip:none"&gt;&lt;span style="text-decoration-skip-ink:none"&gt;study&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:12.499999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Verdana,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt; estimates application-layer DDoS attacks are up 74% compared to last year. But many businesses still don't know how to keep themselves safe from these kinds of threats. 
In this article, we'll talk about seven of the most common myths about protecting against DDoS attacks&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</description></item><item><title>Q2 2025 DDoS, bots and BGP incidents statistics and overview</title><link>https://blog.qrator.net/en/q2-2025-ddos-bots-and-bgp-incidents-statistics-and_215/</link><description>&lt;h2 style="line-height:1.2; margin-bottom:13px"&gt;&lt;span style="font-size:16pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;Executive summary&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/h2&gt;
&lt;ul&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The total number of L3-L4 DDoS attacks in Q2 2025 increased significantly compared to Q2 2024 (+43%).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The largest share of L3-L4 DDoS attacks in Q2 targeted the “FinTech” (22.6%), “E-commerce” (20.6%), and “Information and communication technology” (16.1%).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The most intense L3-L4 DDoS attack of Q2 reached a peak bitrate of 965 Gbps — just shy of last year’s record (1,140 Gbps). The attack targeted an organization in the “Betting shops” microsegment and was likely linked to Alexander Ovechkin setting a new NHL all-time scoring record.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The longest L3-L4 DDoS attack of Q2 lasted just over four days (96.5 hours). For comparison, the 2024 record was 19 days (463.9 hours).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The number of L7 DDoS attacks in Q2 2025 rose dramatically compared to Q2 2024 (+74%).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The most frequent targets of L7 DDoS attacks in Q2 2025 were the “FinTech” (43.6%), “E-commerce” (22.6%), and “Information and communication technology” (18.2%) segments.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;At the microsegment level, the largest share of L7 DDoS attacks targeted “Banks” (24.7%), “Software services” (12.9%), “Food retail” (10.9%), “Payment systems” (8.5%), and “Online retail” (6.1%).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The longest L7 DDoS attack in Q2 2025 lasted 65.5 hours.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;In Q2, we recorded an attack that involved the largest DDoS botnet to date, comprising 4.6 million devices. This is 3.5 times larger than the previous record set in Q1 (1.3 million) and 20 times larger than the biggest botnet we detected in 2024 (227,000 devices).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The top three countries from which L7 DDoS attacks originated in Q2 2025 remained unchanged from 2024: “Russia” (17%), the “United States” (16.6%), and “Brazil” (13.2%), with Brazil’s share continuing to grow steadily over several consecutive quarters.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;Bad bot activity in Q2 2025 increased by 31% compared to the previous quarter, with most of the traffic surge occurring in April and May.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;This growth was primarily driven by a single prolonged attack targeting the “E-commerce” segment, which began in April and lasted for over a month, ending in May. As part of the mitigation efforts, we blocked approximately 2 billion bad bot requests — equivalent to an entire month’s worth of bot traffic.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;The number of unique autonomous systems involved in route leaks and BGP hijacks in Q2 2025 remained roughly in line with the levels observed over the previous several quarters.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li aria-level="1" style="list-style-type:disc"&gt;&lt;span style="font-size:13.999999999999998pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Helvetica Neue',sans-serif"&gt;&lt;span style="font-weight:300"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;After a sharp decline recorded in the previous quarter, the number of global BGP incidents rose significantly in Q2 and set a new quarterly record. We observed 14 such incidents: 10 global route leaks and 4 global BGP hijacks.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;</description></item><item><title>Q1 2025 DDoS, bots and BGP incidents statistics and overview</title><link>https://blog.qrator.net/en/q1-2025-ddos-bots-and-bgp-incidents-statistics-and_211/</link><description>&lt;p&gt;&lt;img alt="" height="687" src="/app/media/uploads/2025/04/16/asset-212.jpg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;Qrator Labs' findings on DDoS attacks, BGP incidents and bot activity in the 1st quarter of 2025.&lt;/p&gt;</description></item><item><title>Q3 2024 DDoS, Bots and BGP Incidents Statistics and Overview</title><link>https://blog.qrator.net/en/q3-2024-ddos-bots-and-bgp-incidents-statistics-and_209/</link><description>&lt;p&gt;&lt;img alt="" height="673" src="/app/media/uploads/2024/10/29/ddos-attacks-_statistics_and-observations_ZxKoUR0.png" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;Qrator Labs presents statistics on DDoS attacks, BGP incidents and bot activity in the 3rd quarter of 2024.&lt;/p&gt;</description></item><item><title>Q2 2024 DDoS, Bots and BGP Incidents Statistics and Overview</title><link>https://blog.qrator.net/en/q2-2024-ddos-bots-and-bgp-incidents-statistics-and_205/</link><description>&lt;p&gt;Dive into Q2 DDoS and BGP Incidents Statistics and Overview.&lt;/p&gt;</description></item><item><title>The Differences Between Layer 4 And Layer 7 DDoS Attacks</title><link>https://blog.qrator.net/en/the-differences-between-layer-4-and-layer-7-ddos-a_202/</link><description>&lt;p&gt;&lt;img alt="" height="2751" src="/app/media/uploads/2024/07/29/cybercriminals-tool-to-build-takedown-immunity-1-04.jpg" width="4084"/&gt;&lt;/p&gt;
&lt;p&gt;Learn about the distinct methodologies and impacts of layer 4 and layer 7 DDoS attacks, from SYN floods and UDP floods at the transport layer to HTTP floods and Slowloris attacks at the application layer. Understand how cybercrime services like booters facilitate these attacks and explore notable case studies, including the Dyn and GitHub incidents.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;</description></item><item><title>Meet the Charming Radar Application Look and Updated Weekly Reports</title><link>https://blog.qrator.net/en/meet-the-sharming-radar-application-look-and-updat_201/</link><description>&lt;p style="line-height:1.295; text-align:justify; margin-bottom:11px"&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#36393a"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;In our ongoing commitment to providing a convenient tool for everyday use, we are excited to announce a complete revamp of the UI/UX design of the Qrator.Radar web application. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:1.295; text-align:justify; margin-bottom:11px"&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#36393a"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;Our team enjoyed working to create a more user-friendly interface, improved navigation, and better data visualization.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:1.295; text-align:justify; margin-bottom:11px"&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#36393a"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;These updates aim to improve our users’ experience and simplify the processes of connectivity troubleshooting and network anomaly analysis. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;&lt;span style="border:none"&gt;&lt;span style="display:inline-block"&gt;&lt;span style="overflow:hidden"&gt;&lt;span style="width:624px"&gt;&lt;span style="height:505px"&gt;&lt;img alt="" height="505" src="https://lh7-us.googleusercontent.com/docsz/AD_4nXfRarKHL0aXijCLS013kOBLwd5ztVf552Ps1188aoGzWDgvPZjoFJaoT7uZsJfGgDBVElyJMBadGG3mXBfZtOlF08eWN_YvexhcbBGFH1PcRGEYCkdAiwmHvhbnmY5lb9semPb55PipDEYLaNEhtbOtFd9LthTBjdBaKy0k?key=ZckNrH7DcaAxCcs63qlQqg" width="624"/&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:1.38; text-align:center"&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;These and other interesting features await you on our updated &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#36393a"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;Qrator.Radar&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt; website. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:1.2; margin-left:48px; text-align:center"&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt; Dive in and explore all the&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="background-color:#ffffff"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt; changes we've made &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:700"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;firsthand.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:1.2; text-align:center"&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#36393a"&gt;&lt;span style="background-color:#ffffff"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;CHECK OUT THE NEW LOOK&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:1.2; text-align:center"&gt;&lt;a href="https://radar.qrator.dev/" style="text-decoration:none"&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#1155cc"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:underline"&gt;&lt;span style="-webkit-text-decoration-skip:none"&gt;&lt;span style="text-decoration-skip-ink:none"&gt;https://radar.qrator.net&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;</description></item><item><title>The Top 4 Ways to Mitigate HTTP/2 Rapid Reset (CVE-2023-44487)</title><link>https://blog.qrator.net/en/the-top-4-ways-to-mitigate-http2-rapid-reset-cve-2_199/</link><description>&lt;p&gt;&lt;img alt="" height="1320" src="/app/media/uploads/2024/06/10/2-rapid-reset.png" width="1960"/&gt;&lt;/p&gt;
&lt;p&gt;In August 2023, a vulnerability in the HTTP/2 protocol, known as CVE-2023-44487 or "Rapid Reset," was discovered. This article provides an in-depth understanding of how CVE-2023-44487 works, its impact on HTTP/2, and offers 4 mitigation strategies to defend against this vulnerability.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;</description></item><item><title>Q1 2024 DDoS attacks statistics and overview</title><link>https://blog.qrator.net/en/q1-2024-ddos-attacks-statistics-and-overview_198/</link><description>&lt;p&gt;&lt;img alt="" height="739" src="/app/media/uploads/2024/05/20/asset-35.jpg" width="1100"/&gt;&lt;/p&gt;</description></item><item><title>How Cybercriminals Use Fast Flux To Enhance Takedown Immunity</title><link>https://blog.qrator.net/en/how-cybercriminals-use-fast-flux-to-enhance-takedo_195/</link><description>&lt;p&gt;Discover how cybercriminals use fast flux to increase the resilience and takedown immunity of their malicious infrastructure. Understand the benefits of fast flux for attackers, the challenges it presents for security professionals, and the most effective strategies for combating this threat, such as domain seizures, botnet takedowns, and international cooperation.&lt;/p&gt;</description></item><item><title>The evolution of DDoS attacks: a journey from 1994 to today's Internet Battleground</title><link>https://blog.qrator.net/en/the-evolution-of-ddos-attacks-a-journey-from-1994_192/</link><description>&lt;p&gt;Explore the history of DDoS attacks from their inception in 1994 to the sophisticated threats of the present day. Discover how bandwidth, processing speeds, and protection mechanisms have evolved, fueling the arms race between attackers and defenders. Understand the forces driving the evolution of DDoS tactics, from simple bandwidth overloads to complex amplification and application-layer attacks.&lt;br/&gt;
 &lt;/p&gt;</description></item><item><title>Best Practices To Prevent AI From Scraping Your Website</title><link>https://blog.qrator.net/en/best-practices-to-prevent-ai-from-scraping-your-we_190/</link><description>&lt;p&gt;Explore essential strategies to safeguard your website against unauthorized AI data scraping while maintaining a superior user experience. Learn how rate limiting, robots.txt file, and selective IP bans can protect your digital assets.&lt;/p&gt;</description></item><item><title>2023 DDoS Attacks Statistics and Observations</title><link>https://blog.qrator.net/en/2023-ddos-attacks-statistics-and-observations_186/</link><description>&lt;p&gt;&lt;img alt="" height="743" src="/app/media/uploads/2024/02/14/asset-29.jpg" width="1100"/&gt;&lt;/p&gt;
&lt;p&gt;The year 2023 turned out to be quite rich in events and trends in the field of cybersecurity. We witnessed the arrival of a new term, "white noise", and the development of artificial intelligence led to increased bot activity, which significantly affected commercial companies. We detected signs of a resurgence in the popularity of commercial DDoS attacks. The implementation of "remote office" technologies led to the expansion of communication channels and, as a result, increased intensity of attacks. But first things first.&lt;/p&gt;</description></item><item><title>2023 Internet Segment Reliability Report</title><link>https://blog.qrator.net/en/2023-internet-segment-reliability-rep_184/</link><description>&lt;p&gt;&lt;img alt="" height="626" src="/app/media/uploads/2023/12/20/cover_WbbJSat.jpg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;The study delves into the Sustainability of National Internet Segments, revealing crucial insights into Internet reliability across countries.&lt;/p&gt;</description></item><item><title>Q3 2023 DDoS Attacks Statistics and Observations</title><link>https://blog.qrator.net/en/q3-2023-ddos-attacks-statistics-and-observations_182/</link><description>&lt;p&gt;&lt;img alt="" height="674" src="/app/media/uploads/2023/11/01/ddos-attacks-statistics-and-observations_m8KxrG9.jpg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;We invite you to take a look at the DDoS attack mitigation and BGP incident statistics recorded for the third quarter of 2023.&lt;/p&gt;</description></item><item><title>Welcome to our new website</title><link>https://blog.qrator.net/en/welcome-to-our-new-website_179/</link><description>&lt;p style="line-height:1.295; margin-bottom:11px"&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="background-color:#fffefe"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;We are excited to announce the launch of our brand new&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:'Quattrocento Sans',sans-serif"&gt;&lt;span style="color:#111111"&gt;&lt;span style="background-color:#ffffff"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt; &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;a href="https://radar.qrator.dev/" style="text-decoration:none"&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#0563c1"&gt;&lt;span style="background-color:#ffffff"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:underline"&gt;&lt;span style="-webkit-text-decoration-skip:none"&gt;&lt;span style="text-decoration-skip-ink:none"&gt;Qrator.Radar website&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span
style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#111111"&gt;&lt;span style="background-color:#ffffff"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="line-height:1.2; background-color:#fffefe; padding:6pt 0pt 14pt 0pt"&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial,sans-serif"&gt;&lt;span style="color:#000000"&gt;&lt;span style="background-color:#fffefe"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;We completely redesigned our backend, having unified it for both Real-time BGP monitoring and the new radar.qrator.net site. This brings several advantages, including improved data consistency and performance.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</description></item><item><title>Q2 2023 DDoS attacks statistics and overview</title><link>https://blog.qrator.net/en/q2-2023-ddos-attacks-statistics-and-overview_177/</link><description>&lt;p&gt;&lt;img alt="" height="674" src="/app/media/uploads/2023/07/31/ddos-attacks-statistics-and-observations_4LRg5IY.jpg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;We invite you to take a look at the DDoS attack mitigation and BGP incident statistics recorded for the second quarter of 2023.&lt;/p&gt;</description></item><item><title>Q1 2023 DDoS Attacks and BGP Incidents</title><link>https://blog.qrator.net/en/q1-2023-ddos-attacks-and-bgp-incidents_171/</link><description>&lt;p&gt;&lt;img alt="" height="644" src="/app/media/uploads/2023/04/28/ddos-attacks-statistics.jpg" width="1100"/&gt;&lt;/p&gt;
&lt;p&gt;Let's take a deeper look at the Q1 2023 DDoS attacks mitigation statistics and observations from Qrator Labs' perspective.&lt;/p&gt;</description></item><item><title>Q4 2022 DDoS Attacks and BGP Incidents</title><link>https://blog.qrator.net/en/q4-2022-ddos-attacks-and-bgp-incidents-report_163/</link><description>&lt;p&gt;&lt;img alt="" height="693" src="/app/media/uploads/2023/01/30/ddos-attacks-cover.jpg" width="1100"/&gt;&lt;/p&gt;
&lt;p&gt;Now that 2022 has come to an end, we would like to share the DDoS attack mitigation and BGP incident statistics for the fourth quarter of the year, which overall saw unprecedented levels of DDoS attack activity across all business sectors.&lt;/p&gt;
&lt;p&gt;In 2022, DDoS attacks increased by 73.09% compared to 2021. &lt;/p&gt;
&lt;p&gt;Let's take a closer look at the Q4 2022 data.&lt;/p&gt;</description></item><item><title>BGP Route Leak prevention and detection with the help of the RFC9234</title><link>https://blog.qrator.net/en/route-leak-prevention-and-detection-rfc9234_162/</link><description>&lt;p&gt;&lt;em&gt;All the credit is due to the RFC’s authors: A. Azimov (Qrator Labs &amp;amp; Yandex), E. Bogomazov (Qrator Labs), R. Bush (IIJ &amp;amp; Arrcus), K. Patel (Arrcus), K. Sriram.&lt;/em&gt;&lt;/p&gt;
&lt;h1&gt;What are route leaks in the context of BGP routing&lt;/h1&gt;
&lt;p&gt;According to &lt;a href="https://datatracker.ietf.org/doc/rfc7908/"&gt;RFC7908&lt;/a&gt;: “A route leak is the propagation of routing announcement(s) beyond their intended scope. That is, an announcement from an Autonomous System (AS) of a learned BGP route to another AS is in violation of the intended policies of the receiver, the sender, and/or one of the ASes along the preceding AS path. The intended scope is usually defined by a set of local redistribution/filtering policies distributed among the ASes involved. Often, these intended policies are defined in terms of the pair-wise peering business relationship between ASes (e.g., customer, transit provider, peer).”&lt;/p&gt;
&lt;p&gt;&lt;img alt="" height="535" src="/app/media/uploads/2023/01/12/6ropmxo4d2el5dopz_naxeoc_wo.png" width="955"/&gt;&lt;/p&gt;</description></item><item><title>Measuring Internet region: Africa</title><link>https://blog.qrator.net/en/measuring-africa_160/</link><description>&lt;p&gt;&lt;img alt="" height="538" src="/app/media/uploads/2022/11/15/hfqygc3f4sd5mei3xt6r6h4rzze.png" width="959"/&gt;&lt;/p&gt;
&lt;p&gt;Eugene Bogomazov from Qrator Labs presented a paper during the African Peering and Interconnection Forum that took place on August 23, 2022. The paper highlights the results and conclusions of measurements taken from several networks in African countries. We are publishing these results here on our blog. &lt;/p&gt;
&lt;p&gt;In this research, the Qrator.Radar team evaluated the African Internet segment and its current state: how many ISPs operate in the region and how they relate to each other. The study also highlights routing security metrics and transit reliability.&lt;/p&gt;</description></item><item><title>Q3 2022 DDoS attacks and BGP incidents</title><link>https://blog.qrator.net/en/q3-2022-ddos-attacks-and-bgp-incidents_158/</link><description>&lt;p&gt;&lt;img alt="" height="563" src="/app/media/uploads/2022/10/27/cover-2-ddos-attacks-copy.jpg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;With the end of the third quarter of 2022, we invite you to take a tour of the DDoS attack mitigation and BGP incident statistics recorded from July to September.&lt;/p&gt;</description></item><item><title>The 2022 National Internet Segment Reliability Research</title><link>https://blog.qrator.net/en/2022-reliability-research_157/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="713" src="/app/media/uploads/2022/09/08/cover.jpg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;The National Internet Segment Reliability Research explains how the outage of a single Autonomous System might affect the connectivity of the impacted region with the rest of the world. Generally, the most critical AS in the region is the dominant ISP on the market, but not always.&lt;/p&gt;
&lt;p&gt;As the number of alternate routes between ASes increases (the "Internet" stands for "interconnected networks" - and each network is an AS), so does the fault-tolerance and stability of the Internet across the globe. Although some paths are more important than others from the beginning, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust network.&lt;/p&gt;
&lt;p&gt;The global connectivity of any given AS, whether an international giant or a regional player, depends on the quantity and quality of its path to Tier-1 ISPs.&lt;/p&gt;
&lt;p&gt;Usually, Tier-1 implies an international company offering global IP transit service over connections with other Tier-1 providers. Nevertheless, there is no guarantee that such connectivity will always be maintained. For many ISPs at all "tiers", losing connection to even one Tier-1 peer would likely render them unreachable from some parts of the world.&lt;/p&gt;</description></item><item><title>Q2 2022 DDoS attacks and BGP incidents</title><link>https://blog.qrator.net/en/q2-2022-report_156/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="707" src="/app/media/uploads/2022/07/21/ddos-attacks-statistics-and-observation2.jpg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;The second quarter of the year has ended and, as usual, we take a look back at the mitigated DDoS attacks activity and BGP incidents that occurred between April and June 2022.&lt;/p&gt;</description></item><item><title>Q1 2022 DDoS attacks and BGP incidents</title><link>https://blog.qrator.net/en/q1-2022-ddos-attacks-and-bgp-incidents_155/</link><description>&lt;p&gt;&lt;img alt="" src="/app/media/dl/370fc872ae12a4b4ac22eb10402e5fa3.jpeg"/&gt;&lt;/p&gt;
&lt;p&gt;The first quarter of the year 2022 has passed; now, it is time to look at the events of Q1 in terms of mitigated DDoS activity and recorded BGP incidents.&lt;/p&gt;</description></item><item><title>Q4 2021 DDoS attacks and BGP incidents</title><link>https://blog.qrator.net/en/q4-2021-ddos-attacks-and-bgp-incidents_153/</link><description>&lt;p&gt;&lt;img alt="" src="/app/media/dl/55f512ddcae42b2b72bbe21ae6f8281f.png"/&gt;&lt;/p&gt;
&lt;p&gt;2021 was an action-packed year for Qrator Labs.&lt;/p&gt;
&lt;p&gt;It started with the official celebration of &lt;a href="https://blog.qrator.net/en/10-years-labs_112/"&gt;our tenth year anniversary&lt;/a&gt;, continued with &lt;a href="https://blog.qrator.net/en/as9304-leaking-8764-prefixes-through-as15412_111/"&gt;massive&lt;/a&gt; &lt;a href="https://blog.qrator.net/en/prepending-trouble_115/"&gt;routing&lt;/a&gt; &lt;a href="https://blog.qrator.net/en/day-whole-world-did-not-walk-away_120/"&gt;incidents&lt;/a&gt;, and ended with &lt;a href="https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/"&gt;the infamous Meris botnet&lt;/a&gt; we reported back in September.&lt;/p&gt;
&lt;p&gt;Now it is time to look at the events of the last quarter of 2021. There are interesting details in the BGP section, like the new records in route leaks and hijacking ASes, but first things first, as we start with the DDoS attacks statistics.&lt;/p&gt;</description></item><item><title>Partnership with MANRS</title><link>https://blog.qrator.net/en/partnership-with-manrs_152/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="402" src="/app/media/dl/ec2b044e36e8e28b06653514fe62fbe7.png" width="800"/&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size:11pt; font-variant:normal; white-space:pre-wrap"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:#000000"&gt;&lt;span style="font-weight:400"&gt;&lt;span style="font-style:normal"&gt;&lt;span style="text-decoration:none"&gt;Qrator Labs has become a &lt;a href="https://www.manrs.org/about/partners/"&gt;MANRS partner&lt;/a&gt; to pursue more reliable and secure internet routing.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;</description></item><item><title>New botnet with lots of cameras and some routers</title><link>https://blog.qrator.net/en/new-botnet-with-lots-of-cameras-and-some-routers_150/</link><description>&lt;p&gt;DDoS attacks send ripples on the ocean of the Internet, produced by creations of various sizes - botnets. Some of them feed at the top of the ocean, but there also exists a category of huge, deep water monstrosities that are rare and dangerous enough they could be seen only once in a very long time.&lt;/p&gt;
&lt;p&gt;In November 2021 we encountered and mitigated several attacks from a botnet that seems to be unrelated to the described and/or well-known ones, such as variants of Mirai, Bashlite, Hajime or Brickerbot. &lt;/p&gt;
&lt;p&gt;Although our findings are reminiscent of Mirai, we suppose this botnet is not based purely on propagating Linux malware, but a combination of brute forcing and exploiting already patched CVEs in unpatched devices to grow the size of it. Either way, to confirm how exactly this botnet operates, we need to have a sample device to analyze, which isn’t our area of expertise.&lt;/p&gt;
&lt;p&gt;This time, we won’t give it a name. It is not 100% clear what we are looking at, what are the exact characteristics of it, and how big this thing actually is. But there are some numbers, and where possible, we have made additional reconnaissance in order to better understand what we’re dealing with. &lt;/p&gt;
&lt;p&gt;But let us first show you the data we’ve gathered, and leave conclusions closer to the end of this post.&lt;/p&gt;</description></item><item><title>Routing Loops</title><link>https://blog.qrator.net/en/routing-loops_148/</link><description>&lt;p&gt;Hello, everybody!&lt;/p&gt;
&lt;figure&gt;&lt;img alt="" height="829" src="/app/media/dl/c66ccf346740fecaf868518a3bbff361.png" width="1530"/&gt;
&lt;figcaption&gt; &lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;My name is Alexander Zubkov and today I’d like to talk about routing loops.&lt;/p&gt;</description></item><item><title>Q3 2021 DDoS attacks and BGP incidents</title><link>https://blog.qrator.net/en/q3-2021-ddos-attacks-and-bgp-incidents_146/</link><description>&lt;figure&gt;
&lt;p style="text-align:center"&gt;&lt;img alt=""  height="677" src="/app/media/dl/f99a8234a19c9ded15c1198b8b4b3f2c.jpeg" width="1000"/&gt;&lt;/p&gt;
&lt;figcaption&gt; &lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;The third quarter of 2021 brought a massive upheaval in the scale and intensity of DDoS attacks worldwide.&lt;/p&gt;
&lt;p&gt;It all led to September, when, together with Yandex, &lt;a href="https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/"&gt;&lt;u&gt;we uncovered&lt;/u&gt;&lt;/a&gt; one of the most devastating botnets since Mirai and named it Meris, as it was held accountable for a series of attacks with a very high RPS rate. And as those attacks were aimed all over the world, our quarterly statistics also changed.&lt;/p&gt;
&lt;p&gt;This quarter, we've also prepared for your consideration a slice of statistics on the application layer (L7) DDoS attacks. Without further ado, let us elaborate on the details of DDoS attacks statistics and BGP incidents for Q3, 2021.&lt;/p&gt;</description></item><item><title>When giants fall there is always an aftershock</title><link>https://blog.qrator.net/en/when-giants-fall-there-is-always-an-aftershock_145/</link><description>&lt;p&gt;&lt;img alt="" src="/app/media/dl/40af6d6509d3d3211dd1d311ebcdb6b6.png"/&gt;&lt;/p&gt;
&lt;p&gt;October 4, 2021, has all the chances to become a BGP awareness day.&lt;/p&gt;
&lt;p&gt;Memes aside, yesterday, with the entirety of its ecosystem including vast resources like Instagram and WhatsApp, Facebook disappeared from the Internet.&lt;/p&gt;</description></item><item><title>The 2021 National Internet Segment Reliability Research</title><link>https://blog.qrator.net/en/2021-national-internet-segment-reliability_144/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" src="/app/media/dl/dee68943e2c828ff0f52d3b2774801bc.png"/&gt;&lt;/p&gt;
&lt;p&gt;The National Internet Segment Reliability Research explains how the outage of a single Autonomous System might affect the connectivity of the impacted region with the rest of the world. Most of the time, the most critical AS in the region is the dominant ISP on the market, but not always.&lt;/p&gt;
&lt;p&gt;As the number of alternate routes between AS’s increases (and do not forget that the Internet stands for “interconnected network” - and each network is an AS), so does the fault-tolerance and stability of the Internet across the globe. Although some paths are more important than others from the beginning, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust network.&lt;/p&gt;
&lt;p&gt;The global connectivity of any given AS, regardless of whether it is an international giant or regional player, depends on the quantity and quality of its path to Tier-1 ISPs.&lt;/p&gt;
&lt;p&gt;Usually, Tier-1 implies an international company offering global IP transit service over connections with other Tier-1 providers. Nevertheless, there is no guarantee that such connectivity will be maintained all the time. For many ISPs at all “tiers”, losing connection to even one Tier-1 peer would likely render them unreachable from some parts of the world.&lt;/p&gt;</description></item><item><title>Mēris botnet, climbing to the record</title><link>https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/</link><description>&lt;figure&gt;&lt;img alt="" height="720" src="/app/media/uploads/2021/09/09/meris.png" width="1280"/&gt;
&lt;figcaption&gt; &lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;&lt;strong&gt;Introduction&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;For the last five years, there have been virtually no global-scale application-layer attacks.&lt;/p&gt;
&lt;p&gt;During this period, the industry has learned how to cope with the high bandwidth network layer attacks, including amplification-based ones. It does not mean that botnets are now harmless.&lt;/p&gt;
&lt;p&gt;At the end of June 2021, Qrator Labs started to see signs of a new assaulting force on the Internet – a botnet of a new kind. This is joint research we conducted together with Yandex to elaborate on the specifics of this DDoS attack enabler, which is emerging in almost real time.&lt;/p&gt;</description></item><item><title>Q2 2021 DDoS attacks and BGP incidents</title><link>https://blog.qrator.net/en/q2-2021-ddos-attacks-and-bgp-incidents_140/</link><description>&lt;p&gt;&lt;img alt="" height="595" src="/app/media/uploads/2021/08/02/cover2.jpg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;The second quarter of 2021 was expected to be much quieter than Q1 in terms of DDoS attacks; hence we're looking at the late spring and early summer months of April, May and June, with somewhat cooled business buzz globally. Some attacking activity did take place, however, during the European Football Championship in June-July, focusing mainly on the betting industry.&lt;/p&gt;
&lt;p&gt;We're here to disclose available details of DDoS attacks statistics and BGP incidents for Q2, 2021.&lt;/p&gt;</description></item><item><title>Adaptation of Shortest Path Algorithms for Dynamic Routing Problems</title><link>https://blog.qrator.net/en/adaptation-of-shortest-path-algorithms-for-dynamic_139/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="top picture" height="563" src="/app/media/uploads/2021/07/29/top.jpeg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;Among many popular graph algorithms, several algorithms allow you to find the shortest paths. Each of them solves its own problem and, accordingly, has its own application in practice. For example, the &lt;a href="https://en.wikipedia.org/wiki/A*_search_algorithm"&gt;A* search algorithm&lt;/a&gt; can use various heuristics to find the path of the minimum cost in video games, while the &lt;a href="https://en.wikipedia.org/wiki/Floyd–Warshall_algorithm"&gt;Floyd–Warshall algorithm&lt;/a&gt; allows you to efficiently find the shortest paths between all pairs of vertices in dense graphs and can be used in the Schulze method to determine the winner of an election &lt;a href="#1"&gt;[1]&lt;/a&gt;. However, computer networks are considered to be the area where shortest path algorithms are in particularly high demand.&lt;/p&gt;
&lt;p&gt;This article by Roman Klimovitsky describes how such problems arise in Qrator Labs and how we solve them.&lt;/p&gt;</description></item><item><title>An extended internship story</title><link>https://blog.qrator.net/en/an-extended-internship-story_136/</link><description>&lt;p&gt;For several years now, Qrator Labs has been working with different universities to find students interested in specific tasks we deal with, for them to either get new experience or mark a future career path in network and computer engineering.&lt;/p&gt;
&lt;p&gt;At the moment, several Qrator Labs employees started out as interns, picking one of the programs provided at the universities they studied. Of course, not everyone chooses computer engineering as a field of specialization — out of 23 students that participated in the university programs during 2019 and 2020, 9 were invited for internships. Only four of them became our colleagues in those years, which makes their stories quite special.&lt;/p&gt;</description></item><item><title>Measuring Traffic Rate by Means of U-models</title><link>https://blog.qrator.net/en/measuring-traffic-rate-by-means-of-u-models_134/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="423" src="/app/media/uploads/2021/07/01/all-5-11.jpg" width="1000"/&gt;&lt;/p&gt;
&lt;h1&gt;Introduction&lt;/h1&gt;
&lt;p&gt;In one of our previous publications, we talked about a way to measure event stream rate using a counter based on exponential decay. It turns out that the idea of such a counter has an interesting generalization.&lt;/p&gt;
&lt;p&gt;Our immersion plan is as follows. First, let us look at and analyze a few examples of how events are counted and the rate of the stream is estimated in general. The next step is to see a generalization, namely some class of counters, which we call the u-model. Next, we explore what useful properties u-models have and propose a technique for constructing an adequate rate estimate.&lt;/p&gt;</description></item><item><title>Overview of Morris's counters</title><link>https://blog.qrator.net/en/overview-morriss-counters_131/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="562" src="/app/media/dl/3468dd86c1d2cd77874aed17676e309f.jpeg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;We are glad to present you an article written by Qrator Labs' engineer Dmitry Kamaldinov. If you want to be a part of our Core team, write us at &lt;a href="mailto:hr@qrator.net"&gt;hr@qrator.net&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;1 Introduction&lt;/h2&gt;
&lt;p&gt;When implementing streaming algorithms, one often needs to count events, where an event means something like a packet arrival or a connection establishment. Since the number of events is large, the available memory can become a bottleneck: an ordinary &lt;span class="math-tex"&gt;\(n\)&lt;/span&gt;-bit counter can count no more than &lt;span class="math-tex"&gt;\(2^n - 1\)&lt;/span&gt; events.&lt;br/&gt;
One way to handle a larger range of values using the same amount of memory would be approximate counting. This article provides an overview of the well-known Morris algorithm and some generalizations of it.&lt;/p&gt;
&lt;p&gt;Another way to reduce the number of bits required for counting mass events is to use decay. We discuss such an approach &lt;a href="https://qratorlabs.medium.com/rate-detector-21d12567d0b5"&gt;here&lt;/a&gt;, and we are going to publish another blog post on this particular topic shortly.&lt;/p&gt;
&lt;p&gt;At the beginning of this article, we analyse one straightforward probabilistic calculation algorithm and highlight its shortcomings (Section 2). Then (Section 3), we describe the algorithm proposed by Robert Morris in 1978 and indicate its most essential properties and advantages. For most non-trivial formulas and statements, the text contains our proofs; the demanding reader can find them in the inserts. In the following three sections, we outline valuable extensions of the classic algorithm: you can learn what Morris's counters and exponential decay have in common, how to improve the accuracy by sacrificing the maximum value, and how to handle weighted events efficiently.&lt;/p&gt;</description></item><item><title>Q1 2021 DDoS attacks and BGP incidents</title><link>https://blog.qrator.net/en/q1-2021-report_129/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" src="/app/media/dl/136fe3d46ee7f3fad0a31319853e0f2c.jpeg"/&gt;&lt;/p&gt;
&lt;p&gt;The year 2021 started on such a high note for Qrator Labs: on January 19, our company celebrated its &lt;a href="https://blog.qrator.net/en/10-years-labs_112/" target="_blank"&gt;10th anniversary&lt;/a&gt;. Shortly after, in February, &lt;a href="https://blog.qrator.net/en/2020-report_123/" target="_blank"&gt;our network mitigated&lt;/a&gt; quite an impressive 750 Gbps DDoS attack based on old and well known DNS amplification. Furthermore, there is a constant flow of BGP incidents; some are becoming global routing anomalies. We started reporting those in our &lt;a href="https://twitter.com/Qrator_Radar"&gt;newly made Twitter account&lt;/a&gt; for Qrator.Radar.&lt;/p&gt;
&lt;p&gt;Nevertheless, with the first quarter of the year being over, we can take a closer look at DDoS attacks statistics and BGP incidents for January - March 2021. &lt;/p&gt;</description></item><item><title>Qrator Labs' Value Partnership Programs</title><link>https://blog.qrator.net/en/qrator-labs-value-partnership-programs_126/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" src="/app/media/dl/5c6ec5b026bb6ad49feed4d9ca6e45d6.jpeg"/&gt;&lt;/p&gt;
&lt;p&gt;Why is it valuable to get into the Qrator Labs partnership program?&lt;/p&gt;
&lt;p&gt;At Qrator Labs, we firmly believe that working together brings a better result. That is why, for years, we have been trying to find meaningful partnerships with all kinds of companies. They either seek to provide their existing customers with the top-notch DDoS mitigation technology developed at Qrator Labs with many additional ecosystem solutions or want to succeed the other way around, by making their product available to Qrator Labs' customers through integration into the Qrator anycast filtering network.&lt;/p&gt;</description></item><item><title>Addressing a particular internetworking misconception</title><link>https://blog.qrator.net/en/particular-misconception_125/</link><description>&lt;h1&gt;BGP Route leaks vs BGP Hijacks&lt;/h1&gt;
&lt;p&gt;Since 2014 Qrator Labs has developed a BGP monitoring and analytics service called Qrator.Radar.  One of its main features is monitoring specific BGP anomalies that could result in an incident that we would further call either a BGP route leak or BGP hijack.&lt;/p&gt;
&lt;p&gt;Both of them reroute traffic to third parties, compared to the no-anomaly state, but differently. Over the last few years, a lot of efforts have been invested in solving those issues, but there are still misunderstandings about what is what and how different tools are helping resolve different problems.&lt;/p&gt;</description></item><item><title>2020 Network Security and Availability Report</title><link>https://blog.qrator.net/en/2020-report_123/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="1000" src="/app/media/dl/c1d823e812ec6bd5e1a7182a86d9c5ac.jpeg" width="707"/&gt;&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, February 14 - 28</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-february-14-28_121/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Greetings, fellow newsletter subscriber! Once again, we are back with the best stories and articles published on the topic of cybersecurity in two weeks, between 14 and 28 February, the year 2021.&lt;/p&gt;</description></item><item><title>The day the whole world did not walk away</title><link>https://blog.qrator.net/en/day-whole-world-did-not-walk-away_120/</link><description>
&lt;p&gt;Yesterday, on February 19, the Internet observed yet another demonstration of a handy &lt;a href="https://www.noction.com/" target="_blank"&gt;Noction&lt;/a&gt; feature that is probably supposed to get you rich but is more likely to make you infamous.&lt;/p&gt;
&lt;p&gt;Starting from 09:48 UTC, we saw around 200 thousand routes of previously non-existent prefixes with broken AS_PATH. But first things first.&lt;/p&gt;
&lt;p style="text-align:center"&gt;&lt;img alt="" height="324" src="/app/media/dl/4e13267782badd384253055302811f38.png" width="2808"/&gt;&lt;/p&gt;
&lt;p&gt;The day started with a rather harsh and buzzing sound of email notifications for critical routing events, which, as you can see, are cut off on such a high threshold that we consider those to be global. &lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, February 8 - 14</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-february-8-14_119/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Hello and welcome back to the regular cyber and infosecurity letter! This time we are going through the relevant articles published 8 - 14 February 2021.&lt;/p&gt;</description></item><item><title>AS28548 - Cablevision - Route Leak</title><link>https://blog.qrator.net/en/as28548-cablevision-route-leak_118/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="696" src="/app/media/uploads/2021/02/12/rl28548110221_7pQF05s.png" width="790"/&gt;&lt;/p&gt;
&lt;p&gt;February 11, 2021 - &lt;a href="https://radar.qrator.net/as28548"&gt;AS28548 - Cablevision&lt;/a&gt; - leaked 2828 prefixes, creating 2828 conflicts for 763 ASNs in 80 countries. Maximum propagation: 93%. Severity: High.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, February 1 - 7</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-february-1-7_117/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Greetings, fellow subscribers! As usual on Sundays, we are back with the most relevant and interesting articles published between February 1 and 7, 2021. &lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, January 18 - 31</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-january-18-31_116/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Welcome back to the cybersecurity newsletter! This time, we are looking at the two weeks of the most relevant stories starting with January 18.&lt;/p&gt;</description></item><item><title>Prepending the trouble</title><link>https://blog.qrator.net/en/prepending-trouble_115/</link><description>&lt;p&gt;&lt;a href="https://asrank.caida.org/asns?asn=61666&amp;amp;type=search"&gt;&lt;img alt="" src="/app/media/dl/2c683a6d353089c1797e18c0cc610b3a.png"/&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;January 27 of the year 2021 was marked with quite a peculiar route leak. &lt;a href="https://radar.qrator.net/as61666"&gt;AS61666&lt;/a&gt; - GLOBO started announcing prefixes of its upstream provider MHNET - &lt;a href="https://radar.qrator.net/as28146"&gt;AS28146&lt;/a&gt; to another of its providers, ALGAR - &lt;a href="https://radar.qrator.net/as16735"&gt;AS16735&lt;/a&gt;. In three minutes GLOBO leaked 1330 prefixes, and the whole routing incident lasted for 8 minutes - a time that was enough to create 1435 conflicts in 21 countries with 265 ASNs, mainly in Brazil (194 ASNs), United States (22 ASNs) and Venezuela (7 ASNs).&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, first in 2021</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-first-2021_114/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Welcome back to the regular cybersecurity newsletter brought to you by Qrator Labs! With this letter, we want to look back at the previous two weeks that started the year 2021 and pick only the most relevant stories. &lt;/p&gt;</description></item><item><title>10(+) years in the Labs</title><link>https://blog.qrator.net/en/10-years-labs_112/</link><description>&lt;p&gt;&lt;img alt="" src="/app/media/dl/0d3eb548223142118c624d3f1eec38b3.jpeg"/&gt;&lt;/p&gt;
&lt;p&gt;At the beginning of the year 2021, Qrator Labs is celebrating its 10 year anniversary. On January 19 our company marks the official passing of a formal 10 years longevity mark, entering its second decade of existence. &lt;/p&gt;
&lt;p&gt;Everything started a little bit earlier - &lt;s&gt;when at the age of 10 Alex saw the Robotron K 1820&lt;/s&gt; - in 2008, when Alexander Lyamin - the founder and CEO of Qrator Labs, approached the Moscow State University superiors, where he worked as a NOC engineer at the time, with an idea of a DDoS-attack mitigation research project. The MSU's network was one of the largest in the country and, as we know now, it was the best place to hatch a future technology.&lt;/p&gt;
&lt;p&gt;At that time, the MSU administration agreed, and Mr Lyamin took his own hardware to the university, simultaneously gathering a team. In two years, by summer 2010, the project turned out to be so successful that it attracted a DDoS attack with bandwidth exceeding the MSU's upstream bandwidth capability. And on June 22 MSU superiors gave Mr Lyamin a choice - to shut down or find money to incorporate.&lt;/p&gt;
&lt;p&gt;Alexander Lyamin chose to incorporate with his own means, which effectively meant that the needed infrastructure had to be built from scratch. The initial design had to be distributed instead of concentrated within one network, whose resources were not enough for this specific task. And by September 1, 2010, those first server sites were ready and running.&lt;/p&gt;</description></item><item><title>AS9304 leaking 8764 prefixes through AS15412</title><link>https://blog.qrator.net/en/as9304-leaking-8764-prefixes-through-as15412_111/</link><description>&lt;p&gt;One would expect 2021 to start somewhat differently compared with the chaos of the previous year. In Qrator.Radar, we also hoped for the better. Unfortunately, as soon as January 6 - today, we were proved wrong.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, December 14 - 20</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-december-14-20_110/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Hello and welcome into the last letter on cyber and networking security for the year 2020!  We want to wish you a Merry Christmas and a Happy New Year.&lt;br/&gt;
&lt;br/&gt;
Now let's take a look at the articles and papers covering the week of December 14 to 20.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, November 30 - December 13</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-november-30-december-13_109/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Greetings fellow subscriber! This week we are going to scroll through the two-weeks events in cybersecurity, everything that happened between November 30 and December 13, 2020.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, November 23 - 29</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-november-23-29_108/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Greetings inside the regular weekly cybersecurity news round-up, covering the articles published between November 23 and 29 of the year 2020!&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, November 16 - 22</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-november-16-22_107/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Hello and welcome to the weekend's usual weekly cybersecurity news round-up, covering the articles published between November 16 and 22, 2020. &lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, November 9 - 15</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-november-9-15_106/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Greetings! As usual on Sundays, this is a weekly cybersecurity news round-up, covering the articles published between November 9 and 15, 2020. &lt;/p&gt;</description></item><item><title>Linux Switchdev the Mellanox way</title><link>https://blog.qrator.net/en/linux-switchdev-mellanox-way_104/</link><description>&lt;blockquote&gt;This is a transcription of a talk that was presented &lt;a href="https://indico.csnog.eu/event/7/contributions/85/"&gt;at CSNOG 2020&lt;/a&gt; — video is at the end of the page&lt;/blockquote&gt;
&lt;p&gt;&lt;br/&gt;
&lt;img alt="" src="/app/media/dl/d9f6711c9af5352cecc7a418df2e9a1a.png"/&gt;&lt;br/&gt;
&lt;br/&gt;
Greetings! My name is Alexander Zubkov. I work at Qrator Labs, where we protect our customers against DDoS attacks and provide BGP analytics.&lt;br/&gt;
&lt;br/&gt;
We started using Mellanox switches around 2 or 3 years ago. At the time we got acquainted with Switchdev in Linux and today I want to share with you our experience.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, October 26 - November 8</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-october-26-november-8_103/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Hello and welcome back to our weekly news recap! This time we are interested in the most exciting articles and papers published in two weeks - between October 26 and November 8, 2020.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, October 19 - 25</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-october-19-25_102/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Greetings within the weekly news round-up! This Sunday, we are again looking at the relevant articles and research published between October 19 and 25, 2020.&lt;/p&gt;</description></item><item><title>Lumen aka CenturyLink is generating routing incidents via former Level3 network, again</title><link>https://blog.qrator.net/en/lumen-aka-centurylink-generating-routing-incidents_101/</link><description>&lt;p&gt;&lt;a href="https://radar.qrator.net/as35415"&gt;AS203&lt;/a&gt;, belonging to what was formerly known as "Level3", acquired by "CenturyLink" in 2016, later rebranded as "Lumen" in 2020, is a frequent visitor within the incident reports of the Qrator.Radar team. We are not here to blame anyone, but such an occurrence of routing incidents for a single organization is worrying - we hope this article will help you understand how even a small event can have an enormous impact when specific prerequisites are met.&lt;/p&gt;
&lt;p style="text-align:center"&gt;&lt;img alt="" src="/app/media/dl/0068fbe8aae0e0698a8c114aa9f7a4c9.png"/&gt;&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, October 12 - 18</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-october-12-18_100/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Welcome to the regular networking and cybersecurity newsletter. Let's take a look at the most interesting articles published between October 12 and 18, 2020.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, October 5 - 11</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-october-5-october-11_99/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Hello and welcome to the regular networking and cybersecurity newsletter! Relevant articles published between October 5 and October 11, 2020, are following. &lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, September 28 - October 4</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-september-28-october-4_98/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Welcome to the regular networking and cybersecurity newsletter, brought to you by Qrator Labs!&lt;br/&gt;
This time we are interested in the most interesting materials published between September 28 and October 4, 2020.&lt;/p&gt;</description></item><item><title>AS1221 hijacking 266 ASNs in 51 countries</title><link>https://blog.qrator.net/en/as1221-hijacking-266asns_97/</link><description>&lt;p&gt;On Tuesday, September 29, 2020 AS1221 - Telstra announced 472 prefixes in a BGP hijack event that affected 266 other ASNs in 50 countries, with the most damage rendered to the U.S. and U.K. based networks. Worldwide it affected more than 1680 IPv4 prefixes, creating almost 2000 path challenge conflicts.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/app/media/dl/056456c53446cf9e08741d7eca60d6f2.png"/&gt;&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, September 21 - 27</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-september-21-27_96/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Welcome to the regular networking and cybersecurity newsletter. &lt;br/&gt;
Let's take a look at the relevant articles published between September 21 and 27, 2020. &lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, September 14 - 20</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-september-14-20_95/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Welcome to the networking and cybersecurity newsletter! &lt;br/&gt;
Let's take a look at the interesting articles and repositories published between September 14 and 20, 2020.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, September 7 - 13</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-september-7-13_94/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/13/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Let's take a look at the most relevant materials published between September 7 and 13, 2020.&lt;/p&gt;</description></item><item><title>The 2020 National Internet Segment Reliability Research</title><link>https://blog.qrator.net/en/2020-national-internet-segment-reliability_93/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="3508" src="/app/media/dl/6c93e0e23875b7d9abe923ba025b34da.jpeg" width="4961"/&gt;&lt;/p&gt;
&lt;p&gt;The National Internet Segment Reliability Research explains how the outage of a single Autonomous System might affect the connectivity of the impacted region with the rest of the world. Most of the time, the most critical AS in the region is the dominant ISP on the market, but not always.&lt;/p&gt;
&lt;p&gt;As the number of alternate routes between AS’s increases (and do not forget that the Internet stands for “interconnected network” - and each network is an AS), so does the fault-tolerance and stability of the Internet across the globe. Although some paths are from the beginning more important than others, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust network.&lt;/p&gt;
&lt;p&gt;The global connectivity of any given AS, regardless of whether it is an international giant or regional player, depends on the quantity and quality of its path to Tier-1 ISPs.&lt;/p&gt;
&lt;p&gt;Usually, Tier-1 implies an international company offering global IP transit service over connections with other Tier-1 providers. Nevertheless, there is no guarantee that such connectivity will be maintained all the time. For many ISPs at all “tiers”, losing connection to just one Tier-1 peer would likely render them unreachable from some parts of the world.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, August 31 - September 6</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-august-31-september-6_92/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/09/06/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Welcome to the regular networking and cybersecurity newsletter! With this letter, it is all about the most exciting articles published between August 31 and September 6, 2020.&lt;/p&gt;</description></item><item><title>(Yet another one) CenturyLink BGP incident and the blinking Internet</title><link>https://blog.qrator.net/en/another-centurylink-bgp-incident_91/</link><description>&lt;p&gt;On Sunday, August 30, 2020, it all started with a simple question: “What’s happening?”&lt;/p&gt;
&lt;div style="text-align:center"&gt;
&lt;figure class="image" style="display:inline-block"&gt;&lt;img alt="" height="557" src="/app/media/dl/ba9be803ce83267c02744bd9514b0be1.png" width="624"/&gt;
&lt;figcaption&gt;&lt;em&gt;A downdetector.com screenshot at the beginning of the incident&lt;/em&gt;&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/div&gt;
&lt;p&gt;At around 10 UTC, the global Internet started experiencing a very specific state of connectivity - inside the network of one of the largest Tier-1 operators in the world, CenturyLink (primary AS3356), something bad was undoubtedly going on.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, August 24 - 30</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-august-24-30_90/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/08/30/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Welcome to the regular networking and cybersecurity newsletter! This time we are taking a look at the articles and materials published between August 24 and 30, 2020.&lt;/p&gt;</description></item><item><title>AS42910 leaking hundreds of prefixes, affecting Akamai and Western Asia region</title><link>https://blog.qrator.net/en/as42910-leaking-hundreds-prefixes_89/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" src="/app/media/dl/c944dd8f373ae1cb7d66672624a4b798.png"/&gt;&lt;/p&gt;
&lt;p&gt;Yesterday, on August 24, 2020, Qrator.Radar BGP monitoring saw a rather large route leak originating from the AS42910 - Premier DC, containing 1403 prefixes mainly from the United States (571) and, peculiarly, Akamai. And then almost all the Western Asia region countries.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, August 17 - 23</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-august-17-23_88/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/08/23/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Hello and welcome to the regular networking and cybersecurity newsletter brought to you every weekend! This time we are looking at the articles and materials published between August 17 and 23, 2020.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, August 10 - 16</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-august-10-16_87/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/08/16/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Hello and welcome to the regular networking and cybersecurity newsletter brought to you every weekend by Qrator Labs! This time we are looking at the articles and materials published between August 10 and 16, 2020.&lt;/p&gt;</description></item><item><title>What is happening with the BY internet segment in terms of BGP and IPv4/IPv6</title><link>https://blog.qrator.net/en/what-happening-BY_86/</link><description>&lt;p&gt;Before we start investigating what is happening with the Internet within and outside of Belarus, let us quote a couple of sentences we are repeating in annual &lt;a href="https://blog.qrator.net/en/2019-internet-reliability_56/"&gt;National Reliability Research &amp;amp; Report&lt;/a&gt;: &lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;“Strictly speaking, when the BGP and the world of interdomain routing were in the design stage, the creators assumed that every non-transit AS would have at least two upstream providers to guarantee fault tolerance in case one goes down. However, the reality is different; over 45% of ISP’s have only one connection to an upstream transit provider. A range of unconventional relationships among transit ISPs further reduces reliability. So, have transit ISPs ever failed? The answer is yes, and it happens with some frequency. The more appropriate question is — under what conditions would a particular ISP experience service degradation? If such problems seem unlikely, it may be worth considering Murphy’s Law: “Anything that can go wrong, will.”&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Why are we repeating this rather than start with the facts and timesteps as usual? Because this is precisely the case, from our point of view, with Belarus’ internet segment. Let us take a look at two diagrams representing a BGP network of Belarus a month ago, at the beginning of July 2020:&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, August 3 - 8</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-august-3-8_85/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/08/09/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Greetings to all the readers of our regular networking and cybersecurity newsletter! With this issue, we are looking at everything that has happened between August 3 and 8, 2020.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, July 27 - August 1</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-july-27-august-1_84/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/08/02/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Greetings within our regular networking and cybersecurity newsletter! This time we are going to have a closer look at articles and academic papers published between July 27 and August 1, 2020.&lt;/p&gt;</description></item><item><title>AS10990 and the peerless CDN combined with routing optimization tale</title><link>https://blog.qrator.net/en/as10990-routing-optimization-tale_83/</link><description>&lt;p&gt;On the border of July 29 and 30, depending on where in the world you were, a routing anomaly occurred. Following the NANOG question regarding what exactly was happening, the Qrator.Radar team loaded its research instruments and dived into the investigation. Nevertheless, before we start, let us take a general look at the main actors of this play.&lt;/p&gt;
&lt;p style="text-align:center"&gt;&lt;img alt="" height="257" src="/app/media/dl/bdd9da834573af153929caccc0e61ab2.png" width="1676"/&gt;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, July 20 - 25</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-july-20-25_81/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/07/26/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Welcome to our regular weekend newsletter containing every remarkable story on networking and cybersecurity published between July 20 and 25, the year 2020.&lt;/p&gt;</description></item><item><title>264462 massive route leak</title><link>https://blog.qrator.net/en/264462-massive-route-leak_80/</link><description>&lt;p&gt;On the morning of Tuesday, July 21, the Brazilian AS 264462, belonging to “Comercial Conecte Sem Fio Ltda me” according to the whois record for this ASN, leaked a massive 13046 network prefixes in a networking incident that lasted for 1 hour and 23 minutes, starting at 9.15 UTC and ending at 10.38.&lt;/p&gt;
&lt;p style="text-align:center"&gt;&lt;img alt="" height="558" src="/app/media/uploads/2020/07/21/route-leak-by-264462.png" width="903"/&gt;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, July 13 - 18</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-july-13-18_79/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/07/19/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;As always, greetings within the latest cyber- and networking security newsletter brought to you by Qrator Labs. This time we are going to take a look at the most important and relevant stories published between July 13 and 18 of the year 2020.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, July 6 - 11</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-july-6-11_78/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/07/12/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Hello and welcome to our weekly recap of the news and articles worth attention on the topics of networking and cybersecurity published July 6 to 11, 2020.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, June 22 - July 4</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-june-22-july-4_77/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/07/05/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;Ladies and gentlemen, after a short vacation, we are back with the most relevant and essential news on cyber and network security.&lt;/p&gt;
&lt;p&gt;This time we are going to make the 2-week overview, covering stories published roughly from June 22 to July 4. Enjoy!&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, June 15 - 20</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-june-15-20_76/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/06/21/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;&lt;br/&gt;
Here we are again with the newest information on what happened in cyber and network security from June 15 to June 20. There have been a lot of events, so let's roll with the most critical ones.&lt;/p&gt;</description></item><item><title>Cybersecurity Newsletter, June 8 - 13</title><link>https://blog.qrator.net/en/cybersecurity-newsletter-june-8-13_75/</link><description>&lt;p&gt;&lt;img alt="" height="659" src="/app/media/uploads/2020/06/14/top.jpg" width="3468"/&gt;&lt;/p&gt;
&lt;p&gt;&lt;br/&gt;
Wow, that's been a week! Here's the blogpost copying our newsletter that covers all the newest information on what happened in cyber and network security from June 8 to June 13.&lt;/p&gt;</description></item><item><title>Looking back at 3 months of the global traffic shapeshifting</title><link>https://blog.qrator.net/en/looking-back-3-months-global-traffic-shapeshifting_74/</link><description>&lt;p&gt;&lt;img alt="image" src="/app/media/dl/d307cf3b17973f9a328e3c7ce91b402b.png"/&gt;&lt;br/&gt;
There would be no TL;DR in this article, sorry.&lt;br/&gt;
&lt;br/&gt;
Those have been three months that genuinely changed the world. An entire lifetime passed from February 1, when the coronavirus pandemic had just started to spread outside of China and European countries were about to react, to April 30, when nations were locked down under quarantine measures almost all over the world. We want to take a look at the repercussions and the cyclic nature of the reaction and, of course, provide an overview of DDoS attacks and BGP incidents over a timeframe of three months.&lt;br/&gt;
&lt;br/&gt;
In general, there seems to be an objective pattern in almost every country’s shift into the quarantine lockdown.&lt;/p&gt;</description></item><item><title>A different route leak species</title><link>https://blog.qrator.net/en/different-route-leak-species_73/</link><description>&lt;p&gt;On April 23, 2020, an AS205310 leaked routes from one of its upstreams to another (from &lt;a href="https://radar.qrator.net/as8220"&gt;AS8220&lt;/a&gt; to &lt;a href="https://radar.qrator.net/as15943"&gt;AS15943&lt;/a&gt;), affecting 90 000 prefixes.&lt;/p&gt;
&lt;p&gt;In some cases, such an incident could lead to massive network degradation across dozens of ISPs. However, it did not. Why?&lt;/p&gt;
&lt;p&gt;Because some companies install and maintain their filters properly. And even taking into regard the fact that AS15943 is directly connected to Tier-1 ISPs, they didn’t even notice the incorrect routes. They simply never reached Tier-1s, shrinking in size after each hop.&lt;/p&gt;</description></item><item><title>AS263444 hitting the headline again</title><link>https://blog.qrator.net/en/as263444-hitting-headline-again_72/</link><description>&lt;p style="margin:0in"&gt;Today, on April 22, 2020, in the world of BGP routing, a thing that usually occurs in rare circumstances, happened. A year and 11 days ago, on April 11 2019, we wrote our first incident report about a thing that has never been observed before - a hijack by, with the highest probability, &lt;a href="https://radar.qrator.net/blog/new-hijack-attack-in-the-wild"&gt;BGP optimizing software&lt;/a&gt;. Later that year, in summer, Cloudflare was &lt;a href="https://radar.qrator.net/blog/how-difficult-is-to-disrupt-a-service-nowadays"&gt;brutally hit by the same type of incident&lt;/a&gt;. And today, a year after the first incident with &lt;a href="https://radar.qrator.net/as263444"&gt;AS263444&lt;/a&gt; belonging to Open X Tecnologia Ltda, the same autonomous system… no, you guessed wrong.&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;
&lt;p style="margin:0in"&gt;Today it leaked 9328 prefixes from 1250 autonomous systems including all your favorite names: Akamai, Cloudflare, Vodafone, NTT, Amazon, NVIDIA and many others.&lt;/p&gt;
&lt;div&gt;
&lt;pre data-widget="codeSnippet"&gt;
&lt;code class="hljs"&gt; leaker |     min_start_time     |      max_end_time      | duration | prefix_count | origin_count | min_avg_max_propagation | max_duration 
--------+------------------------+------------------------+----------+--------------+--------------+-------------------------+--------------
 263444 | 2020-04-22 01:25:00+00 | 2020-04-22 01:47:00+00 | 00:22:00 |         9328 |         1250 | 2, 21, 176              | 00:22:00
&lt;/code&gt;&lt;/pre&gt;
&lt;/div&gt;</description></item><item><title>Weekend route leak by AS7552</title><link>https://blog.qrator.net/en/weekend-route-leak-as7552_71/</link><description>&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;On Sunday of April 5, 2020, only a few days after &lt;/span&gt;&lt;a href="https://radar.qrator.net/blog/serious_times_leak"&gt;last week &lt;/a&gt;&lt;a href="https://radar.qrator.net/blog/how_you_deal_with_route_leaks"&gt;route leaks&lt;/a&gt;&lt;span style="color:black"&gt; an AS7552 belonging to Viettel - &lt;/span&gt;&lt;a href="https://en.wikipedia.org/wiki/Viettel"&gt;according to Wikipedia&lt;/a&gt;&lt;span style="color:black"&gt; the largest telecommunication service provider in Vietnam - was leaking routes for more than 3 hours in a row.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;
&lt;p style="margin:0in"&gt;&lt;img alt="" height="558" src="/app/media/uploads/2020/04/06/image-20200406175413-1.png" width="903"/&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;The leak affected 4825 network prefixes from 326 operators, spreading from AS7552 upstreams: AS3491 and AS4637 towards AS1273 - Vodafone, which helped spread it to almost all major Tier-1 ISPs. Vietnamese, Cambodian and Australian networks were affected the most, with more than 25% of ISPs affected in the first two countries.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;</description></item><item><title>This is how you deal with route leaks</title><link>https://blog.qrator.net/en/how-you-deal-route-leaks_69/</link><description>&lt;p&gt;That, we must say, is the unique story so far.&lt;/p&gt;
&lt;p dir="ltr"&gt;Here’s the beginning: for approximately an hour, starting at 19:28 UTC on April 1, 2020, the largest Russian ISP — Rostelecom — was announcing prefixes belonging to prominent internet players: Akamai, Cloudflare, Hetzner, Digital Ocean, Amazon AWS, and other famous names.&lt;/p&gt;
&lt;p dir="ltr"&gt;Before the issue was resolved, paths between the largest cloud networks were somewhat disrupted — the Internet blinked. The route leak was distributed quite well through Rascom (AS20764), then Cogent (AS174) and in a couple of minutes through Level3 to the world. The issue suddenly became bad enough that it saturated the route decision-making process for a few Tier-1 ISPs.&lt;/p&gt;</description></item><item><title>Serious Times — Serious Leaks</title><link>https://blog.qrator.net/en/serious-times-serious-leaks_68/</link><description>&lt;p&gt;At 17:13 UTC on March 31, 2020, the &lt;a href="https://radar.qrator.net/as50048"&gt;AS50048&lt;/a&gt; (NEWREAL-AS) leaked, in total, 2658 IPv4 network prefixes to the Tier-2 transit provider &lt;a href="https://radar.qrator.net/as20485"&gt;Transtelecom&lt;/a&gt;. Those prefixes included Orange, Akamai, Rostelecom and more than 300 other companies’ networks.&lt;/p&gt;
&lt;p&gt;&lt;img alt="" src="/app/media/dl/9c3f8ad8ef6a0141ff6c4ab6a986e684.png"/&gt;&lt;/p&gt;</description></item><item><title>Qrator.Ingress Whitepaper</title><link>https://blog.qrator.net/en/ingress-whitepaper_32/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" src="/app/media/dl/2b0f6941da3972e51ff7706dd4a8107f.png"/&gt;&lt;/p&gt;
&lt;p&gt;Established in 2009, Qrator Labs provides DDoS mitigation services and is an acknowledged expert in this industry. The Qrator Labs expert team has been conducting research in the field of DDoS protection since 2006 and has been continuously improving algorithms, technologies and techniques of DDoS attack mitigation. In 2010 the company launched its own Qrator traffic filtration network as a technological basis for the commercial service dedicated to the protection of network services from similar threats. Algorithms and technologies used for mitigation of attacks against the web services of its customers are the company’s specialty and focus.&lt;/p&gt;</description></item><item><title>Turns out internet businesses are sustainable during pandemics. Why? Home Office DNA</title><link>https://blog.qrator.net/en/home-office-dna_67/</link><description>&lt;blockquote&gt;“In 1665, Cambridge University closed because of the plague. Isaac Newton decided to work from home. He discovered calculus &amp;amp; the laws of motion.”&lt;/blockquote&gt;
&lt;p&gt;We live in a truly remarkable moment. With the year 2020 and the COVID-19 outbreak employees all over the world are staying home for quarantine, trying their best to sustain the normal flow of life, which means continue working. And this is something new compared to all the previous infectious pandemics humanity has survived through — this time we have the Internet.&lt;/p&gt;
&lt;p&gt;&lt;br/&gt;
&lt;img alt="" src="/app/media/dl/b8493ee9db011be771ed196761a39180.jpeg"/&gt;&lt;/p&gt;</description></item><item><title>Annual Network Security and Availability Report</title><link>https://blog.qrator.net/en/2019-report_65/</link><description>&lt;h1&gt;&lt;img alt="" height="3508" src="/app/media/uploads/2022/05/20/1_tdknmcuqkakzik_t5ijllg.jpeg" width="2480"/&gt;Closely watched events of 2019&lt;/h1&gt;</description></item><item><title>Route leak by the big Russian carrier AS8359 (MTS)</title><link>https://blog.qrator.net/en/40-minute-route-leak_61/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="619" src="/app/media/dl/74ece6eb126b1130c4153423f20f1a75.png" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;February 7, 2020 - one of the biggest carriers and ISPs in Russia - MTS - AS8359, created two route leaks involving prefixes belonging to such companies as Imperva, GCore, IPTP, Akamai and many others. MTS took those prefixes from HKIX (AS4635) and sent them to Level3 (AS3356) for further distribution.&lt;/p&gt;</description></item><item><title>Faster ENUM</title><link>https://blog.qrator.net/en/faster-enum_62/</link><description>&lt;h4&gt;tl;dr&lt;/h4&gt;
&lt;p&gt;&lt;br/&gt;
&lt;a href="https://github.com/QratorLabs/fastenum"&gt;github.com/QratorLabs/fastenum&lt;/a&gt;&lt;/p&gt;
&lt;h3&gt;What are enums&lt;/h3&gt;
&lt;p&gt;&lt;br/&gt;
(If you think you know that — scroll down to the “Enums in Standard Library” section).&lt;br/&gt;
&lt;br/&gt;
Imagine that you need to describe a set of all possible states for the entities in your database model. You'll probably use a bunch of constants defined as module-level attributes:&lt;/p&gt;
&lt;pre data-widget="codeSnippet"&gt;
&lt;code&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;&lt;br/&gt;
...or as class-level attributes defined in their own class:&lt;/p&gt;
&lt;pre data-widget="codeSnippet"&gt;
&lt;code&gt;&lt;/code&gt;&lt;/pre&gt;
&lt;p&gt;&lt;br/&gt;
That helps you refer to those states by their mnemonic names, while they persist in your storage as simple integers. By this, you get rid of magic numbers scattered through your code and make it more readable and self-descriptive.&lt;br/&gt;
&lt;br/&gt;
But both the module-level constant and the class with the static attributes suffer from the inherent nature of Python objects: they are all mutable. You may accidentally assign a value to your constant at runtime, and it is a mess to debug and roll back your broken entities. So, you might want to make your set of constants immutable, which means both the number of constants declared and the values they are mapped to must not be modified at runtime.&lt;/p&gt;</description></item><item><title>How elliptic curve cryptography works in TLS 1.3</title><link>https://blog.qrator.net/en/ecc-tls-13_59/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="image" height="587" src="/app/media/dl/412956ff33859aed1873841467bda343.png" width="1200"/&gt;&lt;/p&gt;
&lt;p&gt;A couple of reader alerts:&lt;br/&gt;
&lt;br/&gt;
To (somewhat) simplify the description and keep this article to a reasonable length, we must state the primary constraint right away — everything we tell you today on the practical side applies only to TLS 1.3. That means that while your ECDSA certificate would still work in TLS 1.2 if you want it to, providing backwards compatibility, the description of the actual handshake process, cipher suites and client-server benchmarks covers TLS 1.3 only. Of course, this constraint does not apply to the mathematical description of the algorithms behind modern encryption systems.&lt;br/&gt;
&lt;br/&gt;
This article was written by neither a mathematician nor an engineer — although those helped to find a way around scary math and reviewed this article. Many thanks to Qrator Labs employees.&lt;/p&gt;
&lt;h3&gt;(&lt;b&gt;E&lt;/b&gt;lliptic &lt;b&gt;C&lt;/b&gt;urve) &lt;b&gt;D&lt;/b&gt;iffie-&lt;b&gt;H&lt;/b&gt;ellman (&lt;b&gt;E&lt;/b&gt;phemeral)&lt;/h3&gt;
&lt;p&gt;&lt;b&gt;The Diffie–Hellman legacy in the 21st century&lt;/b&gt;&lt;br/&gt;
&lt;br/&gt;
Of course, this started with neither Diffie nor Hellman. But to provide a correct timeline, we need to point out the main dates and events.&lt;br/&gt;
&lt;br/&gt;
There were several major figures in the development of modern cryptography. Most notably, Alan Turing and Claude Shannon both did an incredible amount of work in the theory of computation and information theory as well as general cryptanalysis, and Diffie and Hellman are officially credited with coming up with the idea of public-key (or so-called asymmetric) cryptography (although it is known that serious advances in cryptography were made in the UK and kept secret for a very long time), making those two gentlemen pioneers.&lt;br/&gt;
&lt;br/&gt;
In what exactly?&lt;/p&gt;</description></item><item><title>Qrator Labs Leverages Mellanox Spectrum Switches</title><link>https://blog.qrator.net/en/mellanox-linux-switch_58/</link><description>&lt;p&gt;&lt;img alt="" src="/app/media/dl/f82ea7395ae633339c725e93ac4f3b69.png"/&gt;&lt;/p&gt;</description></item><item><title>2019 National Internet Segments Reliability Research &amp; Report</title><link>https://blog.qrator.net/en/2019-internet-reliability_56/</link><description>&lt;p&gt;&lt;img alt="" src="/app/media/dl/0e1fcc58e742d3f2643c949b61b6445c.png"/&gt;&lt;br/&gt;
&lt;br/&gt;
This report explains how the outage of a single AS can affect the connectivity of the impacted region with the rest of the world, especially when it is the dominant ISP on the market. Internet connectivity at the network level is driven by interaction between autonomous systems (AS’s). As the number of alternate routes between AS’s increases, so goes the fault-resistance and stability of the internet across the network. Although some paths inevitably become more important than others, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust system.&lt;br/&gt;
&lt;br/&gt;
The global connectivity of any AS, regardless of whether it is a minor provider or an international giant, depends on the quantity and quality of its paths to Tier-1 ISPs. Usually, Tier-1 implies an international company offering global IP transit service over connections to other Tier-1 providers. But there is no guarantee that such connectivity will be maintained. Only the market can motivate them to peer with other Tier-1’s to deliver the highest quality service. Is that enough? We explore this question in the IPv6 section below. For many ISPs at all levels, losing connection to just one Tier-1 peer would likely render them unreachable in some parts of the world.&lt;br/&gt;
 &lt;/p&gt;
&lt;h2&gt;Measuring Internet Reliability&lt;/h2&gt;
&lt;p&gt;&lt;br/&gt;
Let’s examine a case where an AS experiences significant network degradation. &lt;b&gt;We want to answer the following question: “How many AS’s in the region would lose connectivity with Tier-1 operators and their global availability along with it?”&lt;/b&gt;&lt;/p&gt;</description></item><item><title>Cybersecurity News Roundup, August 12 - 18</title><link>https://blog.qrator.net/en/cybersecurity-news-roundup-august-12-18_55/</link><description>&lt;p&gt;For those of you still not subscribed to the Cybersecurity Newsletter - the form is at the top of the page.&lt;/p&gt;
&lt;p&gt;The best news, articles and scientific papers published from August 12 to 18 are below.&lt;/p&gt;</description></item><item><title>Qrator filtering network configuration delivery system</title><link>https://blog.qrator.net/en/qcontrol-en_52/</link><description>&lt;p&gt;&lt;img alt="" src="/app/media/dl/253aa1d215c7a3a635cd44e0b0c0adab.jpeg"/&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;TL;DR&lt;/b&gt;: Client-server architecture of our internal configuration management tool, QControl. &lt;br/&gt;
At its base, there’s a two-layered transport protocol working with gzip-compressed messages without decompression between endpoints. Distributed routers and endpoints receive the configuration updates, and the protocol itself makes it possible to install intermediary localized relays. It is based on a &lt;a href="https://en.wikipedia.org/wiki/Differential_backup"&gt;differential backup&lt;/a&gt; (“recent-stable,” explained further) design and employs JMESpath query language and Jinja templating for configuration rendering.&lt;br/&gt;
&lt;br/&gt;
Qrator Labs operates on and maintains a globally distributed mitigation network. Our network is anycast, based on announcing our subnets via BGP. Being a BGP anycast network physically located in several regions across the Earth makes it possible for us to process and filter illegitimate traffic closer to the Internet backbone — Tier-1 operators.&lt;br/&gt;
&lt;br/&gt;
On the other hand, being a geographically distributed network bears its difficulties. Communication between the network points-of-presence (PoP) is essential for a security provider to have a coherent configuration for all network nodes and update it in a timely and cohesive manner. So to provide the best possible service for customers, we had to find a way to synchronize the configuration data between different continents reliably.&lt;/p&gt;
&lt;blockquote&gt;In the beginning, there was the Word… which quickly became communication protocol in need of an upgrade.&lt;/blockquote&gt;</description></item><item><title>Cybersecurity News Roundup, August 5 - 11</title><link>https://blog.qrator.net/en/cybersecurity-news-august5-11_51/</link><description>&lt;p&gt;This post represents a regular Cybersecurity Newsletter issue, available at the dedicated &lt;a href="https://blog.qrator.net/en/subscribe/"&gt;subscribe page&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This time, we are between August 5 and 11 with the best articles, blog posts, and preprints.&lt;/p&gt;</description></item><item><title>Cybersecurity News Roundup, July 29 - August 4</title><link>https://blog.qrator.net/en/cybersecurity-news-roundup-1_50/</link><description>&lt;p&gt;This blogpost represents a regular Cybersecurity Newsletter issue, available at the dedicated &lt;a href="https://blog.qrator.net/en/subscribe/"&gt;subscribe page&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This time, we're between July 29 and August 3 with the best articles posted.&lt;/p&gt;</description></item><item><title>How difficult is it to disrupt a service nowadays</title><link>https://blog.qrator.net/en/how-difficult-disrupt-service-nowadays_49/</link><description>&lt;p&gt;Today we often talk about SLA and redundancy. And the increasing role of clouds in the overall Internet infrastructure. Someone says that they will play a crucial role in traffic share in the nearest future. However, there are other huge ISPs - Tier-1, aka the biggest transit operators, which have transnational cables and indeed are part of the historical Internet backbone. They often play the role of last resort in the filtration process of bad routes. Because they have hundreds of customers. Also, almost all of these customers believe in what they got from the provider ISPs. That is the main reason why modern internet drafts rely on Tier-1s as flag carriers and hope that they’ll apply a new security mechanism among all the others.&lt;/p&gt;
&lt;p&gt;Is this always a real scenario?&lt;/p&gt;</description></item><item><title>What is going to happen on February 1, 2020?</title><link>https://blog.qrator.net/en/whats-going-happen-february-1-2020_47/</link><description>&lt;p&gt;&lt;b&gt;TL;DR: starting February 2020, DNS servers that don’t support DNS both over UDP and TCP may stop working.&lt;/b&gt;&lt;/p&gt;
&lt;figure class="image" style="float:left"&gt;&lt;img align="left" alt="Bangkok streetview" height="300" src="/app/media/dl/152b367d0057d7d9c7222c5a23f14fa1.png" width="300"/&gt;
&lt;figcaption&gt;Bangkok streetview​​&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;Bangkok, in general, is a strange place to stay. Of course, it is warm there, rather cheap and some might find the cuisine interesting, along with the fact that about half of the world’s population &lt;a href="https://en.wikipedia.org/wiki/Visa_policy_of_Thailand#Thailand_visa_policy_map"&gt;does not need to apply for a visa in advance&lt;/a&gt; to get there. However, you still need to get acquainted with the smells, and the city streets are casting cyberpunk scenes more than anything else.&lt;br/&gt;
&lt;br/&gt;
In particular, the photo to the left was taken not far from the center of Thailand’s capital city, one street away from the Shangri-La hotel, where the 30th DNS-OARC organization meeting took place on May 12 and 13. It is a non-profit organization dedicated to security, stability, and overall development of the DNS — the Domain Name System.&lt;br/&gt;
&lt;br/&gt;
&lt;a href="https://indico.dns-oarc.net/event/31/timetable/"&gt;Slides from the DNS-OARC 30 meeting&lt;/a&gt; are recommended for everyone interested in how the DNS works, though perhaps the most interesting is what is absent in those slides. Namely, a 45-minute round table with a discussion around the results of &lt;a href="https://dnsflagday.net/"&gt;DNS Flag Day 2019&lt;/a&gt;, which occurred on February 1, 2019.&lt;br/&gt;
&lt;br/&gt;
And the most impressive result of the round table is &lt;b&gt;the decision to repeat DNS Flag Day once again&lt;/b&gt;.&lt;/p&gt;</description></item><item><title>Legacy Outage</title><link>https://blog.qrator.net/en/legacy-outage_46/</link><description>&lt;p&gt;Two days ago, on May 5, 2019, we saw a peculiar BGP outage, affecting autonomous systems in the customer cone of one very specific AS with the number 721.&lt;br/&gt;
&lt;br/&gt;
Right at the beginning, we need to outline a couple of details for our readers:&lt;br/&gt;
 &lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;All Autonomous System Numbers under 1000 are called “lower ASNs,” as they are the first autonomous systems on the Internet, registered by IANA in the early days (the late 80’s) of the global network. Today they mostly represent government departments and organizations that were somehow involved in Internet research and creation in the 70s-90s.&lt;/li&gt;
&lt;li&gt;Our readers should remember that the Internet became public only after the United States’ Department of Defense, which funded the initial ARPANET, handed it over to the Defense Communication Agency and, later in 1981, connected it to the CSNET with the TCP (&lt;a href="https://tools.ietf.org/html/rfc675"&gt;RFC675&lt;/a&gt;)/IP &lt;a href="https://tools.ietf.org/html/rfc791"&gt;(RFC791)&lt;/a&gt; over X.25. A couple of years later, in 1986, NSF swapped the CSNET in favor of NSFNET, which grew so fast it made it possible to decommission ARPANET by 1990.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://www.internetsociety.org/ianatimeline/"&gt;IANA was established&lt;/a&gt; in 1988, and supposedly at that time, &lt;a href="https://tools.ietf.org/html/rfc820"&gt;existing ASNs&lt;/a&gt; were registered by the RIRs. It is no surprise that the organization that funded the initial research and creation of the ARPANET, further transferring it to another department because of its operational size and growth, only after diversifying it into 4 different networks (Wiki &lt;a href="https://en.wikipedia.org/wiki/History_of_the_Internet#From_ARPANET_to_NSFNET"&gt;mentions&lt;/a&gt; MILNET, NIPRNET, SIPRNET and JWICS, above which the military-only NIPRNET did not have controlled security gateways to the public Internet.&lt;/li&gt;
&lt;/ol&gt;</description></item><item><title>TLS 1.3 enabled, and why you should do the same</title><link>https://blog.qrator.net/en/tls-13-enabled_44/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="220" src="/app/media/uploads/2019/04/26/4rlsmm52ymuvqtajylaqzmtdhks.png" width="1024"/&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;As we &lt;a href="https://blog.qrator.net/en/annual-report-18-en_35/"&gt;wrote&lt;/a&gt; in the 2018-2019 Interconnected Networks Issues and Availability Report at the beginning of this year, TLS 1.3 arrival is inevitable. Some time ago we successfully deployed the 1.3 version of the Transport Layer Security protocol. After gathering and analyzing the data, we are now ready to highlight the most exciting parts of this transition.&lt;/i&gt;&lt;br/&gt;
&lt;br/&gt;
As IETF TLS Working Group Chairs wrote &lt;a href="https://www.ietf.org/blog/tls13/"&gt;in the article&lt;/a&gt;:&lt;br/&gt;
“In short, TLS 1.3 is poised to provide a foundation for a more secure and efficient Internet over the next 20 years and beyond.” &lt;br/&gt;
&lt;br/&gt;
&lt;a href="https://tools.ietf.org/html/8446"&gt;TLS 1.3&lt;/a&gt; has arrived after 10 years of development. Qrator Labs, as well as the IT industry overall, watched the development process closely from the initial draft through each of the 28 versions while a balanced and manageable protocol was maturing that we are ready to support in 2019. The support is already evident among the market, and we want to keep pace in implementing this robust, proven security protocol.&lt;br/&gt;
&lt;br/&gt;
Eric Rescorla, the lone author of TLS 1.3 and the Firefox CTO, &lt;a href="https://www.theregister.co.uk/2018/08/13/tls_13_approved/"&gt;told The Register that&lt;/a&gt;:&lt;br/&gt;
“It's a drop-in replacement for TLS 1.2, uses the same keys and certificates, and clients and servers can automatically negotiate TLS 1.3 when they both support it,” he said. “There's pretty good library support already, and Chrome and Firefox both have TLS 1.3 on by default.”&lt;/p&gt;</description></item><item><title>Bad news, everyone! New hijack attack in the wild</title><link>https://blog.qrator.net/en/new-hijack-attack_42/</link><description>&lt;p&gt;On March 13, a &lt;a href="https://www.ripe.net/ripe/mail/archives/anti-abuse-wg/2019-March/004585.html"&gt;proposal&lt;/a&gt; for the RIPE anti-abuse working group was submitted, stating that a BGP hijacking event should be treated as a policy violation. In case of acceptance, if you are an ISP attacked with the hijack, you could submit a special request where you might expose such an autonomous system. If there is enough confirming evidence for an expert group, then such a LIR would be considered an adverse party and further punished. There were &lt;a href="https://www.ripe.net/ripe/mail/archives/anti-abuse-wg/2019-March/004601.html"&gt;some arguments against this proposal&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;With this article, we want to show an example of an attack where not only the true attacker was in question, but also the whole list of affected prefixes. Moreover, it again raises concerns about the possible motives for future attacks of this type.&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;</description></item><item><title>BGP perforating wound</title><link>https://blog.qrator.net/en/bgp-perforating-wound_41/</link><description>&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;It was an ordinary Wednesday on 4.04.2019. Except that at some point of the midday timeline an &lt;/span&gt;&lt;a href="https://radar.qrator.net/as/60280/whois"&gt;AS60280&lt;/a&gt;&lt;span style="color:black"&gt; belonging to Belarus’ NTEC leaked 18600 prefixes originating from approximately 1400 ASes.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;
&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;Those routes were taken from the transit provider RETN (&lt;/span&gt;&lt;a href="https://radar.qrator.net/as9002"&gt;AS9002&lt;/a&gt;&lt;span style="color:black"&gt;) and further announced to NTEC’s provider - RU-telecom’s &lt;/span&gt;&lt;a href="https://radar.qrator.net/as205540"&gt;AS205540&lt;/a&gt;&lt;span style="color:black"&gt;, which, in its turn, accepted all of them, spreading the leak.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;
&lt;p style="text-align:center"&gt;&lt;a href="https://radar.qrator.net/as60280/providers#startDate=2019-01-08&amp;amp;endDate=2019-04-08&amp;amp;tab=current"&gt;&lt;img alt="" height="834" src="/app/media/uploads/2019/04/08/2019-04-08-1.png" width="1109"/&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;</description></item><item><title>Russian Internet Segment Architecture</title><link>https://blog.qrator.net/en/russian-internet-segment-architecture_39/</link><description>&lt;p&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;As many of our readers know, Qrator.Radar is constantly researching global BGP connectivity, as well as regional. Since the Internet stands for “Interconnected Networks,” to ensure the best possible quality and speed the interconnectivity of individual networks should be rich and diverse, with their growth motivated on a sound competitive basis.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span lang="en-US" style="color:black"&gt;The fault-resistance of an internet connection in any given region or country is tied to the number of alternate routes between ASes. Though, as we stated before in our Internet Segments Reliability &lt;/span&gt;&lt;a href="https://blog.qrator.net/en/national-internet-segments-reliability_6/"&gt;reports&lt;/a&gt;&lt;span lang="ru" style="color:black"&gt;, some paths are obviously more critical compared to the others (for example, the paths to the Tier-1 transit ISPs or autonomous systems hosting authoritative DNS servers), which means that having as many reachable routes as possible is the only viable way to ensure adequate system scalability, stability and robustness.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;
&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;This time, we are going to have a closer look at the Russian Federation internet segment. There are reasons to keep an eye on that segment: according to the numbers provided by the RIPE database, there are 6183 autonomous systems in Russia, out of 88664 registered worldwide, which stands for 6.87% of total.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;
&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;This percentage puts Russia on a second place in the world, right after the USA (30.08% of registered ASes) and before Brazil, owning 6.34% of all autonomous systems. Effects of changes in the Russian connectivity could be observed across many other countries dependant on or adjacent to that connectivity, and ultimately by almost any ISP in the world.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;</description></item><item><title>ClickHouse DB in DDoS mitigation</title><link>https://blog.qrator.net/en/clickhouse-ddos-mitigation_37/</link><description>&lt;div style="text-align:center"&gt;
&lt;figure class="image" style="display:inline-block"&gt;&lt;img alt="" height="567" src="/app/media/uploads/2019/03/04/machine-learning-6.jpg" width="1200"/&gt;
&lt;figcaption&gt;Two-layered scheme for packet filtration with machine learning&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/div&gt;
&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;In general, Qrator Labs filtering service involves two stages: first, we immediately evaluate whether a request is malicious with the help of stateless and stateful checks, and, secondly, we decide whether or not to keep the source blacklisted and for how long. The resulting blacklist could be represented as the list of unique IP-addresses.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;</description></item><item><title>Eliminating opportunities for traffic hijacking</title><link>https://blog.qrator.net/en/eliminating-traffic-hijacking_36/</link><description>&lt;div style="text-align:center"&gt;
&lt;figure class="image" style="display:inline-block"&gt;&lt;img alt="" height="734" src="/app/media/uploads/2019/03/01/qbgp.png" width="1200"/&gt;
&lt;figcaption&gt;Scheme for BGP connection to Qrator filtering network&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/div&gt;
&lt;p style="margin-top:18pt; margin-bottom:6pt"&gt;&lt;span style="font-size:16.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;A little historical overview&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;ul style="margin-left:.375in; unicode-bidi:embed; margin-top:0in; margin-bottom:0in" type="disc"&gt;
&lt;li style="margin-top:0; margin-bottom:0; vertical-align:middle; color:#333333"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-weight:bold"&gt;&lt;span style="font-family:Arial"&gt;BGP hijacks &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;- when an ISP originates an advertisement of address space that does not belong to it;&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;li style="margin-top:0pt; margin-bottom:9pt; vertical-align:middle; color:#333333"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-weight:bold"&gt;&lt;span style="font-family:Arial"&gt;BGP route leaks &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;- when an ISP advertises prefixes received from one provider or peer to another provider or peer.&lt;/span&gt;&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;This week it has been 11 years since the &lt;/span&gt;&lt;a href="https://arstechnica.com/uncategorized/2008/02/insecure-routing-redirects-youtube-to-pakistan/"&gt;memorable YouTube BGP incident&lt;/a&gt;&lt;span style="color:black"&gt;, provoked by the global propagation of a more specific prefix announce, originated by the Pakistan Telecom, leading to an almost 2 hour in duration traffic disruption in the form of redirecting traffic from legitimate path to the bogus one. We could guess if that event was intentional, and even a correct answer wouldn’t help us completely prevent such incidents from happening today. While you read this, a route leak or a hijack is spreading over the networks. Why? Because BGP is not easy, and configuring a correct and secure setup is even harder (yet).&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;
&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;In these eleven years, BGP hijacking became quite damaging attack vector due to the BGP emplacement in the architecture of modern internet. Thanks to BGP, routers not only acquire peer information, and therefore all the Internet routes - they are able of calculating the best path for traffic to its destination through many intermediate (transit) networks, each representing an individual AS. A single AS is just a group of IPv4 and/or IPv6 networks operating under a single external routing policy.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;
&lt;p style="margin:0in"&gt;&lt;span style="font-size:11.0pt"&gt;&lt;span style="font-family:Arial"&gt;&lt;span style="color:black"&gt;And thanks to BGP in its current state attackers are capable of conducting massive heists of traffic, efficiently hijacking target network’s prefixes, placing themselves in the middle. And that’s just the beginning - in the era of state-sponsored cyber actors, it is evident that the keystone of Border Gateway Protocol, which is trust, is no longer sufficient enough to prevent malicious outbreaks of routing incidents, deliberate or not, to occur. Since BGP plays such an essential role in the existence of the internet as we know it (it is the only exterior gateway protocol to control traffic flow between different Internet Service Providers all over the world), for a decade we’ve seen attempts to patch things up.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin:0in"&gt; &lt;/p&gt;</description></item><item><title>Internet Issues &amp; Availability Report 2018-2019</title><link>https://blog.qrator.net/en/annual-report-18-en_35/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" height="793" src="/app/media/uploads/2019/02/12/almost-ready-points-of-presence-map.jpg" width="1000"/&gt;&lt;/p&gt;
&lt;p&gt;While working on the annual report this year, we decided to avoid retelling the news headlines of the previous year. Though it is almost impossible to ignore memories entirely, we want to share with you the result of clear thought and a strategic view of the point where we are all going to arrive in the near future - the present.&lt;/p&gt;
&lt;p&gt;Leaving the introductory words behind, here are our key findings:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Average DDoS attack duration dropped to 2.5 hours;&lt;/li&gt;
&lt;li&gt;During 2018, the capability appeared for attacks at hundreds of gigabits-per-second within a country or region, bringing us to the verge of “quantum theory of bandwidth relativity”;&lt;/li&gt;
&lt;li&gt;The frequency of DDoS attacks continues to grow;&lt;/li&gt;
&lt;li&gt;The continuing growth of HTTPS-enabled (SSL) attacks;&lt;/li&gt;
&lt;li&gt;PC is dead: most of the legitimate traffic today comes from smartphones, which is a challenge for DDoS actors today and would be the next challenge for DDoS mitigation companies;&lt;/li&gt;
&lt;li&gt;BGP finally became an attack vector, 2 years later than we expected;&lt;/li&gt;
&lt;li&gt;DNS manipulation has become the most damaging attack vector;&lt;/li&gt;
&lt;li&gt;Other new amplification vectors are possible, like &lt;a href="https://blog.qrator.net/en/understanding-facts-memcached-amplification_4/"&gt;memcached&lt;/a&gt; &amp;amp; CoAP;&lt;/li&gt;
&lt;li&gt;There are no more “safe industries” that are invulnerable to cyberattacks of any kind.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In this article we have tried to cherry-pick the most interesting parts of our report, though if you would like to read the full version in English, the &lt;a href="https://qrator.ru/presentations/QratorAnnualRepEng.pdf"&gt;PDF is available&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>“No Filters” or An Easy Way to Shoot In the Foot</title><link>https://blog.qrator.net/en/no-filters-or-an-easy-way-to-shoot-in-the-foot_18/</link><description>&lt;p&gt;Several times in our posts we have discussed the consequences of a lack of ingress filtering. Such a misconfiguration can work fine most of the time, but one day may result in an outage at regional or even global scale. And yesterday, 25.11.2018, it happened again, this time in Russia.&lt;/p&gt;</description></item><item><title>Mistake, Mistake, Blackhole</title><link>https://blog.qrator.net/en/mistake-mistake-blackhole_17/</link><description>&lt;p&gt;&lt;i&gt;Three Mistakes in a Boat (To Say Nothing of the Outage)&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;Yesterday, on 12.11.2018, a BGP configuration mistake happened at Mainone Cable Company (AS37282), a Nigerian ISP. It mainly hit two content providers: Google (AS15169, AS36384, AS36492, AS43515) and Cloudflare (AS13335). The leaked routes were accepted by its direct upstream, China Telecom (AS4809), further advertised in Russia to TTK (AS20485) and finally learned by NTT (AS2914) in Europe. After reaching the Tier-1 provider level, the leaked prefixes propagated globally, redirecting traffic to an unusual Europe-Russia-China-Nigeria route.&lt;/p&gt;</description></item><item><title>Wrong, wrong, WRONG! methods of DDoS mitigation</title><link>https://blog.qrator.net/en/wrong-methods-ddos-mitigation_8/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" src="/app/media/uploads/2018/11/30/1kcsjlarxt81d7fkyu_gq0w.png"/&gt;&lt;/p&gt;
&lt;p&gt;That is a quote from one of my favorite bands. Dave Gahan from Depeche Mode is a living proof that you can say the word &lt;em&gt;“wrong”&lt;/em&gt; 65 times in 5 minutes and still be a rock star. Let’s see how that’s going to work for me.&lt;/p&gt;</description></item><item><title>Userspace traffic generation</title><link>https://blog.qrator.net/en/userspace-traffic-generation_7/</link><description>&lt;div style="text-align:center"&gt;
&lt;figure class="image" style="display:inline-block"&gt;&lt;img alt="" src="/app/media/uploads/2018/11/30/1o0lto1sytrumao-r2kmsaa.jpeg" width="1000"/&gt;
&lt;figcaption&gt;An artist’s concept showing MoonGen + DPDK + Lua traffic generation stack&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/div&gt;
&lt;p id="9d6b" name="9d6b"&gt;DDoS attacks mitigation in the wild requires various techniques to be tested and learned. Hardware and software network solutions need to be tested in artificial environments close to real-life ones, with massive traffic streams imitating attacks. Without such experience, one would never acknowledge the specific capabilities and limitations every sophisticated tool has.&lt;/p&gt;
&lt;p id="3267" name="3267"&gt;In this article, we are going to disclose certain methods of traffic generation used in Qrator Labs.&lt;/p&gt;
&lt;p id="95e7" name="95e7"&gt;&lt;strong&gt;DISCLAIMER&lt;/strong&gt;&lt;/p&gt;
&lt;p id="adb1" name="adb1"&gt;We notoriously advise any and every reader not to try any offensive use of the tools we write about in this research. Organization of DoS attacks is legally persecuted and could lead to lengthy imprisonment. Qrator Labs responsibly conducts all tests within an isolated laboratory environment.&lt;/p&gt;</description></item><item><title>National Internet Segments’ Reliability Survey</title><link>https://blog.qrator.net/en/national-internet-segments-reliability_6/</link><description>&lt;div style="text-align:center"&gt;
&lt;figure class="image" style="display:inline-block"&gt;&lt;img alt="" src="/app/media/uploads/2018/11/30/18uctrjosq3vnlks_2wzf1a.jpeg"/&gt;
&lt;figcaption&gt;2018 Internet Reliability Top 20 On The World Map&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/div&gt;
&lt;p id="f751" name="f751"&gt;The report explains how the outage of a single AS affects the global connectivity of the region, especially when it is the biggest ISP of a given country. Internet connectivity at the network level is driven by the interaction between autonomous systems (AS’s). As the number of alternate routes between AS’s increases, so goes the fault-resistance and stability of the internet in a given country. However, some paths become more important than others and having as many alternate routes as possible is the only viable way ensure the system is adequately robust.&lt;/p&gt;
&lt;p id="99a0" name="99a0"&gt;The global connectivity of any AS, regardless of whether it is a minor provider or an international giant, depends on the quantity and quality of its paths to Tier-1 ISP’s. Usually, Tier-1 implies an international company offering global IP transit service over connections to other Tier-1 providers. But there is no obligation to maintain such connectivity. Only the market can motivate them to peer with other Tier-1’s to deliver the highest quality service. Is that motivation enough? We explore this question in the IPv6 section below. If an ISP loses its connection to at least one of its Tier-1 peers, it would likely become unreachable in some parts of the world.&lt;/p&gt;</description></item><item><title>Leaked Censorship</title><link>https://blog.qrator.net/en/leaked-censorship_16/</link><description>&lt;p&gt;For the last 30 years basic idea behind the Internet’ design hasn’t changed - it connects people and services with each other. However, some authorities may have a different angle on what services their citizens should be able to connect to. A regulator might require ISPs to block off selected content or IP-address space for the end-users. How is that implemented? There are many options, but the most popular one is with the help of static routes, that may be propagated locally in BGP. Mistakes in this ‘local propagation’ have happened before: most notable was the YouTube hijack back in 2008, but less famous events were continually happening all over the decade. Today we observed another one, created by Iranian ISP that affected Telegram messenger.&lt;/p&gt;</description></item><item><title>Football-driven visitor</title><link>https://blog.qrator.net/en/football-driven-visitor_5/</link><description>&lt;div style="text-align:center"&gt;
&lt;figure class="image" style="display:inline-block"&gt;&lt;img alt="" src="/app/media/uploads/2018/11/30/1pdlrjuwoln4f8ksfuekq9q.jpeg"/&gt;
&lt;figcaption&gt;Photo courtesy: Kommersant / Dmitry Korotaev&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/div&gt;
&lt;p&gt;During the active period of the World Cup 2018, online store traffic decreased by almost 1.5 times. Attendance at online gaming and Forex sites fell even more, Qrator Labs found. The days when the Russian team played made the drop even more pronounced. Such dynamics are tied not only to the popularity of football matches but also to the holiday season, market participants explain.&lt;/p&gt;</description></item><item><title>Integration with RPKI and IRR Data</title><link>https://blog.qrator.net/en/integration-rpki-and-irr-data_15/</link><description>&lt;p&gt;Dear colleagues, we are glad to inform you that our team has finished integration with IRR data sources and ROA records. It should significantly increase the quality of hijack detection, plus improve transparency of what is happening to route objects in different registries.&lt;/p&gt;</description></item><item><title>The Day the Internet Survived</title><link>https://blog.qrator.net/en/day-internet-survived_14/</link><description>&lt;p&gt;Recently, several severe routing incidents spread globally: a &lt;a href="https://radar.qrator.net/blog/bgp-hijacks-malicious-or-mistakes" rel="noopener noreferrer" target="_blank"&gt;hijack&lt;/a&gt; of 5% of the entire IPv4 address space from Brazil, a route leak between Russia and Asia through Kyrgyzstan, and finally, last Friday there was an event that could have led to an outage of a significant part of the entire BGP ecosystem. Fortunately, it didn’t happen.&lt;/p&gt;</description></item><item><title>BGP hijacks - Malicious or Mistakes?</title><link>https://blog.qrator.net/en/bgp-hijacks-malicious-or-mistakes_13/</link><description>&lt;p&gt;A few days ago several cybersecurity resources &lt;a href="https://dyn.com/blog/bgp-hijack-of-amazon-dns-to-steal-crypto-currency/" rel="noopener noreferrer" target="_blank"&gt;reported details&lt;/a&gt; of an entirely malicious traffic redirection that combined DNS and BGP hijacking.
The primary goal of this attack was to steal money from different cryptocurrency wallets and services. Moreover, it was successful, since Amazon did not detect it in time. Today, on April 26, another significant incident happened that also seems to have gone unnoticed by the majority of players.&lt;/p&gt;</description></item><item><title>Cisco SMI Vulnerability And Beyond</title><link>https://blog.qrator.net/en/cisco-smi-vulnerability-and-beyond_12/</link><description>&lt;p&gt;The situation we observed last week was both peculiar and strange: panic over the Cisco Smart Install Protocol remote code execution vulnerability (&lt;a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-smi" rel="noopener noreferrer" target="_blank"&gt;cisco-sa-20160323-smi&lt;/a&gt;) started circulating. There was confirmed botnet activity that was wiping configuration files by exploiting this vulnerability and leaving the message “Don’t mess with our elections.” Moreover, there were rumors that a significant number of ISPs and even Internet segments went down due to these malicious actions.&lt;/p&gt;</description></item><item><title>Understanding the facts of memcached amplification attacks</title><link>https://blog.qrator.net/en/understanding-facts-memcached-amplification_4/</link><description>&lt;p&gt;This post was originally published on &lt;a href="https://blog.apnic.net/2018/03/22/understanding-the-facts-of-memcached-amplification-attacks/" rel="noopener nofollow" target="_blank"&gt;the APNIC blog&lt;/a&gt;.&lt;/p&gt;
&lt;div style="text-align:center"&gt;
&lt;figure class="image" style="display:inline-block"&gt;&lt;img alt="" src="/app/media/uploads/2018/11/30/1_qxznnnyvugg9og1l_p5sa.jpeg"/&gt;
&lt;figcaption&gt;Memcached payload&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;/div&gt;
&lt;p&gt;Cybersecurity attacks have become a weekly occurrence in many news columns. One recent example was that of one of our customers, QIWI payment system, &lt;a href="https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98" rel="noopener" target="_blank"&gt;successfully mitigating a 480 Gbps memcached amplified UDP DDoS attack&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;While we at Qrator Labs would rather stay out of the news, such instances justify all the preparation that we put into mitigating such attacks. To help others learn from our experience, I thought I’d recap several facts about amplification attacks, so that you too will be prepared ‘when’ the day comes.&lt;/p&gt;</description></item><item><title>Qrator Labs 2017 Report on Cybersecurity</title><link>https://blog.qrator.net/en/2017-report_3/</link><description>&lt;figure class="image" style="float:left"&gt;&lt;img alt="" src="/app/media/uploads/2018/11/30/1zgzornepior3rfg1b9goxa.png"/&gt;
&lt;figcaption&gt;&lt;/figcaption&gt;
&lt;/figure&gt;
&lt;p&gt;We would like to present to you, the reader, a shorter version of the &lt;a href="https://qrator.ru/presentations/QratorAnnualRepEng.pdf" rel="nofollow noopener" target="_blank"&gt;annual Qrator Labs report on cyber- and infosecurity, as well as DDoS&lt;/a&gt;, that covers the year 2017. Special thanks to our longstanding partner — &lt;a href="https://wallarm.com/" rel="nofollow noopener" target="_blank"&gt;Wallarm&lt;/a&gt;, for supporting us with content on notable vulnerabilities and hacks.&lt;/p&gt;
&lt;p&gt;In 2017 Qrator Labs and Wallarm noticed increasing diversification of threats from a widening variety of attack methods. The range of critical vulnerabilities on today’s web is so broad that attackers can choose from many different methods to create problems for almost any organization. A growing number of tools can operate automatically making centralized command &amp;amp; control unnecessary.&lt;/p&gt;
&lt;p&gt;If 2016 could be named the year of botnets and terabit attacks, then 2017 was the year of ransomware and routing. The incidents, like &lt;a href="https://bgpmon.net/bgp-leak-causing-internet-outages-in-japan-and-beyond/" rel="nofollow noopener" target="_blank"&gt;Google&lt;/a&gt; in Japan and &lt;a href="https://radar.qrator.net/blog/no-no-no-export" rel="nofollow noopener" target="_blank"&gt;Level3&lt;/a&gt; in the United States, &lt;a href="https://arstechnica.com/information-technology/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/" rel="nofollow noopener" target="_blank"&gt;Rostelecom&lt;/a&gt; in Russia, and many others demonstrate the persistently strong risks from human factors rooted in mismanagement and insufficient automation. A brave engineer who confidently cancels an important automated script could create the possibility of severe issues in internet service availability and accessibility.&lt;/p&gt;</description></item><item><title>Memcached Amplification</title><link>https://blog.qrator.net/en/memcached-amplification_11/</link><description>&lt;p&gt;Last week there were several notable network incidents, which were the result of a new method of DDoS attack amplification using the memcached database. Several DDoS mitigation providers, including &lt;a href="https://medium.com/@qratorlabs/the-memcached-amplification-attack-reaching-500-gbps-b439a7b83c98" rel="noopener noreferrer" target="_blank"&gt;Qrator Labs&lt;/a&gt; and &lt;a href="https://blogs.akamai.com/2018/03/memcached-fueled-13-tbps-attacks.html" rel="noopener noreferrer" target="_blank"&gt;Akamai&lt;/a&gt;, have confirmed that they were hit by this new kind of attack. The new type of DDoS attack was able to break the record and reach 1.3 Tbps bandwidth.
As a reaction to this new threat, the Qrator.Radar team has added detection of open-to-the-world memcached databases to our daily scan.&lt;/p&gt;</description></item><item><title>The memcached amplification attacks reaching 500 Gbps</title><link>https://blog.qrator.net/en/memcached-amplification-500_2/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" src="/app/media/uploads/2018/11/30/1mywelaeqreelmr6mmurqja.jpeg"/&gt;&lt;/p&gt;
&lt;p&gt;A long time ago in a git repository far-far away, &lt;a href="https://github.com/memcached/memcached/commit/2439472aae5960b9b2f8ef93f3f62047a28700f2" rel="nofollow noopener" target="_blank"&gt;a commit made&lt;/a&gt; by Brian Aker introduced the brilliant feature of listening to UDP traffic by default in memcached.&lt;/p&gt;
&lt;p&gt;The days between February 23, 2018, and Monday, February 26, 2018, were marked by multiple memcached-amplification DDoS attacks across the whole of Europe.&lt;/p&gt;</description></item><item><title>Past threats / future protocols</title><link>https://blog.qrator.net/en/past-threats-future-protocols_1/</link><description>&lt;p style="text-align:center"&gt;&lt;img alt="" src="/app/media/uploads/2018/11/30/1bb2itjicqrlqnhm13l_b3a.png"/&gt;&lt;/p&gt;
&lt;p&gt;As many readers of the Qrator Labs blog know, DDoS attacks target &lt;a href="https://qrator.net/en/solutions/ddos/how-qrator-works?lang=en" rel="nofollow noopener" target="_blank"&gt;aims at different network levels&lt;/a&gt;. In particular, a substantial botnet presence allows an intruder to carry out attacks on the L7 (application layer) and mimic regular users. Without such a botnet the attacker is forced to limit packet attacks (any of those allowing the source address forgery at some stage of execution) to the underlying transit networks levels.&lt;/p&gt;
&lt;p&gt;Naturally, in both these scenarios an attacker tends to use some existing toolkit — just like a website developer does not write it entirely from scratch, using familiar frameworks like Joomla or Bootstrap (or something else depending on one’s skills). For example, the well-known framework for executing attacks from the Internet of Things for a year and a half is &lt;a href="https://github.com/jgamblin/Mirai-Source-Code/" rel="nofollow noopener" target="_blank"&gt;Mirai&lt;/a&gt;, open-sourced by its authors in an attempt to shake the FBI off their tail &lt;a href="https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/" rel="nofollow noopener" target="_blank"&gt;in October 2016&lt;/a&gt;.&lt;/p&gt;</description></item><item><title>Measurement as the key to transparency</title><link>https://blog.qrator.net/en/measurement-key-transparency_10/</link><description>&lt;h3&gt;We built a tool to visualize network latency measured with RIPE Atlas.&lt;/h3&gt;
&lt;p&gt;If you are looking for services such as IP-transit, MPLS channels or DDoS mitigation you can choose from a variety of products. However, it is difficult to compare offers and companies regarding actual service quality. Some organizations compare market offers, but often they look at the market share or the company’s financial condition and other business metrics that are not necessarily relevant to the quality of a service per se. Also, most of these comparisons are not available free of charge.&lt;/p&gt;
&lt;p&gt;Fortunately, the situation is changing. Recently we have been given an opportunity to create global scale measurements with services such as &lt;a href="https://www.planet-lab.org/" rel="noopener noreferrer" target="_blank"&gt;PlanetLab&lt;/a&gt;, &lt;a href="https://ring.nlnog.net/" rel="noopener noreferrer" target="_blank"&gt;NLNOG RING&lt;/a&gt; and, of course, &lt;a href="https://atlas.ripe.net/" rel="noopener noreferrer" target="_blank"&gt;RIPE Atlas&lt;/a&gt;. RIPE Atlas has become the biggest measurement platform, with a rich API as the primary user interface. However, the output of API requests is not always human-readable; it still requires a set of tools on top of the API to make the data easily understandable. So we decided to work on a fix.&lt;/p&gt;</description></item><item><title>Moscow Traffic Jam</title><link>https://blog.qrator.net/en/moscow-traffic-jam_9/</link><description>&lt;p&gt;Moscow is famous for its traffic jams, with the governments continually fighting that particular problem. Nevertheless, the beginning of 2018 was marked by a new traffic bottleneck created with the help of BGP misdirection. At 12:01 UTC 17.01.2018, AS8901 belonging to Moscow City Government started leaking prefixes between its upstreams: Rostelecom (AS12389) and Comcor (AS8732). Redirection peaked at 70000 affected prefixes.&lt;/p&gt;
&lt;p style="text-align:center"&gt;&lt;img alt="" src="/app/media/uploads/2018/11/30/170118_inc.png"/&gt;&lt;/p&gt;
&lt;p&gt; &lt;/p&gt;</description></item></channel></rss>