Radware Unearths a New type of DDoS Attack

Tsunami SYN Flood is the latest type of denial of service attack (DoS) to rock the tech world, according to Radware – a DDoS protection solution provider .The Tsunami SYN flood have been designed to overcome majority of existing defense mechanism within seconds of attacks.

SYN flood attacks have been around for decades yet they still pose a great danger to users in the modern world. Ideally, a SYN request from a hacker consumes resources from TCP and other stateful devices to the extent of causing a denial of service (DoS) attack.

Unlike a classical SYN flood , the Tsunami SYN flood has huge sized data packets of up to 1000 bits per packet whereas a typical SYN flood attack contains approximately 40-60 bytes per packet. In addition, the Tsunami SYN flood attacks the entire network, saturating the internet pipe as opposed to targeting specific assets on the network.

“Normally the SYN package is a simple handshake mechanism with a very low data footprint,” said Adrian Crawley, Radware regional director for the UK. “It appears that hackers have found a way to add content to it – up to 1,000 bytes, or 25 times more data per handshake. This is allowed based on TCP RFC, but it is not common practice simply to avoid latency during the initial handshake. But because it is allowed by RFC, hackers can add data – this could be any random data – to the application which requested the initial SYN handshake.”

Security experts warned that attacks of this magnitude easily consume bandwidth, with pulses as high as 4-5GPs in attack traffic. Such a volumetric transmission has got the ability to saturate the cyber pipe of the victim within seconds and overwhelm any defense mechanism.

According to Radware’s Emergency Response Team (ERT) a Tsunami SYN flood attacked two targets in two different continents within 48 hours. One of the targets was an ISP provider while the other was a gaming data center. Both companies received huge attack traffic of up to 5Gbps, implying the attackers might be using large botnets.

“It’s possible that this Tsunami SYN Flood was orchestrated by using bot-machines – when a hacker gains unauthorized access to a number of computers,” Crawley said. “An attacker does not have 100 [percent] control over each machine that generates traffic, so as more “bots” were being accessed in the attack, [it] could account for the pulses of attack traffic, rather than a constant stream.”

Unlike many SYN volumetric flood attacks which are UDP- based, the Tsunami SYN flood is carried out over a TCP protocol. Ideally a hacker interested in waging a volumetric attack such as DNS, NTP or CHARGEN reflected floods would opt for an algorithm based on UDP which is more effective due to the packets being small in size.This implies majority of the victims are only prepared to handle volumetric attacks for UDP based algorithm.

This twist of events from UDP-based to TCP based volumetric attacks means a total shift in victim’s defense paradigm. “In this new case, attackers have designed a volumetric attack based on TCP or stateful-protocols which can present a brand new danger. This new danger is that with a TCP volumetric flood on a web server, a victim will not be able to deploy defenses similar to UDP-based attack to mitigate it,” states Radware in a blog.

The fact that the Tsunami SYN flood attack is carried over TCP protocol makes it difficult to mitigate using similar defenses for UDP based volumetric attacks.  Radware’s security team observed that the attack do not target a specific asset on the network. A Tsunami SYN flood will hit the entire network, making it even more difficult to mitigate. Typical SYN cookies based on TCP type protection are also not effective in mitigating the new threat.

“An attack like this cannot be mitigated on premise alone,” says Crawley. “Behavioral algorithms are key in both detecting and mitigating these threats, along with implementing a hybrid model of cloud and on premise mitigation.”

While dealing with a Tsunami SYN flood attack, it is important to remember that the internet pipe will be impacted before other devices such as firewalls and serves. That implies the mitigation point should be in the cloud to protect the saturation of the internet pipe.

“A hybrid model of cloud and on-premise mitigation is the most effective and sound solution. Since this is a volumetric attack which can have pulse characteristics to it, a targeted victim will need fast and high quality detection coordinated with cloud scrubbing mitigation capability to prevent internet pipe saturation,” stated Radware

The Tsunami SYN attack and other similar vulnerability such as the recent Poodle bug and Shellshock bug clearly show that cyber attacker are perfecting their art. More importantly, attackers are exploiting old age vulnerabilities to rake havoc in today’s cyber space.

“This is a classic case of cyber-attackers looking at the types of attack tools out there, reinventing it, and deploying it out in the wild to test its effectiveness,” said Crawley “These two attacks could have been “exploratory” to see how it stacks up to their cyber-defenses. I am sure this will not be the last time we see a Tsunami SYN Flood used as a volumetric attack in the near future.”

Lawrence Mwangi

Lawrence is a technology and business reporter. He has freelanced for a number of tech sites and magazines. He is a web-enthusiast, with a special interest in Online security, Entrepreneurship and Innovation. When not writing about tech he can be found in a Tennis court or on a chess board.

Latest posts by Lawrence Mwangi (see all)



Radware Unearths a New type of DDoS Attack

by Lawrence Mwangi time to read: 3 min