In a new report, Incapsula warns about a new type of ferocious DDoS attack that uses “pulse waves” to hit multiple targets. Pulse wave DDoS is a new attack tactic designed by skilled bad actors “to double the botnet’s output and exploit soft spots in ‘appliance first cloud second’ hybrid mitigation solutions.”
Consisting of a series of short-lived bursts occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks Incapsula mitigated in the second quarter of 2017. In the most extreme cases, they lasted for days at a time and scaled as high as 350 gigabits per second (Gbps).
The lack of a gradual ramp-up to peak traffic first caught Incapsula’s attention, as it took only a few seconds to peak. The pattern of the attack is “highly repetitive” and consists “of one or more pulses every 10 minutes.” The attacks are persistent, lasting at least an hour, but “usually for several hours or even days at a time.”
The firm had “never before seen attacks of this magnitude peak with such immediacy, then be repeated with such precision.” The attackers were able “to mobilize a 300Gbps botnet within a matter of seconds. This, coupled with the accurate persistence in which the pulses reoccurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources.”
How pulse wave DDoS attacks work and who's vulnerable
Incapsula says “pulse wave DDoS events most likely result from skilled bad actors portioning their attack resources to launch multiple assaults at the same time.” The time between each pulse is likely “being used to mount a secondary assault on a different target. With effective DDoSing it’s likely even more simultaneous attacks can be launched—further boosting resource utilization and the offenders’ bottom line.”
Appliance-first hybrid mitigation solutions are vulnerable to pulse wave attacks. In fact, Incapsula said the attacks are a “worst case scenario” for networks defended by hybrid solutions.
Most DDoS attacks ramp up slowly, giving “appliance first hybrid mitigation” solutions the required several minutes to complete the cloud activation and the traffic failover. However, the first burst from a pulse wave DDoS attack immediately cuts off all syncing and congests the network pipe. After traffic spikes, the appliance and cloud cannot communicate; the appliance cannot signal the cloud to start diverting traffic. “For the pulse duration, the entire network shuts down completely. By the time it recovers, another pulse shuts it down again, ad nauseam.”
The lack of communication also means the appliance cannot provide the information needed to create an attack signature.
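To make the failure mode above concrete, here is an added illustration (not from Incapsula's report) in Python: a toy detector that flags the pulse-wave signature (near-instant bursts recurring at a fixed interval) in a per-second traffic series, and a simplified check of whether an appliance-first hybrid failover, modelled only as a fixed activation window of `activation_sec` seconds, ever engages against such bursts. All traffic data is constructed; the threshold, ramp and tolerance values are assumptions chosen for the example.

```python
# Added example with constructed data; not code from Incapsula or from the article.
from statistics import median

def pulse_wave_series(minutes=30, period_min=10, pulse_sec=60, peak=300.0, base=2.0):
    """Constructed per-second Gbps samples: an instant burst to `peak` lasting `pulse_sec`,
    repeated every `period_min` minutes (the report's 'one or more pulses every 10 minutes')."""
    return [peak if (t % (period_min * 60)) < pulse_sec else base for t in range(minutes * 60)]

def gradual_series(minutes=30, ramp_min=5, peak=300.0, base=2.0):
    """Constructed conventional flood: linear ramp-up over `ramp_min` minutes, then sustained peak."""
    ramp = ramp_min * 60
    return [base + (peak - base) * min(t, ramp) / ramp for t in range(minutes * 60)]

def find_bursts(series, threshold):
    """Contiguous runs above `threshold`, returned as (start_sec, end_sec, ramp_sec), where
    ramp_sec is the time from crossing the threshold to reaching 90% of that run's peak."""
    bursts, start = [], None
    for t, v in enumerate(series + [0.0]):  # sentinel closes a run that reaches the end
        if v > threshold and start is None:
            start = t
        elif v <= threshold and start is not None:
            run = series[start:t]
            peak = max(run)
            ramp = next(i for i, x in enumerate(run) if x >= 0.9 * peak)
            bursts.append((start, t, ramp))
            start = None
    return bursts

def is_pulse_wave(series, threshold, max_ramp_sec=10, period_tolerance=0.1):
    """True when at least two bursts each reach 90% of peak within `max_ramp_sec` seconds and
    recur at a regular interval (start-to-start gaps within `period_tolerance` of the median gap)."""
    bursts = find_bursts(series, threshold)
    if len(bursts) < 2 or any(ramp > max_ramp_sec for _, _, ramp in bursts):
        return False
    gaps = [b[0] - a[0] for a, b in zip(bursts, bursts[1:])]
    return max(gaps) - min(gaps) <= period_tolerance * median(gaps)

def cloud_failover_engages(series, threshold, activation_sec):
    """Simplified appliance-first model (assumption): the cloud only takes over if some burst
    outlasts the activation window the appliance needs to signal the cloud and divert traffic.
    The article's stronger point, that the burst also congests the pipe so the signal never
    gets out, is not modelled here."""
    return any(end - start > activation_sec for start, end, _ in find_bursts(series, threshold))
```

With the constructed 60-second pulses and a three-minute activation window, `cloud_failover_engages` is False for the pulse wave and True for the gradual flood, which is the asymmetry the report describes.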
Skilled attackers behind pulse wave DDoS
Incapsula believes “sophisticated bad actors” are behind the pulse wave attacks for a number of reasons. They are “technologically savvy” enough to understand mitigation solutions and come up with “specially crafted attacks to exploit appliance weaknesses.” Their firepower is telling, too; a “non-amplified, multi-100 Gbps attack requires a well-developed and powerful botnet.” Lastly, “the clockwork-like repetitiveness of pulse wave attacks—and their ability to reach peak traffic within seconds—highlights the level of control offenders have over their assault resources.”
Over the last several months, Incapsula saw pulse wave DDoS attacks used against high-value targets such as gaming and fintech companies. Unfortunately, other bad actors will grasp the benefit of splitting up attack traffic and pinning down multiple targets and then be inspired to imitate the attack; expect the range of targets to expand.
It is worth noting that Incapsula, which sells a cloud-based application delivery service and DDoS protection, advises moving away from the appliance-first mitigation solutions. You can get a more in-depth look at pulse wave attacks in Incapsula’s white paper.
This article was originally posted on CSO online August 16 2017.