
8/17/2017
02:00 PM

'Pulse Wave' DDoS Attacks Emerge As New Threat

DDoS botnets are launching short but successive bursts of attack traffic to pin down multiple targets, Imperva says.

Threat actors have found a new way to optimize the resources available to them for launching highly effective distributed denial-of-service (DDoS) attacks.

Instead of using a DDoS botnet to direct a sustained stream of denial-of-service traffic at a single target, some attackers are now using their attack infrastructure to direct short bursts of traffic at multiple targets - an assault dubbed pulse wave attacks.

Security vendor Imperva, which has observed the new flavor of DDoS in recent months, describes pulse wave attacks as a series of short-lived bursts of attack traffic "occurring in clockwork-like succession."

In the gaps between the pulses, threat actors appeared to be switching targets on the fly and directing similar bursts of attack traffic at other victims. The attack strategy seems designed to double a botnet's output while being as effective as the usual longer-duration DDoS attacks.

One interesting characteristic of the pulse wave attacks Imperva observed was how quickly the threat actors were able to ramp up DDoS traffic.

In a traditional DDoS attack, the volume of denial-of-service traffic that is directed at a target takes some time to ramp up because of the effort needed to mobilize geographically dispersed botnets. In most cases, attack traffic gradually builds up and then either abruptly falls off or gradually declines.

In the pulse wave attacks that Imperva observed, attack traffic kept ramping to reach peak magnitudes very quickly, and in repeated bursts.
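
An added example, not from Imperva's report or the original article: a small detector, assuming per-second inbound rate samples in Gbps, that separates the near-instant, evenly spaced bursts described above from a gradually ramping flood. The function names, threshold values, and both sample series are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def find_bursts(rates, threshold):
    """Return (start, end, peak) for each contiguous run of samples above threshold."""
    bursts, start = [], None
    for i, r in enumerate(list(rates) + [0.0]):   # sentinel closes a trailing burst
        if r > threshold and start is None:
            start = i
        elif r <= threshold and start is not None:
            bursts.append((start, i - 1, max(rates[start:i])))
            start = None
    return bursts

def ramp_seconds(rates, burst, frac=0.9):
    """Seconds from burst start until traffic first reaches frac of the burst peak."""
    start, end, peak = burst
    for i in range(start, end + 1):
        if rates[i] >= frac * peak:
            return i - start
    return end - start

def analyse(rates, threshold, max_ramp=3, max_cv=0.2, min_bursts=3):
    """Summarise burst shape and timing; all limits are assumed tuning values."""
    bursts = find_bursts(rates, threshold)
    ramps = [ramp_seconds(rates, b) for b in bursts]
    # Spacing between burst starts; a low coefficient of variation means
    # the bursts recur at a near-constant ("clockwork-like") interval.
    gaps = [b[0] - a[0] for a, b in zip(bursts, bursts[1:])]
    cv = pstdev(gaps) / mean(gaps) if gaps else None
    if not bursts:
        verdict = "no attack traffic"
    elif len(bursts) < min_bursts:
        verdict = "single or sustained flood"
    elif max(ramps) <= max_ramp and cv <= max_cv:
        verdict = "pulse wave"
    else:
        verdict = "irregular bursts"
    return {"verdict": verdict, "bursts": len(bursts),
            "max_ramp_s": max(ramps, default=None), "interval_cv": cv}

# Constructed 1-second samples in Gbps (not measurements from the article).
BASE, PEAK = 1.0, 300.0
PULSED = ([0.95 * PEAK] + [PEAK] * 9 + [BASE] * 30) * 4
GRADUAL = [BASE + (PEAK - BASE) * i / 120 for i in range(121)] + [PEAK] * 60 + [BASE] * 30

if __name__ == "__main__":
    for name, series in (("pulsed", PULSED), ("gradual", GRADUAL)):
        print(name, analyse(series, threshold=50.0))
```
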

Such attacks are much more likely to be effective against a target that is secured by a DDoS mitigation service that provides failover to the cloud, says Igal Zeifman, marketing director at Imperva.

"In such cases, because the attack peaks in its first few seconds, the network pipe is immediately congested, cutting the communication to the cloud and preventing a proper failover," he says.

"Even if a cloud is re-configured to automatically activate itself when the network becomes unavailable, lack of communication still prevents the exchange of security information that would allow it to start scrubbing the traffic," he explains.

This means the cloud mitigation service will need to resample traffic from scratch, causing a further delay and increasing the attacker's chances of taking down the network again, Zeifman says. In fact, a pulse wave attack with no ramp-up time represents a worst-case scenario for networks that are protected by hybrid DDoS mitigation approaches, according to Imperva.

Martin McKeay, senior security advocate at Akamai, says the company has been looking into this type of DDoS attack as well. But so far at least, Akamai has seen no strong evidence of attackers switching targets on the fly as Imperva reported. "Our current supposition is rather that the attackers are more likely stopping attacks before detection thresholds are hit, essentially stopping the attack before setting off the alarms and then starting back up again," McKeay says.

There may be another explanation for pulse wave attacks. "The attack is actually against a subnet range, where the observer is only protecting a portion of the subnet," McKeay says. "The botnet would appear to be going flat-out at a high rate and it would look like the attack was 'switching' targets, when that switch was either attacks owned by the same target that weren’t protected, or were owned by another entity and simply happened to be sharing IP space."

Fundamentally, such attacks do not involve a radically different command-and-control setup than a usual DDoS attack, but they are slightly more sophisticated, he says. "Overall, we believe that this kind of attack is further evidence of the commoditization of DDoS and the continuing rise of 'pay-for-play' attacks," McKeay says.

Roland Dobbins, principal engineer at Arbor Networks' security engineering and response team, says that contrary to Imperva's assertions, a well-designed hybrid DDoS mitigation service can indeed handle a pulse-wave type attack. A DDoS mitigation mechanism that makes use of connectionless signaling protocols cannot be disrupted even if the inbound link bandwidth is fully saturated by a DDoS attack, he says.

"[Imperva's] assertions of communications failure in the event of a pipe-filling attack are unfounded — even with 100% of inbound link bandwidth saturated by a DDoS attack, the on-premise component of the solution will still be able to signal the upstream component to do the heavy lifting of attack mitigation," Dobbins says. DDoS mitigation best practices in fact call for measures to deal with the sort of DDoS attack modulation described in the report, he adds.


Pulse wave attacks enable more efficient utilization of a botnet's resources, Imperva's Zeifman says. The botnet never shuts down and simply switches targets between the pulses - thereby allowing the threat actor to pin down multiple targets at the same time. Because the botnet never shuts down, the attackers are also able to keep ramping up to peak magnitude quickly and repeatedly, he says.

Some of the most ferocious DDoS attacks that Imperva says it mitigated during the first quarter of this year were in fact pulse wave attacks. The biggest of these lasted for multiple days at a time and generated attack traffic of up to 350 gigabits per second, the company said.

Many of the targets of these attacks have been organizations in the financial services and gaming sectors. The persistence of these pulse attacks and the sheer size of some of them suggest that whoever is behind them is very sophisticated and well resourced, Imperva noted.

The size of the pulse wave attacks can be matched by some of the larger botnets that Imperva has observed. "However the ability [of pulse wave attacks] to switch targets in real time is something new and would likely require a different type of resource - maybe a small number of high-power servers or some other type of resources that can be controlled in such a precise manner," Zeifman adds.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
