In October of 2016 the Mirai botnet came thundering onto the internet landscape. A digital Godzilla, a DDoS King Kong, this Internet of Things-powered behemoth began smashing DDoS attack records, online powerhouses like Reddit, Etsy, Spotify, CNN and the New York Times crumbling under its fists.

When the dust had settled, and services had been restored, one thing seemed certain: a new era of DDoS attacks was upon us. Mirai was terrifying as a botnet but even worse as a harbinger. IoT botnets would get bigger, we were told, attacks would reach unimaginable sizes, experts were even predicting a DDoS-caused 24-hour internet outage in 2017. The internet braced for impact…an impact that did not come.

Until now.

The calm and then the storm

Through most of 2017, the distributed denial of service or DDoS trends were dominated by the short-burst and low-volume attacks that are the hallmarks of cheap DDoS for hire services. These attacks could spell trouble for unprotected sites and mom and pop shops with DIY mitigation, but for anyone with actual DDoS protection, these weak attempts warranted a shrug, if that.

The rumblings continued, however. Whispers about the Persirai botnet being smarter than Mirai, the Reaper botnet bigger, armies of routers and CCTV camera systems preparing to unleash mayhem like we’d never seen. The longer the lull, the more nerve-wracking it became. When at last the next frontier of distributed denial of service assaults arrived it was the stuff cybersecurity nightmares are made of. However, it was completely different from what was expected.

A wave of panic

The next chapter in the ongoing DDoS saga struck in the third quarter of 2017. Instead of an attack big enough to send shockwaves across the internet, it was a different kind of wave first detected by DDoS protection provider Incapsula—an entirely new DDoS attack strategy.

Incapsula has dubbed this new attack type the pulse wave attack, and in it, attackers use a single botnet to launch a number of concurrent assaults. They hit one target with a blast of traffic big enough to clog the network, then switch to the next target, doing the same thing until they’ve hit everyone on the list. They then circle back to blast each target again with the waves hitting at regular intervals.

In a word, this is ingenious. By using one botnet for multiple attacks, it eliminates the botnet warm-up period that allowed for many successful mitigation strategies to take hold before the attack could reach its peak. With the botnet hitting targets on the fly, attacks are always at their peak. Furthermore, this attack type appears to have been specifically created to stymy appliance-first cloud hybrid mitigation solutions, as the immediate clogging of the network prevents the appliance from activating the cloud scrubbing server. From what Incapsula has observed, these attacks have been cunningly aimed at high-value targets in fintech and online gaming.

Like the massive Mirai attacks before them, the pulse wave attacks are worse as a predictor of what’s to come than they are as standalone assaults. The ingenuity and intentionality of the pulse wave attacks signify that while they may have been content to let the amateurs have their DDoS fun for a while, the professional attackers are back, and they mean business. This is further evidenced by Incapsula’s finding that in the third quarter of 2017, 70.2% of targets were slapped with a multi-vector attack—an increase of over 48% from the second quarter.

The braced-for impact

The attackers who are back in charge of the DDoS scene weren’t willing to wait another year to introduce their next checkmate. Just as many website owners and cybersec professionals began to worry about craftier, purpose-driven attacks, the unfathomably massive attacks that had been anticipated in the wake of Mirai smashed their way onto the internet. In late February a 1.35 Tbps attack hit software development platform Github, besting the record 1.2 Tbps Mirai attack. This record stood for a matter of days until a 1.7 Tbps attack was hurled at an unnamed target.

These bigger attacks, surprisingly, did not come courtesy of the biggest-ever IoT botnets. The professional attackers are back, remember, and even their burly network-layer attacks are brilliant. The two most recent record-breakers instead used a new amplification technique: sending UDP packets to public-facing Memcached servers, which are servers that store huge amounts of data in order to speed up page load time. The UDP packets spoofed the IP of the targets and requested a huge amount of data, all of which was sent to the targets. Using Memcached servers, attackers can amplify their attacks by a factor of at least 9000. In the case of the 1.7 Tbps assault, the attack was amplified by 51,000.

The good news is that in 2018, leading DDoS mitigation services are capable of handling attacks of this size. That good news isn’t so good for anyone who doesn’t have leading DDoS mitigation, however.

The road ahead

With the distributed denial of service events of the last six months it’s almost quaint to think we were once simply worried about really big botnets. Now we know we need to be worried about really big botnets, crafty new attack types, novel amplification techniques and whatever else all those professional attackers have planned in order to rake in the big bucks on the dark web.

A patch disabling the UDP protocol on Memcached servers was issued, and this is helping to chip away at this amplification technique. If we’ve learned anything from the past half-year, however, it’s that the next DDoS development is probably already on its way and all we can truly expect is the unexpected.