Radware suspects the two attacks it observed may have been exploratory, to see how it stacks up to defenses.
Radware suspects the two attacks it observed may have been exploratory, to see how it stacks up to defenses.

Radware announced a new finding in the world of distributed denial-of-service (DDoS) attacks on Wednesday after researchers observed a type of SYN flood that the security company is calling a “Tsunami SYN Flood Attack.”

The Tsunami SYN Flood Attack stands out because it contains about 1,000 bytes per packet, whereas a typical SYN flood contains approximately 40 to 60 bytes per packet, Adrian Crawley, Radware regional director for the UK, told SCMagazine.com in a Thursday email correspondence. According to the Wednesday post, the attack is not UDP-based and is instead carried out over TCP protocol.

"Normally the SYN package is a simple handshake mechanism with a very low data footprint,” Crawley said. “It appears that hackers have found a way to add content to it – up to 1,000 bytes, or 25 times more data per handshake. This is allowed based on TCP RFC, but it is not common practice simply to avoid latency during the initial handshake. But because it is allowed by RFC, hackers can add data – this could be any random data – to the application which requested the initial SYN handshake.”

Radware observed the Tsunami SYN-Flood Attack against an ISP provider and a data center for a gaming company and mitigated the DDoS using its technologies, Crawley said. According to the post, the attacks experienced pulses of about 4 to 5 Gbps in attack traffic.

“It's possible that this Tsunami SYN Flood was orchestrated by using bot-machines – when a hacker gains unauthorized access to a number of computers,” Crawley said. “An attacker does not have 100 [percent] control over each machine that generates traffic, so as more “bots” were being accessed in the attack, [it] could account for the pulses of attack traffic, rather than a constant stream.”

Being a TCP volumetric flood, the Tsunami SYN Flood will not be mitigated by defenses similar to a UDP-based attack, the post indicates, adding that most typical TCP-based SYN cookie-type protections are not effective.

“An attack like this cannot be mitigated on premise alone,” Crawley said. “Behavioral algorithms are key in both detecting and mitigating these threats, along with implementing a hybrid model of cloud and on-premise mitigation.”

Radware suspects this type of threat will be a new trend in DDoS attacks.

“This is a classic case of cyber-attackers looking at the types of attack tools out there, reinventing it, and deploying it out in the wild to test its effectiveness,” Crawley said. “These two attacks could have been “exploratory” to see how it stacks up to their cyber-defenses. I am sure this will not be the last time we see a Tsunami SYN Flood used as a volumetric attack in the near future.”