DDoS Attack Trend: Numbers Dip as Intensity Surges

While ransomware attacks have received a lot more media coverage this year, organizations continue to grapple with the problem of DDoS attacks. Just this week, the U.K. National Lottery was hit by a DDoS attack, which brought down the website for 90 minutes during peak demand. And recent leaked documents also showed that the U.S. Cyber Command launched DDoS attacks against North Korea’s spy agencies in a bid to disrupt their internet access.

According to Imperva’s Q2 2017 Global DDoS Threat Landscape Report, the number of network layer assaults continues to decline for the fifth consecutive quarter. Organizations should not rejoice, however, as the same report highlights a disturbing new DDoS attack trend of repeat assaults and increased intensity on the same target network.

Igal Zeifman, Incapsula Security Evangelist at Imperva, observed that, “Attack frequency is rising even as the total number of assaults is trending down. With these repeat assaults, offenders are waging a war of attrition against protected targets – a DDoS equivalent to laying siege on an impenetrable castle.”

A distributed denial of service (DDoS) attack makes use of botnets to flood a targeted website with fake traffic, preventing the victim’s systems from responding to legitimate users. Botnets consist of sometimes hundreds of thousands of compromised devices connected to the internet, which an attacker then controls to strike targeted organizations.

DDoS attacks are highly visible and impact all users. Cyber criminals frequently use such denial attacks for extortion. Hacktivists and nation states have also used such tactics to make themselves heard or to “disconnect” an organization or country from the internet.

We should not see the dip as a sign that DDoS attacks are losing favor among attackers but rather as a signal of shifting tactics.

Shift in DDoS attack landscape

Zeifman suggests that, “The persistent year-long downtrend in the amount of network layer attacks is a strong sign of a shift in the DDoS threat landscape. There are several possible reasons for this shift, one of which is the ever increasing number of network layer mitigation solutions on the market. The commoditization of such services makes them more commonplace, likely driving attackers to explore alternative attack methods.”

Instead of trying to overwhelm the target at the network layer, attackers are shifting to application layer attacks. According to Zeifman, “Where the goal of network layer assaults is to congest a target’s network pipes, application layer attacks aim to exhaust a server’s computing resources, often by issuing a slew of resource-heavy requests. As a result, we have seen businesses taken down by well placed bursts of just a few dozen requests per second, despite having ample network-side scalability.”

Imperva also saw an increase in the frequency of repeat application layer attacks, with repeat attacks accounting for 75.8% of targeted websites, the highest figure on record. This is an indication that attackers are repeatedly targeting the same victims even after multiple failed attempts, as the resource requirements are minimal.

New form of DDoS attacks

Imperva’s report, which is based on a statistical analysis of more than 15,000 network and application layer DDoS attacks mitigated by Imperva Incapsula’s services, highlights a new “Pulse Wave” assault which was responsible for the largest attack of the quarter. This tactic was first identified by Imperva researchers earlier this year.

“The largest network layer assault we mitigated in Q2 2017 peaked at 350 Gbps and was carried out using a new ‘pulse wave’ tactic that we encountered on multiple occasions throughout the quarter, which enables an offender to pin down multiple targets with alternating high-volume bursts”, says Zeifman.

A typical DDoS attack gradually ramps up its traffic to a peak, which is then followed by either an abrupt drop or a slow descent. This pattern reflects the time attackers take to mobilize their botnets, which may be geographically dispersed and comprise various device types.

In the new “Pulse Wave” attack, the ramp up happens quickly, reaching the peak in a matter of seconds. More significantly, this pattern of rapid incline and decline happens with a precision never before seen in typical DDoS attacks. Imperva’s researchers concluded that sophisticated attackers with strong control over their botnets are behind these “Pulse Wave” attacks, and that the gaps between pulses are a sign of switching targets on the fly with the botnets working at full capacity.

This new form of attack raises the intensity and leaves organizations scrambling to respond if the right mitigations are not put in place.
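
The two traffic shapes described above can be told apart in a per-second bandwidth series by how fast each burst rises and how evenly the bursts are spaced. The following is an added example, not code from Imperva or the original article; the function names, the thresholds (80%/10% of peak, 3-sample rise, 15% jitter) and the sample series are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def bursts(series, high):
    """Return (start, end) index pairs of runs where traffic >= high."""
    runs, start = [], None
    for i, v in enumerate(series):
        if v >= high and start is None:
            start = i
        elif v < high and start is not None:
            runs.append((start, i - 1))
            start = None
    if start is not None:
        runs.append((start, len(series) - 1))
    return runs

def rise_time(series, start, low):
    """Samples from the last reading <= low up to the burst start."""
    j = start - 1
    while j >= 0 and series[j] > low:
        j -= 1
    return start - j

def classify(series, max_rise=3, max_jitter=0.15):
    """Label a per-second bandwidth series (thresholds are assumptions)."""
    if not series or max(series) <= 0:
        return "unclassified"
    peak = max(series)
    runs = bursts(series, 0.8 * peak)
    rises = [rise_time(series, s, 0.1 * peak) for s, _ in runs]
    if len(runs) >= 3 and max(rises) <= max_rise:
        periods = [b[0] - a[0] for a, b in zip(runs, runs[1:])]
        if pstdev(periods) / mean(periods) <= max_jitter:
            return "pulse-wave"   # fast, evenly spaced bursts
    if len(runs) == 1 and rises[0] > max_rise:
        return "ramp-up"          # one slow climb to a sustained peak
    return "unclassified"

# Constructed sample data in Gbps, one reading per second.
PULSE = ([2] * 40 + [340] * 20) * 4 + [2] * 10
RAMP = [2 + 6 * t for t in range(59)] + [350] * 60 + [2] * 10
IRREGULAR = [2]*10 + [300]*5 + [2]*50 + [300]*5 + [2]*7 + [300]*5 + [2]*10

if __name__ == "__main__":
    for name, s in [("pulse", PULSE), ("ramp", RAMP), ("irregular", IRREGULAR)]:
        print(name, classify(s))
```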

New DDoS attack tactics require defensive shift

The shift in the DDoS threat landscape raises the urgency for organizations to deploy automated DDoS mitigation solutions. This can help organizations defend against the onslaught as attackers lay siege on their systems.

With the increase of application layer attacks, organizations relying solely on network layer protection should take heed and review their current DDoS attack mitigation strategy. An application layer attack is a very different type of threat and is a lot harder to tackle, which as Zeifman puts it, “requires mitigation solutions with security ‘brains’ in addition to network ‘brawn’.”

Attackers are constantly adjusting their tactics to bypass mitigation measures. Similarly, organizations cannot afford to stay still and must shift their defensive mechanisms to thwart these new DDoS attacks.