Typically, DDoS (Distributed Denial of Service) attacks use massive volumes of HTTP, DNS, TCP or other traffic to disrupt even well-defended networks or servers. A Yo-Yo DDoS attack is an entirely different animal.

It is a much more innovative way to attack public cloud infrastructure. In today's cloud architecture, almost every resource can scale quickly: nodes, Kubernetes Pods, load balancers, and so on. Scaling capacity in the public cloud is effectively unlimited. Attackers turn those auto-scaling capabilities against you to hurt you financially, which could literally destroy a small organization with a limited cloud budget. This article sheds more light on these attacks to help you increase your cyber readiness.

This is a simulation of how it looks:

[Figure: a simulation of how a Yo-Yo attack looks]

How do Yo-Yo attacks work?

Yo-Yo DDoS attacks can be tricky to identify because they are brief and don't necessarily cause a denial-of-service (DoS) condition. In a Yo-Yo attack, the attackers flood the target with enough traffic that its cloud resources (load balancers, front-end services and so on) scale out automatically. Then they suddenly halt the traffic, leaving the application over-provisioned; once the autoscaler decides that traffic volume has decreased, it scales the resources back down. The attackers then turn the DDoS traffic on again and the cycle repeats, hence the name Yo-Yo attack.

Constantly scaling up and down is a financial drain on the application's owners, who pay the hyperscalers for every scale-out. In some cases, this behaviour can be difficult or impossible to distinguish from legitimate requests. Unlike other forms of DDoS attack, Yo-Yos have no centralized source; they often originate from many different machines across the Internet.

How to protect against Yo-Yo attacks

Control your cloud scaling behaviour by setting a maximum for every resource you scale, so that spending stays bounded. Without a maximum scaling limit, you can burn through a lot of compute and cloud-native services. Monitor your compute autoscaling groups and use anomaly detection to recognize unusual scaling patterns automatically; then you can alert on them and investigate your infrastructure scaling and spending further.
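The anomaly detection the paragraph above calls for can be as simple as counting how often an autoscaling group reverses direction inside a short window: legitimate traffic rarely makes a group flip between scale-out and scale-in every few minutes. The following Python is an added example for this article, not code from the author or from any cloud provider; the log format, the group names and the event records are constructed for illustration, and the window and reversal threshold are assumed starting points that you would tune to your own workload.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of autoscaling activity records (not real cloud output).
# Assumed format: ISO-8601 UTC timestamp, group name, action, old and new capacity.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z group=web-asg action=scale_out from=2 to=8
2024-05-01T10:12:00Z group=web-asg action=scale_in from=8 to=2
2024-05-01T10:20:00Z group=web-asg action=scale_out from=2 to=8
2024-05-01T10:33:00Z group=web-asg action=scale_in from=8 to=2
2024-05-01T10:41:00Z group=web-asg action=scale_out from=2 to=8
2024-05-01T10:55:00Z group=web-asg action=scale_in from=8 to=2
2024-05-01T09:00:00Z group=api-asg action=scale_out from=3 to=4
2024-05-01T13:00:00Z group=api-asg action=scale_in from=4 to=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) group=(?P<group>\S+) action=(?P<action>scale_out|scale_in) "
    r"from=(?P<old>\d+) to=(?P<new>\d+)$"
)


def parse_events(text):
    """Parse activity lines into (timestamp, group, action, old, new) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["group"], m["action"], int(m["old"]), int(m["new"])))
    events.sort(key=lambda e: e[0])
    return events


def find_oscillations(events, window=timedelta(hours=1), min_reversals=4):
    """Return {group: reversals} for every group whose scaling direction reversed
    at least `min_reversals` times within some span no longer than `window`."""
    by_group = defaultdict(list)
    for ts, group, action, _old, _new in events:
        by_group[group].append((ts, action))

    flagged = {}
    for group, evs in by_group.items():
        best = 0
        for i in range(len(evs)):
            reversals = 0
            for j in range(i + 1, len(evs)):
                if evs[j][0] - evs[i][0] > window:
                    break  # events are sorted, so nothing later fits the window
                if evs[j][1] != evs[j - 1][1]:
                    reversals += 1
            best = max(best, reversals)
        if best >= min_reversals:
            flagged[group] = best
    return flagged


if __name__ == "__main__":
    for group, count in find_oscillations(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT: {group} reversed scaling direction {count} times within one hour")
```

In the constructed sample, web-asg flips direction five times in under an hour and is flagged, while api-asg's single scale-out and scale-in four hours apart is the kind of daily pattern you do not want to page on. In production you would feed this from the provider's autoscaling activity history and pair the alert with a spend report for the same group.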

Although they are difficult to detect, Yo-Yo attacks can be mitigated by hiding the traffic scaling configuration. Attackers need to know how much scaling has taken place in order to stop the DDoS traffic and turn it on again once traffic returns to a predetermined average level. If the website or service owner hides scaling information, any preparation the attackers made before launching the attack becomes much less useful.

To improve the security of your cloud against such attacks, it is worth exploring managed DDoS protection services such as AWS Shield and Google Cloud Armor, which can help you mitigate complex attacks. These are the hyperscalers' own cloud-native security services; alternatively, you can pick a third-party solution such as Cloudflare or Incapsula.

Another way to mitigate Yo-Yo DDoS attacks is not to use the cloud provider's default values for scaling the load-balanced service up and down. This also disrupts any plan the attackers made about when to stop sending junk traffic and when to start again.
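The two controls recommended above, a maximum scaling limit and non-default scale-in behaviour, are easiest to reason about with a small autoscaler model. The Python below is an added example written for this article, not code from the author or from any cloud provider's autoscaler. It drives a generic autoscaler through the on/off load pattern the article describes and compares a permissive policy (no maximum, short scale-in cooldown) with a hardened one (capped size, long scale-in stabilization). The per-instance capacity, the cooldown values and the price per instance-minute are assumed numbers chosen to make the effect visible, not figures from any provider.

```python
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class ScalePolicy:
    name: str
    min_instances: int = 2
    max_instances: Optional[int] = None  # None = unbounded, the costly default
    capacity_per_instance: int = 100     # requests/minute one instance handles (assumed)
    scale_out_cooldown: int = 1          # minutes between consecutive scale-outs
    scale_in_cooldown: int = 5           # minutes of sustained low load before scaling in


# Permissive policy: no cap, quick to shed capacity; hardened: capped, slow to shed.
DEFAULT_POLICY = ScalePolicy("default")
HARDENED_POLICY = ScalePolicy("hardened", max_instances=6, scale_in_cooldown=30)


def square_wave(high, low, high_minutes, low_minutes, cycles):
    """Constructed load series (requests/minute) alternating between high and low."""
    return ([high] * high_minutes + [low] * low_minutes) * cycles


def simulate(load, policy, price_per_instance_minute=0.01):
    """Run the autoscaler over `load` and return peak size, scaling actions and spend."""
    current = policy.min_instances
    last_out = -10**9        # minute of the last scale-out
    low_since = None         # minute at which demand first dropped below `current`
    actions = 0
    instance_minutes = 0
    peak = current

    for t, rpm in enumerate(load):
        desired = max(policy.min_instances, math.ceil(rpm / policy.capacity_per_instance))
        if policy.max_instances is not None:
            desired = min(desired, policy.max_instances)  # hard spend ceiling

        if desired > current:
            low_since = None
            if t - last_out >= policy.scale_out_cooldown:
                current, last_out, actions = desired, t, actions + 1
        elif desired < current:
            if low_since is None:
                low_since = t
            if t - low_since >= policy.scale_in_cooldown:  # only shed after stabilization
                current, low_since, actions = desired, None, actions + 1
        else:
            low_since = None  # demand recovered before the scale-in fired

        peak = max(peak, current)
        instance_minutes += current

    return {
        "peak": peak,
        "actions": actions,
        "instance_minutes": instance_minutes,
        "cost": round(instance_minutes * price_per_instance_minute, 2),
    }


if __name__ == "__main__":
    # Ten minutes of heavy load followed by ten quiet minutes, repeated for two hours.
    load = square_wave(high=2000, low=100, high_minutes=10, low_minutes=10, cycles=6)
    for policy in (DEFAULT_POLICY, HARDENED_POLICY):
        print(policy.name, simulate(load, policy))
```

With these assumed numbers the permissive policy scales twelve times in two hours and bills 1860 instance-minutes, while the hardened policy scales once, never sheds capacity during the short quiet gaps, and bills 720. The cap is the trade-off to discuss with the application owner: it bounds the spend, but during a genuine surge the service is held at six instances, so the cap should be set from measured peak demand, not guessed.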

General tips for guarding against DDoS attacks include keeping everything on the system updated: fix all security issues and bugs, and have a plan to identify such problems quickly. It is also important to note that Yo-Yo DDoS attacks are a relatively recent development, and mitigation is generally available only within the best web security platforms; the native security tools included in the top-tier cloud platforms are usually not adequate for defeating these attacks.

Some of the more common Yo-Yo mitigation techniques include:

  • Using a cloud-based DDoS protection service such as AWS Shield, Google Cloud Armor or Cloudflare.
  • Using a content delivery network (CDN) such as AWS CloudFront, Google Cloud CDN or Cloudflare CDN.
  • Deploying a web application firewall (WAF) such as Imperva, F5 or Palo Alto WAAS. The hyperscalers' cloud-native WAF services are not the best option, but they are good enough if you have a limited budget.
  • Following each hyperscaler's security best practices; every hyperscaler has its own security methods and techniques.
  • Using a defence-in-depth approach.
  • Reviewing your application and security logs constantly.
  • Avoiding default scaling configurations.

Quick Takeaways to Defend Against Yo-Yo DDoS Cyber Attacks

  • Use a DDoS protection service.
  • Improve your network infrastructure.
  • Use a cloud-based DDoS mitigation service.
  • Use a DDoS-protected DNS service.
  • Use a DDoS-protected CDN service.
  • Use a DDoS-protected web application firewall.
  • Use a DDoS-protected service.
  • Implement microservices security solutions.

DDoS and Yo-Yo DDoS attacks happen all the time, and they are getting more innovative and more frequent. In general, Yo-Yo DDoS attacks are meant to hurt companies and countries financially.

[Figure: from the Check Point online attack website]

In the end, the best way to beat a Yo-Yo DDoS attack is to stay vigilant. You don’t want to be the next victim of such an attack. To ensure that doesn’t happen, use multiple layered defences against attack, keep your systems up-to-date, and stay on top of threats.

Written by Ido Vapner, CTO and Chief Architect at Kyndryl