One Botnet to Rule Them All

We live in a time of creative genius, of collaborative effort, of innovations occurring at a speed that previous eras could scarcely have imagined, let alone seriously contemplated. From advancements in technology, medicine and communications to the arts, this is an amazing time to be alive.

With one caveat, of course: it’s not just benevolent creators and innovators who are tirelessly striving to find new, better ways of doing things. It’s also jerks. Unfortunately, jerks are also working harder to get better at their jerky endeavors, and they are succeeding. Take the criminals behind DDoS attacks, for instance. In Q2 2017 a new attack type emerged, one that breaks with common DDoS attack patterns and flummoxes many security measures in the process.

Old habits

DDoS attacks, when successful, are very effective because denying a website’s services to its users tends to make those users mad. That leads to bad publicity on social media, sometimes in the traditional media as well, and to a long-term loss of loyalty that significantly impacts the business. So when DDoS attack numbers go up, stress levels amongst business and website owners tend to go up as well.

However, while distributed denial of service (DDoS) attack numbers skyrocketed over the last few years, businesses and website owners with some measure of DDoS protection could still take a bit of comfort. Numbers were up, but attack firepower and complexity were down, because most attacks were coming from DDoS for hire services, which tend to specialize in the short-burst, low-volume assaults that can be purchased for a few dollars.

Even when huge Internet of Things botnets exploded onto the DDoS for hire scene, immediately smashing DDoS attack size records, for many people it still wasn’t time to press the panic button. If a mitigation solution had a cloud component, chances were it could handle a pretty massive network layer attack simply by having a good amount of scalability.

Now, however, it would appear that a growing number of not just DDoS for hire services but skilled DDoS attackers for hire are available, and things are getting complicated.

Dying hard

In the second quarter of this year, 20% of attacks used more than one attack vector in an effort to outsmart security measures and reach the intended victim server. This increase in sophistication is one indication that the pros are returning to the DDoS game in a big way. Another indication? A brand new attack type was developed to overcome a specific form of distributed denial of service attack protection.

This new attack type was first noticed by Incapsula, providers of protection against DDoS attacks, and they have christened it the pulse wave attack. Typical DDoS attacks slowly ramp up, reach a peak and then either slowly descend again or drop off. This pattern may be repeated multiple times in an attack, or it may occur only once. The slow ramp-up occurs because, in order to mount an assault, the attacker(s) need to mobilize their botnets, and it takes a while for enough bots to come online to reach full volume.

In pulse wave attacks there is no such warming up. Instead the target is immediately smashed with enough traffic to clog its network: 10+ Gbps. The pulses end nearly as quickly as they began, and they come in quick succession at regular intervals. Incapsula believes pulse wave attacks are accomplished by using one botnet to hit multiple targets: taking aim at one target with a quick pulse, then backing off that target and hitting another, completing a cycle through a number of targets before going back to the first target and starting the process again. Since the botnet is constantly in use throughout the attack period, it never has to warm up before clogging the next network.

Appliance first, problems later

The volume the pulses arrive with, combined with the regular intervals at which they occur, causes tremendous problems for one mitigation approach in particular: the appliance-first on-premise and cloud hybrid. In that design the on-premise appliance has to observe the attack and then hand off to the cloud component, which would otherwise be tasked with scrubbing the attack traffic. The initial pulse overwhelms the network, so users can’t reach the site and the appliance never gets to activate the cloud part of the solution. By the time the network has recovered, it’s time for the next pulse to hit.
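To make the two mechanisms above concrete (one botnet rotating instant pulses across several targets, and an appliance-first hybrid that never gets to call the cloud), here is a toy per-second simulation. It is an added illustration, not Incapsula’s data or code, and every number in it is a constructed assumption: the 10 Gbps link, the 20 Gbps botnet, the four targets, the 40-second pulses, the appliance’s 5-second detection window and 30-second failover, and the modelling choice that the appliance’s divert request has to travel over the same saturated link.

```python
"""Toy per-second simulation of a pulse-wave DDoS against an appliance-first
hybrid mitigation. This is an added illustration, not Incapsula's data or
code; every capacity, timer and schedule below is a constructed assumption."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Traffic = Callable[[int], float]   # inbound Gbps seen by one target at second t


@dataclass
class RotatingBotnet:
    """One botnet that throws its full capacity at a single target for
    `pulse_seconds`, then moves on to the next target in the list. Each target
    sees an instant 0 -> peak -> 0 pulse once per cycle, and because the botnet
    is never idle between pulses there is no ramp-up."""
    peak_gbps: float
    targets: List[str]
    pulse_seconds: int

    def traffic_to(self, target: str) -> Traffic:
        idx = self.targets.index(target)
        n = len(self.targets)
        return lambda t: self.peak_gbps if (t // self.pulse_seconds) % n == idx else 0.0


def ramping_attack(peak_gbps: float, ramp_seconds: int) -> Traffic:
    """Conventional single-target attack: volume climbs linearly while the
    bots are mobilised, then holds at peak."""
    return lambda t: min(peak_gbps, peak_gbps * t / ramp_seconds)


@dataclass
class ApplianceFirstHybrid:
    """On-premise appliance that watches traffic and, on a sustained attack,
    diverts the site to a cloud scrubbing service. Modelling assumptions (ours,
    not from the article): the appliance needs `detect_seconds` of consecutive
    traffic above `alert_gbps` before it decides to divert; the divert request
    leaves over the same inbound link, so it can only be sent while that link
    is below `link_gbps`; and the diversion (BGP/DNS change) takes
    `failover_seconds` to take effect once requested."""
    link_gbps: float
    alert_gbps: float
    detect_seconds: int
    failover_seconds: int

    def run(self, traffic: Traffic, horizon: int) -> Dict[str, object]:
        above = 0            # consecutive seconds above the alert threshold
        divert_at = None     # second at which cloud scrubbing becomes active
        downtime = 0
        for t in range(horizon):
            inbound = traffic(t)
            diverted = divert_at is not None and t >= divert_at
            saturated = inbound > self.link_gbps and not diverted
            if saturated:
                downtime += 1
            above = above + 1 if inbound > self.alert_gbps else 0
            # The request only gets out if the link is not already full.
            if divert_at is None and above >= self.detect_seconds and not saturated:
                divert_at = t + self.failover_seconds
        return {"downtime_seconds": downtime,
                "cloud_activated": divert_at is not None and divert_at < horizon}


@dataclass
class AlwaysOnEdge:
    """Cloud scrubbing that is always in the path, with no appliance to trigger
    it; the only way to cause downtime is to exceed its scrubbing capacity."""
    scrub_gbps: float

    def run(self, traffic: Traffic, horizon: int) -> Dict[str, object]:
        downtime = sum(1 for t in range(horizon) if traffic(t) > self.scrub_gbps)
        return {"downtime_seconds": downtime, "cloud_activated": True}


def per_target_downtime(botnet: RotatingBotnet, mitigation, horizon: int) -> Dict[str, int]:
    """Seconds of downtime each target in the rotation suffers behind `mitigation`."""
    return {tgt: mitigation.run(botnet.traffic_to(tgt), horizon)["downtime_seconds"]
            for tgt in botnet.targets}


if __name__ == "__main__":
    hybrid = ApplianceFirstHybrid(link_gbps=10, alert_gbps=2, detect_seconds=5, failover_seconds=30)
    # Conventional attack: 20 Gbps reached after a 60 s ramp. The appliance sees
    # it coming, calls the cloud, and downtime is limited to the failover gap.
    print("ramp  :", hybrid.run(ramping_attack(20, 60), horizon=300))
    # Pulse wave: 20 Gbps pulses of 40 s rotated over four targets (160 s cycle).
    # Every pulse saturates the link before the appliance can divert, so the
    # cloud component never activates and each target eats the full pulse.
    botnet = RotatingBotnet(peak_gbps=20, targets=["gaming-a", "gaming-b", "fintech-a", "fintech-b"],
                            pulse_seconds=40)
    print("pulse :", per_target_downtime(botnet, hybrid, horizon=320))
    print("edge  :", per_target_downtime(botnet, AlwaysOnEdge(scrub_gbps=100), horizon=320))
```

Run as a script, the ramp attack costs 10 seconds of downtime and the cloud does activate, while each of the four pulse-wave targets loses all 80 seconds of its two pulses and the cloud never activates; the always-on edge scrubber sees no downtime at all. The numbers are only as good as the assumptions, but the shape of the result is the point of the article: a trigger that sits behind the pipe being flooded is the wrong place for the trigger.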

Besides seemingly being designed to beat a specific type of mitigation solution, these attacks, Incapsula has found, are targeting organizations in competitive industries that suffer intensely from the resulting downtime, namely online gaming and fintech.

In with the cloud

There’s no stopping innovation, not for benevolent reasons and not for malicious ones either. If cybercriminals are saying out with the old when it comes to DDoS attack types, it’s time for organizations to say the same to their appliance-first mitigation solutions. Whether it’s pulse wave attacks, big baddies from Internet of Things botnets, or any other new nightmare attackers dream up in the near future, the scalability of a cloud-based DDoS mitigation solution at the edge of the network is going to be a must heading into 2018. As pulse wave attacks have just demonstrated, an on-premise appliance on its own can’t handle it.