‘Pulse Wave’ – A New Form of DDoS Attack

Researchers at DDoS mitigation firm Imperva Incapsula have uncovered a new form of DDoS attack named Pulse Wave, which sees attackers take down servers previously thought to be secured by mitigation solutions.

Botnet-led DDoS attacks have normally followed a trend where traffic builds up before a peak is reached, after which a sudden or a gradual drop occurs. In other words, the build up to a substantial DDoS attack takes time, as bots take time to band together gradually.

However, a new “pulse wave” pattern of attack has shown that a massive number of bots instantaneously target and overwhelm a targeted server or website before retreating just as quickly, prior to going from zero to maximum again. This method would allow an attacker to conduct DDoS attacks on multiple attacks at the same time, rather than focusing on just one.

Researchers observed one particular DDoS stream where attackers were able to mobilize a 300Gbps botnet in a matter of seconds before scaling back that traffic in equally quick time. With such an attack, researchers speculated that the botnet doesn’t shut down during the attack’s relatively short downtime period. Instead, the botnet switches back to a different target, before switching back to the first target again to execute a quick pulse wave cycle. This carries on, over and over again with multiple targets.

“This, coupled with the accurate persistence in which the pulses reoccurred, painted a picture of very skilled bad actors exhibiting a high measure of control over their attack resources,” Incapsula researchers added.

Explaining the attack further, researchers wrote:

A pulse wave attack, having no ramp-up time, represents a worst-case scenario for any network defended by such hybrids. As soon as the first pulse hits, it immediately congests the traffic pipe—cutting off the network’s ability to communicate with the outside world. This not only results in a denial of service, but also prevents the mitigation appliance from activating the cloud scrubbing platform. […] For the pulse duration, the entire network shuts down completely. By the time it recovers, another pulse shuts it down again, ad nauseam.

Experts further note that this new form of DDoS attack could prove tricky for “hybrid” mitigation solutions and are bound to gain prominence to botnet herders because of its unpredictable attack patterns. Hybrid solutions are a mixture of hardware defenses and cloud-based solutions.

A typical mitigated attack would see the hardware trigger a cloud-based DDoS defense at the time of an attack. However, a pulse attack would effectively see the local equipment flooded in a matter of seconds, leaving it vulnerable and weak – without the required bandwidth – to call for its cloud-based cousin.

Image credit: Pixabay.