‘Pulse wave’ DDoS – another way of blasting sites offline

After all the excitement over 2016’s Mirai Internet of Things (IoT) DDoS attack, you could be forgiven for thinking that the criminal pastime of overloading servers with lots of unwanted traffic has gone a bit quiet recently.

It’s been this way for years. DDoS attacks tend not to be noticed by anyone other than service providers unless they are particularly huge, hit well-known websites, or manifest nastiness such as the notorious DD4BC extortion gang attacks of 2015.

Such moments of attention are rare. Below the surface, though, behind service providers fighting fires and the commercial secrecy that keeps many attacks unreported, innovation rumbles on.

Now, mitigation company Incapsula has spotted an example of this behind-the-scenes evolution in the form of “pulse wave”, a new type of attack pattern which, from the off, had its experts intrigued.

DDoS attacks, which spew forth from botnets of one type or another, normally follow a format in which traffic increases before a peak is reached, after which comes either a gradual or sudden drop. The rise has to be gradual because bots take time to muster.

The wave of pulse attacks seen during 2017 looked different, with massive peaks popping out of nowhere, often within seconds. Demonstrating that this was no one-off, successive waves followed the same pattern.

Says Incapsula:

This, coupled with the accurate persistence in which the pulses reoccurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources.

Granted, but to what end?

The clue was in the gaps between the “pulses” of each attack. The botnet or botnets behind these attacks were not necessarily being switched off at all; the gaps were simply the attackers pointing them at different targets, like turning a water cannon. That explained the rapid surge in traffic at the commencement of each attack: the bots were already mustered and running, so there was no slow build-up.

It’s likely not a coincidence, Incapsula claims, that this pattern causes problems for one common DDoS defence: on-site equipment that fails over to a cloud traffic “scrubbing” service when an attack grows too big for it to handle. Because traffic ramps almost instantly, there is no time for that fail-over to happen smoothly, and the network might rapidly find itself cut off.

If that’s true, organisations that have built their datacentres around sensible layered or “hybrid” DDoS defence will be in a pickle. Either they’ll have to beef up their in-house mitigation systems or convince their cloud provider to offer rapid fail-over. Incapsula, we humbly note, sells cloud-based mitigation.
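To see why an almost-instant ramp hurts the hybrid set-up described in the two paragraphs above, here is a small simulation we have added for illustration. It is not Incapsula’s model, any vendor’s product logic, or data from the 2017 attacks: the failover rules (traffic must stay above a trigger rate for a fixed number of seconds before cloud scrubbing is live, a fresh pulse restarts that clock, and diverted traffic swings back on-site after a quiet period) and every number in it are assumptions chosen to make the mechanism visible. It runs a classic ramping attack and a pulse wave through the same defence and counts how long the site sits over its on-site capacity with no scrubbing in place.

```python
"""Toy model of a hybrid DDoS defence (on-site appliance plus cloud scrubbing)
under a classic ramping attack and a pulse-wave attack.

Added illustration only: the failover rules and the figures below are
assumptions chosen to make the mechanism visible, not Incapsula's model,
measured data from the 2017 attacks, or any vendor's product logic."""
from dataclasses import dataclass


@dataclass
class HybridDefence:
    onprem_capacity_gbps: float  # what the on-site appliance and uplink can absorb
    trigger_gbps: float          # rate above which cloud failover is requested
    divert_delay_s: int          # consecutive seconds above trigger before scrubbing is live
    revert_after_s: int          # consecutive quiet seconds before traffic swings back on-site


def ramp_attack(peak_gbps, ramp_s, hold_s):
    """Classic botnet shape: rate climbs linearly as bots muster, then holds at peak."""
    rates = [peak_gbps * t / ramp_s for t in range(ramp_s)]
    return rates + [float(peak_gbps)] * hold_s


def pulse_wave(peak_gbps, pulse_s, gap_s, pulses):
    """Pulse wave: full-rate bursts from the first second, with quiet gaps while
    the already-running botnet is aimed at another target."""
    return ([float(peak_gbps)] * pulse_s + [0.0] * gap_s) * pulses


def simulate(defence, rates):
    """Walk a per-second rate series (Gbps) through the hybrid defence.

    Assumed failover rules (not any real product's behaviour):
      * failover is requested when rate > trigger and completes only after
        divert_delay_s consecutive seconds above trigger (detection plus the
        BGP/DNS diversion lag); dropping below trigger abandons the request,
        so the next pulse starts the clock again;
      * once diverted, every second is scrubbed until revert_after_s quiet
        seconds (rate <= trigger) move traffic back on-site;
      * while not diverted, anything above onprem_capacity_gbps is dropped.
    """
    diverted = False
    above = 0          # consecutive seconds above trigger while on-site
    quiet = 0          # consecutive quiet seconds while diverted
    over_capacity_s = sum(1 for r in rates if r > defence.onprem_capacity_gbps)
    unprotected_s = 0  # seconds over capacity with no scrubbing in place
    dropped_gbit = 0.0

    for rate in rates:
        if diverted:
            quiet = quiet + 1 if rate <= defence.trigger_gbps else 0
            if quiet >= defence.revert_after_s:
                diverted, above = False, 0
            continue  # scrubbed: nothing reaches the appliance unfiltered
        above = above + 1 if rate > defence.trigger_gbps else 0
        if above >= defence.divert_delay_s:
            diverted, quiet = True, 0
            continue  # diversion completes during this second
        excess = rate - defence.onprem_capacity_gbps
        if excess > 0:
            unprotected_s += 1
            dropped_gbit += excess

    return {
        "over_capacity_s": over_capacity_s,
        "unprotected_s": unprotected_s,
        "dropped_gbit": dropped_gbit,
    }


if __name__ == "__main__":
    # Illustrative figures only (assumed): a 40 Gbps appliance, failover
    # requested above 20 Gbps, 300 Gbps attacks as in the reported peaks.
    slow = HybridDefence(onprem_capacity_gbps=40, trigger_gbps=20,
                         divert_delay_s=90, revert_after_s=120)
    fast = HybridDefence(onprem_capacity_gbps=40, trigger_gbps=20,
                         divert_delay_s=10, revert_after_s=120)
    ramp = ramp_attack(peak_gbps=300, ramp_s=300, hold_s=300)
    pulses = pulse_wave(peak_gbps=300, pulse_s=60, gap_s=60, pulses=5)
    for label, d, series in [("ramp, 90 s failover", slow, ramp),
                             ("pulse wave, 90 s failover", slow, pulses),
                             ("pulse wave, 10 s failover", fast, pulses)]:
        r = simulate(d, series)
        print(f"{label:28s} unprotected {r['unprotected_s']:3d}/{r['over_capacity_s']} s "
              f"over capacity, {r['dropped_gbit']:.0f} Gbit dropped")
```

With these assumed figures the ramping attack is caught after roughly a minute of overload, because the rate climbs past the trigger long before it reaches the appliance’s limit and stays there while the diversion completes. The pulse wave never stays above the trigger long enough for the 90-second diversion to finish, so every pulse lands unfiltered and the site is over capacity for the whole of each one. Shortening the assumed divert delay to 10 seconds, the “rapid fail-over” option, limits the exposure to the first seconds of the first pulse, since the quiet gaps are shorter than the revert timeout and the diversion stays in place. Raising onprem_capacity_gbps above the peak, the “beef up” option, removes the drops entirely.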

All in all, it sounds like a small but important technical innovation that will be countered with the same. Given the impressive traffic these botnets seem able to summon at will – reportedly 300Gbps for starters – it would be unwise to dismiss it as just another day at the internet office.

Or perhaps the real innovation in DDoS criminality isn’t in the way traffic is pointed at victims so much as the tragic wealth of undefended servers and devices that can be hijacked to generate the load in the first place.

This was one of the surprising lessons of Mirai and perhaps it has yet to be learned: never underestimate the damage a motley collection of ignored and forgotten webcams and home routers can do to some of the internet’s biggest brands if given the chance.