Attacks/Breaches

8/17/2017
02:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

'Pulse Wave' DDoS Attacks Emerge As New Threat

DDoS botnets are launching short but successive bursts of attack traffic to pin down multiple targets, Imperva says.

Threat actors have found a new way to optimize the resources available to them for launching highly effective distributed denial-of-service (DDoS) attacks.

Instead of using a DDoS botnet to direct a sustained stream of denial of service traffic at a single target, some attackers are now using their attack infrastructure to direct short bursts of traffic at multiple targets - an assault dubbed pulse wave attacks.

Security vendor Imperva, which has observed the new flavor of DDoS in recent months, describes pulse wave attacks as a series of short-lived bursts of attack traffic "occurring in clockwork-like succession."

In the gaps between the pulses, threat actors appeared to be switching targets on the fly and directing similar bursts of attack traffic at other victims. The attack strategy seems designed to double a botnet's output while being as effective as the usual longer-duration DDoS attacks.

One interesting characteristic of the pulse wave attacks Imperva observed was how quickly the threat actors were able to ramp up DDoS traffic.

In a traditional DDoS attack, the volume of denial-of-service traffic that is directed at a target takes some time to ramp up because of the effort needed to mobilize geographically dispersed botnets. In most cases, attack traffic gradually builds up and then either abruptly falls off or gradually declines.

In the pulse wave attacks that Imperva observed, attack traffic kept ramping to reach peak magnitudes very quickly, and in repeated bursts.

Such attacks are much more likely to be effective against a target that is secured by a DDoS mitigation service that provides failover to the cloud, says Igal Zeifman, marketing director at Imperva.

"In such cases, because the attack peaks in its first few seconds, the network pipe is immediately congested, cutting the communication to the cloud and preventing a proper failover," he says.

"Even if a cloud is re-configured to automatically activate itself when the network becomes unavailable, lack of communication still prevents the exchange of security information that would allow it to start scrubbing the traffic," he explains.

This means the cloud mitigation service will need to resample traffic from scratch, causing a further delay and increasing the attacker's chances of taking down the network again, Zeifman says. In fact, a pulse wave attack with no ramp-up time represents a worst-case scenario for networks that are protected by hybrid DDOS mitigation approaches, according to Imperva.

Martin McKeay, senior security advocate at Akamai, says the company has been looking into this type of DDoS attack as well. But so far at least, Akamai has seen no strong evidence of attackers switching targets on the fly as Imperva reported. "Our current supposition is rather that the attackers are more likely stopping attacks before detection thresholds are hit, essentially stopping the attack before setting off the alarms and then starting back up again," McKeay says.

There may be another explanation for pulse wave attacks. "The attack is actually against a subnet range, where the observer is only protecting a portion of the subnet," McKeay says. "The botnet would appear to be going flat-out at a high rate and it would look like the attack was 'switching' targets, when that switch was either attacks owned by the same target that weren’t protected, or were owned by another entity and simply happened to be sharing IP space."

Fundamentally, such attacks do not involve a radically different command-and-control set up than a usual DDoS attack, but it is slightly more sophisticated, he says. "Overall, we believe that this kind of attack is further evidence of the commoditization of DDoS and the continuing rise of 'pay-for-play' attacks," McKeay says.

Roland Dobbins, principal engineer at Arbor Network's security engineering and response team, says that contrary to Imperva's assertions, a well-designed hybrid DDoS mitigation service can indeed handle a pulse-wave type attack. A DDoS mitigation mechanism that makes use of connectionless signaling protocols cannot be disrupted even if the inbound link bandwidth is fully saturated by a DDoS attack, he says.

"[Imperva's] assertions of communications failure in the event of a pipe-filling attack are unfounded — even with 100% of inbound link bandwidth saturated by a DDoS attack, the on-premise component of the solution will still be able to signal the upstream component to do the heavy lifting of attack mitigation," Dobbins says. DDoS mitigation best practices in fact call for measures to deal with the sort of DDoS attack modulation described in the report, he adds.

Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info and to register.

Pulse wave attacks enable more efficient utilization of a botnet's resources, Imperva's Zeifman says. The botnet never shuts down and simply switches targets between the pulses - thereby allowing the threat actor to pin down multiple targets at the same time. Because the botnet never shuts down, the attackers are also able to keep ramping up to peak magnitude quickly and repeatedly, he says.

Some of the most ferocious DDoS attacks that Imperva says it mitigated during the first quarter of this year in fact were comprised of pulse wave attacks. The biggest of these lasted for multiple days at a time and generated attack traffic of up to 350 gigabits-per-second, the company said.

Many of the targets of these attacks have been organizations in the financial services and gaming sectors. The persistence of these pulse attacks and the sheer size of some of them suggest that whoever is behind them is very sophisticated and well resourced, Imperva noted.

The size of the pulse wave attacks can be matched by some of the larger botnets that Imperva has observed. "However the ability [of pulse wave attacks] to switch targets in real time is something new and would likely require a different type of resource - maybe a small number of high-power servers or some other type of resources that can be controlled in such a precise manner," Zeifman adds.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
3 Ways to Retain Security Operations Staff
Oliver Rochford, Vice President of Security Evangelism at DFLabs,  11/20/2017
A Call for Greater Regulation of Digital Currencies
Kelly Sheridan, Associate Editor, Dark Reading,  11/21/2017
New OWASP Top 10 List Includes Three New Web Vulns
Jai Vijayan, Freelance writer,  11/21/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.