New findings published today by Imperva Incapsula researchers,
“Attackers Use DDoS Pulses to Pin Down Multiple Targets,” detail the emergence of a new assault pattern,
which they’ve named Pulse Wave.
According to lead researcher Igal
Zeifman, “Pulse Wave DDoS represents a new attack methodology, made up of a
series of short-lived pulses occurring in clockwork-like succession, which
accounts for some of the most ferocious DDoS attacks we mitigated in the second
quarter of 2017. In the most extreme cases, they lasted for days at a time and
scaled as high as 350 Gbps.”
The size of these attacks, and
the amount of skill they exhibit, indicate that they are likely the handiwork of
skilled bad actors who have become practiced in portioning their attack
resources to launch simultaneous assaults, meaning the intervals
between each pulse are being used to attack a secondary target.
This new approach shows that some offenders have grown to understand that it is not necessary to hit a target continuously to take it offline; rather, repeated short bursts are enough to disrupt routers and servers, producing the same effect. By the time the systems have recovered from the first burst, or pulse, the hackers hit them again. In this way, they can double their resource utilization and pin down several targets.
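On the defender's side, the clockwork-like burst pattern described above can be told apart from a sustained flood by measuring how much of the window is spent above a threshold and how regular the gaps between bursts are. The following is an added example, not code from the Imperva research; the function names, the thresholds and the traffic samples (Gbps per sampling interval) are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def find_pulses(samples, threshold):
    """Return (start_index, length) for each run of samples at or above threshold."""
    pulses, start = [], None
    for i, rate in enumerate(samples):
        if rate >= threshold and start is None:
            start = i
        elif rate < threshold and start is not None:
            pulses.append((start, i - start))
            start = None
    if start is not None:  # series ended in the middle of a pulse
        pulses.append((start, len(samples) - start))
    return pulses

def classify(samples, threshold, min_pulses=3, max_duty=0.5, max_cv=0.2):
    """Label a series 'normal', 'sustained', 'burst' or 'pulse-wave'.

    max_duty: largest fraction of the window above threshold that still
              counts as pulsed (assumed value).
    max_cv:   largest coefficient of variation of the pulse-to-pulse
              interval that still counts as clockwork-like (assumed value).
    """
    pulses = find_pulses(samples, threshold)
    if not pulses:
        return "normal"
    duty = sum(length for _, length in pulses) / len(samples)
    if duty > max_duty:
        return "sustained"
    if len(pulses) < min_pulses:
        return "burst"
    starts = [s for s, _ in pulses]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    cv = pstdev(gaps) / mean(gaps)
    return "pulse-wave" if cv <= max_cv else "burst"

# Constructed sample series, one value per sampling interval, in Gbps.
PULSED = ([300] * 3 + [2] * 7) * 6            # regular short bursts
SUSTAINED = [2] * 5 + [300] * 50 + [2] * 5    # one long flood
IRREGULAR = [300 if i in (3, 9, 40, 44) else 2 for i in range(80)]
NORMAL = [2, 3, 2, 4] * 15

if __name__ == "__main__":
    for name in ("PULSED", "SUSTAINED", "IRREGULAR", "NORMAL"):
        print(name, classify(globals()[name], threshold=100))
```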
The existence of such
capabilities spells bad news for everyone, as they enable bad actors to
greatly increase their attack output. The pulse-like nature of these attacks,
however, is especially harmful for appliance-first mitigation solutions, since
it can cut down the communication between their two components, preventing
effective failover from the appliance to the cloud. Specifically, the
attacks have the capacity to delay the time it takes for the cloud
component of the mitigation solution to kick in. This increases
the likelihood of the target going down and being forced to initiate a
prolonged recovery process. Moreover, pulse wave assaults
can prevent data collected in the early attack stages from being transferred from
the appliance to the cloud, further harming its responsiveness.
As the research points out, while
Pulse Wave attacks constitute a new attack method and have a distinct purpose,
they haven’t emerged in a vacuum. Instead, they’re a product of the times and
should be viewed in the context of a broader shift toward shorter-duration DDoS
attacks. Multiple industry reports, including the Imperva Incapsula quarterly DDoS
Threat Landscape report, point to an increased number of short-lived DDoS events over the past
year. As a result, the majority of all DDoS attacks today, both at the network
and application layers, consistently last less than one hour. Moreover, the
percentage of such short-burst attacks is growing each quarter.
“For a commercial organization,
every such instance translates into tens of thousands of dollars in direct and
indirect damages. For professional offenders—already inclined to split up their
attack resources for optimized utilization—this serves as another reason for
them to launch Pulse Wave DDoS assaults. Consequently, we expect to continue
encountering such assaults. We also forecast them to grow larger and become
more persistent, fuelled by botnet resource evolution and the previously
described macro trends we’ve observed in the DDoS landscape,” Zeifman added.
The full research paper, “Attackers Use DDoS Pulses to Pin Down Multiple Targets, Send Shock Waves,” presents a detailed dive into the nature of pulse wave attacks, the threat that they pose, and their place in the DDoS threat ecosystem.