
Understanding Hit and Run DDoS attacks

Hit and Run DDoS attacks consist of a series of short bursts of high-volume attacks that have a limited duration and are arranged periodically, and

Incapsula recently published a blog post explaining the efficiency of Hit and Run DDoS attacks. As the experts remark, attackers don’t need to arrange large-scale “server busters” to cause serious problems. Hit and Run attacks are among the most profitable services in the cybercriminal ecosystem: the attackers typically come and go over a prolonged period of time with the intent of causing problems for the target, usually by interrupting its service.

Hit and Run attacks last for days or weeks, and they are usually enough to saturate the target’s resources. They are very insidious because their attack patterns are usually not easy to identify: these offensives consist of a series of short bursts of high-volume attacks with a prefixed duration (e.g. 20-60 minutes), arranged periodically to interfere with the target’s operation.

Hit and Run DDoS attacks are by nature “on-demand” attacks: the attackers limit the duration of each offensive to avoid the intervention of defense mechanisms. The typical DDoS defense solution works well against long DDoS attacks, but its response time is too long to deal with short ones.

“These attacks do not just target server resources. With Hit and Run, the attackers are working to exhaust the people who maintain these servers, their organizational popularity, and even their health and sanity.” reports the blog post from Incapsula.


DDoS services are very cheap to rent, as explained in the recent excellent report “Russian Underground Revisited” issued by Trend Micro; an example of their prices follows.

As explained in the post, always-on solutions are not a usable way to mitigate this threat: although they are effective at stopping Hit and Run DDoS attacks, they can have a serious impact on user experience. In the simplest scenario, intermediary nodes are used to clean the malicious traffic, and this creates inevitable latency.

“For one, just by adding another hop between the website and its visitors, you create latency. Typically this is offset by caching, and optimized distribution over widespread PoPs. However, most DDoS protection services are built for protection, not content delivery, and don’t offer such features. Moreover, by keeping DDoS protection in “active mode,” visitors are generally subject to constant scrubbing, which causes service disruptions as result of both scrubbing challenges and false positives.”

Hit and Run DDoS attacks could be mitigated with a rapid detection system that is able to activate the DDoS mitigation solution in a short time, but early identification is the principal problem for defense mechanisms.

Another element of great concern in Hit and Run attacks is the attackers’ ability to craft high-consumption requests: as explained, a request rate of 30-50 calls per second aimed at a specific CPU- or I/O-intensive resource can paralyze the target.

The defense against DDoS attacks must be carefully organized: all the factors explained above must be carefully evaluated, classifying and identifying anomalies in traffic patterns.
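To make the traffic pattern described above concrete from the defender's side, here is an added example (not code from the Incapsula post or from this article) that classifies a day of per-minute request counts as normal, sustained or hit-and-run. The 5x-median threshold, the 3-minute minimum, the function names and the sample traffic are assumptions chosen for illustration; only the 60-minute upper bound on burst length comes from the article.

```python
from statistics import median

def find_bursts(per_minute, factor=5.0, min_len=3):
    """Return (start, end) minute ranges where traffic stays above factor x median.
    The median is a robust baseline as long as bursts cover under half the window."""
    threshold = median(per_minute) * factor
    bursts, start = [], None
    for i, count in enumerate(per_minute):
        if count > threshold and start is None:
            start = i                          # burst begins
        elif count <= threshold and start is not None:
            if i - start >= min_len:           # ignore one-off spikes
                bursts.append((start, i))
            start = None
    if start is not None and len(per_minute) - start >= min_len:
        bursts.append((start, len(per_minute)))  # burst still running at window end
    return bursts

def classify(per_minute, max_burst_min=60, min_repeats=3):
    """Label the window by the shape of its bursts (assumed heuristic)."""
    bursts = find_bursts(per_minute)
    short = [(s, e) for s, e in bursts if e - s <= max_burst_min]
    gaps = [short[i + 1][0] - short[i][1] for i in range(len(short) - 1)]
    if len(short) >= min_repeats:
        verdict = "hit-and-run"                # repeated short bursts
    elif any(e - s > max_burst_min for s, e in bursts):
        verdict = "sustained"                  # one long flood
    elif bursts:
        verdict = "isolated-burst"
    else:
        verdict = "normal"
    return {"verdict": verdict, "bursts": bursts, "gaps": gaps}

def constructed_day():
    """Constructed sample: ~100 req/min baseline with three 30-minute bursts."""
    day = [100 + (i % 7) for i in range(1440)]
    for start in (120, 600, 1080):
        for i in range(start, start + 30):
            day[i] = 4000
    return day

if __name__ == "__main__":
    result = classify(constructed_day())
    print(result["verdict"], result["bursts"], "gaps (min):", result["gaps"])
```

Each burst here is flagged only after `min_len` minutes above threshold, which is the detection delay a mitigation trigger built on this check would add.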

Pierluigi Paganini

(Security Affairs –  Hit and Run, Cybercrime)
