Distributed denial-of-service attacks are costly for businesses, and profitable for attackers – a dynamic that explains why both defenders and hackers must keep innovating.
“Multi-vector attacks have been used in the past – but rarely,” explained Marc Gaffan, co-founder of Incapsula and vice president of marketing and business development. “It takes more to launch a multi-vector attack than a single-vector attack because the bots or hardware being used need to be equipped with DDoS toolkits that can ‘mix-and-match’.”
According to the report, the vast majority of network (Layers 3 and 4) DDoS attacks use multi-vector offensive tactics. Between Nov. 30 and Feb. 27, 81 percent of all network attacks examined by the company employed at least two different attack methods, with nearly 39 percent using three or more different attack methods at the same time.
Based on average data from those 90 days, the most common network attack method was a combination of two types of SYN flood attacks – one using regular SYN packets and another using large SYN (above 250 bytes) packets. Both attacks are executed at once, with the regular SYN packets used to exhaust server resources and large SYN packets used to cause network saturation. Today, SYN combo attacks account for more than 75 percent of all large scale network DDoS attacks.
“Multi-vector tactics increase the attacker’s chance of success by targeting several different networking or infrastructure resources,” the report notes. “Combinations of different offensive techniques are also often used to create ‘smokescreen’ effects, where one attack is used to create noise, diverting attention from another attack vector. Moreover, multi-vector methods enable attackers to exploit holes in a target’s security perimeter, causing conflicts in automated security rules and spreading confusion among human operators.”
“Finally, multi-vector attacks can be used for ‘trial and error’ reconnaissance, gathering the information needed to allow future attacks to weave their way past the defender’s layers of security,” according to the report.
“The ability to store cookies is a common criterion used to test whether a device is a real browser or not (real browsers can store and operate cookies),” Gaffan said. “As such, attackers are now developing toolkits that enable the DDoS bots to store cookies, just like a real browser does, hence rendering this bot detection method useless.”
Spoofed user-agents are often used to bypass low-level filtering solutions, based on the assumption that these solutions will not filter out bots that identify themselves as search engines or browsers, according to the report.
During January and February of 2014, the researchers noted a significant uptick in the number of NTP amplification attacks. In February, NTP amplification became the most commonly used attack vector for large-scale network DDoS attacks. It is too soon to tell if this will be a trend or a temporary spike, the report stated.
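The SYN combo and NTP amplification vectors described above can be spotted from packet summaries alone. The following is an added defender-side example, not code from Incapsula or the report: it classifies constructed packet records into the report's vector names (regular SYN, large SYN above 250 bytes, oversized UDP replies from port 123) and flags a window as multi-vector when two or more vectors are active. The 200-byte NTP reply cutoff and the per-vector packet threshold are assumptions.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from typing import Optional

LARGE_SYN_BYTES = 250      # the report's threshold for a "large" SYN packet
NTP_REPLY_BYTES = 200      # assumed cutoff for an amplified NTP reply
MIN_PKTS_PER_VECTOR = 3    # assumed packets needed before a vector counts

@dataclass(frozen=True)
class Pkt:
    proto: str      # "tcp" or "udp"
    flags: str      # TCP flags, e.g. "S" for a SYN-only segment
    src_port: int
    length: int     # total packet length in bytes

def classify(pkt: Pkt) -> Optional[str]:
    """Map one packet to a vector name, or None if it matches no vector."""
    if pkt.proto == "tcp" and pkt.flags == "S":
        return "syn_large" if pkt.length > LARGE_SYN_BYTES else "syn_regular"
    # NTP amplification shows up as UDP traffic sourced from port 123 that is
    # much larger than a normal NTP response.
    if pkt.proto == "udp" and pkt.src_port == 123 and pkt.length > NTP_REPLY_BYTES:
        return "ntp_amplification"
    return None

def active_vectors(pkts: list[Pkt]) -> dict[str, int]:
    """Count packets per vector and keep vectors above the activity threshold."""
    counts = Counter(v for v in map(classify, pkts) if v)
    return {v: n for v, n in counts.items() if n >= MIN_PKTS_PER_VECTOR}

def is_multi_vector(pkts: list[Pkt]) -> bool:
    """The report's definition: at least two vectors used at the same time."""
    return len(active_vectors(pkts)) >= 2

# Constructed sample window: regular SYNs, large SYNs and NTP replies together,
# plus one ordinary ACK segment that should be ignored.
SAMPLE = (
    [Pkt("tcp", "S", 40000 + i, 60) for i in range(5)]
    + [Pkt("tcp", "S", 41000 + i, 900) for i in range(4)]
    + [Pkt("udp", "", 123, 468) for _ in range(3)]
    + [Pkt("tcp", "A", 443, 1400)]
)

if __name__ == "__main__":
    print(active_vectors(SAMPLE), is_multi_vector(SAMPLE))
```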
“We are surprised by the sizes of the network layer DDoS attacks which are reaching levels that we did not foresee 12 months ago,” said Gaffan. “We are less surprised by the sophistication of the Layer 7 attacks, which we expected to get much more sophisticated and are constantly evolving in a ‘cat and mouse’ game between the attacker and defenders.”