Pulse Wave is a New Technique Using an Old Attack

DDoS

Before we get into the nitty-gritty of how the pulse wave attack behaves, we must first define what distributed denial-of-service (DDoS) and denial-of-service (DoS) attacks are, so we are all on the same page. Instead of regurgitating text from resources on the internet, I have included a nice quote from Wired.

Simple DoS attacks, performed from a single machine, are uncommon these days. Instead, they’ve been supplanted by DDoS attacks, distributed denial-of-service attacks that come from many computers distributed across the internet, sometimes hundreds or thousands of systems at once. The attacking machines are generally not initiating the assault on their own but are compromised machines that are part of a botnet controlled by hackers who use the machines as an army to target a website or system.

A DDoS attack from the Mirai botnet (Mirai is the name of the malware used to conduct the DDoS) targeted Dyn’s Domain Name Servers, taking Twitter, Spotify, and Reddit offline for the better part of a day. These attacks are powerful and destructive for businesses, but they typically take only a few minutes to ramp up to a peak rate, usually in the gigabits to tens and sometimes hundreds of gigabits a second, and last anywhere from minutes to three or four days. The ramp stage exists because of the time it takes to coordinate geographically dispersed devices of different kinds to send data.

A New Technique

A typical DDoS attack looks like an analog sine wave, as pictured below, less the bottom half of the wave because you can’t have a negative data value. There is a ramp-up and ramp-down period, and the attack can go on for as long as the attacker wants or has purchased. Yes, purchased. DDoS as a service is a real thing sold by seemingly legitimate companies around the world that market the service as a “test.”

A pulse wave DDoS takes the shape of a digital sine wave, as pictured below, less the bottom half because, once again, you can’t have a negative data value.

Imperva Incapsula provides DDoS mitigation services and is the first company to see this new kind of DDoS.

As you can see in the image, the pulse wave DDoS has far higher data rates than the traditional DDoS and faster device response times to commands. The troughs represent the attackers quickly changing targets at semi-regular intervals, which is evidence that this is an attacker or attackers with considerable skill. The goal of the pulse wave DDoS seems to be to knock out on-premise DDoS appliances that have cloud mitigation backup. The pulse is long enough (minutes) to bring down on-premise appliances and the network running behind them; the attackers then switch to a different target before the cloud mitigation service can kick in.
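The two traffic shapes described above can be told apart from rate samples alone: how fast each burst reaches its peak, and how regularly the bursts repeat. The Python below is an added example, not code from the original post or from Imperva Incapsula; the function names, thresholds and sample series are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

def find_bursts(gbps, threshold):
    """Return [start, end) index pairs of contiguous samples at or above threshold."""
    bursts, start = [], None
    for i, v in enumerate(gbps):
        if v >= threshold and start is None:
            start = i
        elif v < threshold and start is not None:
            bursts.append((start, i))
            start = None
    if start is not None:
        bursts.append((start, len(gbps)))
    return bursts

def rise_samples(gbps, start, end, baseline):
    """Samples taken to climb from near-baseline traffic to 90% of the burst's peak."""
    peak = max(gbps[start:end])
    reached = next(i for i in range(start, end) if gbps[i] >= 0.9 * peak)
    quiet = start
    while quiet > 0 and gbps[quiet - 1] > 1.5 * baseline:
        quiet -= 1  # walk back to where traffic first left the baseline
    return reached - quiet + 1

def classify(gbps, baseline, factor=5, max_rise=2, max_cv=0.25):
    """Label a rate series 'normal', 'ramped' or 'pulse-wave' (thresholds are assumptions)."""
    bursts = find_bursts(gbps, factor * baseline)
    if not bursts:
        return "normal"
    rises = [rise_samples(gbps, s, e, baseline) for s, e in bursts]
    gaps = [b[0] - a[0] for a, b in zip(bursts, bursts[1:])]
    # Pulse wave: several bursts, each at peak almost at once, at semi-regular spacing.
    regular = len(gaps) >= 2 and pstdev(gaps) / mean(gaps) <= max_cv
    if regular and max(rises) <= max_rise:
        return "pulse-wave"
    return "ramped"

# Constructed samples in Gbps, one value per fixed sampling interval.
RAMPED = [1, 1, 2, 4, 8, 15, 25, 40, 60, 80, 90, 95, 90, 80, 60, 40, 20, 8, 3, 1, 1]
PULSE = ([1] * 3 + [300] * 5 + [1] * 7 + [310] * 5 + [1] * 8
         + [290] * 5 + [1] * 6 + [305] * 5 + [1] * 4)

if __name__ == "__main__":
    for name, series in (("ramped", RAMPED), ("pulse", PULSE)):
        print(name, "->", classify(series, baseline=1))
```

A "pulse-wave" label is a cue to hand traffic to cloud mitigation immediately, since waiting for an on-premise appliance to saturate leaves only the trough between pulses to fail over.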
