Dry Lighting Cracks against the Cloud: The Rise of the Advanced Persistent DoS (APDoS)

By Carl Herberger, VP Security Solutions, Radware


So, let’s say you are up to no good and motivated to attack somebody or some organization.

After somewhat thoughtful considerations you decide you are going to launch a cyberattack to render your victim unavailable or to extort some sort of action or ransom.

However, you have a big problem to solve how do you get around today’s most popular Cloud Security Scrubbing Businesses?

Well, as the attacks on ProtonMail have demonstrated this week, change the profile of the attacks frequently and leverage a persistent and advanced tactic of revolving attacks geared to dumbfound detection algorithms.  This is called APDoS.

How does this work?  The concept is really quite simple.   It’s akin to the way bomber aircraft would jam radar systems many years ago.   If you premise is that you are going to be detected, then change the premise.    Present the detecting organization with so many targets of so many different types that it’s nearly impossible to detect them all, and more importantly, to mitigate them in a high enough quality not to effect legitimate traffic.

Let’s look closer at what Wikipedia defines APDoS as:

“APDoS is more likely to be perpetrated by actors who are well resourced, exceptionally skilled and have access to substantial commercial grade computer resources and capacity. APDoS attacks represent a clear and emerging threat needing specialised monitoring and incident response services and the defensive capabilities of specialised DDoS mitigation service providers. This type of attack involves massive network layer DDoS attacks through to focused application layer (HTTP) floods, followed by repeated (at varying intervals) SQLI and XSS attacks. Typically, the perpetrators can simultaneously use from 2 to 5 attack vectors involving up to several tens of millions of requests per second, often accompanied by large SYN floods that can not only attack the victim but also any service provider implementing any sort of managed DDoS mitigation capability. These attacks can persist for several weeks.”

Now, if you digest this and take a look at the types of attacks, it’s clear that APDoS would require a lot of varied technology to stop the nature of network floods, HTTP application-level DDoS and encrypted threats.   Moreover, the case of Protonmail, we are now seeing the problem manifest to SMTP attacks (somewhat new vector) and secure-SMTP such as TLS over SMTP.

Many companies who have procured DDoS solutions have no thought about the threat from a broader spectrum such as SMTP or FTP and secure variants such as those.

In fact, Wikipedia gives us more to think about in as the go on, “Attackers in this scenario may (or often will) tactically switch between several targets to create a diversion to evade defensive DDoS countermeasures but all the while eventually concentrating the main thrust of the attack onto a single victim. In this scenario, threat actors with continuous access to several very powerful network resources are capable of sustaining a prolonged campaign generating enormous levels of un-amplified DDoS traffic.”

So what’s a company to do?   Well first understand the threat and then make certain you have protections (e.g. high caliber detection and mitigation) from the variants.

Wikipedia suggest that APDoS attacks are characterised by the following:

  • “Advanced reconnaissance (pre-attack OSINT and extensive decoyed scanning crafted to evade detection over long periods)
  • Tactical execution (attack with a primary and secondary victims but focus is on Primary)
  • Explicit motivation (a calculated end game/goal target)
  • Large computing capacity (access to substantial computer power and network bandwidth resources)
  • Simultaneous multi-threaded ISO layer attacks (sophisticated tools operating at layers 3 through 7)
  • Persistence over extended periods (utilising all the above into a concerted, well managed attack across a range of targets)”

The task is clearly daunting and real. As the next generation of DDoS threatsemerge we must be very diligent and proactive.I believe that companies need to rise above the normal corporate culture of security controls and become obsessive about removing risks and compulsive about action. After all, these organizations may literally be holding life and death decisions in their hands – and this makes their actions rather profound and very unique.