Internet provider Andrews and Arnold (AAISP) appears to have become the target for a semi-sporadic Distributed Denial of Service (DDoS) assault, which began hitting their network yesterday and has caused some of their customers to lose connection.
Generally speaking DDoS attacks work by overloading a target server (e.g. a website or other network service) with masses of data requests from multiple internet connected computers / devices; usually Trojan/Virus infected computers that then become part of a botnet, which can be controlled by a single individual that usually hides their connection behind other servers.
At this point it’s crucial to reflect that DDoS attacks happen to ISPs all the time (we read about them on an almost weekly basis), they’re practically par-for-the-course, but most can be mitigated and few are ever significant enough to knock lots of end-users offline. In nearly all cases these incidents aren’t actually an attack against the ISP, but rather somebody targeting a specific customer on the ISPs network.
As such this should NOT be confused with the recent TalkTalk incident, which also involved a separate hacking attempt and was aimed at the ISPs web server. By comparison the assault against AAISP appears to have targeted part of their network and NOT their website, which is usually what happens when somebody is looking to knock a specific subscriber offline.
The nature of this assault, which seems both powerful and aimed at several areas of their network, meant that AAISP’s “usual anti-DOS systems have not helped“, although they were later able to “mitigated most of the problems.” Unfortunately the assault began again this morning and moved to a new target block, which has kept AAISP’s staff on their toes.
Adrian Kennard, Director of AAISP, told ISPreview.co.uk:
“Staff have been working on this to reduce the impact on all customers as much as possible, and are continuing to do so today. There are still a handful customers that are collateral damage from the attack and we are working on getting those customers on line right now.”
Apparently “many” of AAISPs customers have been affected by the DDoS, although only a handful were actually left without Internet connectivity and the provider is now attempting to identify which customers were being targeted by the assault (in practice they may not get to the bottom of this, just as most other ISPs rarely do).
In the meantime some of provider’s customers are having their WAN IP address changed to get them on-line, including a few that own blocks of IPs (this can sometimes be a bit more tricky for the customer). One of those is Basingstoke based fixed wireless broadband ISP HiWiFi, which has been tweeting about the incident since last night.
It’s worth pointing out that the Computer Misuse Act effectively makes DDoS illegal, although finding the perpetrators is rather more difficult, not least because such attacks are usually short-lived (the longer they go on the greater the chance of being traced and caught).