Why Youtubers are having problems with Andorra Telecom

When did the attacks start?

On Friday night around 8:00 p.m., coinciding with the «Squid Games» event, the operator Andorra Telecom began to suffer a distributed denial of service (DDoS) attack. Because of this attack, the most popular streamers and YouTubers residing in Andorra were unable to connect and had to leave the game so as not to interrupt their peers. The operator has reported the problems caused by this DDoS attack on Twitter throughout. On some occasions its fiber network was affected, and also its 4G network: the attacks appear to be hitting the operator itself, so it does not matter which type of Internet connection you use.

Some of the most popular streamers and YouTubers such as Auronplay, El Rubius or TheGrefg could not stream on Twitch or participate in these games, so everyone realized that there was some problem in the connections from Andorra.

The attacks began again on Saturday afternoon, around the same time as on Friday. The operator promptly reported this on Twitter, indicating that some users could have difficulties browsing the Internet, but in this case it managed to solve the problem within a couple of hours. The operator indicated that these attacks seek to harm the streamers and YouTubers who reside in the country, preventing them from carrying out their work in Andorra.

Finally, today, Monday, at 10 a.m., the operator reported that DDoS attacks on its network have begun again, and that customers may have problems connecting to the Internet.

As you can see, the operator is trying to mitigate this attack that affects many of its clients, and could even affect all of them.

What can the operator do to mitigate it?

Depending on its hardware infrastructure, the operator can mitigate this attack by cutting off incoming communications from where the malicious traffic originates. First, however, we must know that there are two types of DDoS attacks:

  • DDoS attacks in which millions of concurrent connections are made.
  • Volumetric DDoS attacks. In this case, the DDoS attack consists of sending hundreds of Gbps from various sources, with the aim of collapsing the operator’s backbone network. Here little can be done, apart from expanding the network infrastructure with faster links.

DDoS attack on the router

In the first case, when millions of concurrent connections are made, the objective of the DDoS attack is to saturate the different servers with connections, opening thousands of TCP connections simultaneously with the aim of blocking the end devices. Mitigating this type of attack at the operator level is usually quite simple: using filters, the operator detects the source IP addresses the connections are coming from and, at the network level, cuts off all communications from those origins to any destination within the autonomous system of Andorra Telecom.
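The source-detection step described above can be sketched as follows. This is an added example, not Andorra Telecom's tooling: the event format, thresholds and function names are assumptions, and the sample events are constructed from documentation address ranges.

```python
import ipaddress
from collections import defaultdict, deque

def flag_sources(events, window_s=10, max_new_conns=200):
    """Flag sources opening more than max_new_conns TCP connections
    inside any window_s-second sliding window. events: (ts, src_ip)."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, src in sorted(events):
        q = recent[src]
        q.append(ts)
        while q[0] <= ts - window_s:      # expire opens older than the window
            q.popleft()
        if len(q) > max_new_conns:
            flagged.add(src)
    return flagged

def to_drop_list(flagged, min_hosts_per_24=3):
    """Build filter entries: one /32 per flagged host, collapsed to a /24 when
    several flagged hosts share it (this also drops that /24's other hosts)."""
    by_net = defaultdict(list)
    for ip in flagged:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net[net].append(ipaddress.ip_network(f"{ip}/32"))
    drops = []
    for net, hosts in by_net.items():
        drops.extend([net] if len(hosts) >= min_hosts_per_24 else hosts)
    return [str(n) for n in sorted(drops)]

def sample_events():
    """Constructed connection-open events (hypothetical flow export)."""
    events = []
    for host in (10, 11, 12):             # three flooding hosts in one /24
        events += [(i * 0.01, f"198.51.100.{host}") for i in range(300)]
    events += [(i * 0.01, "203.0.113.7") for i in range(300)]   # lone flooder
    events += [(float(i), "192.0.2.20") for i in range(50)]     # normal client
    return events

if __name__ == "__main__":
    print(to_drop_list(flag_sources(sample_events())))
```

The thresholds have to sit above what a busy legitimate source (for example a carrier-grade NAT address) produces, otherwise the filter cuts off real users along with the flood.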

The second case is more complicated to solve. When the attackers send many Gbps against the network, the only way to solve the problem is to expand the available throughput or bandwidth above the traffic that arrives, so that the network does not collapse and communications can continue. Let’s imagine that Andorra Telecom has a throughput of 40 Gbps towards a neutral exchange point or a peering with another operator: if the DDoS attack exceeds this throughput, the network cannot handle legitimate traffic because there is no bandwidth left. In this case, increasing it to 100 Gbps, for example, would force the attackers to mount a larger DDoS attack.

Another possible option for this second case is to mitigate the attack before it arrives. If some IP addresses or address ranges are being attacked, BGP could be configured to stop advertising those routes, but of course these public IP addresses will not have Internet connectivity (until they are advertised again). This is the best way to “mitigate” the DDoS attack if it affects several IP addresses: stop advertising them so that the attack does not affect the rest of the network. This is called Blackhole BGP.
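The trade-off in the last two paragraphs, worked through with the 40 Gbps link from the text. This is an added example, not the operator's procedure: the per-address rates, the baselines, the surge factor, the headroom and the function name are all assumptions, and the addresses are constructed.

```python
def plan_blackhole(current, baseline, capacity_gbps, surge_factor=5.0, headroom=0.8):
    """Choose which attacked /32s to stop advertising so the link fits again.

    current / baseline: {dst_ip: inbound Gbps now / on a normal day}.
    Only destinations far above their own baseline are candidates, so a
    legitimately busy address is never sacrificed. Returns
    (prefixes_to_withdraw, remaining_gbps, fits_in_link).
    """
    target = capacity_gbps * headroom     # leave room for legitimate bursts
    total = sum(current.values())
    candidates = sorted(
        (ip for ip, rate in current.items()
         if rate > surge_factor * baseline.get(ip, 0.1)),
        key=lambda ip: current[ip], reverse=True)
    withdrawn = []
    for ip in candidates:                 # largest attack sink first
        if total <= target:
            break
        withdrawn.append(f"{ip}/32")      # this address goes offline until re-advertised
        total -= current[ip]
    return withdrawn, round(total, 2), total <= capacity_gbps

# Constructed measurements: two customer addresses under heavy attack.
TARGETED = {
    "current":  {"192.0.2.10": 35.0, "192.0.2.11": 22.0, "192.0.2.12": 3.0,
                 "192.0.2.50": 6.0, "192.0.2.51": 4.0},
    "baseline": {"192.0.2.10": 0.2, "192.0.2.11": 0.3, "192.0.2.12": 0.1,
                 "192.0.2.50": 5.0, "192.0.2.51": 3.5},
}
# Constructed measurements: load spread across addresses, none far above baseline.
SPREAD = {
    "current":  {"192.0.2.50": 30.0, "192.0.2.51": 30.0},
    "baseline": {"192.0.2.50": 10.0, "192.0.2.51": 10.0},
}

if __name__ == "__main__":
    print(plan_blackhole(TARGETED["current"], TARGETED["baseline"], 40))
    print(plan_blackhole(SPREAD["current"], SPREAD["baseline"], 40))
```

In the second data set no address stands out, so nothing can be withdrawn and the link stays over capacity: that is the situation where only more bandwidth helps.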

What can YouTubers and streamers do?

In other countries there are generally several Internet operators, so if one operator has problems, another probably will not. The case of Andorra is somewhat exceptional, as there is only one Internet operator, for both fiber and 4G service. If there are problems with this operator you cannot switch to another; you just have to wait until the operator’s incident response team mitigates the attack when it occurs, or until the cybercriminals stop attacking the operator.

We must bear in mind that these attacks do not usually last very long: if they continue, they are likely to happen at certain times rather than all the time. The main problem is that streamers could have problems in the evenings, which is the peak time for this type of content.

As we have learned from Andorra Telecom’s official Twitter account and from the Andorran press, the YouTubers have already reported these events and the country’s authorities are investigating, with the aim of catching these cybercriminals. Meanwhile, Andorra Telecom’s cybersecurity team continues working to mitigate these attacks.
