Imperva Discovers 'Pulse Wave' DDoS Attacks

It seems like distributed denial-of-service (DDoS) attacks are destined to remain in the news cycle. They've brought down popular websites like Twitter, caused problems for game developers like Blizzard, and threatened national security. These attacks usually follow a familiar pattern: bots flood a service's infrastructure until it can no longer handle the traffic, keep the service down for as long as possible, and then move on to the next target.

Imperva has discovered a new "pulse wave" attack. Instead of gradually increasing the number of bots targeting a service until the infrastructure crumbles, a massive number of bots quickly overwhelms the servers, retreats just as fast, and then returns when things start to get back to normal. The company said this method would allow someone to conduct DDoS attacks on multiple targets simultaneously instead of focusing on just one.

In a blog post, Imperva said the attackers were able to mobilize a 300Gbps botnet in just a few seconds, then scale back that traffic just as quickly. This led the company to believe the botnet was operating at full capacity all the time and merely switching targets as needed. That way the attacker doesn't have to gradually mobilize the botnet for a single target and can instead attack multiple services with little to no downtime.

This type of attack is said to be particularly effective against "appliance first, cloud second" DDoS attack mitigation solutions. Imperva explained:

A pulse wave attack, having no ramp-up time, represents a worst case scenario for any network defended by such hybrids. As soon as the first pulse hits, it immediately congests the traffic pipe—cutting off the network’s ability to communicate with the outside world. This not only results in a denial of service, but also prevents the mitigation appliance from activating the cloud scrubbing platform. [...] For the pulse duration, the entire network shuts down completely. By the time it recovers, another pulse shuts it down again, ad nauseam.
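The two descriptions above (a botnet that saturates a link within seconds and then retreats, and a hybrid defense whose appliance never gets the chance to hand off to the cloud scrubber) can be turned into a simple traffic-shape check on a defender's own ingress telemetry. The following is an added example written for this article, not code from Imperva or from its whitepaper: it walks a per-second series of ingress rates (constructed sample data, in Gbps), measures how long each saturation event took to climb from a quiet baseline, and reports whether the pattern looks like a ramp-up flood or a recurring pulse wave. The thresholds (`SATURATION_GBPS`, `QUIET_GBPS`, `MAX_RISE_SECONDS`) and the appliance-to-cloud handoff delay are assumed values that a real deployment would take from its own link capacity and mitigation contract.

```python
"""Classify DDoS traffic shape from per-second ingress samples (added example).

All thresholds below are assumptions chosen for illustration; the sample
series are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import List

SATURATION_GBPS = 200.0   # assumed: rate at which the upstream pipe is full
QUIET_GBPS = 5.0          # assumed: normal background level for this network
MAX_RISE_SECONDS = 2      # assumed: climb time that counts as "no ramp-up"


@dataclass
class Pulse:
    start: int          # first second at or above SATURATION_GBPS
    end: int            # last second at or above SATURATION_GBPS
    peak_gbps: float
    rise_seconds: int   # seconds spent between the last quiet sample and saturation


def find_pulses(samples: List[float],
                saturation: float = SATURATION_GBPS,
                quiet: float = QUIET_GBPS) -> List[Pulse]:
    """Return every saturation event with its measured rise time."""
    pulses = []
    i, n = 0, len(samples)
    while i < n:
        if samples[i] < saturation:
            i += 1
            continue
        start = i
        # Walk backwards to the last quiet sample to measure the ramp.
        j = start - 1
        while j >= 0 and samples[j] > quiet:
            j -= 1
        rise = start - j - 1
        # Walk forwards across the saturated interval.
        end = start
        while end + 1 < n and samples[end + 1] >= saturation:
            end += 1
        pulses.append(Pulse(start, end, max(samples[start:end + 1]), rise))
        i = end + 1
    return pulses


def pulse_gaps(pulses: List[Pulse]) -> List[int]:
    """Seconds of relief between consecutive pulses (the 'recovery' windows)."""
    return [b.start - a.end - 1 for a, b in zip(pulses, pulses[1:])]


def classify(samples: List[float], min_pulses: int = 2) -> str:
    """'pulse_wave', 'ramp_up', 'single_burst' or 'no_saturation'."""
    pulses = find_pulses(samples)
    if not pulses:
        return "no_saturation"
    if any(p.rise_seconds > MAX_RISE_SECONDS for p in pulses):
        return "ramp_up"
    return "pulse_wave" if len(pulses) >= min_pulses else "single_burst"


def handoff_starved(samples: List[float], handoff_seconds: int) -> bool:
    """True when every pulse saturates the pipe faster than an appliance-first
    hybrid could have signalled its cloud scrubbing tier (assumed delay)."""
    pulses = find_pulses(samples)
    return bool(pulses) and all(p.rise_seconds < handoff_seconds for p in pulses)


# Constructed samples: one-second ingress readings in Gbps.
PULSE_WAVE_SAMPLES = [1, 1, 2, 300, 310, 305, 2, 1, 1, 1, 1, 295, 300, 3, 1]
RAMP_UP_SAMPLES = [1, 20, 60, 100, 140, 180, 220, 260, 300, 300, 300, 300]
SINGLE_BURST_SAMPLES = [1, 1, 300, 300, 1, 1]

if __name__ == "__main__":
    for name, series in (("pulse wave", PULSE_WAVE_SAMPLES),
                         ("ramp up", RAMP_UP_SAMPLES),
                         ("single burst", SINGLE_BURST_SAMPLES)):
        print(name, classify(series), pulse_gaps(find_pulses(series)),
              "starves 3 s handoff:", handoff_starved(series, 3))
```

The rise time is the figure that matters for the hybrid-mitigation point: a ramp-up flood gives the on-premises appliance several seconds of still-usable bandwidth in which to call the cloud tier, whereas a pulse whose rise time is shorter than that signalling delay fills the pipe before the request can leave the network. Feeding this kind of check from flow or SNMP counters lets an operator see that pattern in its own data rather than only after the link is already dark.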

Imperva said these pulse wave attacks have targeted gaming and financial technology ("fintech") companies over the last few months. These are high-value targets, but the company said it expects this type of attack to trickle down to lower priority victims as attackers realize they can accomplish twice as much with the same number of bots. (Many DDoS attacks are conducted by people paid to target a particular service.)

DDoS attacks were already irksome (from the consumer's perspective) and devastating (from the service provider's) enough. If more attackers find ways to improve their botnet's efficiency, chances are good that you'll have an even harder time streaming music or playing Final Fantasy XIV or doing pretty much anything else that requires an internet connection. Check out Imperva's whitepaper on these attacks for more info.

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • Rob1C
    Many techniques are employed, a pulse is not new, enabled by more insecure Devices connected to the Internet.

    Check your equipment, you're paying for the usage and may receive a letter saying you're getting disconnected because you keep making Crank Phone Calls (or pinging somewhere).

    There are many Websites that show some of the action as it happens, here's one: https://cybermap.kaspersky.com/ .
  • bit_user
    I'm interested in the mechanics of how this is orchestrated. It sounds like it requires fairly tight synchronization, so I wonder whether there's live command-and-control of the net (which could aid tracing up the chain of command to at least disable the net) or if the bots are given an a priori schedule, along with some adjunct synchronization mechanism (like application-level NTP).

    Regardless, the other negative outcome of this could be greater restriction & control over tech devices by governments. Imagine receiving forced firmware updates when your device connects to the network. And if your device is no longer supported by the vendor, then it can't get online. It's a worst-case scenario, but if botnets break the internet, desperate lawmakers could try something along those lines...