An Introduction to Temporal Lensing

The Panzerhaubitze 2000 is a 155 mm self-propelled howitzer capable of Multiple Rounds Simultaneous Impact (MRSI). Essentially, the artillery shells are fired with different trajectories, but all impact the target concurrently. How is this type of artillery related to denial-of-service attacks?

Well, as described in a new research study titled “Temporal Lensing and Its Application in Pulsing Denial-of-Service Attacks,” it is possible to perform a similar distributed denial-of-service (DDoS) attack that uses timing to ensure the simultaneous arrival of IP packets. The authors term this temporal lensing and claim it is a potential new class of attack, especially if combined with amplification attacks. In an amplification attack, a small request produces a much larger response, so the attacker’s traffic is multiplied on its way to the victim. Can you see the lens below?

Note that this attack hasn’t yet been seen in the wild. But if history is a teacher, it’s only a matter of time before it is.
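To see why a lensing pulse is easy to miss, here is an added illustration (not code from the paper or from this post) that scans constructed packet arrival times with a sliding window: the average rate looks harmless, while one 100 ms window carries far more than the assumed per-window capacity.

```python
# Added example (not from the original post or the cited paper): a sliding-window
# check for lensing-style pulses, where packets sent at different times along
# paths of different latency all land on the target within one short window.

# Constructed arrival timestamps in milliseconds for one target over ~10 s:
# a steady trickle (one packet every 250 ms) plus a pulse of 50 packets that
# all arrive between 6000 ms and 6098 ms.
BACKGROUND = [i * 250 for i in range(40)]
PULSE = [6000 + 2 * k for k in range(50)]
ARRIVALS = sorted(BACKGROUND + PULSE)


def average_rate(arrivals_ms):
    """Packets per second over the whole capture. This is what a coarse
    rate monitor reports, and it hides the pulse entirely."""
    span_s = (arrivals_ms[-1] - arrivals_ms[0]) / 1000.0
    return len(arrivals_ms) / span_s if span_s > 0 else float("inf")


def peak_window(arrivals_ms, window_ms=100):
    """Return (start_ms, count) for the densest window of window_ms over the
    sorted arrivals, using a two-pointer scan (O(n))."""
    best = (arrivals_ms[0], 0)
    j = 0
    for i, start in enumerate(arrivals_ms):
        while j < len(arrivals_ms) and arrivals_ms[j] < start + window_ms:
            j += 1
        if j - i > best[1]:
            best = (start, j - i)
    return best


def pulse_alert(arrivals_ms, window_ms=100, capacity_per_window=10):
    """Return the densest window if it exceeds the assumed per-window capacity,
    else None. capacity_per_window is a placeholder; derive it from measured
    link or service capacity in a real deployment."""
    start, count = peak_window(arrivals_ms, window_ms)
    return (start, count) if count > capacity_per_window else None


if __name__ == "__main__":
    print("average rate: %.1f pkt/s" % average_rate(ARRIVALS))
    print("densest 100 ms window:", peak_window(ARRIVALS))
    print("pulse alert:", pulse_alert(ARRIVALS))
```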

JavaScript Injection DDoS, or the Great Firewall of China

In April 2015, we witnessed a massive denial-of-service attack against the code-sharing site GitHub via China’s Internet backbone — specifically China Unicom, a major service provider in China.

This represented a new class of attack utilizing JavaScript injection and the users of Baidu (the fourth-largest website in the world, as per the Alexa Internet ratings) to attack GitHub. Essentially, every visitor to Baidu had JavaScript silently injected into their browser sessions. This resulted in two Web pages being requested from GitHub for every Baidu visit. Unbeknownst to the users, they were participants in a massive attack against GitHub.

This is a powerful new vector. If your infrastructure becomes the target of a large population of Web surfers, you’d better be prepared for the onslaught. Imagine for a moment what would happen if every Google visitor also started hitting your site with traffic. Ouch!

Denial of Service via BitTorrent

You all remember the classic Smurf and Fraggle attacks from the 1990s, right? For those of you not schooled in the basics, this was an attack that relied on amplification of data — in this case, ICMP (for the Smurf attack) and UDP port 7 (for the Fraggle attack). In both instances, the protocol was the underlying weakness. Many computers would respond when only one computer made a small request.

As it turns out, we have a new threat vector in the BitTorrent protocol that is being termed distributed reflective denial-of-service (DRDoS). Again, we have a protocol that allows for amplification attacks. As described in a recent research paper, the BitTorrent and BTSync protocols can enable DRDoS attacks using an amplification mechanism.

Some characteristics of the DRDoS attack vector include the fact that:

  1. It is anonymous. Because it utilizes UDP, it is entirely spoofable.
  2. It can be initiated by a single computer but still generate a tremendous amount of traffic coming from multiple sources on the BitTorrent network.
  3. It amplifies the original packet very well. The researchers state that the amplification factor can be as much as 120 times.
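The three characteristics above leave a recognizable trace at the victim. As an added example (not code from the post or the cited paper), the function below scans constructed flow records and flags a host that receives UDP replies from many distinct peers it never contacted, with far more bytes arriving than it sent; the reflector port 6881 and the addresses are assumptions for the sample data.

```python
# Added example (not from the original post or the cited paper): spotting a
# likely DRDoS reflection victim in flow records. Spoofed-source UDP requests
# show up at the victim as replies it never asked for, from many peers,
# carrying many times the bytes it sent.
from collections import defaultdict

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# 40 reflectors answer from the assumed BitTorrent port 6881 to 203.0.113.10,
# which sent none of those requests; a genuine request/reply pair and a TCP
# session are included so the check has benign traffic to ignore.
FLOWS = [
    (f"198.51.100.{i}", 6881, "203.0.113.10", 40000 + i, "udp", 12000)
    for i in range(1, 41)
] + [
    ("203.0.113.10", 51000, "198.51.100.200", 6881, "udp", 100),   # real request
    ("198.51.100.200", 6881, "203.0.113.10", 51000, "udp", 900),   # its reply
    ("203.0.113.10", 52000, "192.0.2.5", 443, "tcp", 1500),
    ("192.0.2.5", 443, "203.0.113.10", 52000, "tcp", 30000),
]


def reflection_candidates(flows, min_sources=20, min_ratio=10.0):
    """Per host: bytes of unsolicited inbound UDP versus all UDP bytes the host
    itself sent. A UDP flow is unsolicited when its destination never sent a
    UDP flow to that (source, source_port). Flag hosts with at least
    min_sources distinct unsolicited peers and a ratio of at least min_ratio."""
    contacted = defaultdict(set)          # host -> {(peer, peer_port)} it sent UDP to
    for src, _sp, dst, dp, proto, _b in flows:
        if proto == "udp":
            contacted[src].add((dst, dp))
    inbound = defaultdict(int)            # host -> unsolicited inbound UDP bytes
    outbound = defaultdict(int)           # host -> UDP bytes it sent
    peers = defaultdict(set)              # host -> distinct unsolicited sources
    for src, sp, dst, _dp, proto, nbytes in flows:
        if proto != "udp":
            continue
        outbound[src] += nbytes
        if (src, sp) not in contacted[dst]:
            inbound[dst] += nbytes
            peers[dst].add(src)
    result = {}
    for host, nbytes in inbound.items():
        ratio = nbytes / max(outbound[host], 1)
        if len(peers[host]) >= min_sources and ratio >= min_ratio:
            result[host] = {"unsolicited_sources": len(peers[host]),
                            "inbound_to_outbound_ratio": round(ratio, 1)}
    return result


if __name__ == "__main__":
    print(reflection_candidates(FLOWS))
```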

I hate to present threats without also providing solutions, but in the case of DDoS, it really requires an in-depth consultation to ensure you’ve got your bases covered. Recommendations depend on the threat level for your organization, your risk appetite, your desire to be actively involved, the degree to which you can sustain any downtime, etc.

To complete a comprehensive DDoS defense strategy, the following questions need to be answered:

  • Have you already been attacked?
  • If so, how did you resolve that situation?
  • Do you know the motivations and persistence of the attackers?
  • Are you willing to be up at 3 a.m. and solve an outage over the next 72 hours?
  • What are the technical characteristics of the attacks?

Additionally, some of the following technologies need to be considered as part of your architecture decisions:

  • Scrubbers versus content delivery networks;
  • ISP-based defenses versus on-premises;
  • TLS keys and related regulatory and compliance concerns;
  • Web application firewalls (WAF); and
  • Global load balancing.
