Wednesday, November 13, 2024
HomeCyber Security NewsCase Study: Blocking Botnet-Driven Low-Rate HTTP DDoS Attacks

Case Study: Blocking Botnet-Driven Low-Rate HTTP DDoS Attacks

Published on

Malware protection

Indusface research on 1400+ websites recorded a significant surge in DDoS attacks and bot attacks during Q2, 2023, compared to Q1, 2023. We observed a 75% surge in DDoS attacks and a 48% increase in bot attacks.

Moreover, recent trends in DDoS attacks indicate a significant evolution beyond the Mirai bot, leading to the emergence of next-generation botnets that pose a far greater threat. One of them is a low-rate-per-bot HTTP DDoS attack. 

Low-rate-per-bot HTTP DDoS Attack

A low-rate-per-bot HTTP DDoS attack is a type of cyberattack where many compromised or controlled devices, often called bots, send a relatively small number of HTTP requests to a target web server or application over an extended period.

- Advertisement - SIEM as a Service

Unlike traditional botnet attacks that flood the target with massive requests, low-rate-per-bot attacks focus on stealth and persistence.

In this attack, each bot sends requests at a rate that is intentionally kept low to avoid triggering rate-limiting or detection mechanisms. However, the cumulative effect of these requests from numerous bots can still overwhelm the target server or application, causing service disruption.

Document
Download Report

The State of Application Security

Businesses are facing a growing number of cyber threats, particularly in the form of complex application attacks. This report, titled “The State of Application Security Q2 2023,” draws on data collected from over 1400 applications.

The primary objective of a low-rate-per-bot HTTP DDoS attack is to fly under the radar of security measures by mimicking legitimate user traffic. This makes it challenging for security solutions to differentiate between malicious and legitimate requests, as the attack traffic appears less notable due to the reduced request rate per bot.

Low-rate HTTP DDoS Attack against a Fortune 500 Company

How can organizations protect against these advancing DDoS attacks? An alternative approach to static rate limiting – is behavior-based DDoS protection, and that is what AppTrana does.

A few weeks back, our team, using the AppTrana platform, uncovered an HTTP DDoS attack aimed at an application within a Fortune 500 company. This attack was executed by a botnet consisting of thousands of individual bots.

The HTTP Flooding attack’s magnitude was 3000X to 14000X greater than the typical request rate per minute experienced by the website. Further, this attack used roughly 8 million unique IP addresses during its two-week control.

While effective against specific DDoS attacks, rate-limiting proved inadequate in this scenario since some IPs were sending just one request per minute, and adjusting the rate limit to such a low level was not a feasible solution.

What set this attack apart was its distinctive targeting of base URLs, many of which were either non-existent or not publicly accessible, such as /404, /admin, and /config.

The large surge in traffic on the application led to a decrease in speed, elevated bandwidth utilization, and disrupted the ability of legitimate users to access the services.

AppTrana detected all these anomalies, and our managed service team strategically deployed a customized solution to reduce these attacks to zero.

Examine the comprehensive approach and solutions provided by Indusface and the outcomes achieved here.

Recommendation To Protect Your Business From Bot Attacks 

Based on our observations in the customer case study, here are some recommendations for enhancing DDoS attack mitigation strategies, focusing on more advanced threats.

  • Avoid applying rate limits at the domain level, as adding numerous URLs to a domain can reduce the per-page requests required to trigger rate limits. This may result in unnecessary blocking of legitimate requests or, if you compensate by increasing overall rate limits, allow too many malicious requests to pass through.
  • Instead, establish rate limits at the URL level to manage access to specific URLs or sets of URLs. You can set distinct rate limits for each URL, and servers may block requests exceeding these limits.
  • Customize request rates based on session duration (time spent logged in) to detect abnormal behavior that could signal malicious activity and proactively prevent server overload. For instance, we implemented a rule to block the IP accessing the customer URL more than 20 times a minute, as it is considered abnormal behavior.
  • Monitor rate limits at the IP address level to restrict the number of requests or connections from individual IP addresses. Implementing IP blacklisting, where known malicious sources are added to a blacklist, simplifies blocking traffic from IP addresses associated with DDoS attacks.
  • Consider implementing geographical-based rate limiting, which involves instantly assessing IP address reputations and geolocation data to verify traffic sources. As a best practice, we recommend incorporating geofencing as a standard measure for all local applications.
  • Adjust the tolerance level for bot modules to align with your business requirements and risk tolerance. We’ve shifted the tolerance level from high to low in this scenario.
  • Conduct a thorough analysis of the attack request trends over a specific time. Following the analysis, implement bot mitigation rules accordingly.

Latest articles

Automating Identity and Access Management for Modern Enterprises

Keeping track of who has access and managing their permissions has gotten a lot...

Finding The Right E-Commerce Platform – Comparing Reselling Solutions

If you’re looking to make some extra cash or to start a business, you...

Fortinet Patches Critical Flaws That Affected Multiple Products

Fortinet, a leading cybersecurity provider, has issued patches for several critical vulnerabilities impacting multiple...

China-Nexus Actors Hijack Websites to Deliver Cobalt Strike malware

A Chinese state-sponsored threat group, identified as TAG-112, has been discovered hijacking Tibetan community...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Fortinet Patches Critical Flaws That Affected Multiple Products

Fortinet, a leading cybersecurity provider, has issued patches for several critical vulnerabilities impacting multiple...

China-Nexus Actors Hijack Websites to Deliver Cobalt Strike malware

A Chinese state-sponsored threat group, identified as TAG-112, has been discovered hijacking Tibetan community...

Chrome 131 Released with the Fix for Multiple Vulnerabilities

The Chrome team has officially announced the release of Chrome 131 for Windows, Mac,...