Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

8/17/2017
02:00 PM
'Pulse Wave' DDoS Attacks Emerge As New Threat

DDoS botnets are launching short but successive bursts of attack traffic to pin down multiple targets, Imperva says.

Threat actors have found a new way to optimize the resources available to them for launching highly effective distributed denial-of-service (DDoS) attacks.

Instead of using a DDoS botnet to direct a sustained stream of denial-of-service traffic at a single target, some attackers are now using their attack infrastructure to direct short bursts of traffic at multiple targets - an approach dubbed pulse wave attacks.

Security vendor Imperva, which has observed the new flavor of DDoS in recent months, describes pulse wave attacks as a series of short-lived bursts of attack traffic "occurring in clockwork-like succession."

In the gaps between the pulses, threat actors appeared to be switching targets on the fly and directing similar bursts of attack traffic at other victims. The attack strategy seems designed to double a botnet's output while being as effective as the usual longer-duration DDoS attacks.

One interesting characteristic of the pulse wave attacks Imperva observed was how quickly the threat actors were able to ramp up DDoS traffic.

In a traditional DDoS attack, the volume of denial-of-service traffic that is directed at a target takes some time to ramp up because of the effort needed to mobilize geographically dispersed botnets. In most cases, attack traffic gradually builds up and then either abruptly falls off or gradually declines.

In the pulse wave attacks that Imperva observed, attack traffic kept ramping to reach peak magnitudes very quickly, and in repeated bursts.

Such attacks are much more likely to be effective against a target that is secured by a DDoS mitigation service that provides failover to the cloud, says Igal Zeifman, marketing director at Imperva.

"In such cases, because the attack peaks in its first few seconds, the network pipe is immediately congested, cutting the communication to the cloud and preventing a proper failover," he says.

"Even if a cloud is re-configured to automatically activate itself when the network becomes unavailable, lack of communication still prevents the exchange of security information that would allow it to start scrubbing the traffic," he explains.

This means the cloud mitigation service will need to resample traffic from scratch, causing a further delay and increasing the attacker's chances of taking down the network again, Zeifman says. In fact, a pulse wave attack with no ramp-up time represents a worst-case scenario for networks that are protected by hybrid DDoS mitigation approaches, according to Imperva.

Martin McKeay, senior security advocate at Akamai, says the company has been looking into this type of DDoS attack as well. But so far at least, Akamai has seen no strong evidence of attackers switching targets on the fly as Imperva reported. "Our current supposition is rather that the attackers are more likely stopping attacks before detection thresholds are hit, essentially stopping the attack before setting off the alarms and then starting back up again," McKeay says.

There may be another explanation for pulse wave attacks. "The attack is actually against a subnet range, where the observer is only protecting a portion of the subnet," McKeay says. "The botnet would appear to be going flat-out at a high rate and it would look like the attack was 'switching' targets, when that switch was either attacks owned by the same target that weren’t protected, or were owned by another entity and simply happened to be sharing IP space."

Fundamentally, such attacks do not involve a radically different command-and-control setup than a usual DDoS attack, but the approach is slightly more sophisticated, he says. "Overall, we believe that this kind of attack is further evidence of the commoditization of DDoS and the continuing rise of 'pay-for-play' attacks," McKeay says.
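The two traffic shapes the article contrasts (a traditional attack that ramps up gradually and then holds, versus clockwork-like bursts that hit peak in their first seconds with gaps between them) can be told apart in monitoring data, and the sub-threshold behaviour McKeay describes shows why a plain sustained-rate alarm is not enough. The following detector is an added example written for this article, not code from Imperva or Akamai; the rate limits, hold time and sample series are constructed assumptions.

```python
"""Compare a sustained-rate DDoS threshold with a burst-aware pulse detector.
Added illustration, not Imperva's or Akamai's code; input is a list of per-second
inbound rate samples (Gbps), and every series below is constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Pulse:
    start: int          # first sample above the rate limit
    end: int            # last sample above the rate limit (inclusive)
    ramp_seconds: int   # samples needed to reach 90% of the pulse's peak
    peak: float

def sustained_alert(samples, limit, hold):
    """Classic detector: fire after `hold` consecutive seconds above `limit`; return that index or None."""
    run = 0
    for i, v in enumerate(samples):
        run = run + 1 if v > limit else 0
        if run >= hold:
            return i
    return None

def find_pulses(samples, limit):
    """Split the series into contiguous above-limit bursts."""
    pulses, i = [], 0
    while i < len(samples):
        if samples[i] <= limit:
            i += 1
            continue
        start = i
        while i < len(samples) and samples[i] > limit:
            i += 1
        burst = samples[start:i]
        peak = max(burst)
        ramp = next(k for k, v in enumerate(burst) if v >= 0.9 * peak) + 1
        pulses.append(Pulse(start, i - 1, ramp, peak))
    return pulses

def is_pulse_wave(pulses, min_pulses=3, max_ramp=2, max_len=60, jitter=0.25):
    """Pulse wave: several short bursts, near-instant ramp-up, regular spacing."""
    if len(pulses) < min_pulses:
        return False
    if any(p.ramp_seconds > max_ramp or p.end - p.start + 1 > max_len for p in pulses):
        return False
    gaps = [b.start - a.end for a, b in zip(pulses, pulses[1:])]
    return pstdev(gaps) <= jitter * mean(gaps)

# Constructed: 4 pulses of 120 Gbps for 20 s with 40 s at 2 Gbps between; vs. 60 s ramp then 300 s hold.
PULSE_WAVE = ([120.0] * 20 + [2.0] * 40) * 4
TRADITIONAL = [2.0 + 118.0 * k / 60 for k in range(1, 61)] + [120.0] * 300
```

With a 50 Gbps limit and a 30 s hold, the sustained-rate alarm never fires on the pulse series (each burst ends after 20 s) yet fires on the traditional one, while the burst detector flags the pulse series on the short, steep, evenly spaced bursts alone.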

Roland Dobbins, principal engineer at Arbor Networks' security engineering and response team, says that contrary to Imperva's assertions, a well-designed hybrid DDoS mitigation service can indeed handle a pulse wave attack. A DDoS mitigation mechanism that makes use of connectionless signaling protocols cannot be disrupted even if the inbound link bandwidth is fully saturated by a DDoS attack, he says.

"[Imperva's] assertions of communications failure in the event of a pipe-filling attack are unfounded — even with 100% of inbound link bandwidth saturated by a DDoS attack, the on-premise component of the solution will still be able to signal the upstream component to do the heavy lifting of attack mitigation," Dobbins says. DDoS mitigation best practices in fact call for measures to deal with the sort of DDoS attack modulation described in the report, he adds.


Pulse wave attacks enable more efficient utilization of a botnet's resources, Imperva's Zeifman says. The botnet never shuts down and simply switches targets between the pulses - thereby allowing the threat actor to pin down multiple targets at the same time. Because the botnet never shuts down, the attackers are also able to keep ramping up to peak magnitude quickly and repeatedly, he says.

Some of the most ferocious DDoS attacks that Imperva says it mitigated during the first quarter of this year in fact consisted of pulse wave attacks. The biggest of these lasted for multiple days at a time and generated attack traffic of up to 350 gigabits per second, the company said.

Many of the targets of these attacks have been organizations in the financial services and gaming sectors. The persistence of these pulse attacks and the sheer size of some of them suggest that whoever is behind them is very sophisticated and well resourced, Imperva noted.

The size of the pulse wave attacks can be matched by some of the larger botnets that Imperva has observed. "However the ability [of pulse wave attacks] to switch targets in real time is something new and would likely require a different type of resource - maybe a small number of high-power servers or some other type of resources that can be controlled in such a precise manner," Zeifman adds.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
