By Elmalla A. on February 18 2018
Originally written for i-Awcs.
Pulse wave DDoS is a new attack tactic, designed to double the botnet’s output and exploit soft spots in “appliance first cloud second” hybrid mitigation solutions.
Comprised of a series of short-lived bursts occurring in clockwork-like succession, pulse wave assaults accounted for some of the most ferocious DDoS attacks we ever mitigated.
Reading this white paper will help you:
- Understand the nature of pulse wave DDoS attacks
- See how they are used to pin down multiple targets
- Discover the soft spots these assaults can exploit
- Learn about other attacks that occur in short bursts
How pulse wave DDoS attacks work and who's vulnerable?
Incapsula says “pulse wave DDoS events most likely result from skilled bad actors portioning their attack resources to launch multiple assaults at the same time.” The time between each pulse is likely “being used to mount a secondary assault on a different target. With effective DDoSing it’s likely even more simultaneous attacks can be launched—further boosting resource utilization and the offenders’ bottom line.”
Appliance-first hybrid mitigation solutions are vulnerable to pulse wave attacks. In fact, Incapsula said the attacks are a “worst case scenario” for networks defended by hybrid solutions.
Most DDoS attacks ramp up slowly, giving “appliance first hybrid mitigation” solutions the several minutes they need to complete cloud activation and traffic failover. However, the first burst of a pulse wave DDoS attack immediately cuts off all syncing and congests the network pipe. Once traffic spikes, the appliance and cloud cannot communicate, so the appliance cannot signal the cloud to start diverting traffic. “For the pulse duration, the entire network shuts down completely. By the time it recovers, another pulse shuts it down again, ad nauseam.”
The lack of communication also means the appliance cannot provide the information needed to create an attack signature.
Incapsula believes “sophisticated bad actors” are behind the pulse wave attacks for a number of reasons. They are “technologically savvy” enough to understand mitigation solutions and come up with “specially crafted attacks to exploit appliance weaknesses.” Their firepower is telling, too; a “non-amplified, multi-100 Gbps attack requires a well-developed and powerful botnet.” Lastly, “the clockwork-like repetitiveness of pulse wave attacks—and their ability to reach peak traffic within seconds—highlights the level of control offenders have over their assault resources.”
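One way a monitoring system could recognise the traffic shape described above (bursts that reach peak within seconds and repeat at clockwork-like intervals) and tell it apart from a slow ramp-up. This is an added example, not code from Incapsula's white paper; the function names, thresholds and per-second sample series are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def find_bursts(samples, threshold):
    """Return [start, end) index pairs of contiguous runs at or above threshold."""
    bursts, start = [], None
    for i, rate in enumerate(samples):
        if rate >= threshold and start is None:
            start = i
        elif rate < threshold and start is not None:
            bursts.append((start, i))
            start = None
    if start is not None:
        bursts.append((start, len(samples)))
    return bursts

def classify(samples, baseline, factor=2.0, max_rise_s=5, min_pulses=3, max_cv=0.2):
    """samples: one traffic-rate reading per second (Gbps). Thresholds are assumptions."""
    bursts = find_bursts(samples, baseline * factor)
    # Rise time: seconds from leaving baseline to reaching 90% of that burst's peak.
    rises = []
    for start, end in bursts:
        peak = max(samples[start:end])
        rises.append(next(i for i in range(start, end) if samples[i] >= 0.9 * peak) - start)
    # Regularity: coefficient of variation of the gaps between burst starts.
    gaps = [b[0] - a[0] for a, b in zip(bursts, bursts[1:])]
    cv = pstdev(gaps) / mean(gaps) if gaps else None
    pulse_wave = (len(bursts) >= min_pulses
                  and max(rises) <= max_rise_s
                  and cv is not None and cv <= max_cv)
    verdict = "pulse-wave" if pulse_wave else ("other" if bursts else "normal")
    return {"verdict": verdict, "pulses": len(bursts),
            "max_rise_s": max(rises, default=None), "interval_cv": cv}

# Constructed per-second samples in Gbps (not measurements from the white paper).
QUIET = [1.0] * 60
PULSE = [150.0] + [300.0] * 29                      # peak reached in about a second
PULSE_WAVE = (QUIET + PULSE) * 4 + QUIET            # four bursts, 90 s apart
RAMP_UP = [1.0] * 30 + [1.0 + 2.0 * i for i in range(150)] + [300.0] * 120

if __name__ == "__main__":
    for name, series in (("pulse wave", PULSE_WAVE), ("ramp-up", RAMP_UP), ("quiet", QUIET)):
        print(name, classify(series, baseline=1.0))
```

The check depends on per-second readings: rate counters averaged over intervals longer than a pulse would smear the bursts into what looks like a moderate, sustained load.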
Over the last several months, Incapsula saw pulse wave DDoS attacks used against high-value targets such as gaming and fintech companies. Unfortunately, other bad actors will grasp the benefit of splitting up attack traffic and pinning down multiple targets and then be inspired to imitate the attack; expect the range of targets to expand.
It is worth noting that Incapsula, which sells a cloud-based application delivery service and DDoS protection, advises moving away from appliance-first mitigation solutions.