An unusually large distributed denial-of-service (DDoS) attack that targeted a China-based lottery website and consumed a bandwidth of 8.7 gigabits per second, used a rare and “ginormous” HTTP POST flood that peaked at 163,000 RPS (requests-per-second), Senior Inbound Marketing Manager for Incapsula Igal Zeifman said in an April 5 blog post.
The attack vector of POSTing or uploading large files is “quite novel”, Imperva Senior Security Researcher Ofer Gayer told SCMagazine.com via email comments.
“The attackers obviously did their homework and found that the website generally accepted large POSTs to the server,” Gayer said.
He added that flooding a server with a “new form” of traffic itself along may be sufficient to bypass certain security measures.
Gayer said the attack targeted the “soft spot” of many platforms that use hybrid DDoS protections solutions.
“They rely on the on-premise hardware to filter out HTTP traffic, and by targeting the on-prem's bandwidth bottleneck, attackers succeed in DDoSing the website,” he said.
To safeguard against these kinds of attacks, Gayer said, firms will either need to lease unnecessary upstream capacity or use a cloud-based solution for application security.
It's unclear who is behind the attack or what their motivation was.
“It doesn't fit the normal attack pattern of that botnet, so I would speculate it's either someone who is trying to build a unique DDoS-for-hire service, or a ‘hired gun' who created this new special method that he found bypasses a lot of standard security measures,” Gayer said.