Understanding the Escalating Threat of Web DDoS Tsunami Attacks
By Uri Dorot, Senior Security Solutions Lead at Radware
Whether it’s hacktivists conducting cyberwarfare or ransom-seeking criminals targeting vulnerable firms in financial services, retail, energy, or transportation, a new breed of destructive distributed denial of service (DDoS) attack – the Web DDoS Tsunami – is wreaking havoc around the world. These attacks aren’t settling for intense (but transient) bursts of simple pings or flooding ports at layer 3 or layer 4. Instead, they’re scaling up in volume and intensity. Think: millions of encrypted requests per second (RPS) at layer 7 (L7). To understand Web DDoS Tsunami attacks, let’s consider four basic dimensions:
- Attack volume – The past few months have seen several attacks with RPS rates reaching 10 million – a dramatic escalation. This rise in Web DDoS Tsunamis can quickly overwhelm traditional web application firewalls (WAF) and DDoS protection solutions. What’s more, sophisticated and expensive L7 infrastructures present greater challenges when it comes to mitigating these attacks. Only high-capacity L7 entities (web proxies and others) and highly architected and ruggedized protection infrastructures can successfully withstand and defend against these attack volumes.
- Attack duration – While some infamous ultra-high RPS (millions) attacks have lasted less than a minute, other recent Web DDoS Tsunami attacks have continued for many hours or even days across multiple attack waves. In many instances, the attack erupts into “full power” in less than 10 seconds. Imagine an unprotected website suddenly seeing 500,000 or 1 million RPS in less than 10 seconds. Short, aggressive attacks are often used to demonstrate what the attacker is capable of—acting as a “ransom threat message.”
- Type of botnet – The botnets that launch Web DDoS Tsunamis can be characterized along several dimensions. First, consider the botnet’s size—the number of unique IPs from which the attacking transactions originate, which can range from thousands to hundreds of thousands from locations around the world. These IPs can be assigned to numerous autonomous system numbers (ASNs) that are typically owned by service providers. During a Web DDoS Tsunami, each attacking IP generates RPS levels that are similar to, higher than, or lower than RPS levels from legitimate clients. Unfortunately, your “top talker” IPs (the IPs with the highest RPS) may not be the attackers, and rate-limiting those source IPs with high RPS levels can yield unacceptable levels of false positives—which only plays into the attacker’s objective. In some cases, attackers generate Web DDoS Tsunami attacks from a large number of botnets that generate very low RPS volumes to evade simple defenses, such as rate limiting.
Botnets also use source IPs that are assigned to or owned by various sources and public proxies (e.g., an open proxy, an anonymous proxy, or an open VPN) to hide their true identities. In addition, attacker IPs can also belong to legitimate residential subscribers, cloud providers, web-hosting providers, or sometimes, IoT devices. A mitigation strategy based solely on analysis of IP addresses will likely lead to unwanted false negatives. Sometimes, hackers conduct coordinated attacks on a single victim. Multiple types of attacker IP addresses and high volumes of RPS can appear within a single attack, and these are exceedingly difficult to untangle.
- Type of attack transactions – Hackers can structure a web DDoS HTTP request in a wide variety of ways. In a very simple case, a Web DDoS Tsunami starts with a simple HTTP request that is transmitted or replicated in high volume, such as a simple HTTP GET to “/” along with a very basic set of HTTP headers, such as Host and Accept. These transactions appear legitimate, so it’s unlikely the attack can be mitigated by a WAF or other traditional means. On the other hand, you might simply block or filter this specific single transaction before it is delivered, mitigating the attack. However, in a Web DDoS Tsunami, attackers avoid this by building more complex and genuine transactions. Also, they rely heavily on randomization. Attackers craft more realistic and legitimate transactions that contain a set of legitimate-looking query arguments, HTTP headers, User-Agent and referrer headers, web cookies, and more. The attack requests employ various HTTP methods (such as POST, PUT, and HEAD) and are directed to a number of paths within the protected application. Many attributes of the transactions are continuously randomized, rendering simple mitigation strategies unfeasible. There is no simple, pre-defined signature or rule-based mechanism to mitigate attacks because the requests appear legitimate and do not indicate malicious intent.
What’s more, even when the traffic is decrypted, it still looks legitimate. Web DDoS Tsunami attackers use sophisticated techniques to bypass traditional application protections, and they change their attack pattern during the attack or use several attack request structures simultaneously. And when attacks are launched by several orchestrated botnets with different simultaneous strategies, you’re facing millions of distinct transactions, all of which appear legitimate. Imagine a 3 million RPS attack with 1% false negatives. Many online assets will be unable to survive.
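The rate-limiting point made in the botnet discussion above can be checked numerically. The following Python sketch is an added example, not taken from the original article or from Radware; the traffic mix (client counts, per-IP rates, the 192.0.2.x NAT gateways, the 100.64.x.x bot range) is constructed for illustration.

```python
from collections import Counter

def build_window():
    """Constructed one-second window of (source_ip, is_attack) request records."""
    reqs = []
    for i in range(300):      # ordinary clients, 1-3 requests per second each
        reqs += [(f"10.0.{i // 250}.{i % 250}", False)] * (1 + i % 3)
    for i in range(2):        # legitimate "top talkers": NAT gateways, 150 RPS each
        reqs += [(f"192.0.2.{i + 1}", False)] * 150
    for i in range(20000):    # bots: 2 RPS each, 40,000 RPS in aggregate
        reqs += [(f"100.64.{i // 256}.{i % 256}", True)] * 2
    return reqs

def rate_limit(reqs, max_rps):
    """Block every source IP whose request count in the window exceeds max_rps."""
    per_ip = Counter(ip for ip, _ in reqs)
    blocked = {ip for ip, n in per_ip.items() if n > max_rps}
    legit = sum(1 for _, is_attack in reqs if not is_attack)
    attack = len(reqs) - legit
    # Legitimate requests dropped because their source IP was blocked
    legit_blocked = sum(1 for ip, a in reqs if not a and ip in blocked)
    # Attack requests that still reach the origin
    attack_passed = sum(1 for ip, a in reqs if a and ip not in blocked)
    return {
        "blocked_ips": len(blocked),
        "false_positive_rate": legit_blocked / legit,
        "false_negative_rate": attack_passed / attack,
        "attack_rps_reaching_origin": attack_passed,
    }

if __name__ == "__main__":
    window = build_window()
    # Sweep the per-IP limit from a typical value down to the bots' own rate
    for limit in (50, 2, 1):
        print(limit, rate_limit(window, limit))
```

With this mix, a 50 RPS per-IP limit blocks only the two NAT gateways while every attack request passes, and the limit has to drop to 1 RPS before any bot is caught, at which point most legitimate requests are blocked as well.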
Protect Against Disruptive Web DDoS Tsunami Attacks
Traditional network-based DDoS protection and WAF solutions are no longer able to protect against the new Web DDoS Tsunamis. A proper defense requires an L7, behavioral-based solution that can adapt in real time, scale to a magnitude higher than an on-premises solution, and identify attacking requests without blocking legitimate traffic. That detection requires decryption and deep inspection into L7 traffic headers, which network-based DDoS protection solutions are unable to provide. At the same time, WAFs that rely on signature-based protections are ill-equipped to deal with the randomized, dynamic sophistication of Tsunamis.
What’s the right response? Instead of a volumetric approach that doesn’t distinguish between good and bad traffic, the proper solution must accurately distinguish between legitimate traffic surges and malicious attack traffic by combining behavioral-based, automated algorithms with high-scale infrastructure to accurately respond to high-RPS Tsunami attacks. More specifically, the solution should automatically:
- Minimize false positives – Dedicated behavioral-based algorithms quickly and accurately detect and block L7 DDoS attacks without interrupting legitimate traffic.
- Prevent advanced threats and zero-day attacks – The solution should protect against a wide range of L7 DDoS threats, including smaller-scale, sophisticated attacks; new L7 attack tools and vectors; and large-scale, sophisticated Web DDoS Tsunami attacks.
- Adapt protection immediately – You want to leverage behavioral analysis and real-time signature generation to immediately detect HTTPS floods and continuously adapt the mitigation in real time to prevent downtime.
- Provide consistent protection – An automated, fully managed solution helps you block sophisticated attacks consistently across all applications and environments.
Protecting against Tsunami attacks isn’t an easy or straightforward task. Web DDoS Tsunami protection solutions must cope with and absorb an ultra-steep increase in the incoming load, be ready to hold this volume for diverse periods of time, and do it in an efficient and cost-effective way—all while keeping online assets safe and available.
About the Author
Uri Dorot is a Senior Security Solutions Lead at Radware, specializing in application protection solutions, service and trends. With a deep understanding of the cyber threat landscape, Uri helps companies bridge the gap between complex cybersecurity concepts and real-world outcomes. Uri joined Radware in 2021, bringing with him years of experience working with leading companies in the cyber domain.
Uri can be reached online at:
X: @radware
LinkedIn: https://www.linkedin.com/company/radware/
Company website: http://www.radware.com