Cloud technologies make it easier to mitigate most forms of DDoS attacks. But threat actors are adapting, and a growing number of threats are designed to be effective specifically against cloud architectures. One of them—the so-called “yo-yo attack”—is gaining in popularity, and it’s important to understand it. Fortunately, once you understand how it works, it can be mitigated.
Conventional DDoS versus Cloud Architectures
Most DDoS (Distributed Denial of Service) attacks are volumetric. The attacker sends a large volume of traffic to the targeted site, attempting to overwhelm it and make it unavailable to its intended users.
These attacks can be very effective against traditionally hosted web applications, but are less so against cloud architectures. The cloud is inherently resistant to volumetric DDoS, for several reasons.
First, cloud applications are (almost always) load balanced. Incoming traffic is distributed evenly across multiple endpoints, so individual backend servers cannot be overwhelmed until the volume of traffic approaches the capacity of the entire network.
Also, cloud load balancers (almost always) can autoscale reactively. They monitor the current usage of backend resources, and as more are needed, they are brought online automatically. Unlike an on-premises environment, cloud resources are virtually unlimited. It is very difficult for an attacker to marshal sufficient bandwidth to take down a site under these circumstances.
Lastly, cloud architectures make it straightforward to deploy a web security platform such as Reblaze between the load balancers and the backend network. Incoming traffic can be scrubbed before it reaches the destination endpoints. And because Reblaze runs in cloud instances, it too is load-balanced and autoscaled, so that there is always sufficient processing power to block hostile traffic with near-zero latency.
Threat Actors Adapt
Hostile actors are adjusting their tactics to the realities posed by the cloud. One approach is to use amplification and reflection techniques to launch attacks at massive scales never seen before. For example, in the first quarter of 2020 AWS mitigated a DDoS attack that hit a record-shattering 2.3 Tbps.
Others are trying different tactics. An interesting approach that is becoming more popular has become known as the “yo-yo attack.”
The Yo-Yo Attack
This attack attempts to leverage the strength of the cloud against an organization that uses it. Specifically, the attacker tries to use reactive autoscaling to ensure that the victim deploys, and pays for, excessive resources.
The attack begins when the perpetrator sends the victim a massive wave of DDoS traffic. The victim’s system reacts by autoscaling and deploying more resources to handle the anticipated workload.
At that point, the attacker turns off the DDoS. But—and this is a key point—the reactive autoscaler does not immediately scale down again. Instead, it waits for a short while to confirm that the lower traffic volume is real and not just a brief drop. It does this to avoid a situation where it misinterprets a drop as a real decrease, scales down in response, and then has to scale back up again—a process which takes time, and will briefly leave the system with inadequate resources to correctly handle the current workload.
Therefore, during this confirmation period, the victim’s system has deployed resources that far exceed the amount required.
Once the autoscaler decides that traffic volume has actually decreased, it will scale down its resources again. At this point, the attacker turns on the DDoS traffic anew, and the cycle repeats, over and over again.
Here’s an illustration of this attack:
The blue line shows the combined traffic (DDoS and legitimate) that the victim receives, while the dotted red line represents the amount of resources provisioned by the autoscaler. This has been called a “yo-yo attack” because the amount of DDoS traffic is not continuous; instead, it goes up and down, like a yo-yo.
The goal of this attack is not (necessarily) to take the victim’s site offline (although this might happen intermittently). Instead, the attacker wishes to inflict financial damage on the victim.
Cloud providers charge their customers for the resources that are provisioned, even if the resources aren’t fully used. Therefore, as the victim’s system scales up resources during each cycle, significant charges accrue to the victim’s account. In effect, the attacker forces the victim to pay for large amounts of resources that aren’t actually necessary to handle the current (legitimate) workload.
Yo-yo attacks are very appealing to attackers, because they have a high amount of leverage. For a large portion of each attack cycle, the attacker isn’t actually sending any traffic. This lowers the attacker’s expenses, especially when compared to a traditional DDoS.
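The cycle described above, and the leverage it gives the attacker, can be quantified with a small discrete-time model. This is an added example, not code from the original post or from Reblaze: the per-instance capacity, minimum fleet size, scale-in cooldown and attack timing are constructed assumptions, not figures from any real cloud provider.

```python
# Discrete-time model of a yo-yo attack on a reactive autoscaler. Added example,
# not from the original post; capacity, cooldown and timing are assumed values.
import math

CAPACITY_PER_INSTANCE = 100.0   # requests/sec one instance serves (assumed)
MIN_INSTANCES = 2


class ReactiveAutoscaler:
    """Scales out as soon as load exceeds capacity; scales in only after
    `cooldown` consecutive low-load ticks, to confirm the drop is real."""

    def __init__(self, cooldown: int):
        self.cooldown, self.instances, self.low_ticks = cooldown, MIN_INSTANCES, 0

    def step(self, load_rps: float) -> int:
        needed = max(MIN_INSTANCES, math.ceil(load_rps / CAPACITY_PER_INSTANCE))
        if needed > self.instances:
            self.instances, self.low_ticks = needed, 0       # scale out at once
        elif needed < self.instances:
            self.low_ticks += 1
            if self.low_ticks >= self.cooldown:              # drop confirmed
                self.instances, self.low_ticks = needed, 0
        else:
            self.low_ticks = 0
        return self.instances


def simulate(legit_rps, attack_rps, burst_ticks, pause_ticks, cooldown, ticks):
    """Drive an on/off attack and report provisioned vs. needed instance-ticks.
    A yo-yo tuned to the default uses pause_ticks == cooldown: bursts land at scale-in."""
    scaler = ReactiveAutoscaler(cooldown)
    period = burst_ticks + pause_ticks
    baseline = max(MIN_INSTANCES, math.ceil(legit_rps / CAPACITY_PER_INSTANCE))
    provisioned = attacking_ticks = 0
    for t in range(ticks):
        attacking = (t % period) < burst_ticks
        attacking_ticks += int(attacking)
        provisioned += scaler.step(legit_rps + (attack_rps if attacking else 0.0))
    return {
        "provisioned": provisioned,                      # instance-ticks billed
        "baseline": baseline * ticks,                    # what legit load needs
        "overprovision_ratio": provisioned / (baseline * ticks),
        "attacker_duty_cycle": attacking_ticks / ticks,  # share of time sending
    }


if __name__ == "__main__":
    print("yo-yo:", simulate(150, 1850, 2, 10, cooldown=10, ticks=120))
    print("flood:", simulate(150, 1850, 12, 0, cooldown=10, ticks=120))
```

With these parameters the yo-yo keeps the victim at about 9.25 times the capacity its legitimate load needs while the attacker sends traffic only one sixth of the time; a continuous flood reaches roughly 10 times but costs the attacker six times as much traffic.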
Defeating the Yo-Yo
Cybersecurity is a continual arms race; as attackers develop new techniques, security providers counter them. Yo-yo attacks are no different, and there are several ways to defeat a yo-yo DDoS.
For example, yo-yo attacks require the attacker to know the current amount of scaling that has occurred. If the victim can prevent the attacker from knowing this accurately, then the attack pattern will be disrupted.
Simple yo-yo attacks rely on the victim using the default scale-up and scale-down times from the cloud provider’s load balancers. Countering these attacks can be accomplished by changing these to non-default values.
Some attackers are more sophisticated in their approach. Rather than assuming that the victim’s system is behaving according to the defaults, they monitor the responsiveness of the targeted system to gauge its current status. If the system responds quickly to requests during the DDoS phase, it apparently has scaled up. If it is sluggish or returns errors, it apparently does not have resources scaled up at that time. These attacks can be disrupted by spoofing the system’s responsiveness. For traffic sources that are suspected to be part of a yo-yo attack, the system can respond slowly, while to legitimate users, it can respond quickly.
These techniques are straightforward, and are described here for illustration. More sophisticated techniques are available as well, which work even better than the ones described here.
One important point to remember: yo-yo attacks are a fairly recent development, and mitigation is generally available only within the best web security platforms. For example, the native security tools included in the top-tier cloud platforms are not adequate for defeating these attacks.
Reblaze includes comprehensive DDoS protection (including against yo-yo attacks) in its all-in-one web security suite, along with a next-generation WAF, advanced bot management, API security, DevSecOps support, and more. For a demo, feel free to contact us.