Page 159 - Cyber Defense eMagazine October 2023
seconds. Imagine an unprotected website suddenly seeing 500,000 or 1 million RPS in less than
10 seconds. Short, aggressive attacks are often used to demonstrate what the attacker is capable
of—acting as a “ransom threat message.”
• Type of botnet – The botnets that launch Web DDoS Tsunamis can be characterized along several dimensions. The first is size: the number of unique IPs from which the attacking transactions originate, which can range from thousands to hundreds of thousands, spread across locations around the world and assigned to numerous autonomous system numbers (ASNs) that are typically owned by service providers. During a Web DDoS Tsunami, each attacking IP may generate an RPS level that is similar to, higher than, or lower than that of a legitimate client. As a result, your "top talker" IPs (those with the highest RPS) may not be the attackers at all, and rate-limiting the sources with the highest RPS can yield unacceptable levels of false positives, which only plays into the attacker's objective of denying service. In some cases, attackers deliberately spread a Web DDoS Tsunami across a very large number of bots, each generating a very low RPS volume, precisely to evade simple defenses such as rate limiting.
Botnets also hide their true origin behind source IPs that are assigned to or owned by a variety of parties, and behind public proxies (for example, open proxies, anonymizing proxies, or open VPNs). In addition, attacker IPs can belong to legitimate residential subscribers, cloud providers, web-hosting providers, or, sometimes, IoT devices. A mitigation strategy based solely on analysis of IP addresses will therefore likely produce unwanted false negatives (low-rate bots on ordinary-looking addresses pass through) on top of the false positives noted above (blocking a shared or residential address cuts off the legitimate users behind it). Sometimes, attackers conduct coordinated attacks on a single victim, so multiple types of attacker IP addresses and high volumes of RPS appear within a single attack and are exceedingly difficult to untangle.
• Type of attack transactions – Attackers can structure a Web DDoS HTTP request in a wide variety of ways. In the simplest case, a Web DDoS Tsunami starts with one simple HTTP request that is replicated in high volume, such as an HTTP GET to "/" carrying a very basic set of headers, such as Host and Accept. Each such transaction appears legitimate on its own, so it is unlikely the attack can be mitigated by a WAF or other traditional means; on the other hand, because every request is identical, you could simply block or filter that one specific transaction before it is delivered and mitigate the attack. In a Web DDoS Tsunami, attackers avoid this by building more complex and genuine-looking transactions and by relying heavily on randomization. They craft realistic requests that carry plausible query arguments, HTTP headers (including User-Agent and Referer), web cookies, and more. The attack requests employ various HTTP methods (such as POST, PUT, and HEAD) and are directed at a number of different paths within the protected application. Many attributes of the transactions are continuously randomized, rendering simple mitigation strategies unfeasible: there is no simple, pre-defined signature or rule-based mechanism that mitigates the attack, because each individual request appears legitimate and does not indicate malicious intent.
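The two failure modes described in the bullets above, per-IP rate limiting that punishes the busiest legitimate sources rather than the bots, and exact-match request signatures that stop a replicated flood but not randomized requests, can be reproduced in a small simulation. The following is an added example written for this article; it is not code from the original page or from any vendor. The IP ranges, client counts, request catalogue, the 20 RPS threshold (max_rps) and the number of captured attack samples (sample_size) are all constructed assumptions chosen to make the effect visible.

```python
"""Toy simulation of two naive Web DDoS defences, per-IP rate limiting and
exact-match request signatures, against (a) a simple replicated flood and
(b) a randomised "Tsunami" style attack.  All addresses, client counts and
request shapes below are constructed for this example."""
import random
from collections import Counter

random.seed(2023)  # fixed seed so every run produces the same numbers

# Constructed catalogue of attributes shared by real browsers and by the bots
# that imitate them.
PATHS = ["/", "/login", "/search", "/api/items", "/cart", "/static/app.js"]
METHODS = ["GET", "POST", "PUT", "HEAD"]
USER_AGENTS = ["Mozilla/5.0 (Windows NT 10.0) Chrome/117",
               "Mozilla/5.0 (Macintosh) Safari/605",
               "Mozilla/5.0 (X11; Linux) Firefox/118",
               "Mozilla/5.0 (iPhone) Mobile/15E148"]
REFERERS = ["https://www.example.com/", "https://search.example.net/?q=shop", ""]


def ip(prefix, i):
    """Constructed address: a /16 prefix plus two octets derived from the index."""
    return f"{prefix}.{i // 256}.{i % 256}"


def realistic_request(src, label):
    """A request with randomised method, path, query string and headers,
    as sent by a real browser or by a bot imitating one."""
    return {"ip": src, "label": label,
            "method": random.choice(METHODS), "path": random.choice(PATHS),
            "query": f"q={random.randrange(10**6)}",
            "headers": (("Host", "www.example.com"),
                        ("User-Agent", random.choice(USER_AGENTS)),
                        ("Referer", random.choice(REFERERS)),
                        ("Cookie", f"session={random.randrange(10**9):x}"))}


def flood_request(src):
    """The simple case: GET / with only Host and Accept, replicated verbatim."""
    return {"ip": src, "label": "bot", "method": "GET", "path": "/", "query": "",
            "headers": (("Host", "www.example.com"), ("Accept", "*/*"))}


def make_traffic(kind, users=300, gateways=3, gateway_rps=50, bots=2000, bot_rps=2):
    """One-second window of mixed traffic.  kind is "flood" or "tsunami".
    Individual users send one request each, a few NAT gateways (a campus,
    a mobile carrier) send gateway_rps each, and every bot sends bot_rps."""
    reqs = [realistic_request(ip("198.51", i), "legit") for i in range(users)]
    for g in range(gateways):
        reqs += [realistic_request(f"203.0.113.{g}", "legit") for _ in range(gateway_rps)]
    for b in range(bots):
        src = ip("100.64", b)  # CGNAT-style space: looks like a residential subscriber
        for _ in range(bot_rps):
            reqs.append(flood_request(src) if kind == "flood" else realistic_request(src, "bot"))
    random.shuffle(reqs)
    return reqs


def top_talkers(reqs, n=3):
    """The n source IPs with the highest request count, with their true label."""
    label = {r["ip"]: r["label"] for r in reqs}
    counts = Counter(r["ip"] for r in reqs)
    return [(src, cnt, label[src]) for src, cnt in counts.most_common(n)]


def rate_limit(reqs, max_rps=20):
    """Block every IP above max_rps.  Returns (false positives, false negatives)
    counted in requests: legitimate requests blocked, bot requests let through."""
    blocked = {src for src, cnt in Counter(r["ip"] for r in reqs).items() if cnt > max_rps}
    fp = sum(r["label"] == "legit" and r["ip"] in blocked for r in reqs)
    fn = sum(r["label"] == "bot" and r["ip"] not in blocked for r in reqs)
    return fp, fn


def fingerprint(r):
    """Exact-match signature: method, path, query string and full header set."""
    return (r["method"], r["path"], r["query"], r["headers"])


def signature_filter(reqs, sample_size=50):
    """Build exact-match signatures from the first sample_size attack requests
    an analyst managed to capture, then block anything that matches one."""
    samples = [r for r in reqs if r["label"] == "bot"][:sample_size]
    sigs = {fingerprint(r) for r in samples}
    fp = sum(r["label"] == "legit" and fingerprint(r) in sigs for r in reqs)
    fn = sum(r["label"] == "bot" and fingerprint(r) not in sigs for r in reqs)
    return fp, fn


if __name__ == "__main__":
    for kind in ("flood", "tsunami"):
        t = make_traffic(kind)
        print(kind, "top talkers:", top_talkers(t))
        print(kind, "rate limit (fp, fn):", rate_limit(t))
        print(kind, "signatures (fp, fn):", signature_filter(t))
```

In both scenarios the top talkers are the three NAT gateways, all legitimate, and the 20 RPS per-IP limit blocks their 150 requests while letting all 4,000 bot requests through, because each bot stays at 2 RPS. The exact-match signature stops the replicated flood completely (0 false positives, 0 false negatives) but, against the randomized attack, only matches the 50 requests it was built from and misses the remaining 3,950, which is the effect the text describes.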
What's more, even when the traffic is decrypted (that is, inspected after TLS termination), it still looks legitimate. Web DDoS Tsunami attackers use sophisticated techniques to bypass traditional application protections, changing their attack pattern during the attack or using several attack request structures simultaneously. And when attacks are launched by several orchestrated botnets with different simultaneous strategies, you're facing millions of
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.