Security Experts:

DDoS Attackers Increasingly Use Multiple Attack Vectors

Distributed denial-of-service attacks are costly for businesses, and profitable for attackers - a dynamic that explains why both defenders and hackers must keep innovating.

For attackers, that innovation has taken the form of a growth in multi-vector attacks and browser-based DDoS bots capable of bypassing both JavaScript and cookie challenges. According to a new report from Incapsula - which is now part of security firm Imperva - both trends have become more commonplace as attackers have looked for ways to thwart mitigation efforts.

"Multi-vector attacks have been used in the past - but rarely," explained Marc Gaffan, co-founder of Incapsula and vice president of marketing and business development. "It takes more to launch a multi-vector attack than a single-vector attack because the bots or hardware being used need to be equipped with DDoS toolkits that can 'mix-and-match'."

According to the report, the vast majority of network (Layers 3 and 4) DDoS attacks use multi-vector offensive tactics. Between Nov. 30 and Feb. 27, 81 percent of all network attacks examined by the company employed at least two different attack methods, with nearly 39 percent using three or more different attack methods at the same time.

Based on average data from those 90 days, the most common network attack method was a combination of two types of SYN flood attacks – one using regular SYN packets and another using large SYN (above 250 bytes) packets. Both attacks are executed at once, with the regular SYN packets used to exhaust server resources and the large SYN packets used to cause network saturation. Today, SYN combo attacks account for more than 75 percent of all large-scale network DDoS attacks.

"Multi-vector tactics increase the attacker’s chance of success by targeting several different networking or infrastructure resources," the report notes. "Combinations of different offensive techniques are also often used to create 'smokescreen' effects, where one attack is used to create noise, diverting attention from another attack vector. Moreover, multi-vector methods enable attackers to exploit holes in a target’s security perimeter, causing conflicts in automated security rules and spreading confusion among human operators."

"Finally, multi-vector attacks can be used for 'trial and error' reconnaissance, gathering the information needed to allow future attacks to weave their way past the defender’s layers of security," according to the report.

One of the ways attackers did that weaving was through the use of browser-based DDoS bots capable of bypassing bot filtering techniques. This trend began to appear in the fourth quarter of 2013, and has continued this year, according to the report. Overall, in almost 30 percent of recorded sessions, the DDoS bots Incapsula encountered were able to accept and store cookies, while 0.8 percent could also execute JavaScript.  

"The ability to store cookies is a common criterion used to test if a device is a real browser or not (real browsers can store and operate cookies)," Gaffan said. "As such, attackers are now developing toolkits that enable the DDoS bots to store cookies, just like a real browser does. Hence, rendering this bot detection method useless."

Spoofed user-agents are often used to bypass low-level filtering solutions, based on the assumption that these solutions will not filter out bots that identify themselves as search engines or browsers, according to the report.

During January and February of 2014, the researchers noted a significant uptick in the number of NTP amplification attacks. In February, NTP amplification became the most commonly used attack vector for large-scale network DDoS attacks. It is too soon to tell if this will be a trend or a temporary spike, the report stated.
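The SYN combo pattern described above (regular SYN packets alongside SYN packets above 250 bytes) and the NTP amplification vector can both be spotted from coarse per-packet metadata. The following is an added detection sketch, not code from the report or from Incapsula: it classifies constructed packet records into the vectors the report names and flags a window as multi-vector when at least two are present. The packet tuples, the `MIN_VECTOR_PACKETS` threshold and the 200-byte NTP payload cut-off are assumptions for the example.

```python
from collections import Counter

# Constructed sample of per-packet records for one observation window
# (not real capture data): (proto, tcp_flags, src_port, length_bytes)
SAMPLE_PACKETS = [
    ("tcp", "S", 40001, 60),     # regular SYN
    ("tcp", "S", 40002, 60),     # regular SYN
    ("tcp", "S", 40003, 60),     # regular SYN
    ("tcp", "S", 40004, 1000),   # large SYN (> 250 bytes)
    ("tcp", "S", 40005, 900),    # large SYN (> 250 bytes)
    ("udp", "", 123, 468),       # large reply from an NTP server's port 123
    ("udp", "", 123, 482),       # large reply from an NTP server's port 123
    ("tcp", "SA", 443, 60),      # ordinary handshake reply, not a vector
]

LARGE_SYN_BYTES = 250       # threshold the report uses for "large SYN" packets
NTP_REPLY_MIN_BYTES = 200   # assumed: normal NTP time replies are far smaller
MIN_VECTOR_PACKETS = 2      # assumed: packets needed before a vector "counts"
                            # (a real detector would use rates per second)

def classify(pkt):
    """Map one packet record to a named DDoS vector, or None if benign."""
    proto, flags, src_port, length = pkt
    if proto == "tcp" and flags == "S":
        return "syn_large" if length > LARGE_SYN_BYTES else "syn_regular"
    # Amplified traffic reaches the victim as replies *from* NTP (UDP/123)
    if proto == "udp" and src_port == 123 and length > NTP_REPLY_MIN_BYTES:
        return "ntp_amplification"
    return None

def vector_counts(packets):
    """Count packets per vector, keeping only vectors above the threshold."""
    counts = Counter(v for v in map(classify, packets) if v is not None)
    return {v: n for v, n in counts.items() if n >= MIN_VECTOR_PACKETS}

def assess(packets):
    """Summarise the window: which vectors, whether multi-vector, SYN combo."""
    vectors = vector_counts(packets)
    return {
        "vectors": sorted(vectors),
        "multi_vector": len(vectors) >= 2,
        "syn_combo": {"syn_regular", "syn_large"} <= set(vectors),
    }

if __name__ == "__main__":
    print(assess(SAMPLE_PACKETS))
```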

"We are surprised by the sizes of the network layer DDoS attacks which are reaching levels that we did not foresee 12 months ago," said Gaffan. "We are less surprised by the sophistication of the Layer 7 attacks, which we expected to get much more sophisticated and are constantly evolving in a “cat and mouse” game between the attacker and defenders."
