Bursts, Waves and DDoS: What You Need to Know

A recent Cisco report found that 42 percent of organizations experienced “burst” distributed denial of service (DDoS) attacks in 2017. Burst attacks, otherwise known as Pulse-Wave attacks, are gaining favor among hackers because they enable perpetrators to attack multiple targets, one after each other, with short, high-volume traffic bursts, in a rapidly repeating cycle. Corero’s DDoS research suggests that a likely reason for the use of “bursting” observed in pulsed DDoS attacks, is the timesharing or multiplexing of attack botnets, probably between two or more simultaneous targets of a DDoS-for-hire booter/stresser service. The hackers make more money by harnessing the power of one large botnet to service more than one customer simultaneously. Once a botnet is up and running, they can hit one target with a burst, then switch quickly to hit another target with a burst, then alternate between the targets.

This points to the increasing sophistication of hackers, in terms of their ability to better leverage large botnets and develop mechanisms which have the ability to evade detection. With short burst attacks, hackers can ramp the attack traffic faster and increase the chances of evading legacy protection on a network. These short duration burst attacks can also deliver more calculated, non-saturating traffic volumes, rather than using traditional massive brute-force attacks. Such surgical attacks are often crafted specifically to fly under the radar of conventional DDoS protection, as they can blend in with regular traffic volumes. Similar to a sleight of hand, while the target organization focuses on the ramifications of the DDoS attack, other attacks are launched to infiltrate the network and carry out activities, such as ex-filtrating valuable data.

Burst/pulse-wave attacks are of little concern for Corero customers because the SmartWall® Threat Defense System effectively mitigates such attacks – automatically, near-instantaneously and surgically – just like it would any other multi-vector attack. Whether the bursts are saturating the links, or not, the SmartWall TDS will handle it, blocking the attack traffic during the bursts and letting through any good traffic and then immediately recovering between bursts, to allow all the good traffic as it recovers to normal levels.

The comprehensive attack visibility provided by SmartWall TDS enables these Burst/Pulse attacks to be easily identified and additional mitigation techniques employed, if they are of a size that good traffic is unduly impacted. By looking at the attack trends over longer time periods, SmartWall can be configured to automatically switch to an upstream cloud mitigation service, regardless of the short-term oscillations, while continuing to block the attack traffic in the interim. At the cloud-service level, if the traffic is routed directly back to the on-premises solution too soon, this is not an issue as SmartWall TDS will automatically re-engage local mitigation and the upstream redirect process would start over again. 

With legacy solutions there is typically a significant delay before volumetric DDoS mitigation engages.  If attacks "start" and "end" in a periodic way, there is increased risk that enough of the attack gets through to still cause the intended impact on the target.

In the end, organizations should not underestimate burst/pulse attacks, because the capability of these well-managed botnet-sourced DDoS attacks can be many times more damaging. Any business that relies on service continuity and integrity to serve its customers should take steps to prevent such attacks.

For more information, contact us.

You May Also Be Interested In: