Radware, a DDoS protection solution provider, recently discovered a new category of distributed denial-of-service (DDoS) attack; according to the company's experts it is a type of SYN flood dubbed “Tsunami SYN Flood Attack.”
In just a 48-hour period, the experts of Radware’s Emergency Response Team (ERT) observed two high-volume attacks targeting victims on two different continents.
The Tsunami SYN Flood attack hit an ISP and a data center for a gaming company; as explained by the researchers, the attacks peaked at 4-5 Gbps of attack traffic.
The name Tsunami SYN Flood Attack is not accidental: experts state that it uses about 1,000 bytes per packet, a remarkable figure compared with a typical SYN flood attack, which uses roughly 40 to 60 bytes per packet.
This kind of DDoS attack exploits the TCP protocol rather than UDP, rendering the classic defense methods ineffective, as Radware explained in a blog post:
“Normally the SYN package is a simple handshake mechanism with a very low data footprint,” Adrian Crawley, Radware regional director for the UK, said. “It appears that hackers have found a way to add content to it – up to 1,000 bytes, or 25 times more data per handshake. This is allowed based on TCP RFC, but it is not common practice simply to avoid latency during the initial handshake. But because it is allowed by RFC, hackers can add data – this could be any random data – to the application which requested the initial SYN handshake.”
It is likely that the threat actors behind the Tsunami SYN Flood attack used a botnet; Crawley explained how the attack produced the pulses of traffic observed with the following statement:
“An attacker does not have 100 [percent] control over each machine that generates traffic, so as more “bots” were being accessed in the attack, [it] could account for the pulses of attack traffic, rather than a constant stream.”
Such attacks could be identified and mitigated using behavioral algorithms:
“Behavioral algorithms are key in both detecting and mitigating these threats, along with implementing a hybrid model of cloud and on-premise mitigation.”
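The two points above, a SYN segment carrying far more payload than a normal handshake and a behavioral baseline that separates such traffic from ordinary SYNs, can be illustrated on the wire. The following is an added example written for this article, not Radware's code or the detection logic of any product: it parses raw IPv4/TCP packets, reports the payload length carried by each initial SYN, and builds a per-source bytes-per-SYN profile against the 40-60 byte baseline the article quotes. The sample packets are constructed inline with documentation-range addresses, and the alert thresholds (a 200-byte SYN payload, a 5x deviation from baseline) are assumptions chosen for the demonstration.

```python
import socket
import struct
from collections import defaultdict

# Figures quoted in the article: a classic SYN flood packet is ~40-60 bytes,
# a "Tsunami" SYN carries ~1,000 bytes. The alert thresholds below are assumptions.
TYPICAL_SYN_BYTES = 60
OVERSIZED_SYN_PAYLOAD = 200   # assumed: payload bytes in a SYN treated as abnormal

TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4_tcp(src, dst, flags, payload=b""):
    """Construct a minimal IPv4+TCP packet (no options, zero checksums) for offline testing."""
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          40000, 80,          # source / destination port
                          1, 0,               # sequence / acknowledgement numbers
                          5 << 4,             # data offset = 5 words (20 bytes)
                          flags, 65535, 0, 0) # flags, window, checksum, urgent pointer
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, 6, 0,   # IPv4, IHL=5, proto 6 = TCP
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_ipv4_tcp(raw):
    """Return (src, syn, ack, payload_len) for an IPv4/TCP packet, or None if not TCP."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:
        return None
    src = socket.inet_ntoa(raw[12:16])
    tcp = raw[ihl:]
    data_off = (tcp[12] >> 4) * 4
    flags = tcp[13]
    # Payload is whatever the IP total length leaves after both headers;
    # for a normal SYN this is zero, for the attack described it is ~1,000 bytes.
    payload_len = total_len - ihl - data_off
    return src, bool(flags & TCP_SYN), bool(flags & TCP_ACK), payload_len


def classify_syn(raw):
    """'normal' for a bare SYN, 'oversized' for a SYN carrying more payload than the
    threshold, None for anything that is not an initial SYN (e.g. SYN-ACK or data)."""
    parsed = parse_ipv4_tcp(raw)
    if parsed is None:
        return None
    _, syn, ack, payload_len = parsed
    if not syn or ack:
        return None
    return "oversized" if payload_len > OVERSIZED_SYN_PAYLOAD else "normal"


def syn_profile(packets):
    """Per-source behavioral summary: number of initial SYNs and mean bytes per SYN
    (whole packet size, so comparable to the article's 40-60 vs ~1,000 figures)."""
    stats = defaultdict(lambda: {"syns": 0, "bytes": 0})
    for raw in packets:
        parsed = parse_ipv4_tcp(raw)
        if parsed is None:
            continue
        src, syn, ack, _ = parsed
        if syn and not ack:
            stats[src]["syns"] += 1
            stats[src]["bytes"] += len(raw)
    return {src: {"syns": s["syns"], "bytes_per_syn": s["bytes"] / s["syns"]}
            for src, s in stats.items()}


def suspicious_sources(packets, baseline_bytes=TYPICAL_SYN_BYTES, ratio=5.0):
    """Sources whose mean SYN size exceeds ratio * baseline; the 5x factor is an assumption."""
    return sorted(src for src, s in syn_profile(packets).items()
                  if s["bytes_per_syn"] > ratio * baseline_bytes)


# Constructed sample traffic: two ordinary SYNs from one host, a SYN-ACK reply,
# and three 1,000-byte SYNs from another host (documentation-range addresses).
SAMPLE = (
    [build_ipv4_tcp("192.0.2.10", "198.51.100.5", TCP_SYN)] * 2
    + [build_ipv4_tcp("198.51.100.5", "192.0.2.10", TCP_SYN | TCP_ACK)]
    + [build_ipv4_tcp("203.0.113.7", "198.51.100.5", TCP_SYN, b"A" * 1000)] * 3
)

if __name__ == "__main__":
    for raw in SAMPLE:
        print(classify_syn(raw), len(raw), "bytes")
    print(syn_profile(SAMPLE))
    print("suspicious:", suspicious_sources(SAMPLE))
```

The per-packet check catches a single oversized SYN, while the per-source profile is the kind of baseline a behavioral approach needs: a host whose average SYN is 1,040 bytes stands out against the 40-byte norm even if the stream arrives in pulses rather than as a constant rate.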
Radware experts suspect that in the coming months a growing number of DDoS attacks will be Tsunami SYN Flood attacks.
(Security Affairs – Tsunami SYN Flood DDoS attack, cybercrime)