November 30, 2015 By Andrew Lemke 3 min read

An Introduction to Temporal Lensing

The Panzerhaubitze 2000 is a 155 mm self-propelled howitzer capable of Multiple Rounds Simultaneous Impact (MRSI). Essentially, the artillery shells are fired with different trajectories, but all impact the target concurrently. How is this type of artillery related to denial-of-service attacks?

Well, as released in a new research study titled “Temporal Lensing and Its Application in Pulsing Denial-of-Service Attacks,” it is possible to perform a similar distributed denial-of-service (DDoS) attack that uses timing to ensure simultaneous arrival of IP packets. The authors term this temporal lensing and claim it is a potential new class of attack, especially if combined with amplification attacks. Amplification attacks result in the multiplicative creation of new packets in an asymmetric sense. Can you see the lens below?

Note that this attack hasn’t yet been seen in the wild. But if history is any teacher, it’s only a matter of time before it is.
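The defining trait of a lensing pulse is that packets from many senders, launched at different times over paths of different latency, land on the target within the same few milliseconds. The following is an added example (not code from the article or from the cited paper) that flags such a pulse in a stream of arrival timestamps; the sample arrivals and the 10 ms window, 10x median and 20-source thresholds are constructed assumptions.

```python
"""Detect a converging "pulse" of packets in arrival records: a short window
whose packet count far exceeds the typical window AND that is fed by many
distinct sources.  Added example; the arrivals below are constructed."""
from collections import Counter

# Constructed sample: (arrival_ms, source) tuples.  Background traffic is one
# packet every 10 ms from five hosts; a pulse of 40 packets from 40 distinct
# sources lands inside a 5 ms span starting at t=500 ms.
BACKGROUND = [(t, f"10.0.0.{(t // 10) % 5 + 1}") for t in range(0, 1000, 10)]
PULSE = [(500 + (i % 5), f"192.0.2.{i + 1}") for i in range(40)]
ARRIVALS = sorted(BACKGROUND + PULSE)


def bucket_arrivals(arrivals, window_ms):
    """Count packets and distinct sources per fixed-size time window."""
    counts, sources = Counter(), {}
    for t_ms, src in arrivals:
        w = t_ms // window_ms
        counts[w] += 1
        sources.setdefault(w, set()).add(src)
    return counts, sources


def detect_pulses(arrivals, window_ms=10, factor=10.0, min_sources=20):
    """Return (window_start_ms, packets, distinct_sources) for every window
    whose count exceeds `factor` x the median window AND that shows at least
    `min_sources` senders.  The source-diversity check separates a lensing
    pulse (assembled from many senders) from one chatty host."""
    counts, sources = bucket_arrivals(arrivals, window_ms)
    if not counts:
        return []
    ordered = sorted(counts.values())
    median = ordered[len(ordered) // 2]
    return [
        (w * window_ms, counts[w], len(sources[w]))
        for w in sorted(counts)
        if counts[w] > factor * median and len(sources[w]) >= min_sources
    ]
```

The median baseline is deliberate: a pulse that lasts one window barely moves the median, whereas it would drag a mean upward and hide itself.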

JavaScript Injection DDoS, or the Great Firewall of China

In April 2015, we witnessed a massive denial-of-service attack against the code-sharing site GitHub via China’s Internet backbone — specifically China Unicom, a major service provider in China.

This represented a new class of attack utilizing JavaScript injection and the users of Baidu (the fourth-largest website in the world, as per the Alexa Internet ratings) to attack GitHub. Essentially, every visitor to Baidu had JavaScript silently injected into their browser sessions. This resulted in two Web pages being requested from GitHub for every Baidu visit. Unbeknownst to the users, they were participants in a massive attack against GitHub.

This is a powerful new vector. If your infrastructure becomes the target of a large population of Web surfers, you’d better be prepared for the onslaught. Imagine for a moment what would happen if every Google visitor also started hitting your site with traffic. Ouch!

Denial of Service via BitTorrent

You all remember the classic Smurf and Fraggle attacks from the 1990s, right? For those of you not schooled in the basics, these were attacks that relied on amplification of data — in this case, ICMP (for the Smurf attack) and UDP port 7 (for the Fraggle attack). In both instances, the protocol was the underlying weakness. Many computers would respond when only one computer made a small request.

As it turns out, we have a new threat vector in the BitTorrent protocol that is being termed distributed reflective denial-of-service (DRDoS). Again, we have a protocol that allows for amplification attacks. As described in a recent research paper, the BitTorrent and BTSync protocols can enable DRDoS attacks using an amplification mechanism.

Some characteristics of the DRDoS attack vector include the fact that:

  1. It is anonymous. Because it utilizes UDP, the source address is entirely spoofable.
  2. It can be initiated by a single computer but still generate a tremendous amount of traffic coming from multiple sources on the BitTorrent network.
  3. It amplifies the original packet very well. The researchers state that the amplification factor can be as much as 120 times.
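Because the victim's address is spoofed, the attack is easiest to spot from the reflector side: your own BitTorrent clients suddenly send far more UDP bytes to one remote host than that host ever sent them, and several of them do it at once. The following is an added example (not code from the article or the cited paper) that applies that check to NetFlow-style records; the flows, the 10.0.0.0/24 local range and the 20x and three-reflector thresholds are constructed assumptions.

```python
"""Flag a likely DRDoS victim by finding remote hosts toward which several
local UDP peers show a lopsided out/in byte ratio.  Added example; the
flow records below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")   # assumption: the network we monitor

# Constructed flows: (src, sport, dst, dport, proto, bytes).
FLOWS = [
    # Normal exchange with one remote torrent peer: traffic is roughly balanced.
    ("10.0.0.5", 6881, "198.51.100.7", 51413, "udp", 4200),
    ("198.51.100.7", 51413, "10.0.0.5", 6881, "udp", 4000),
    # Three local clients each get a 60-byte request that claims to come from
    # 203.0.113.9 and answer with 7,200 bytes: 120x amplification aimed at a
    # host that never asked for it.
    ("203.0.113.9", 40000, "10.0.0.5", 6881, "udp", 60),
    ("10.0.0.5", 6881, "203.0.113.9", 40000, "udp", 7200),
    ("203.0.113.9", 40000, "10.0.0.6", 6881, "udp", 60),
    ("10.0.0.6", 6881, "203.0.113.9", 40000, "udp", 7200),
    ("203.0.113.9", 40000, "10.0.0.7", 6881, "udp", 60),
    ("10.0.0.7", 6881, "203.0.113.9", 40000, "udp", 7200),
]


def udp_byte_ratios(flows, local_net=LOCAL_NET):
    """Map (local_host, remote_host) -> (bytes_out, bytes_in) over UDP flows."""
    out_b, in_b = defaultdict(int), defaultdict(int)
    for src, _, dst, _, proto, nbytes in flows:
        if proto != "udp":
            continue
        src_local, dst_local = ip_address(src) in local_net, ip_address(dst) in local_net
        if src_local and not dst_local:
            out_b[(src, dst)] += nbytes
        elif dst_local and not src_local:
            in_b[(dst, src)] += nbytes
    return {k: (out_b[k], in_b[k]) for k in set(out_b) | set(in_b)}


def find_drdos_victims(flows, min_ratio=20.0, min_reflectors=3):
    """Return {remote: (reflector_count, aggregate_amplification)} for remotes
    that at least `min_reflectors` local hosts flood at >= `min_ratio` x the
    bytes received from them.  Pairs with no inbound bytes are skipped."""
    per_remote = defaultdict(lambda: [0, 0, 0])    # reflectors, out, in
    for (_, remote), (out_b, in_b) in udp_byte_ratios(flows).items():
        if in_b and out_b / in_b >= min_ratio:
            per_remote[remote][0] += 1
            per_remote[remote][1] += out_b
            per_remote[remote][2] += in_b
    return {r: (n, out_b / in_b) for r, (n, out_b, in_b) in per_remote.items()
            if n >= min_reflectors}
```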


I hate to present threats without also providing solutions, but in the case of DDoS, it really requires an in-depth consultation to ensure you’ve got your bases covered. Recommendations depend on the threat level for your organization, your risk appetite, your desire to be actively involved, the degree to which you can sustain any downtime, etc.

To complete a comprehensive DDoS defense strategy, the following questions need to be answered:

  • Have you already been attacked?
  • If so, how did you resolve that situation?
  • Do you know the motivations and persistence of the attackers?
  • Are you willing to be up at 3 a.m. and solve an outage over the next 72 hours?
  • What are the technical characteristics of the attacks?

Additionally, some of the following technologies need to be considered as part of your architecture decisions:

  • Scrubbers versus content delivery networks;
  • ISP-based defenses versus on-premises;
  • TLS keys and related regulatory and compliance concerns;
  • Web application firewalls (WAF); and
  • Global load balancing.
