A new tactic for DDoS is gaining steam: the pulse wave attack. It’s called such due to the traffic pattern it generates—a rapid succession of attack bursts that split a botnet’s attack output.
According to Imperva’s latest Global DDoS Threat Landscape Report, a statistical analysis of more than 15,000 network and application layer DDoS attacks mitigated by Imperva Incapsula’s services during Q2 2017, the largest network layer assault it mitigated peaked at 350Gbps. The tactic enables an offender to pin down multiple targets with alternating high-volume bursts. As such, it serves as the DDoS equivalent of hitting two birds with one stone, the company said.
“A DDoS attack typically takes on a wave form, with a gradual ramp-up leading to a peak, followed by either an abrupt drop or a slow descent,” the company explained. “When repeated, the pattern resembles a triangle, or sawtooth waveform. The incline of such DDoS waves marks the time it takes the offenders to mobilize their botnets. For pulse wave attacks, a lack of a gradual incline was the first thing that caught our attention. It wasn’t the first time we’ve seen attacks ramp up quickly. However, never before have we seen attacks of this magnitude peak with such immediacy, then be repeated with such precision.”
Whoever was on the other end of these assaults, they were able to mobilize a 300Gbps botnet within a matter of seconds, Imperva noted. This, coupled with the accurate persistence in which the pulses reoccurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources.
“We realized it makes no sense to assume that the botnet shuts down during those brief ‘quiet times’,” the firm said. “Instead, the gaps are simply a sign of offenders switching targets on-the-fly, leveraging a high degree of control over their resources. This also explained how the attack could instantly reach its peak. It was a result of the botnet switching targets on-the-fly, while working at full capacity. Clearly, the people operating these botnets have figured out the rule of thumb for DDoS attacks: moments to go down, hours to recover. Knowing that—and having access to an instantly responsive botnet—they did the smart thing by hitting two birds with one stone.”
Pulse-wave attacks were carried out encountered on multiple occasions throughout the quarter, according to Imperva’s data.
In the plus column, this quarter, there was a small dip in application layer attacks, which fell to 973 per week from an all-time high of 1,099 in Q1. However, don’t rejoice just quite yet.
“There is no reason to assume that the minor decline in the number of application layer assaults is the beginning of a new trend,” said Igal Zeifman, Incapsula security evangelist at Imperva—noting the change was minor at best.
Conversely, the quarter for the fifth time in a row saw a decrease in the number of network layer assaults, which dropped to 196 per week from 296 in the prior quarter.
“The persistent year-long downtrend in the amount of network layer attacks is a strong sign of a shift in the DDoS threat landscape,” Zeifman said. “There are several possible reasons for this shift, one of which is the ever-increasing number of network layer mitigation solutions on the market. The commoditization of such services makes them more commonplace, likely driving attackers to explore alternative attack methods.”
For instance one of the most prevalent trends Incapsula observed in the quarter was the increase in the amount of persistent application layer assaults, which have been scaling up for five quarters in a row.
In the second quarter of the year, 75.9% of targets were subjected to multiple attacks—the highest percentage Imperva has ever seen. Notably, US-hosted websites bore the brunt of these repeat assaults—38% were hit six or more times, out of which 23% were targeted more than 10 times. Conversely, 33.6% of sites hosted outside of the US saw six or more attacks, while “only” 19.5% saw more than 10 assaults in the span of the quarter.
“This increase in the number of repeat assaults is another clear trend and a testament to the ease with which application layer assaults are carried out,” Zeifman said. “What these numbers show is that, even after multiple failed attempts, the minimal resource requirement motivates the offenders to keep going after their target.
Another point of interest was the unexpected spike in botnet activity out of Turkey, Ukraine and India.
In Turkey, Imperva recorded more than 3,000 attacking devices that generated over 800 million attack requests, more than double the rate of last quarter.
In Ukraine and India, it recorded 4,300 attacking devices, representing a roughly 75% increase from Q1 2017. The combined attack output of Ukraine and India was 1.45 billion DDoS requests for the quarter.
Meanwhile, as the origin of 63% of DDoS requests in Q2 2017 and home to over 306,000 attacking devices, China retained its first spot on the list of attacking countries.