By Eyal Arazi, senior security solutions lead for Radware
The cybersecurity landscape evolved rapidly in 2023. In particular, there was a significant shift in Distributed Denial of Service (DDoS) attack patterns.
Malicious actors are turning to a new form of DDoS attack, moving up the network stack from layers 3 and 4 to layer 7 with their sights set on compromising online applications and APIs as well as essential infrastructure such as the Domain Name System (DNS).
Unlike traditional DDoS attacks, which often involve overwhelming network traffic, this new wave of HTTP Floods—also known as Web DDoS Tsunami Attacks—focus on the application layer, where they can go undetected by traditional defense systems, famously taking down websites or networks.
These attacks know no boundaries, and strike without regard for company size, industry or geography. Some of the best intelligence for how to deal with Tsunamis comes from studying real-world attacks.
What is a Web DDoS Tsunami?
While HTTP Floods have been common for many years, they have been re-imagined by hackers combining network and application layer attacks to create new, more aggressive Web DDoS Tsunamis. The malicious actors claiming responsibility for many of these attacks are state-sponsored groups or cyber hacktivists.
The real-world Tsunamis we’ve seen are characterized by multiple attack waves that often top several million requests per second (RPS) and last for hours and span days. In contrast to years past, today’s HTTP Floods ramp faster than their predecessors.
To further confound security teams, they cleverly defy detection by appearing as legitimate traffic and using evasion techniques, such as randomized headers and IP spoofing, and more.
Radware’s recent Global Threat Analysis Report underscores the alarming rise in malicious web applications and API transactions in 2023. The total number of these transactions surged by 171% in 2023 compared to 2022, representing a substantial escalation over the 128% increase observed in 2022 compared to 2021.
A significant portion of the surge can be attributed to the rise in layer 7 encrypted web application attacks like the Web DDoS Tsunami.
Real World Case Studies
Large National Bank
According to Radware’s Global Threat Analysis Report, finance institutions saw the highest share of cyber attacks in 2023, shouldering nearly 30% of attacks globally.
One prominent banking institution found itself the center of a relentless barrage of Web DDoS Tsunami Attacks. During a span of several days, it experienced 12 separate attack waves, typically 2-3 per day. Multiple waves exceeded 1 million RPS, with one wave peaking at nearly 3 million RPS, significantly more than the bank’s typical traffic level of less than 1000 RPS.
Simultaneously, attackers launched multiple network-layer volumetric attacks exceeding 100 gigabits per second (Gbps). The attacks used a variety of attack vectors, including HTTP/S Floods, UDP Fragmentation Attacks, TCP Handshake Violations, SYN Floods, and more.
Figure 1 below shows one of the attacks, with a peak wave of nearly 3 million RPS.
Major Insurance Company
The volumetric and persistent nature of Web DDoS Attacks was also on display during a recent attack at a major insurance company. The company experienced several large-scale attack waves, reaching hundreds of thousands of RPS, with multiple waves peaking at more than 1 million RPS. The largest assault reached 2.5 million RPS.
The attacks far surpassed the company’s typical traffic rate of several hundred RPS, overwhelming its application infrastructure and disrupting operations.
To make the situation even more complicated, attackers combined some of the attack waves with network-layer volumetric attacks, exceeding 100 Gbps in data volume. The attack vectors included Web DDoS Tsunamis (HTTP/S Floods), DNS Floods, DNS Amplification Attacks, UDP Floods, UDP Fragmentation Attacks, NTP Floods, ICMP Floods, and more.
One of the attacks, represented in Figure 2, consisted of multiple waves during a three-hour period with several peaks reaching one million RPS and multiple spikes topping 2.5 million RPS.
Figure 2:
Telecommunications Company
Like financial institutions, telecommunication organizations continue to be a high-value target among malicious actors because of the lucrative data they store and the widespread disruption and publicity they generate when breached.
Case in point: A European telecommunications company was the repeated target of state-backed attack groups. It battled a persistent Web DDoS Tsunami Attack of approximately 1 million RPS almost continuously for nearly two hours. Traffic peaked at 1.6 million RPS. See Figure 3.
Figure 3:
These are just a few examples of the profile of the modern Web DDoS Tsunami Attack. What we know is that they are relentless. Rates and volumes exceed the capacity of on-prem solutions. They are deceptive and sophisticated, appearing as legitimate traffic and morphing over time. And they can cause considerable disruption and damage to an organization.
How to Defend Against Web DDoS Tsunamis
To combat Web DDoS Tsunamis, there needs to be a fundamental shift in how organizations think about their defense strategies. Detecting these attacks requires decryption and deep inspection into the L7 traffic headers, which network-based DDoS protection solutions weren’t built to do.
Standard on-prem or cloud-based WAFs fail to keep up with the scale and randomization. And rate-limiting techniques have a major negative effect on legitimate traffic.
Instead, what organizations need are solutions that leverage adaptive, AI-driven algorithms designed to distinguish between legitimate traffic surges and malicious attack traffic. These algorithms can quickly detect and generate new signatures for unknown malicious requests on the fly, ensuring robust protection without impeding legitimate traffic flow.
A new era of Web DDoS Tsunamis has arrived, and it requires companies to take a new proactive and adaptive approach to cybersecurity if they don’t want to be the next to be caught off guard.
Disclaimer: The views and opinions expressed in this guest post are solely those of the author(s) and do not necessarily reflect the official policy or position of The Cyber Express. Any content provided by the author is of their opinion and is not intended to malign any religion, ethnic group, club, organization, company, individual, or anyone or anything.
