
Understanding Hit and Run DDoS attacks


Hit and Run DDoS attacks consist of a series of short, high-volume bursts of limited duration, arranged periodically, and …

Incapsula recently published a blog post explaining the efficiency of hit and run DDoS attacks; as its experts remark, attackers don't need to arrange large-scale "server busters" to cause serious problems. Hit and run attacks are among the most profitable services in the cybercriminal ecosystem: the attackers typically come and go over a prolonged period of time with the intent of causing problems for the target, usually by interrupting its service.

A Hit and Run campaign lasts for days or weeks, which is usually enough to saturate the target's resources. Hit and Run DDoS attacks are very insidious because their attack pattern is not easy to identify: they consist of a series of short, high-volume bursts of fixed duration (e.g. 20-60 minutes), spaced periodically to interfere with the target's operations.

By nature, Hit and Run DDoS attacks are "on demand" attacks: the attackers limit the duration of each burst to avoid triggering the defense mechanisms. A typical DDoS defense solution works well against a long-lived attack, but its response time is too slow to cope with a short one.

“These attacks do not just target server resources. With Hit and Run, the attackers are working to exhaust the people who maintain these servers, their organizational popularity, and even their health and sanity.” reports the blog post from Incapsula.


DDoS services are very cheap to rent, as explained in TrendMicro's excellent report "Russian Underground Revisited"; the following is an example of their prices.

Hit and Run DDoS Russian underground attack

As explained in the post, always-on solutions are not a practical way to mitigate this threat: although they would stop Hit and Run DDoS attacks, they can have a serious impact on the user experience. In the simplest scenario, traffic is routed through intermediary nodes that scrub the malicious requests, and this extra hop creates unavoidable latency.

“For one, just by adding another hop between the website and its visitors, you create latency. Typically this is offset by caching, and optimized distribution over widespread PoPs. However, most DDoS protection services are built for protection, not content delivery, and don’t offer such features. Moreover, by keeping DDoS protection in “active mode,” visitors are generally subject to constant scrubbing, which causes service disruptions as result of both scrubbing challenges and false positives.”

Hit and Run DDoS attacks could be mitigated by a rapid detection system that activates the DDoS mitigation solution within a short time, but early identification is the principal problem for the defense mechanisms.

Another element of great concern with Hit and Run attacks is the attackers' ability to craft high-consumption requests: as the post explains, a request rate of only 30-50 calls per second aimed at a specific CPU- or I/O-intensive resource can paralyze the target, well below the volume that a bandwidth-oriented threshold would flag.
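To make the two detection problems above concrete (the response time of a rate-based detector against a short burst, and the low request rate needed against a CPU- or I/O-heavy endpoint), here is an added example that is not part of the Security Affairs post or of Incapsula's product. It is a sliding-window burst detector run over constructed access-log lines in a combined-log-like format. The window length, the 100 req/s global threshold, the 30 req/s per-path threshold for "heavy" endpoints, the `/search` path and the traffic shape are all my assumptions, chosen only to illustrate the trade-off: a shorter window detects the burst sooner, but in real traffic it is also more likely to fire on legitimate spikes.

```python
"""Sliding-window burst detector for hit-and-run DDoS patterns.

Added example, not code from the article or from Incapsula. All thresholds,
paths and traffic shapes below are assumptions made for the illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-style line (assumed format):
# 198.51.100.5 - - [10/Mar/2014:10:00:05 +0000] "GET / HTTP/1.1" 200 1532
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\d+|-)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (epoch_seconds, client_ip, path) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, _method, target, _status, _size = m.groups()
    t = datetime.strptime(stamp, TIME_FMT).timestamp()
    # Drop the query string so /search?q=a and /search?q=b count against one resource.
    return t, ip, target.split("?", 1)[0]


class BurstDetector:
    """Rate monitor over a sliding window of `window_s` seconds.

    Two triggers: a global request rate (volumetric floods) and a much lower
    per-path rate for endpoints known to be CPU/I-O intensive, since the
    article notes 30-50 req/s against such a resource can paralyse a target.
    """

    def __init__(self, window_s=10, global_rps=100.0, heavy_paths=(), heavy_rps=30.0):
        self.window_s = window_s
        self.global_rps = global_rps
        self.heavy_paths = set(heavy_paths)
        self.heavy_rps = heavy_rps
        self.events = deque()              # (t, path) for requests inside the window
        self.path_count = defaultdict(int)  # per-path count inside the window
        self.active = False                 # are we currently in an alert state?
        self.alerts = []                    # (kind, t, reason)

    def feed(self, t, path):
        self.events.append((t, path))
        self.path_count[path] += 1
        # Evict requests that fell out of the window.
        while self.events and self.events[0][0] <= t - self.window_s:
            _, old_path = self.events.popleft()
            self.path_count[old_path] -= 1
        total_rps = len(self.events) / self.window_s
        hot = sorted(p for p in self.heavy_paths
                     if self.path_count[p] / self.window_s >= self.heavy_rps)
        under_attack = total_rps >= self.global_rps or bool(hot)
        if under_attack and not self.active:
            self.active = True
            if total_rps >= self.global_rps:
                reason = f"global rate {total_rps:.0f} req/s"
            else:
                rate = self.path_count[hot[0]] / self.window_s
                reason = f"heavy path {hot[0]} at {rate:.0f} req/s"
            self.alerts.append(("start", t, reason))
        elif not under_attack and self.active:
            self.active = False
            self.alerts.append(("end", t, f"rate back to {total_rps:.1f} req/s"))


def constructed_log(seconds=120, burst=range(60, 80), burst_rps=50):
    """Constructed traffic, not real data: 2 req/s of ordinary browsing for two
    minutes, plus a 20-second burst of 50 req/s against /search (assumed heavy)."""
    base = datetime(2014, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for s in range(seconds):
        stamp = (base + timedelta(seconds=s)).strftime(TIME_FMT)
        for path in ("/", "/about"):
            lines.append(f'198.51.100.{s % 200 + 1} - - [{stamp}] "GET {path} HTTP/1.1" 200 1532')
        if s in burst:
            for k in range(burst_rps):
                lines.append(f'203.0.113.{k + 1} - - [{stamp}] "GET /search?q={k} HTTP/1.1" 200 512')
    return lines


def detect(lines, window_s=10, heavy_paths=("/search",)):
    """Run the detector over log lines; return (kind, seconds_since_first_line, reason)."""
    det = BurstDetector(window_s=window_s, heavy_paths=heavy_paths)
    t0 = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # skip unparseable lines rather than crash
        t, _ip, path = rec
        t0 = t if t0 is None else t0
        det.feed(t, path)
    return [(kind, t - t0, why) for kind, t, why in det.alerts]


if __name__ == "__main__":
    log = constructed_log()
    for w in (10, 5, 3):
        # Burst starts at second 60; shorter windows raise the alarm sooner.
        print(f"window={w:2d}s", detect(log, window_s=w))
```

With the 10-second window the `/search` burst that begins at second 60 is only flagged at second 65, once 300 requests to that path are in the window; the 5-second and 3-second windows flag it at seconds 62 and 61. Against a 20-minute burst a delay of several seconds is tolerable, but a mitigation service that needs minutes to engage would miss most of it, which is the gap the article describes. The per-path trigger fires while the global rate is still around 32 req/s, far below any volumetric threshold.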

The defense against DDoS attacks must be carefully organized, and all the factors explained above must be carefully evaluated, classifying traffic and identifying anomalies in its patterns.

Pierluigi Paganini

(Security Affairs –  Hit and Run, Cybercrime)