Attacks/Breaches

8/17/2017
02:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Pulse Wave' DDoS Attacks Emerge As New Threat

DDoS botnets are launching short but successive bursts of attack traffic to pin down multiple targets, Imperva says.

Threat actors have found a new way to optimize the resources available to them for launching highly effective distributed denial-of-service (DDoS) attacks.

Instead of using a DDoS botnet to direct a sustained stream of denial of service traffic at a single target, some attackers are now using their attack infrastructure to direct short bursts of traffic at multiple targets - an assault dubbed pulse wave attacks.

Security vendor Imperva, which has observed the new flavor of DDoS in recent months, describes pulse wave attacks as a series of short-lived bursts of attack traffic "occurring in clockwork-like succession."

In the gaps between the pulses, threat actors appeared to be switching targets on the fly and directing similar bursts of attack traffic at other victims. The attack strategy seems designed to double a botnet's output while being as effective as the usual longer-duration DDoS attacks.

One interesting characteristic of the pulse wave attacks Imperva observed was how quickly the threat actors were able to ramp up DDoS traffic.

In a traditional DDoS attack, the volume of denial-of-service traffic that is directed at a target takes some time to ramp up because of the effort needed to mobilize geographically dispersed botnets. In most cases, attack traffic gradually builds up and then either abruptly falls off or gradually declines.

In the pulse wave attacks that Imperva observed, attack traffic kept ramping to reach peak magnitudes very quickly, and in repeated bursts.

Such attacks are much more likely to be effective against a target that is secured by a DDoS mitigation service that provides failover to the cloud, says Igal Zeifman, marketing director at Imperva.

"In such cases, because the attack peaks in its first few seconds, the network pipe is immediately congested, cutting the communication to the cloud and preventing a proper failover," he says.

"Even if a cloud is re-configured to automatically activate itself when the network becomes unavailable, lack of communication still prevents the exchange of security information that would allow it to start scrubbing the traffic," he explains.

This means the cloud mitigation service will need to resample traffic from scratch, causing a further delay and increasing the attacker's chances of taking down the network again, Zeifman says. In fact, a pulse wave attack with no ramp-up time represents a worst-case scenario for networks that are protected by hybrid DDOS mitigation approaches, according to Imperva.

Martin McKeay, senior security advocate at Akamai, says the company has been looking into this type of DDoS attack as well. But so far at least, Akamai has seen no strong evidence of attackers switching targets on the fly as Imperva reported. "Our current supposition is rather that the attackers are more likely stopping attacks before detection thresholds are hit, essentially stopping the attack before setting off the alarms and then starting back up again," McKeay says.

There may be another explanation for pulse wave attacks. "The attack is actually against a subnet range, where the observer is only protecting a portion of the subnet," McKeay says. "The botnet would appear to be going flat-out at a high rate and it would look like the attack was 'switching' targets, when that switch was either attacks owned by the same target that weren’t protected, or were owned by another entity and simply happened to be sharing IP space."

Fundamentally, such attacks do not involve a radically different command-and-control set up than a usual DDoS attack, but it is slightly more sophisticated, he says. "Overall, we believe that this kind of attack is further evidence of the commoditization of DDoS and the continuing rise of 'pay-for-play' attacks," McKeay says.

Roland Dobbins, principal engineer at Arbor Network's security engineering and response team, says that contrary to Imperva's assertions, a well-designed hybrid DDoS mitigation service can indeed handle a pulse-wave type attack. A DDoS mitigation mechanism that makes use of connectionless signaling protocols cannot be disrupted even if the inbound link bandwidth is fully saturated by a DDoS attack, he says.

"[Imperva's] assertions of communications failure in the event of a pipe-filling attack are unfounded — even with 100% of inbound link bandwidth saturated by a DDoS attack, the on-premise component of the solution will still be able to signal the upstream component to do the heavy lifting of attack mitigation," Dobbins says. DDoS mitigation best practices in fact call for measures to deal with the sort of DDoS attack modulation described in the report, he adds.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Pulse wave attacks enable more efficient utilization of a botnet's resources, Imperva's Zeifman says. The botnet never shuts down and simply switches targets between the pulses - thereby allowing the threat actor to pin down multiple targets at the same time. Because the botnet never shuts down, the attackers are also able to keep ramping up to peak magnitude quickly and repeatedly, he says.

Some of the most ferocious DDoS attacks that Imperva says it mitigated during the first quarter of this year in fact were comprised of pulse wave attacks. The biggest of these lasted for multiple days at a time and generated attack traffic of up to 350 gigabits-per-second, the company said.

Many of the targets of these attacks have been organizations in the financial services and gaming sectors. The persistence of these pulse attacks and the sheer size of some of them suggest that whoever is behind them is very sophisticated and well resourced, Imperva noted.

The size of the pulse wave attacks can be matched by some of the larger botnets that Imperva has observed. "However the ability [of pulse wave attacks] to switch targets in real time is something new and would likely require a different type of resource - maybe a small number of high-power servers or some other type of resources that can be controlled in such a precise manner," Zeifman adds.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
WSJ Report: Facebook Breach the Work of Spammers, Not Nation-State Actors
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/19/2018
4 Ways to Fight the Email Security Threat
Asaf Cidon, Vice President, Content Security Services, at Barracuda Networks,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.