Wednesday, July 24, 2024

Case Study: Blocking Botnet-Driven Low-Rate HTTP DDoS Attacks

Indusface research on 1400+ websites recorded a significant surge in DDoS attacks and bot attacks in Q2 2023 compared with Q1 2023: a 75% surge in DDoS attacks and a 48% increase in bot attacks.

Moreover, recent trends in DDoS attacks indicate a significant evolution beyond the Mirai bot, leading to the emergence of next-generation botnets that pose a far greater threat. One such technique is the low-rate-per-bot HTTP DDoS attack.

Low-rate-per-bot HTTP DDoS Attack

A low-rate-per-bot HTTP DDoS attack is a type of cyberattack where many compromised or controlled devices, often called bots, send a relatively small number of HTTP requests to a target web server or application over an extended period.

Unlike traditional botnet attacks that flood the target with a massive volume of requests, low-rate-per-bot attacks focus on stealth and persistence.

In this attack, each bot sends requests at a rate that is intentionally kept low to avoid triggering rate-limiting or detection mechanisms. However, the cumulative effect of these requests from numerous bots can still overwhelm the target server or application, causing service disruption.


The primary objective of a low-rate-per-bot HTTP DDoS attack is to fly under the radar of security measures by mimicking legitimate user traffic. This makes it challenging for security solutions to differentiate between malicious and legitimate requests, as the attack traffic appears less notable due to the reduced request rate per bot.

Low-rate HTTP DDoS Attack against a Fortune 500 Company

How can organizations protect against these advancing DDoS attacks? An alternative to static rate limiting is behavior-based DDoS protection, which is what AppTrana does.

A few weeks back, our team, using the AppTrana platform, uncovered an HTTP DDoS attack aimed at an application within a Fortune 500 company. This attack was executed by a botnet consisting of thousands of individual bots.

The HTTP flood ran at 3000X to 14000X the website's typical request rate per minute. Further, the attack used roughly 8 million unique IP addresses over its two-week duration.

While effective against specific DDoS attacks, rate-limiting proved inadequate in this scenario since some IPs were sending just one request per minute, and adjusting the rate limit to such a low level was not a feasible solution.

What set this attack apart was its distinctive targeting of base URLs, many of which were either non-existent or not publicly accessible, such as /404, /admin, and /config.

The large surge in traffic slowed the application, drove up bandwidth utilization, and disrupted legitimate users' access to the services.

AppTrana detected all these anomalies, and our managed service team strategically deployed a customized solution to reduce these attacks to zero.
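The detection problem described above is that no single bot exceeds a per-IP threshold, so the anomaly only shows up in the aggregate: requests per minute far above baseline, a very large number of distinct client IPs, and most traffic hitting paths the application does not serve publicly (/404, /admin, /config). The following is an added example, not Indusface or AppTrana code, of that aggregate check run over constructed traffic; the baseline, the multiplier and the suspicious-path list are assumptions chosen for the demonstration.

```python
"""Aggregate anomaly detection for a low-rate-per-bot HTTP flood.

Added example, not Indusface/AppTrana code. Per-IP rate limiting misses
bots that send one request a minute, so this looks at the aggregate:
requests per minute vs. a baseline, distinct client IPs per minute, and
the share of requests hitting non-public paths. Thresholds and the sample
traffic are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Paths the application does not serve publicly (taken from the case study);
# treated here as a suspicious-path list. Assumption: these are the only ones.
SUSPICIOUS_PATHS = {"/404", "/admin", "/config"}


@dataclass
class MinuteStats:
    requests: int
    distinct_ips: int
    suspicious_share: float   # fraction of requests to non-public paths
    max_per_ip: int           # busiest single IP in that minute


def summarize(requests, minute_len=60):
    """Bucket (timestamp_seconds, client_ip, path) tuples per minute."""
    buckets = defaultdict(list)
    for ts, ip, path in requests:
        buckets[int(ts // minute_len)].append((ip, path))
    stats = {}
    for minute, reqs in sorted(buckets.items()):
        per_ip = defaultdict(int)
        suspicious = 0
        for ip, path in reqs:
            per_ip[ip] += 1
            if path in SUSPICIOUS_PATHS:
                suspicious += 1
        stats[minute] = MinuteStats(
            requests=len(reqs),
            distinct_ips=len(per_ip),
            suspicious_share=suspicious / len(reqs),
            max_per_ip=max(per_ip.values()),
        )
    return stats


def flag_minutes(stats, baseline_rpm, rate_multiplier=50, suspicious_share=0.5):
    """Return {minute: [reasons]} for minutes that look like a distributed
    low-rate flood: aggregate rate far above baseline and/or most traffic on
    non-public paths, while no single IP sends more than a couple of requests
    (so a per-IP limit would never fire)."""
    flagged = {}
    for minute, s in stats.items():
        reasons = []
        if s.requests >= baseline_rpm * rate_multiplier:
            reasons.append(f"rate {s.requests} rpm >= {rate_multiplier}x baseline {baseline_rpm}")
        if s.suspicious_share >= suspicious_share:
            reasons.append(f"{s.suspicious_share:.0%} of requests hit non-public paths")
        if reasons and s.max_per_ip <= 2:
            reasons.append(f"busiest IP sent only {s.max_per_ip} request(s); per-IP limit would not trigger")
        if reasons:
            flagged[minute] = reasons
    return flagged


def constructed_traffic():
    """Constructed sample: minute 0 is normal browsing by 5 users (4 requests
    each); minute 1 is a botnet of 300 distinct IPs each sending exactly one
    request to a non-public path."""
    reqs = []
    for i in range(5):
        for k in range(4):
            reqs.append((i * 10 + k, f"10.0.0.{i}", "/index.html"))
    paths = sorted(SUSPICIOUS_PATHS)
    for b in range(300):
        reqs.append((60 + (b % 60), f"198.51.{b // 256}.{b % 256}", paths[b % 3]))
    return reqs


if __name__ == "__main__":
    stats = summarize(constructed_traffic())
    # Baseline of 20 rpm and a 10x multiplier are constructed for the sample.
    for minute, reasons in flag_minutes(stats, baseline_rpm=20, rate_multiplier=10).items():
        print(f"minute {minute}: " + "; ".join(reasons))
```

The point of the third reason string is the one the case study makes: the busiest IP in the flagged minute sent a single request, so any per-IP rate limit low enough to stop it would also block ordinary users. The decision therefore has to come from the aggregate view and the targeted paths, which is what feeds the URL-level rules in the recommendations.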

Examine the comprehensive approach and solutions provided by Indusface and the outcomes achieved here.

Recommendations To Protect Your Business From Bot Attacks

Based on our observations in the customer case study, here are some recommendations for enhancing DDoS attack mitigation strategies, focusing on more advanced threats.

  • Avoid applying rate limits at the domain level, as adding numerous URLs to a domain can reduce the per-page requests required to trigger rate limits. This may result in unnecessary blocking of legitimate requests or, if you compensate by increasing overall rate limits, allow too many malicious requests to pass through.
  • Instead, establish rate limits at the URL level to manage access to specific URLs or sets of URLs. You can set distinct rate limits for each URL, and servers may block requests exceeding these limits.
  • Customize request rates based on session duration (time spent logged in) to detect abnormal behavior that could signal malicious activity and proactively prevent server overload. For instance, we implemented a rule to block the IP accessing the customer URL more than 20 times a minute, as it is considered abnormal behavior.
  • Monitor rate limits at the IP address level to restrict the number of requests or connections from individual IP addresses. Implementing IP blacklisting, where known malicious sources are added to a blacklist, simplifies blocking traffic from IP addresses associated with DDoS attacks.
  • Consider implementing geographical-based rate limiting, which involves instantly assessing IP address reputations and geolocation data to verify traffic sources. As a best practice, we recommend incorporating geofencing as a standard measure for all local applications.
  • Adjust the tolerance level for bot modules to align with your business requirements and risk tolerance. We’ve shifted the tolerance level from high to low in this scenario.
  • Conduct a thorough analysis of the attack request trends over a specific time. Following the analysis, implement bot mitigation rules accordingly.
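The first three recommendations (limit per URL rather than per domain, and apply a per-IP threshold on a specific URL such as the 20-requests-per-minute rule from the case study) are easiest to see side by side. The following is an added example, not AppTrana's implementation: a sliding-window limiter keyed by client IP and path, compared against a single domain-wide limit on the same constructed traffic. The limits, the paths and the two clients are assumptions chosen for the demonstration.

```python
"""Per-URL versus domain-level rate limiting.

Added example, not AppTrana code. Shows why one limit across the whole
domain either blocks a legitimate page load (many URLs per page) or, if
raised, lets a single-URL attacker through, while a per-(IP, path) limit
can stay tight on the sensitive URL. Limits and traffic are constructed.
"""
from collections import defaultdict, deque


class DomainRateLimiter:
    """Single sliding-window limit per client IP across every path on the domain."""

    def __init__(self, limit, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self._hits = defaultdict(deque)   # ip -> request timestamps in window

    def allow(self, ip, path, now):
        q = self._hits[ip]
        while q and now - q[0] >= self.window:   # drop timestamps outside window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class UrlRateLimiter:
    """Sliding-window limit keyed by (client IP, path). Each path may carry its
    own limit (url_limits); other paths fall back to default_limit."""

    def __init__(self, url_limits, default_limit, window_seconds=60):
        self.url_limits = url_limits
        self.default_limit = default_limit
        self.window = window_seconds
        self._hits = defaultdict(deque)   # (ip, path) -> timestamps in window

    def allow(self, ip, path, now):
        limit = self.url_limits.get(path, self.default_limit)
        q = self._hits[(ip, path)]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True


def constructed_traffic():
    """Constructed sample, as (timestamp_seconds, client_ip, path):
    a legitimate user loads /home plus 25 static assets within 3 seconds,
    and one client hits /login 30 times inside a single minute."""
    reqs = [(0.0, "10.0.0.1", "/home")]
    reqs += [(0.1 * (k + 1), "10.0.0.1", f"/static/asset{k}.js") for k in range(25)]
    reqs += [(2.0 * k, "203.0.113.7", "/login") for k in range(30)]
    return reqs


def evaluate(limiter, requests):
    """Replay requests in time order; return {ip: blocked_count} for IPs that
    had at least one request rejected."""
    blocked = defaultdict(int)
    for ts, ip, path in sorted(requests):
        if not limiter.allow(ip, path, ts):
            blocked[ip] += 1
    return dict(blocked)


if __name__ == "__main__":
    traffic = constructed_traffic()
    # Domain-wide 20/min: the ordinary page load of 26 requests is cut off.
    print("domain-level:", evaluate(DomainRateLimiter(limit=20), traffic))
    # 20/min per IP on /login only (the case-study style rule), 60/min elsewhere:
    # the page load passes untouched and only the /login client is throttled.
    print("url-level:   ", evaluate(UrlRateLimiter({"/login": 20}, default_limit=60), traffic))
```

Expected behaviour on the constructed traffic: the domain-level limiter blocks 6 of the legitimate user's 26 requests and 10 of the 30 /login requests, whereas the URL-level limiter blocks only the 10 excess /login requests. Raising the domain-wide limit to 30 to spare the page load would let every /login request through, which is the trade-off the first recommendation warns about.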

Vinugayathri is a Senior content writer of Indusface. She has been an avid reader & writer in the tech domain since 2015. She has been a strategist and analyst of upcoming tech trends and their impact on the Cybersecurity, IoT, and AI landscape. She is a content marketer simplifying technical anomalies for aspiring Entrepreneurs.
