October 22, 2013, 11:51 AM — The number of DDoS (distributed denial-of-service) attacks that target weak spots in Web applications in addition to network services has risen during the past year and attackers are using increasingly sophisticated methods to bypass defenses, according to DDoS mitigation experts.
Researchers from Incapsula, a company that provides website security and DDoS protection services, recently mitigated a highly adaptive DDoS attack against one of its customers that went on for weeks and combined network-layer with application-layer -- Layer 7 -- attack techniques.
The target was a popular trading site that belongs to a prominent player in a highly competitive online industry and it was one of the most complex DDoS attacks Incapsula has ever had to deal with, the company's researchers said in a blog post.
The attack started soon after an ex-partner left the targeted company and the attackers appeared to have intimate knowledge of the weak spots in the target's infrastructure, suggesting that the two events might be connected, the researchers said.
The attack began with volumetric SYN floods designed to consume the target's bandwidth. It then progressed with HTTP floods against resource intensive pages, against special AJAX objects that supported some of the site's functions and against Incapsula's own resources.
The attackers then switched to using DDoS bots capable of storing session cookies in an attempt to bypass a mitigation technique that uses cookie tests to determine if requests come from real browsers. The ability to store cookies is usually a feature found in full-fledged browsers, not DDoS tools.
As Incapsula kept blocking the different attack methods, the attackers kept adapting and eventually they started flooding the website with requests sent by real browsers running on malware-infected computers.
"It looked like an abnormally high spike in human traffic," the Incapsula researchers said. "Still, even if the volumes and behavioral patterns were all wrong, every test we performed showed that these were real human visitors."
This real-browser attack was being launched from 20,000 computers infected with a variant of the PushDo malware, Incapsula later discovered. However, when the attack first started, the company had to temporarily use a last-resort mitigation technique that involved serving CAPTCHA challenges to users who matched a particular configuration.
The company learned that a PushDo variant capable of opening hidden browser instances on infected computers was behind the attack after a bug in the malware caused the rogue browser windows to be displayed on some computers. This led to users noticing Incapsula's block pages in those browsers and reaching out to the company with questions.