2014-12-May-Attack-of-the-DDos-Protection-ServicesForget about engaging content and brilliant marketing. Neither of those things matter if your website falls victim to a distributed denial-of-service (DDoS) attack.

DDoS attacks sabotage corporate websites to make them unavailable to legitimate visitors. Researchers at Incapsula, a cloud-based website security and performance service, said DDoS attacks are getting stronger, faster, bigger and smarter. 

And here's the really scary part: The very DDoS protection service you contracted to guard your website just might be responsible for destroying your site — or someone else's site.

Like a zombie apocalypse that transforms cherubic kindergarten teachers into rapid killers — or an angry 50-foot tall woman — nothing is more frightening than the unexpected. The team at Incapsula discovered that first hand recently when they traced yet another DNS DDoS attack on a B2B business ... and found it originated with two DDoS protection services.

Sneak Attack

Marc Gaffan, Incapsula’s co-founder and Chief Business Officer, told CMSWire today that the DNS DDoS attack was enormous, peaking at 25 million packets per second (Mpps). "It stood out to Incapsula’s researchers because many of the DNS queries held non-spoofed IP data, which is typically uncommon," he explained.

"Interestingly enough, in this specific case, the DNS queries held non-spoofed IP data that allowed us to uncover the attacker’s true points of origin. When we did, we were surprised to learn that the malicious requests were originating from servers of two other anti-DDoS service providers – one based in Canada, the other in China. All told, these were hitting our network with 1.5 billion DNS queries a minute, amounting to over 630 billion requests during the course of the seven hour DDoS attack."

If data isn't your first language, just remember this: the attack generated a huge amount of traffic.


We've told you about several potentially serious DDoS attacks recently, including one in which hackers used a novel technique to get thousands of online video viewers to unwittingly bombard a B2B website with junk traffic. Although early bets were on YouTube.com and Xvideos.com, the attack was ultimately traced to Sohu.com, China’s eighth largest website and the 27th most visited website in the world.

Then we explained how hackers can apparently exploit vulnerabilities in Facebook and Google to perform DDoS attacks on target websites.

Now this.

With multiple reports coming from different directions, and with several large scale attacks on our own infrastructure, we are now convinced that what we are seeing here is an evolving new trend — one that can endanger even the most hardened of network infrastructures," Gaffan said.

The Threat Landscape 

There are basically two types of DDoS attacks: The first takes place at the application layer (Layer 7) and the second at the network layer (Layer 3 and 4).

At the network layer, attacks bring down a website or SaaS application by overwhelming network and server resources, causing downtime and blocking responses to legitimate traffic. Application-layer attacks target applications, making them especially worrisome for SaaS application providers. These attacks mimic legitimate user traffic to bypass barebone anti-DDoS solutions and crash the web server.

In the past 15 months or so, Incapsula researchers report a rapid increase in network DDoS attack volumes. Almost one in every three attacks today exceed 20 Gigabits per second (Gbps), which was the peak attack volume just a year ago. Some exceed 100 and 200 Gbps.

Blame it on new attack methods (NTP Amplification and Large SYN floods) and also by the development of Internet and specifically cloud infrastructures.

In its annual threat landscape report, issued earlier this year, Incapsula noted "the perpetrators are looking to raise the stakes even higher by introducing new capabilities, many of which are specifically designed to abuse the weaknesses of traditional anti-DDoS solutions."