Case Study: Blocking Botnet-Driven Low-Rate HTTP DDoS Attacks

Indusface research on 1400+ websites recorded a significant surge in DDoS attacks and bot attacks during Q2, 2023, compared to Q1, 2023. We observed a 75% surge in DDoS attacks and a 48% increase in bot attacks.

Moreover, recent trends in DDoS attacks indicate a significant evolution beyond the Mirai bot, leading to the emergence of next-generation botnets that pose a far greater threat. One of them is a low-rate-per-bot HTTP DDoS attack. 

Low-rate-per-bot HTTP DDoS Attack

A low-rate-per-bot HTTP DDoS attack is a type of cyberattack where many compromised or controlled devices, often called bots, send a relatively small number of HTTP requests to a target web server or application over an extended period.

Unlike traditional botnet attacks that flood the target with massive requests, low-rate-per-bot attacks focus on stealth and persistence.

In this attack, each bot sends requests at a rate that is intentionally kept low to avoid triggering rate-limiting or detection mechanisms. However, the cumulative effect of these requests from numerous bots can still overwhelm the target server or application, causing service disruption.

Download Report

The State of Application Security

Businesses are facing a growing number of cyber threats, particularly in the form of complex application attacks. This report, titled “The State of Application Security Q2 2023,” draws on data collected from over 1400 applications.

Download Now

The primary objective of a low-rate-per-bot HTTP DDoS attack is to fly under the radar of security measures by mimicking legitimate user traffic. This makes it challenging for security solutions to differentiate between malicious and legitimate requests, as the attack traffic appears less notable due to the reduced request rate per bot.

Low-rate HTTP DDoS Attack against a Fortune 500 Company

How can organizations protect against these advancing DDoS attacks? An alternative approach to static rate limiting – is behavior-based DDoS protection, and that is what AppTrana does.

A few weeks back, our team, using the AppTrana platform, uncovered an HTTP DDoS attack aimed at an application within a Fortune 500 company. This attack was executed by a botnet consisting of thousands of individual bots.

The HTTP Flooding attack’s magnitude was 3000X to 14000X greater than the typical request rate per minute experienced by the website. Further, this attack used roughly 8 million unique IP addresses during its two-week control.

While effective against specific DDoS attacks, rate-limiting proved inadequate in this scenario since some IPs were sending just one request per minute, and adjusting the rate limit to such a low level was not a feasible solution.

What set this attack apart was its distinctive targeting of base URLs, many of which were either non-existent or not publicly accessible, such as /404, /admin, and /config.

The large surge in traffic on the application led to a decrease in speed, elevated bandwidth utilization, and disrupted the ability of legitimate users to access the services.

AppTrana detected all these anomalies, and our managed service team strategically deployed a customized solution to reduce these attacks to zero.

Examine the comprehensive approach and solutions provided by Indusface and the outcomes achieved here.

Recommendation To Protect Your Business From Bot Attacks

Based on our observations in the customer case study, here are some recommendations for enhancing DDoS attack mitigation strategies, focusing on more advanced threats.

• Avoid applying rate limits at the domain level, as adding numerous URLs to a domain can reduce the per-page requests required to trigger rate limits. This may result in unnecessary blocking of legitimate requests or, if you compensate by increasing overall rate limits, allow too many malicious requests to pass through.

• Instead, establish rate limits at the URL level to manage access to specific URLs or sets of URLs. You can set distinct rate limits for each URL, and servers may block requests exceeding these limits.

• Customize request rates based on session duration (time spent logged in) to detect abnormal behavior that could signal malicious activity and proactively prevent server overload. For instance, we implemented a rule to block the IP accessing the customer URL more than 20 times a minute, as it is considered abnormal behavior.

• Monitor rate limits at the IP address level to restrict the number of requests or connections from individual IP addresses. Implementing IP blacklisting, where known malicious sources are added to a blacklist, simplifies blocking traffic from IP addresses associated with DDoS attacks.

• Consider implementing geographical-based rate limiting, which involves instantly assessing IP address reputations and geolocation data to verify traffic sources. As a best practice, we recommend incorporating geofencing as a standard measure for all local applications.

• Adjust the tolerance level for bot modules to align with your business requirements and risk tolerance. We’ve shifted the tolerance level from high to low in this scenario.

• Conduct a thorough analysis of the attack request trends over a specific time. Following the analysis, implement bot mitigation rules accordingly.