
DDoS Attackers Increasingly Use Multiple Attack Vectors

Distributed denial-of-service attacks are costly for businesses, and profitable for attackers – a dynamic that explains why both defenders and hackers must keep innovating.

For attackers, that innovation has taken the form of a growth in multi-vector attacks and browser-based DDoS bots capable of bypassing both JavaScript and cookie challenges. According to a new report from Incapsula – which is now part of security firm Imperva – both trends have become more commonplace as attackers have looked for ways to thwart mitigation efforts.

“Multi-vector attacks have been used in the past – but rarely,” explained Marc Gaffan, co-founder of Incapsula and vice president of marketing and business development. “It takes more to launch a multi-vector attack than a single-vector attack because the bots or hardware being used need to be equipped with DDoS toolkits that can ‘mix-and-match’.”

According to the report, the vast majority of network (Layers 3 and 4) DDoS attacks use multi-vector offensive tactics. Between Nov. 30 and Feb. 27, 81 percent of all network attacks examined by the company employed at least two different attack methods, with nearly 39 percent using three or more different attack methods at the same time.

Based on average data from those 90 days, the most common network attack method was a combination of two types of SYN flood attacks – one using regular SYN packets and another using large SYN (above 250 bytes) packets. Both attacks are executed at once, with the regular SYN packets used to exhaust server resources and the large SYN packets used to cause network saturation. Today, SYN combo attacks account for more than 75 percent of all large-scale network DDoS attacks.
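The SYN combo described above is easiest to see as a classification problem over packet records: each packet maps to a vector (regular SYN, large SYN above the report's 250-byte mark, or a generic UDP bucket), and a time window is "multi-vector" only when two or more vectors are over their rate thresholds at once. The following is an added illustration of that detection logic, not Incapsula's or Imperva's code; the `Packet` record, the packet stream and the per-window thresholds are all constructed for the example.

```python
"""Multi-vector network-flood detector (added example, not from the report).

Maps packets to flood vectors, counts them per time window, and flags a
window when two or more vectors exceed their thresholds simultaneously.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

LARGE_SYN_BYTES = 250  # "large SYN" threshold quoted in the report


@dataclass(frozen=True)
class Packet:               # constructed record type for the example
    ts: float               # seconds since capture start
    proto: str              # "tcp" or "udp"
    flags: str              # TCP flag string, e.g. "S", "SA"; "" for UDP
    length: int             # bytes on the wire


def classify(pkt: Packet) -> Optional[str]:
    """Return the flood vector a packet belongs to, or None if not flood-relevant."""
    if pkt.proto == "tcp" and pkt.flags == "S":        # bare SYN, no ACK
        return "large_syn" if pkt.length > LARGE_SYN_BYTES else "syn"
    if pkt.proto == "udp":
        return "udp"
    return None


def vectors_per_window(packets: Iterable[Packet], window: float = 1.0) -> Dict[int, Counter]:
    """Count packets of each vector inside fixed-size time windows."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for p in packets:
        vector = classify(p)
        if vector:
            buckets[int(p.ts // window)][vector] += 1
    return buckets


def detect_multi_vector(packets: Iterable[Packet], thresholds: Dict[str, int],
                        window: float = 1.0) -> Dict[int, List[str]]:
    """Return {window_index: [active vectors]} for windows with >= 2 vectors over threshold.

    A single vector over threshold is a plain flood and is deliberately not reported
    here; the point of the report's statistic is the simultaneity.
    """
    result: Dict[int, List[str]] = {}
    for w, counts in sorted(vectors_per_window(packets, window).items()):
        active = sorted(v for v, n in counts.items()
                        if n >= thresholds.get(v, float("inf")))
        if len(active) >= 2:
            result[w] = active
    return result


def sample_packets() -> List[Packet]:
    """Constructed capture: window 0 = single-vector SYN flood, window 1 = SYN combo,
    window 2 = a handful of benign handshakes."""
    pkts: List[Packet] = []
    pkts += [Packet(0.0 + i * 0.001, "tcp", "S", 60) for i in range(500)]
    pkts += [Packet(1.0 + i * 0.001, "tcp", "S", 60) for i in range(500)]
    pkts += [Packet(1.0 + i * 0.002, "tcp", "S", 1000) for i in range(300)]  # padded SYNs
    pkts += [Packet(2.0 + i * 0.01, "tcp", "S", 60) for i in range(20)]
    pkts += [Packet(2.0 + i * 0.01, "tcp", "SA", 60) for i in range(20)]
    return pkts


# packets-per-window thresholds; constructed, tune to the link's baseline in practice
THRESHOLDS = {"syn": 200, "large_syn": 100, "udp": 1000}

if __name__ == "__main__":
    print(detect_multi_vector(sample_packets(), THRESHOLDS))  # {1: ['large_syn', 'syn']}
```

Window 0 carries a SYN flood but only one vector, so it is not reported; window 1 carries regular and padded SYNs together and is. In production the same counting would be fed from flow records rather than a list in memory, and the thresholds would be set from the link's observed baseline.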

“Multi-vector tactics increase the attacker’s chance of success by targeting several different networking or infrastructure resources,” the report notes. “Combinations of different offensive techniques are also often used to create ‘smokescreen’ effects, where one attack is used to create noise, diverting attention from another attack vector. Moreover, multi-vector methods enable attackers to exploit holes in a target’s security perimeter, causing conflicts in automated security rules and spreading confusion among human operators.”

“Finally, multi-vector attacks can be used for ‘trial and error’ reconnaissance, gathering the information needed to allow future attacks to weave their way past the defender’s layers of security,” according to the report.

One of the ways attackers did that weaving was through the use of browser-based DDoS bots capable of bypassing bot filtering techniques. This trend began to appear in the fourth quarter of 2013 and has continued this year, according to the report. Overall, in almost 30 percent of recorded sessions, the DDoS bots Incapsula encountered were able to accept and store cookies, while 0.8 percent could also execute JavaScript.


“The ability to store cookies is a common criterion used to test if a device is a real browser or not (real browsers can store and operate cookies),” Gaffan said. “As such, attackers are now developing toolkits that enable the DDoS bots to store cookies, just like a real browser does. Hence, rendering this bot detection method useless.”

Spoofed user-agents are often used to bypass low-level filtering solutions, based on the assumption that these solutions will not filter out bots that identify themselves as search engines or browsers, according to the report.
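The two preceding paragraphs describe three checks that a filtering layer relies on and that the report says bots now try to defeat: the cookie challenge, the JavaScript challenge, and trust in a self-declared search-engine user-agent. The following added example (not Incapsula's implementation) shows why the defender's answer is to combine them rather than trust any one: a bot that stores cookies still scores as a bot if it cannot compute the JS answer, and a "Googlebot" claim is confirmed by reverse DNS followed by forward DNS rather than believed. The HMAC key, the crawler domain allow-list and the DNS resolvers are all constructed for the example; real crawler operators publish their own verification rules, which you would follow instead.

```python
"""Layered request vetting: cookie challenge + JS challenge + UA claim check.
Added example; key, allow-list and DNS tables are constructed, not real."""
import hashlib
import hmac
from typing import Callable, Dict, Optional, Tuple

SECRET = b"constructed-example-key"   # placeholder; rotate a real key from a KMS
COOKIE_TTL = 300                       # seconds


def issue_cookie(client_ip: str, now: int) -> str:
    """Cookie = expiry|HMAC(ip|expiry): bound to the IP so it cannot be replayed elsewhere."""
    exp = now + COOKIE_TTL
    tag = hmac.new(SECRET, f"{client_ip}|{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}|{tag}"


def cookie_valid(cookie: Optional[str], client_ip: str, now: int) -> bool:
    """Accept only an unexpired cookie whose tag matches this client's IP."""
    if not cookie or "|" not in cookie:
        return False
    exp_s, tag = cookie.split("|", 1)
    if not exp_s.isdigit() or int(exp_s) < now:
        return False
    expected = hmac.new(SECRET, f"{client_ip}|{exp_s}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def js_challenge(nonce: str) -> str:
    """Answer a real browser's page script would compute: sha256(nonce), truncated."""
    return hashlib.sha256(nonce.encode()).hexdigest()[:16]


# Hostname suffixes a crawler's fetchers are expected to resolve to (constructed allow-list)
CRAWLER_DOMAINS: Dict[str, Tuple[str, ...]] = {
    "Googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}


def ua_claim_verified(user_agent: str, client_ip: str,
                      rdns: Callable[[str], Optional[str]],
                      fdns: Callable[[str], Optional[str]]) -> Optional[bool]:
    """None if the UA claims no crawler; otherwise True only if reverse DNS lands in the
    crawler's domain AND forward DNS of that name returns the same IP."""
    for name, domains in CRAWLER_DOMAINS.items():
        if name in user_agent:
            host = rdns(client_ip)
            if not host or not host.endswith(tuple("." + d for d in domains)):
                return False
            return fdns(host) == client_ip
    return None


def score_request(req: Dict, now: int, rdns, fdns) -> int:
    """Higher = more bot-like. No single check is decisive; a spoofed crawler claim weighs most."""
    score = 0
    if not cookie_valid(req.get("cookie"), req["ip"], now):
        score += 1
    if req.get("js_answer") != js_challenge(req["nonce"]):
        score += 2
    if ua_claim_verified(req.get("ua", ""), req["ip"], rdns, fdns) is False:
        score += 3
    return score


# Constructed DNS answers standing in for real resolver calls
RDNS = {"203.0.113.10": "crawl-203-0-113-10.googlebot.com", "198.51.100.7": "host.example.net"}
FDNS = {"crawl-203-0-113-10.googlebot.com": "203.0.113.10", "host.example.net": "198.51.100.7"}


def demo(now: int = 1_700_000_000) -> Tuple[int, int]:
    """Score a genuine crawler and a cookie-capable bot that spoofs the same UA."""
    nonce = "constructed-nonce"
    genuine = {"ip": "203.0.113.10", "ua": "Mozilla/5.0 (compatible; Googlebot/2.1)",
               "cookie": issue_cookie("203.0.113.10", now), "nonce": nonce,
               "js_answer": js_challenge(nonce)}
    # stores cookies (as the report says ~30% of bots now do) but cannot run JS
    spoof = {"ip": "198.51.100.7", "ua": "Mozilla/5.0 (compatible; Googlebot/2.1)",
             "cookie": issue_cookie("198.51.100.7", now), "nonce": nonce, "js_answer": None}
    return score_request(genuine, now, RDNS.get, FDNS.get), score_request(spoof, now, RDNS.get, FDNS.get)


if __name__ == "__main__":
    print(demo())  # (0, 5)
```

The genuine crawler passes all three checks and scores 0; the spoofing bot passes the cookie check, fails the JS check (+2) and fails the reverse/forward DNS confirmation (+3). The 0.8 percent of bots the report says can execute JavaScript would also clear the second check, which is why the UA verification and rate-based signals remain in the stack rather than any single challenge.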

During January and February of 2014, the researchers noted a significant uptick in the number of NTP amplification attacks. In February, NTP amplification became the most commonly used attack vector for large-scale network DDoS attacks. It is too soon to tell if this will be a trend or a temporary spike, the report stated.

“We are surprised by the sizes of the network layer DDoS attacks which are reaching levels that we did not foresee 12 months ago,” said Gaffan. “We are less surprised by the sophistication of the Layer 7 attacks, which we expected to get much more sophisticated and are constantly evolving in a ‘cat and mouse’ game between the attacker and defenders.”
