Typically, DDoS (Distributed Denial of Service) attacks use massive volumes of HTTP, DNS, TCP or other traffic to disrupt even well-protected networks or servers. Yo-Yo DDoS is a totally different animal.
It is a much more innovative way to attack public cloud infrastructure. In today’s cloud architecture, almost any resource can scale quickly: nodes, Kubernetes pods, load balancers, and so on. Scaling capacity in the public cloud is effectively unlimited. Cyber attackers turn these cloud autoscaling capabilities against you to harm you financially, and they could literally destroy small organizations with limited cloud budgets. This article sheds more light on these attacks to help you increase your cyber preparedness.
This is a simulation of its appearance:
How Do Yo-Yo Attacks Work?
Yo-Yo DDoS attacks can be difficult to identify because they are brief and do not necessarily result in denial of service (DoS) conditions. In a Yo-Yo attack, attackers flood the target with enough traffic that autoscaling adds cloud resources such as load balancers, front-end services, and other components. Then they suddenly stop the traffic, leaving the application over-provisioned until it automatically scales down again. Once the autoscaler decides that the traffic volume has decreased, it reduces the resources. The attacker then re-enables the DDoS traffic and the cycle repeats, hence the name Yo-Yo attack.
Constant scaling can be a financial drain on application owners, who end up paying the hyperscalers a lot of money. In some cases, this behavior may be difficult or impossible to distinguish from legitimate requests. Unlike other forms of DDoS attacks, Yo-Yos do not have a centralized source – they often come from many different machines on the Internet.
How to Protect Yourself From Yo-Yo Attacks
You should control your cloud scaling behavior by setting a limit for each cloud resource you scale, to avoid large financial outlays. If you don’t set a maximum scaling limit, you risk wasting a lot of cloud computing resources and cloud-native services. Monitor your compute autoscaling groups and use anomaly detection to automatically recognize unusual scaling patterns. You can then create alerts for unusual scaling patterns and investigate your infrastructure’s scaling and spending further.
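As an added example (not code from the article), here is a small Python detector for the scaling oscillation described above: it parses a constructed, hypothetical autoscaling event log, flags groups whose scaling direction keeps reversing within a short window, and estimates the instance-minutes spent above the steady-state baseline, which is what the attacker is making you pay for.

```python
"""Flag Yo-Yo-style autoscaling oscillation and estimate the over-provisioning it caused.
Added example, not code from the article; it assumes a constructed, hypothetical event
format: one line per scaling action, "<ISO-8601 timestamp> <group> <old>-><new>"."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: web-asg flips between 2 and 8-9 instances every ~10 minutes
# (the Yo-Yo pattern); batch-asg scales once for a few hours (normal behaviour).
SAMPLE_EVENTS = """\
2024-05-01T10:00:00Z web-asg 2->8
2024-05-01T10:12:00Z web-asg 8->2
2024-05-01T10:22:00Z web-asg 2->9
2024-05-01T10:35:00Z web-asg 9->2
2024-05-01T10:44:00Z web-asg 2->8
2024-05-01T10:58:00Z web-asg 8->2
2024-05-01T10:05:00Z batch-asg 1->3
2024-05-01T13:40:00Z batch-asg 3->1
"""

def parse_events(text):
    """Return {group: [(timestamp, old_capacity, new_capacity), ...]} sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, group, change = line.split()
        old, new = (int(x) for x in change.split("->"))
        events[group].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), old, new))
    return {group: sorted(evs) for group, evs in events.items()}

def yoyo_groups(events, window=timedelta(hours=1), min_reversals=3):
    """Groups whose scaling direction reversed at least min_reversals times in one window."""
    flagged = {}
    for group, evs in events.items():
        moves = [(t, 1 if new > old else -1) for t, old, new in evs if new != old]
        # A reversal is an event whose direction differs from the previous event's.
        reversals = [t for (t, d), (_, prev) in zip(moves[1:], moves) if d != prev]
        best = max((sum(1 for t in reversals[i:] if t - start <= window)
                    for i, start in enumerate(reversals)), default=0)
        if best >= min_reversals:
            flagged[group] = best
    return flagged

def excess_instance_minutes(evs, baseline):
    """Instance-minutes held above the steady-state baseline between scaling events."""
    return sum(max(cap - baseline, 0) * int((t1 - t0).total_seconds() // 60)
               for (t0, _, cap), (t1, _, _) in zip(evs, evs[1:]))
```

Feed it the scaling-activity history exported from your autoscaling group (converted to the line format above) and alert on any group it returns; the excess instance-minutes give you a rough cost figure for the incident.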
Although difficult to detect, Yo-Yo attacks can be mitigated by hiding the traffic scaling configuration. Attackers need to know how much scaling has taken place in order to stop the DDoS traffic and reactivate it once capacity has returned to a predetermined average level. If the website or service owner can hide scaling information, it undermines any preparation attackers may have done before launching the attack.
To improve your cloud’s security against such attacks, it’s worth exploring dedicated DDoS protection services such as AWS Shield and Google Cloud Armor, which can help you mitigate complex attacks. These are the hyperscalers’ own cloud-native security services; alternatively, you can choose third-party solutions such as Cloudflare or Incapsula.
Another way to mitigate Yo-Yo DDoS attacks is not to use the cloud provider’s default values for scaling up and scaling down, or for its load-balancing mechanism. Changing these defaults also disrupts any plan the attackers might have made for when to stop sending the unwanted traffic and when to start again.
General tips to guard against DDoS attacks include keeping the entire system up to date: fix all security issues and bugs, and have a plan to identify such issues quickly. It’s also important to point out that Yo-Yo DDoS attacks are a relatively recent development and mitigation is generally only available on the best web security platforms; in particular, the native security tools included in leading cloud platforms are usually not sufficient to defeat these attacks.
Some of the more common Yo-Yo mitigation techniques include:
- Using a cloud-based DDoS protection service such as AWS Shield, Google Cloud Armor or Cloudflare.
- Using a Content Delivery Network (CDN) such as AWS CloudFront, Google Cloud CDN or Cloudflare CDN.
- Deploying a Web Application Firewall (WAF) such as Imperva, F5 or Palo Alto WAAS, or using the hyperscalers’ cloud-native WAF services. The latter are not the best solution, but they’re pretty good if you’re on a budget.
- Following each hyperscaler’s security best practices – each has its own security methods and techniques.
- Using a defense-in-depth approach.
- Reviewing your application and security logs constantly.
- Avoiding default scaling configurations.
Points to remember to defend against Yo-Yo DDoS cyberattacks
- Use a DDoS protection service.
- Improve your network infrastructure.
- Use a cloud-based DDoS mitigation service.
- Use a DDoS-protected DNS service.
- Use a DDoS-protected CDN service.
- Use a DDoS-protected web application firewall.
- Use a DDoS-protected service.
- Implement microservices security solutions.
DDoS and Yo-Yo DDoS attacks happen all the time, and they are becoming more innovative and frequent. In general, Yo-Yo DDoS attacks are intended to harm companies and countries financially.
Ultimately, the best way to beat a Yo-Yo DDoS attack is to stay alert. You don’t want to be the next victim of such an attack. To make sure this doesn’t happen, use multiple layers of defense against attacks, keep your systems up to date, and stay aware of threats.
Written by Ido Vapner, CTO and Chief Architect at Kyndryl