January 12, 2015
'Twas the season for a not-so-jolly DDoS attack from a group claiming to be Lizard Squad, flinging what are commonly known as Christmas tree packets. Details of the attack indicate the ongoing development of DDoS attack tools. While not the largest DDoS attack to date, this TCP flag DDoS attack would hinder or completely clog most corporate infrastructures. One packet had more flags set than any other observed in the attack; only the ACK flag was missing.
Selected as the Spotlight Attack for the quarter in the Q4 2014 State of the Internet - Security Report, which will be available later this month, the multiple TCP flag DDoS attack was part of a DDoS campaign launched against an Akamai customer in August and again in December. The attack achieved its goal in that it generated high traffic volumes and high packet rates. Of course, Akamai scrubbed the malicious traffic, forwarding only clean traffic to the customer.
Christmas tree packets are almost always suspicious. They are designed to take more processing power than ordinary packets and thus are commonly used in denial-of-service attacks. They may also be used for reconnaissance, to see how a target responds.
Although this multiple TCP flag DDoS attack seemed to be executed like a SYN flood, there were differences that suggest the use of a new attack tool. The attack appears to be a calling card of sorts for a group claiming to be Lizard Squad: each attack against this Akamai customer showed the same use of multiple TCP flags in every packet. The initial campaign in August, although mixed with a UDP flood, shared these characteristics, with some differences.
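The flag combinations described above are easy to spot once the TCP header is decoded. The following is an added example, not code from Akamai or from the report: it parses raw TCP headers, labels flag bytes that no conforming stack would send (including the "every flag but ACK" packet singled out above), and reports what share of a packet window is crafted, which is the signal that separates this flood from a plain SYN flood. The sample segments are constructed in the script itself; the port numbers and the "normal" allow-list are assumptions made for illustration.

```python
import struct
from collections import Counter

# Bit values of the flag byte (byte 13) of the TCP header: RFC 793 flags plus the
# RFC 3168 ECN bits.
TCP_FLAGS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
ECN_BITS = TCP_FLAGS["ECE"] | TCP_FLAGS["CWR"]

# Flag combinations a conforming TCP stack emits during handshake, data transfer,
# teardown and reset (assumed baseline; ECN bits are stripped before comparison).
NORMAL_COMBINATIONS = {
    0x02,  # SYN
    0x12,  # SYN|ACK
    0x10,  # ACK
    0x18,  # PSH|ACK
    0x11,  # FIN|ACK
    0x19,  # FIN|PSH|ACK
    0x04,  # RST
    0x14,  # RST|ACK
}


def flag_names(flags):
    """Return the names of the bits set in a TCP flag byte, in bit order."""
    return [name for name, bit in TCP_FLAGS.items() if flags & bit]


def parse_tcp_header(segment):
    """Extract (src_port, dst_port, flags) from a raw TCP header of at least 20 bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header: %d bytes" % len(segment))
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return src, dst, off_flags & 0xFF


def classify_flags(flags):
    """Label a flag byte 'normal' or give the reason it looks crafted."""
    names = flag_names(flags)
    if flags == 0:
        return "null packet (no flags)"
    base = flags & ~ECN_BITS  # ECE/CWR are legitimate on otherwise normal segments
    if base in NORMAL_COMBINATIONS:
        return "normal"
    # Many flags lit at once is what the post calls a Christmas tree packet.
    if len(names) >= 4:
        return "christmas tree (%d flags set: %s)" % (len(names), "/".join(names))
    # FIN/PSH/URG without ACK is the classic three-flag Xmas probe.
    if {"FIN", "PSH", "URG"} <= set(names):
        return "christmas tree (FIN/PSH/URG)"
    if flags & TCP_FLAGS["SYN"] and flags & (TCP_FLAGS["FIN"] | TCP_FLAGS["RST"]):
        return "SYN combined with FIN/RST"
    return "unusual combination (%s)" % "/".join(names)


def scan_segments(segments):
    """Classify each raw TCP header in a window.

    Returns (anomalies, crafted_share, combo_counts). A crafted share near 1.0 over
    a short window, with the same multi-flag byte repeated, matches the flood the
    post describes rather than a SYN flood (which would count as 'normal' here).
    """
    anomalies = []
    combos = Counter()
    for i, seg in enumerate(segments):
        src, dst, flags = parse_tcp_header(seg)
        combos["/".join(flag_names(flags)) or "NONE"] += 1
        verdict = classify_flags(flags)
        if verdict != "normal":
            anomalies.append((i, src, dst, verdict))
    share = len(anomalies) / len(segments) if segments else 0.0
    return anomalies, share, combos


def build_tcp_header(src, dst, flags, seq=0, ack=0, window=65535):
    """Build a minimal 20-byte TCP header as constructed test input (checksum zeroed)."""
    data_offset = 5 << 12  # five 32-bit words, no options
    return struct.pack("!HHIIHHHH", src, dst, seq, ack, data_offset | flags, window, 0, 0)


# Constructed sample: three ordinary segments and three crafted ones, including the
# "every flag except ACK" packet mentioned in the post.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, 0x02),                      # SYN
    build_tcp_header(80, 40000, 0x12),                      # SYN|ACK
    build_tcp_header(40000, 80, 0x18 | TCP_FLAGS["ECE"]),   # PSH|ACK with ECN echo
    build_tcp_header(51000, 80, 0x29),                      # FIN|PSH|URG
    build_tcp_header(51001, 80, 0xFF & ~TCP_FLAGS["ACK"]),  # all flags except ACK
    build_tcp_header(51002, 80, 0x03),                      # SYN|FIN
]

if __name__ == "__main__":
    found, crafted_share, combo_counts = scan_segments(SAMPLE_SEGMENTS)
    for idx, src, dst, why in found:
        print("packet %d %d->%d: %s" % (idx, src, dst, why))
    print("crafted share: %.0f%%" % (crafted_share * 100))
    print("flag combinations seen:", dict(combo_counts))
```

In a real deployment the header bytes would come from a capture library or a flow sensor instead of `SAMPLE_SEGMENTS`, and the crafted share would be computed per source or per short time window so that a single probe is logged while a sustained flood of identical multi-flag packets raises an alert.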
Readers who want to get the details about this TCP flag attack can pre-register for first-day delivery of the Q4 2014 State of the Internet - Security Report.