For DDoS professionals, whose livelihoods revolve around dealing with DDoS attacks day in and day out for clients of all sizes across a wide range of industries, there comes a point when it feels like you’ve seen (and mitigated) it all.
However, as any experienced DDoS mitigation professional knows, that is not the time to start feeling relaxed and confident; instead, it’s the time to keep both eyes firmly fixed on the horizon because, with expert DDoS attackers constantly innovating and creating ever more potent attacks, something wicked this way comes.
And during the second quarter of 2017, something wicked this way came.
Dragged into the undertow
Over the last few quarters, DDoS attack trends were dominated by the short-burst and low-volume assaults that generally come courtesy of a DDoS-for-hire service – attacks launched by the average Joe who happened to have a bit of Bitcoin to spare. Short bursts also occur when a professional DDoSer “probes” a target, sending traffic just long enough to gather intelligence on its defenses. Others have taken “hit and run” off the roads and onto the information superhighway, using repeated short bursts to overwhelm and exhaust the resources of the targeted organization.
Judging by this new type of assault, unfortunately, DDoS amateur hour is decidedly over.
Newly known as the pulse wave DDoS attack, this assault eschews the typical DDoS pattern: a slow ramp-up to a peak, followed by either a quick drop-off or a slower descent, which may or may not be repeated. Plotted on a graph, those typical attacks look like jagged waves.
Instead, the pulse wave attack has no ramp-up. It goes from zero to sixty within seconds, slamming the target with enough traffic to immediately clog the network. The pulses end almost as quickly as they begin, but these short, crippling bursts come in quick succession at regular intervals, with one or more pulses every ten minutes. Pulse wave attacks are immediate, frequent, persistent, and large: a single pulse can be big enough to congest a network pipe.
This particular assault pattern was first noticed by the team at Incapsula, experts on how to stop DDoS attacks, and even they have called this type of attack ferocious. There are several big bad reasons for that.
The damage done
Pulse wave attacks aren’t being blasted indiscriminately across the internet. Their creators are too focused and, frankly, smart for that. Instead these attacks have been precisely designed to do three things.
- Firstly, the team at Incapsula has seen these attacks take aim at high-value targets like fintech and online gaming entities – organizations in massively competitive industries that are badly hurt by the downtime stemming from these attacks.
- Secondly, these attacks are designed to cause incredible havoc for organizations using an appliance-first on-premise and cloud-second hybrid DDoS protection approach. The opening burst immediately overwhelms the network, not only causing the denial of service but also preventing the on-premise mitigation appliance from communicating with and activating the cloud scrubbing server. The network is shut down entirely for the duration of the pulse, and by the time it has recovered, the next pulse is hitting. Even if the scrubbing server can be set to activate automatically when attack traffic is detected, it is still delayed first by the verification process and then while it samples attack traffic to create an attack signature, information the mitigation appliance could have relayed had the network not been clogged.
- Thirdly, this attack type is perfect for allowing attackers to smash multiple targets concurrently using one botnet. After a target has been hit with a pulse, there’s a lull in that particular attack until the next pulse hits. Incapsula’s team posits that during the lull the botnet is hitting another target with a pulse. This lets attackers make the most of their botnet resources, and it’s also what allows pulse wave attacks to start off with a bang, no ramp-up necessary: the botnet is already operating at full capacity, having been walloping other targets, when the first pulse of a new attack lands. It’s like putting a sheet of cookie dough into an oven in which you’re already baking brownies: you don’t need it to heat up because it’s already hot.
Altogether, these attacks are brilliantly designed, scarily efficient, and need to be a concern for major organizations everywhere, even ones that have never had an issue mitigating DDoS attacks before.
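As an added example (not code from the original post or from Incapsula), the following Python script classifies a per-second bandwidth series as the classic ramp-up profile or a pulse wave, using the traits described above (no ramp-up, bursts recurring at a near-constant interval), and estimates how many attack seconds reach the network when scrubbing only engages some time after each burst starts, which is the time-to-mitigation point behind the second bullet. The 10 Gbps threshold, the onset and jitter tolerances and the sample traffic are constructed assumptions, not figures from the post.

```python
from dataclasses import dataclass
@dataclass
class Pulse:
    start: int        # second at which traffic first crosses the threshold
    end: int          # first second after start at which it drops back below
    peak_gbps: float
    onset_s: int      # seconds from crossing the threshold to 90% of peak
def find_pulses(series, threshold_gbps):
    """Split a per-second Gbps series into contiguous above-threshold bursts."""
    pulses, i = [], 0
    while i < len(series):
        if series[i] < threshold_gbps:
            i += 1
            continue
        start = i
        while i < len(series) and series[i] >= threshold_gbps:
            i += 1
        seg = series[start:i]
        onset = next(k for k, v in enumerate(seg) if v >= 0.9 * max(seg))
        pulses.append(Pulse(start, i, max(seg), onset))
    return pulses

def classify(series, threshold_gbps=10.0, max_onset_s=5, max_jitter_s=30):
    """'pulse-wave': two or more bursts, each at 90% of peak within max_onset_s
    seconds, recurring at a near-constant interval; else 'ramp-up' or 'none'."""
    pulses = find_pulses(series, threshold_gbps)
    if not pulses:
        return "none"
    if len(pulses) >= 2 and all(p.onset_s <= max_onset_s for p in pulses):
        gaps = [b.start - a.start for a, b in zip(pulses, pulses[1:])]
        if max(gaps) - min(gaps) <= max_jitter_s:
            return "pulse-wave"
    return "ramp-up"

def unmitigated_seconds(series, threshold_gbps, time_to_mitigate_s):
    # seconds of attack traffic that reach the network before scrubbing engages
    return sum(min(p.end - p.start, time_to_mitigate_s)
               for p in find_pulses(series, threshold_gbps))

# Constructed sample traffic in Gbps per second (not captured data).
def pulse_wave_sample(period_s=600, count=3, peak=40.0, width_s=45, total_s=1800):
    s = [0.5] * total_s
    for k in range(count):
        t0 = k * period_s + 10              # no ramp-up: full peak on second one
        for t in range(t0, min(t0 + width_s, total_s)):
            s[t] = peak
    return s
def ramp_up_sample(total_s=600, peak=40.0):   # classic profile: five-minute climb
    return [0.5 + (peak - 0.5) * min(1.0, t / 300) for t in range(total_s)]
```

With the constructed three-pulse series, a 60-second time to mitigation lets all 135 attack seconds through, while a 10-second time to mitigation cuts that to 30.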
The way forward
This is just the beginning of a trend that could spell the end of appliance-first mitigation solutions. As detailed in the Incapsula whitepaper on this emerging DDoS strategy, these attacks will likely only get more powerful and more widespread as other botnet operators pick up on the success the pulse waves are enjoying, and with their lack of scalability, hardware mitigation solutions will only become an even bigger weak spot.
For organizations with a managed DDoS mitigation service wondering what can be done to help protect against these attacks, it’s important to review the time-to-mitigation clause in their provider’s service level agreement: with these attacks starting out at 10+ Gbps, every second counts.
For organizations with an appliance-first solution, it may just be time to start looking into something more scalable, like a fully cloud-based solution positioned at the perimeter of the network, to keep attack traffic from ever reaching that network and unleashing the mayhem these attacks have been precisely designed to cause.
Businesses, websites and many mitigation providers will be scrambling in the coming months to learn to deal with this new breed of DDoS unpleasantness. Eventually it will get to a point where pulse wave attacks can be easily handled, and then it will be time for DDoS experts to await the next hideous development. It’s the circle of life on the internet.