Radware announced a new finding in the world of distributed denial-of-service (DDoS) attacks on Wednesday after researchers observed a type of SYN flood that the security company is calling a “Tsunami SYN Flood Attack.”
The Tsunami SYN Flood Attack stands out because it contains about 1,000 bytes per packet, whereas a typical SYN flood contains approximately 40 to 60 bytes per packet, Adrian Crawley, Radware regional director for the UK, told SCMagazine.com in a Thursday email correspondence. According to the Wednesday post, the attack is not UDP-based and is instead carried out over the TCP protocol.
“Normally the SYN package is a simple handshake mechanism with a very low data footprint,” Crawley said. “It appears that hackers have found a way to add content to it – up to 1,000 bytes, or 25 times more data per handshake. This is allowed based on TCP RFC, but it is not common practice simply to avoid latency during the initial handshake. But because it is allowed by RFC, hackers can add data – this could be any random data – to the application which requested the initial SYN handshake.”
Radware observed the Tsunami SYN Flood Attack against an ISP and a data center for a gaming company and mitigated the DDoS using its technologies, Crawley said. According to the post, the attacks came in pulses of about 4 to 5 Gbps of attack traffic.
“It’s possible that this Tsunami SYN Flood was orchestrated by using bot-machines – when a hacker gains unauthorized access to a number of computers,” Crawley said. “An attacker does not have 100 [percent] control over each machine that generates traffic, so as more ‘bots’ were being accessed in the attack, [it] could account for the pulses of attack traffic, rather than a constant stream.”
Because the Tsunami SYN Flood is a TCP volumetric flood, it will not be mitigated by the defenses used against UDP-based attacks, the post indicates, adding that most typical TCP SYN cookie-type protections are not effective against it either.
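A defender-side check for the property the article describes, a pure SYN segment carrying application data, as an added example (not Radware's code or anything from the post): it parses raw TCP segments, measures payload bytes per SYN, and aggregates per source so a baseline-breaking source can be surfaced. The 200-byte threshold and the in-memory sample segments built by `sample_segment` are assumptions and constructed test data.

```python
import struct
from collections import defaultdict

TCP_SYN = 0x02
TCP_ACK = 0x10
# A normal SYN carries no application data; the article describes ~1,000 bytes
# per packet. The 200-byte threshold is an assumption to tune to your baseline.
LARGE_SYN_PAYLOAD = 200


def parse_tcp_segment(segment: bytes) -> dict:
    """Parse a raw TCP segment (header plus payload, no IP header).

    Returns ports, the 9 flag bits, and the payload length computed from the
    data offset field (header length in 32-bit words)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("invalid data offset")
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x01FF,
            "payload_len": len(segment) - header_len}


def is_large_syn(segment: bytes, threshold: int = LARGE_SYN_PAYLOAD) -> bool:
    """True for a pure SYN (SYN set, ACK clear) carrying >= threshold payload bytes."""
    seg = parse_tcp_segment(segment)
    pure_syn = bool(seg["flags"] & TCP_SYN) and not seg["flags"] & TCP_ACK
    return pure_syn and seg["payload_len"] >= threshold


def syn_payload_stats(records, threshold: int = LARGE_SYN_PAYLOAD) -> dict:
    """Aggregate per source IP over (src_ip, segment) records: number of pure
    SYNs, how many carried a large payload, and total SYN payload bytes."""
    stats = defaultdict(lambda: {"syn": 0, "large_syn": 0, "payload_bytes": 0})
    for src, segment in records:
        seg = parse_tcp_segment(segment)
        if seg["flags"] & TCP_SYN and not seg["flags"] & TCP_ACK:
            stats[src]["syn"] += 1
            stats[src]["payload_bytes"] += seg["payload_len"]
            stats[src]["large_syn"] += int(seg["payload_len"] >= threshold)
    return dict(stats)


def sample_segment(flags: int, payload: bytes = b"") -> bytes:
    """Constructed in-memory sample (20-byte header, no options) for exercising
    the detector; nothing here touches the network."""
    header = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | flags, 65535, 0, 0)
    return header + payload
```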
“An attack like this cannot be mitigated on premise alone,” Crawley said. “Behavioral algorithms are key in both detecting and mitigating these threats, along with implementing a hybrid model of cloud and on-premise mitigation.”
Radware suspects this type of threat will be a new trend in DDoS attacks.
“This is a classic case of cyber-attackers looking at the types of attack tools out there, reinventing it, and deploying it out in the wild to test its effectiveness,” Crawley said. “These two attacks could have been ‘exploratory’ to see how it stacks up to their cyber-defenses. I am sure this will not be the last time we see a Tsunami SYN Flood used as a volumetric attack in the near future.”