Under Attack: Hosting & Internet Service Providers

The digital universe depends on always-on IT networks and services, so ISPs and hosting providers have become favorite targets for cyberattacks.

Marc Wilczek, Digital Strategist & COO, Link11

February 16, 2021


In less than a decade, cybersecurity has become a critical systemic issue for the world economy. More than ever, modern life and international commerce depend upon a functioning and accessible Internet. According to Cisco, 66% of the global population will have access to it within two years, by which time there will be 5.3 billion total Internet users. Further, more than 70% of the global population will have mobile connectivity, and the number of devices connected to IP networks will be three times greater than the total number of people on Earth.

In this context, cyber incidents and attacks are flourishing, but they're nothing compared to what will happen as the majority of the world joins the digital mainstream. And since ISPs and hosting providers are at the leading edge of the digital tidal wave, it's no surprise that they've become prime targets for cybercriminals.

Attacks Are More Costly to Combat
For organizations, building cyber resilience is growing more complex and costly. Accenture's "9th Annual Costs of Cybercrime Study" reports that malware, Web-based attacks, and distributed denial-of-service (DDoS) attacks are the most expensive attack types and are "the main contributing factors to revenue loss." But some sectors are victimized more often than others. For ISPs or hosting providers — and e-commerce, online gaming, and gambling — uptime is paramount, and every minute of downtime equals money lost. In 2020, a quarter of enterprise respondents reported the average hourly cost of server downtime ran between $301,000 and $400,000, as highlighted on Statista.

Botnets on the Warpath
The root cause of these financial setbacks is cybercriminals who use every means at their disposal (or "carpet bombing") to exploit network vulnerabilities to cause havoc, extort money, or both. Carpet bombing is an example of an attack type that is becoming ubiquitous due to the easy availability of cheap DDoS services on the Dark Web. Almost anyone can pay for a botnet to seriously disrupt the company or government agency of their choice. The rapidly expanding Internet of Things (IoT) might also explain the rise in carpet bombing, since most devices are poorly protected against hostile takeovers and easily converted into bots.

ISPs and hosting providers are like red flags to carpet bombers. Some lack basic DDoS mitigation tools, while others use outdated ones. The results are predictable. In November 2018, customers of the Cambodian ISPs EZECOM, SINET, Telcotech, and Digi suffered a week of intermittent connections caused by a 150 Gbit/s DDoS attack. A few months later, a series of carpet-bombing DDoS attacks crippled a South African ISP for an entire day.

Extortion on the Rise
Since mid-2020, a new type of extortion campaign has moved into the spotlight. Cybercriminals claiming to be part of the nation-state-backed groups Fancy Bear, Lazarus Group, and the Armada Collective delivered ransom demands in emails that threatened the recipients with DDoS attacks of up to 2 Tbit/s unless they made a 20-Bitcoin payment within a week. Many organizations ignored the emailed threats without consequence. Others — including some well-known ones — suffered substantial operational setbacks as a result of subsequent attacks, as reported by the FBI.

The FBI attributed previous extortion campaigns in 2017 and 2019 to the same cybercrime groups, which at that time targeted financial institutions, retailers, and e-commerce firms.

Attacks Growing Exponentially
But carpet bombing isn't the only cyber threat out there. There are scores of others, and they're increasing in number and frequency so quickly that it's becoming increasingly difficult to beat them off using traditional tools or on-site appliances. One reason for this is that current attacks can be more than 100 times larger than a company's available pipe or backbone. As a result, the entire system collapses and all traffic (including legitimate IP traffic) is blackholed for hours or days. According to the US Department of Homeland Security, the scale of attacks has increased tenfold in recent years, and "it is not clear if current network infrastructure could withstand future attacks if they continue to increase in scale."

In October 2019, Amazon Web Services (AWS) was hit by a major DDoS attack roughly eight hours long that prevented users from connecting. The attack caused AWS to miscategorize legitimate customer queries as malicious. Google Cloud Platform experienced problems at roughly the same time, but the company says the incident was unrelated to DDoS. In February 2020, AWS reported a 2.3 Tbit/s attack — in other words, a little under half of all the traffic that telecom BT sees on its entire UK network during a normal working day.

Hosting providers and ISPs are increasingly being exposed to cyber threats, but during the pandemic, as use of these services has skyrocketed, cyberattackers have broadened their reach to include targets in vertical markets such as e-commerce, online gaming and gambling, healthcare, and educational services (think homeschooling).

No DDoS mitigation solution is foolproof, so it makes sense for organizations to beef up their existing tools with as much timely and reliable threat intelligence as possible. By blocking bad actors from their networks, ISPs can avoid falling victim to carpet-bombing attacks that can cripple their operations. If they're attacked, they should never pay a ransom. Doing so only emboldens the bad guys and supports further criminal activity.

About the Author(s)

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across the ICT industry. Before serving as chief operating officer at Link11, he was a member of the management board of T-Systems' Computing Services & Solutions (CSS) division. Prior to that, he served as senior vice president, Asia Pacific/Latin America/Middle East & Africa at CompuGroup Medical, and as managing director, Asia Pacific, for Sophos. He is an Alfred P. Sloan Fellow and holds master's degrees from FOM Graduate School for Economics and Management in Frankfurt and London Business School.
