Threat actors have found a new way to optimize the resources available to them for launching highly effective distributed denial-of-service (DDoS) attacks.
Instead of using a DDoS botnet to direct a sustained stream of denial of service traffic at a single target, some attackers are now using their attack infrastructure to direct short bursts of traffic at multiple targets - an assault dubbed pulse wave attacks.
Security vendor Imperva, which has observed the new flavor of DDoS in recent months, describes pulse wave attacks as a series of short-lived bursts of attack traffic "occurring in clockwork-like succession."
In the gaps between the pulses, threat actors appeared to be switching targets on the fly and directing similar bursts of attack traffic at other victims. The attack strategy seems designed to double a botnet's output while being as effective as the usual longer-duration DDoS attacks.
One interesting characteristic of the pulse wave attacks Imperva observed was how quickly the threat actors were able to ramp up DDoS traffic.
In a traditional DDoS attack, the volume of denial-of-service traffic that is directed at a target takes some time to ramp up because of the effort needed to mobilize geographically dispersed botnets. In most cases, attack traffic gradually builds up and then either abruptly falls off or gradually declines.
In the pulse wave attacks that Imperva observed, attack traffic kept ramping to reach peak magnitudes very quickly, and in repeated bursts.
Such attacks are much more likely to be effective against a target that is secured by a DDoS mitigation service that provides failover to the cloud, says Igal Zeifman, marketing director at Imperva.
"In such cases, because the attack peaks in its first few seconds, the network pipe is immediately congested, cutting the communication to the cloud and preventing a proper failover," he says.
"Even if a cloud is re-configured to automatically activate itself when the network becomes unavailable, lack of communication still prevents the exchange of security information that would allow it to start scrubbing the traffic," he explains.
This means the cloud mitigation service will need to resample traffic from scratch, causing a further delay and increasing the attacker's chances of taking down the network again, Zeifman says. In fact, a pulse wave attack with no ramp-up time represents a worst-case scenario for networks that are protected by hybrid DDOS mitigation approaches, according to Imperva.
Martin McKeay, senior security advocate at Akamai, says the company has been looking into this type of DDoS attack as well. But so far at least, Akamai has seen no strong evidence of attackers switching targets on the fly as Imperva reported. "Our current supposition is rather that the attackers are more likely stopping attacks before detection thresholds are hit, essentially stopping the attack before setting off the alarms and then starting back up again," McKeay says.
There may be another explanation for pulse wave attacks. "The attack is actually against a subnet range, where the observer is only protecting a portion of the subnet," McKeay says. "The botnet would appear to be going flat-out at a high rate and it would look like the attack was 'switching' targets, when that switch was either attacks owned by the same target that weren’t protected, or were owned by another entity and simply happened to be sharing IP space."
Fundamentally, such attacks do not involve a radically different command-and-control set up than a usual DDoS attack, but it is slightly more sophisticated, he says. "Overall, we believe that this kind of attack is further evidence of the commoditization of DDoS and the continuing rise of 'pay-for-play' attacks," McKeay says.
Roland Dobbins, principal engineer at Arbor Network's security engineering and response team, says that contrary to Imperva's assertions, a well-designed hybrid DDoS mitigation service can indeed handle a pulse-wave type attack. A DDoS mitigation mechanism that makes use of connectionless signaling protocols cannot be disrupted even if the inbound link bandwidth is fully saturated by a DDoS attack, he says.
"[Imperva's] assertions of communications failure in the event of a pipe-filling attack are unfounded — even with 100% of inbound link bandwidth saturated by a DDoS attack, the on-premise component of the solution will still be able to signal the upstream component to do the heavy lifting of attack mitigation," Dobbins says. DDoS mitigation best practices in fact call for measures to deal with the sort of DDoS attack modulation described in the report, he adds.
Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.
Pulse wave attacks enable more efficient utilization of a botnet's resources, Imperva's Zeifman says. The botnet never shuts down and simply switches targets between the pulses - thereby allowing the threat actor to pin down multiple targets at the same time. Because the botnet never shuts down, the attackers are also able to keep ramping up to peak magnitude quickly and repeatedly, he says.
Some of the most ferocious DDoS attacks that Imperva says it mitigated during the first quarter of this year in fact were comprised of pulse wave attacks. The biggest of these lasted for multiple days at a time and generated attack traffic of up to 350 gigabits-per-second, the company said.
Many of the targets of these attacks have been organizations in the financial services and gaming sectors. The persistence of these pulse attacks and the sheer size of some of them suggest that whoever is behind them is very sophisticated and well resourced, Imperva noted.
The size of the pulse wave attacks can be matched by some of the larger botnets that Imperva has observed. "However the ability [of pulse wave attacks] to switch targets in real time is something new and would likely require a different type of resource - maybe a small number of high-power servers or some other type of resources that can be controlled in such a precise manner," Zeifman adds.
- Majority of DDoS Attacks are Short, Low-Volume Bursts
- DDoS, Web Attacks Surge; Repeat Attacks Become the Norm
- New Breed of DDoS Attack On the Rise
- 10 Essential Elements For Your Incident-Response Plan