Sponsored: How to expose the hidden threat of Web DDoS Tsunami attacks
By Eva Abergel, security solutions lead at Radware
01 March 2025
DDoS attacks are often characterised as overwhelming network servers with large volumes of traffic. However, the latest go-to technique used by a growing number of bad actors is to target the application layer with an aggressive new type of HTTP Flood attack—also known as the Web DDoS Tsunami attack.
Unlike their predecessors, Web DDoS Tsunamis aren’t settling for intense (but transient) bursts of simple pings, or flooding ports at layer 3 or layer 4. Instead, they’re bombarding layer 7 (L7) and scaling up in volume and intensity. The real-world attacks involve multiple waves, escalate quickly - sometimes reaching several million requests per second (RPS) - last for hours, and span days. To make matters even more challenging for security teams, Tsunamis cleverly avoid detection by disguising themselves as legitimate traffic and employing tactics like randomising headers and IP spoofing.
A real-world story
Recently, Radware observed firsthand the volumetric and persistent nature of Web DDoS Attacks during an incident at a major insurance company. The insurance company experienced several large-scale attack waves, reaching hundreds of thousands of RPS, with multiple waves peaking at more than one million RPS. The largest assault reached 2.5 million RPS. The attacks far surpassed the company’s typical traffic rate of several hundred RPS, overwhelming its application infrastructure and disrupting operations.
To make the situation even more complicated, some of the attack waves combined network-layer volumetric attacks, exceeding 100 Gbps in data volume. The attack vectors included Web DDoS Tsunami attacks, DNS floods, DNS amplification attacks, UDP floods, UDP fragmentation attacks, NTP floods, ICMP floods, and more.
One of the attacks, represented in the following chart, consisted of multiple waves during a three-hour period, with several peaks reaching one million RPS and multiple spikes topping 2.5 million RPS.
How to defend against a Web DDoS Tsunami attack
Companies using traditional defence tools are falling victim to Web DDoS attacks, leaving them wondering why their existing solutions are faltering. Detecting Web DDoS attacks requires decryption and deep inspection of the L7 traffic headers, which network-based DDoS protection solutions weren’t built to do. Standard on-prem or cloud-based web application firewalls (WAFs) fail to keep up with the attacks’ scale and randomisation. And rate-limiting techniques have a major negative effect on legitimate traffic.
So, what’s the right response to high RPS Tsunami attacks? Instead of a volumetric approach that doesn’t distinguish between good and bad traffic, Radware recommends a solution that automatically:
• Minimises false positives – Dedicated AI-driven, behaviour-based algorithms are needed to quickly and accurately detect and block L7 DDoS attacks without interrupting legitimate traffic.
• Prevents advanced threats and zero-day attacks – The solution should protect against a wide range of L7 DDoS threats, including smaller-scale, sophisticated attacks; new L7 attack tools and vectors; and large-scale, sophisticated Web DDoS Tsunami attacks.
• Adapts protection immediately – The solution should leverage behavioural analysis and real-time signature generation to immediately detect HTTP floods and continuously adapt the mitigation to prevent downtime.
• Provides consistent protection – An automated, fully managed solution helps block sophisticated attacks consistently across all applications and environments.
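As an added illustration (not Radware’s code or method), the following Python sketch shows why behavioural detection with a generated signature beats blanket rate limiting: it baselines RPS, flags seconds where the rate jumps and User-Agent headers look randomised, then derives a rule that drops the flood while leaving known-browser traffic untouched. All traffic, thresholds and header values are constructed assumptions.

```python
import math
import random
from collections import Counter, defaultdict

def constructed_sample(seed=0):
    # Constructed records, not real data: (second, src_ip, path, user_agent).
    # Seconds 0-5 carry ~300 RPS of normal traffic; seconds 4-5 add a
    # 5,000 RPS HTTP flood with randomised User-Agents and spoofed sources.
    rng = random.Random(seed)
    uas = ["Mozilla/5.0 (X11)", "Mozilla/5.0 (Windows)", "Mozilla/5.0 (Mac)"]
    paths = ["/", "/quote", "/login", "/static/app.js"]
    recs = []
    for sec in range(6):
        for _ in range(300):
            ip = f"10.0.{rng.randint(0, 3)}.{rng.randint(1, 50)}"
            recs.append((sec, ip, rng.choice(paths), rng.choice(uas)))
    for sec in (4, 5):
        for _ in range(5000):
            ip = ".".join(str(rng.randint(1, 254)) for _ in range(4))
            ua = "Mozilla/5.0 (" + "".join(rng.choices("abcdefghij", k=12)) + ")"
            recs.append((sec, ip, "/quote", ua))
    return recs

def shannon_entropy(values):
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def detect_flood(recs, baseline_rps, factor=5.0, entropy_threshold=4.0):
    # Flag a second only if the rate exceeds factor*baseline AND the
    # User-Agent mix is far more diverse than a real browser population.
    by_sec = defaultdict(list)
    for r in recs:
        by_sec[r[0]].append(r)
    flagged = {}
    for sec, rows in sorted(by_sec.items()):
        ua_entropy = shannon_entropy([r[3] for r in rows])
        if len(rows) > factor * baseline_rps and ua_entropy > entropy_threshold:
            flagged[sec] = {"rps": len(rows), "ua_entropy": round(ua_entropy, 2)}
    return flagged

def build_signature(recs, flagged_sec, learning_secs):
    # Real-time signature: dominant path in the flagged window, combined with
    # "User-Agent never observed during the learning period".
    known_uas = {r[3] for r in recs if r[0] in learning_secs}
    window = [r for r in recs if r[0] == flagged_sec]
    path = Counter(r[2] for r in window).most_common(1)[0][0]
    return {"path": path, "known_uas": known_uas}

def matches(rec, sig):
    # True when the signature would drop this request; known browsers pass.
    return rec[2] == sig["path"] and rec[3] not in sig["known_uas"]
```

Unlike a per-second rate limit, which would also discard the legitimate requests that arrive during the flood window, the derived signature blocks only the anomalous traffic.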
Organisations can no longer take for granted that standard WAFs or network-based DDoS mitigation will provide adequate cyber protection. Today’s Web DDoS Tsunamis demand a more proactive and adaptive approach to cybersecurity. Without it, organisations are simply being overwhelmed and outmanoeuvred by more emboldened threat actors with more aggressive attack plans.