DDoS (Distributed Denial of Service) attacks have been rising in frequency and severity. Recently, a major institution (which remains unnamed for security reasons) fell victim to prolonged DDoS attacks lasting several hours.
In this article, we’ll discuss the countermeasures implemented by a critical infrastructure institution to mitigate the attack: auto-scaling, diverse geo-filtering methods, rate limiting, bot detection, and other capabilities that defeated the attack.
What Happened
The first attack lasted a total of 5 hours and 15 minutes. During this time, the institution was bombarded with approximately 3.8 billion requests, with the peak rate reaching 886,000 requests per second (RPS). The traffic was not distributed evenly across the duration of the attack; it came in four distinct waves.
Insight 1: DDoS incidents are often reported in terms of their overall request volume, but this isn’t the most important metric. Attackers frequently structure their attacks as a series of intense bursts, so a web security solution must be sized for the peak request rate, not the average. Here, 3.8 billion requests over 5 hours and 15 minutes works out to an average of roughly 200,000 RPS, while the peak of 886,000 RPS was more than four times that.
Response and Countermeasures
The targeted institution uses Reblaze as its web security solution. In response to the attack, Reblaze immediately auto-scaled and deployed additional resources to absorb and process the increased traffic volume, while preserving the availability of the targeted system. The maximum number of servers was increased to 1,000, and two new regions were added to the existing regions.
Insight 2: Modern attacks frequently leverage resources at a global scale. Many web security solutions still rely on local infrastructure, or have limited PoPs; they will be able to handle some attacks, but not all. In the modern threat environment, a cloud native solution is required.
In addition to the auto-scaling, Reblaze personnel also implemented geo-restriction. Using this technique, security teams can automatically block traffic according to its origin (by nation, ASN, IP range, VPN usage, anonymizer usage, etc.), or its intended destination. Several other filtering methods were used as well (discussed below).
Insight 3: To fully handle modern attacks, a web security solution must enable admins to control their traffic with a high level of precision. Geo-blocking eliminates large amounts of hostile requests with little human effort, and minimizes the amount of compute resources necessary for processing. It’s important for solutions to provide admins not only with granularity, but also ease-of-use.
A few days later, a second attack was launched on the institution, lasting a total of 1 hour and 4 minutes. This attack saw approximately 1.2 billion requests, with the peak rate reaching 1.38 million RPS. As in the first incident, Reblaze thwarted the attack with autoscaling and geo-blocking, as well as autoban, bot detection, and rate limiting.
Insight 4: Most attacks require multiple, simultaneous methods of traffic filtering:
- As discussed above, geo-blocking quickly reduces the amount of traffic that needs to be processed.
- Autobanning (the automatic blocking of traffic sources that have exhibited hostile behavior) also eliminates large amounts of hostile requests with minimal resources.
- Bot detection recognizes and blocks undesirable non-human traffic. Hackers often attempt to evade filtering (from geolocation, threat intelligence feeds, etc.) by using bots which masquerade as legitimate human users; dedicated bot detection technologies are necessary to detect them.
- Rate limiting (restricting traffic sources that send excessive numbers of requests) catches threat actors who use tactics such as IP rotation to avoid detection by other methods. A limit keyed only on the source IP is exactly what IP rotation evades, so the limit must also be applied to a key that survives rotation, such as a session identifier or client fingerprint.
In the past, WAFs could successfully focus on individual tactics (such as signature recognition) to defeat web threats. Today, a multivariate approach is needed.
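The following is an added example, not Reblaze’s code, showing how the four filtering layers above combine in one request pipeline. The request fields, thresholds, bot heuristic and sample traffic are all assumptions constructed for the example. It runs the cheap checks (autoban table, geo/ASN) before the stateful ones, and applies the rate limit to both the source IP and a session key, which is what lets it catch the IP-rotating client that stays under the per-IP limit.

```python
"""Layered request filtering on constructed traffic: autoban, geo/ASN blocking,
bot heuristics and rate limiting keyed on both source IP and session.
Added example; the dataclasses, thresholds and sample traffic are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Request:
    ts: float          # seconds since start of capture
    ip: str
    country: str       # ISO code from a GeoIP lookup (assumed already resolved)
    asn: int
    session: str       # session cookie or client fingerprint; survives IP rotation
    user_agent: str
    path: str


@dataclass
class Filter:
    blocked_countries: set
    blocked_asns: set
    ban_threshold: int = 3       # hostile events before an IP is autobanned
    ban_seconds: float = 600.0
    rps_limit: int = 5           # requests allowed per key per window
    window: float = 1.0
    bans: dict = field(default_factory=dict)                        # ip -> expiry
    strikes: dict = field(default_factory=lambda: defaultdict(int))
    ip_hits: dict = field(default_factory=lambda: defaultdict(deque))
    session_hits: dict = field(default_factory=lambda: defaultdict(deque))

    def _strike(self, ip, now):
        """Record a hostile event; autoban the IP once it reaches the threshold."""
        self.strikes[ip] += 1
        if self.strikes[ip] >= self.ban_threshold:
            self.bans[ip] = now + self.ban_seconds

    def _over_limit(self, hits, key, now):
        """Sliding-window counter: True when `key` exceeds rps_limit within `window`."""
        q = hits[key]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        return len(q) > self.rps_limit

    def decide(self, r):
        # Cheapest checks first, so most hostile traffic never reaches the
        # stateful stages. 1. autoban table lookup
        if self.bans.get(r.ip, 0) > r.ts:
            return "banned"
        # 2. geo / ASN restriction (no per-request state needed)
        if r.country in self.blocked_countries or r.asn in self.blocked_asns:
            return "geo_block"
        # 3. bot heuristic: scripted clients that do not bother to look human
        ua = r.user_agent.lower()
        if not ua or "python-requests" in ua or "curl/" in ua:
            self._strike(r.ip, r.ts)
            return "bot"
        # 4. rate limiting. The per-IP limit alone is defeated by IP rotation,
        #    so the same limit is also applied to the session key.
        if self._over_limit(self.ip_hits, r.ip, r.ts):
            self._strike(r.ip, r.ts)
            return "rate_limit_ip"
        if self._over_limit(self.session_hits, r.session, r.ts):
            self._strike(r.ip, r.ts)
            return "rate_limit_session"
        return "allow"


def sample_traffic():
    """Constructed traffic: a legitimate user, a client in a blocked ASN, an
    IP-rotating bot that shares one session key, and a scripted client."""
    reqs = []
    for i in range(9):   # legitimate user, 3 RPS for 3 seconds
        reqs.append(Request(i / 3, "203.0.113.10", "US", 64496, "sess-legit", "Mozilla/5.0", "/"))
    for i in range(5):   # client in blocked ASN 64500
        reqs.append(Request(i * 0.1, "198.51.100.5", "US", 64500, "sess-x", "Mozilla/5.0", "/"))
    for i in range(20):  # 20 IPs, 2 requests each, all within 0.2 s, one session key
        ip = f"192.0.2.{i + 1}"
        reqs.append(Request(0.01 * i, ip, "US", 64496, "sess-bot", "Mozilla/5.0", "/login"))
        reqs.append(Request(0.01 * i + 0.005, ip, "US", 64496, "sess-bot", "Mozilla/5.0", "/login"))
    for i in range(4):   # scripted client; third strike autobans it, fourth hits the ban
        reqs.append(Request(10 + i, "203.0.113.99", "US", 64496, "sess-s", "python-requests/2.31", "/api"))
    reqs.sort(key=lambda r: r.ts)
    return reqs


def run(filter_, reqs):
    """Return a count of verdicts for the given request stream."""
    counts = defaultdict(int)
    for r in reqs:
        counts[filter_.decide(r)] += 1
    return dict(counts)


if __name__ == "__main__":
    f = Filter(blocked_countries={"KP"}, blocked_asns={64500})
    print(run(f, sample_traffic()))
```

In the constructed stream the rotating bot never trips the per-IP limit (two requests per address), but its shared session key exceeds five requests per second after the fifth hit, so 35 of its 40 requests are dropped; the scripted client is banned on its third strike and its fourth request is rejected by the ban table before any other check runs.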
Lastly, during the attack, other tactics were used to enable processing and maintain availability of the targeted system. For example, Reblaze temporarily stopped log ingestion by its console to reduce resource requirements, while still maintaining traffic visibility (because the data was still available directly from the logs).
Insight 5: Most discussions about web security focus on tactics for defeating specific types of attacks. In today’s threat environment, it’s also important to consider broader issues such as the usability and flexibility of a solution during the stress of a large-scale incident.
Conclusion
This DDoS incident is a good example of a typical attack. While it didn’t break any records in size or severity, and the availability and performance of the targeted system were not compromised, it still required a variety of countermeasures. In this event, global cloud resources, autoscaling, geoblocking, autobanning, advanced bot detection, rate limiting, and other capabilities were all needed.
Today’s threat environment requires robust security capabilities. When evaluating a web security solution, it is critical to consider its abilities to provide a multi-faceted and effective response, and its ease-of-use and flexibility during the stress of security incidents.
For more information about Reblaze, or to get a demo, contact us here.