Radware, a DDoS protection solution provider, recently discovered a new category of distributed denial-of-service (DDoS) attack; according to the company's experts it is a type of SYN flood dubbed the “Tsunami SYN Flood Attack.”
In just a 48-hour period, the experts of Radware’s Emergency Response Team (ERT) observed two high-volume attacks targeting organizations on two different continents.
The Tsunami SYN Flood Attack hit an ISP and a data center for a gaming company; as explained by the researchers, the attacks peaked at 4-5 Gbps of attack traffic.
The name Tsunami SYN Flood Attack is not casual: experts state that it uses about 1,000 bytes per packet, a remarkable figure compared with a typical SYN flood attack, which uses about 40 to 60 bytes per packet.
This kind of DDoS attack exploits the TCP protocol instead of UDP, making the classic defense methods ineffective, as Radware explained in a blog post:
“Normally the SYN package is a simple handshake mechanism with a very low data footprint,” Adrian Crawley, Radware regional director for the UK, said. “It appears that hackers have found a way to add content to it – up to 1,000 bytes, or 25 times more data per handshake. This is allowed based on TCP RFC, but it is not common practice simply to avoid latency during the initial handshake. But because it is allowed by RFC, hackers can add data – this could be any random data – to the application which requested the initial SYN handshake.”
It is likely that the threat actors behind the Tsunami SYN Flood attack used a botnet; Crawley explained how the attack produced the pulses of traffic observed with the following statement:
“An attacker does not have 100 [percent] control over each machine that generates traffic, so as more “bots” were being accessed in the attack, [it] could account for the pulses of attack traffic, rather than a constant stream.”
Such attacks could be identified and mitigated using behavioral algorithms:
“Behavioral algorithms are key in both detecting and mitigating these threats, along with implementing a hybrid model of cloud and on-premise mitigation.”
Radware experts expect that in the coming months a growing number of DDoS attacks will be Tsunami SYN Flood attacks.
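The distinguishing trait described above, a pure SYN segment that carries a large data payload, is something a defender can check for directly. The following is an added example, not Radware's code or anything from the blog post it cites: it parses raw IPv4/TCP packets, flags SYNs whose payload exceeds a threshold, and counts such packets per source so that a rate check can feed a mitigation decision. The 100-byte threshold, the per-source minimum count, the sample packets and the addresses (RFC 5737 documentation ranges) are all constructed assumptions for the demonstration.

```python
"""Detect Tsunami-style SYN segments: TCP SYNs carrying an unusually large payload.

Added example for illustration, not Radware's code. Thresholds, sample
packets and addresses below are constructed for the demonstration.
"""
import struct
from collections import defaultdict

# Assumption: a normal SYN carries no data (40-60 byte packets); the article
# reports ~1,000 bytes per packet for the Tsunami variant. Anything above
# this constructed threshold is treated as anomalous.
PAYLOAD_THRESHOLD = 100
TCP_SYN = 0x02
TCP_ACK = 0x10
IP_PROTO_TCP = 6


def _ip(text):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(o) for o in text.split("."))


def build_packet(src, dst, flags, payload=b"", sport=40000, dport=80):
    """Build a minimal IPv4+TCP packet (no options, checksums zeroed).

    Used only to construct offline sample input for the detector.
    """
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                     IP_PROTO_TCP, 0, _ip(src), _ip(dst))
    return ip + tcp


def parse_packet(raw):
    """Return (src, tcp_flags, payload_len) for an IPv4/TCP packet, else None."""
    if len(raw) < 20:
        return None
    (ver_ihl, _, total_len, _, _, _, proto, _,
     src, _) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IP_PROTO_TCP or len(raw) < ihl + 20:
        return None
    tcp = raw[ihl:total_len]
    data_offset = (tcp[12] >> 4) * 4      # TCP header length in bytes
    flags = tcp[13]
    payload_len = max(len(tcp) - data_offset, 0)
    return ".".join(str(b) for b in src), flags, payload_len


def is_oversized_syn(raw, threshold=PAYLOAD_THRESHOLD):
    """True for a pure SYN (SYN set, ACK clear) carrying more than threshold bytes."""
    parsed = parse_packet(raw)
    if parsed is None:
        return False
    _, flags, payload_len = parsed
    return bool(flags & TCP_SYN) and not (flags & TCP_ACK) and payload_len > threshold


def flag_sources(packets, threshold=PAYLOAD_THRESHOLD, min_count=3):
    """Count oversized SYNs per source; return sources reaching min_count.

    A per-source count over a capture window is the simplest behavioral
    signal: legitimate clients never send data-bearing SYNs in volume.
    """
    counts = defaultdict(int)
    for raw in packets:
        if is_oversized_syn(raw, threshold):
            counts[parse_packet(raw)[0]] += 1
    return {src: n for src, n in counts.items() if n >= min_count}


# Constructed sample capture: one normal SYN, one SYN-ACK, and five
# data-bearing SYNs from a single source.
SAMPLE = [
    build_packet("198.51.100.10", "203.0.113.5", TCP_SYN),
    build_packet("203.0.113.5", "198.51.100.10", TCP_SYN | TCP_ACK, sport=80, dport=40000),
] + [build_packet("198.51.100.77", "203.0.113.5", TCP_SYN, b"A" * 1000)
     for _ in range(5)]

if __name__ == "__main__":
    for raw in SAMPLE:
        src, flags, plen = parse_packet(raw)
        print(f"{src:>15} flags=0x{flags:02x} payload={plen:4d} "
              f"oversized_syn={is_oversized_syn(raw)}")
    print("flagged sources:", flag_sources(SAMPLE))
```

In production the packets would come from a capture interface or a pcap rather than the constructed list, and the per-source count would be kept over a sliding window; the point of the example is that the check is a simple header-level one, because a SYN with a kilobyte of data is legal under the TCP RFC but essentially never seen from real clients.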
(Security Affairs – Tsunami SYN Flood DDoS attack, cybercrime)