Tsunami SYN Flood Attack – A New Trend in DDoS Attacks?

Over the past week Radware’s Emergency Response Team (ERT) detected a new type of SYN flood which is believed to be specially designed to overcome most of today’s security defenses with a TCP-based volume attack. Within a 48-hour period two different targets in two different continents were targeted with this new technique and have experienced very high attack volumes.

As a background, a normal SYN packet is characterized with about 40-60 bytes per packet.  The new attack type departs from the typical make up of a SYN packet by transmitting very large packet sizes which complicate and defeat many defense algorithms.  This new SYN-Flood is extremely different in that it is characterized as being approximately 1000 bytes per packet in size and its attack can hit an entire network range.  

Attacks with these dimensions to them quickly consume bandwidth and thus far even these modest timed attacks were witnessed experienced pulses of about 4-5Gbps in attack traffic. This new type of attack has the ability to saturate the internet pipe of its victim faster than most attack types we’ve witness beforehand.  We have aptly named this new volumetric flood “Tsunami SYN-Flood Attack.”

What have we learned?

What makes this new attack interesting is we’ve found a new method in the wild that carries a tsunami-like volumetric attack over the TCP protocol. Normally, when a perpetrator was to pick a weapon for massive volume, they would need to settle on a UDP-based algorithm as the stateless nature of this technology and small sized packets are perfect for volumetric attacks such as DNS, NTP and CHARGEN reflected floods. In this new case, attackers have designed a volumetric attack based on TCP or stateful-protocols which can present a brand new danger. This new danger is that  with a TCP volumetric flood on a web server, a victim will not be able to deploy defenses similar to UDP-based attack to mitigate it.