A Multi-Vector DDoS Attack: How Proactive Measures Saved the Day


Recently, a Radware customer located in Eastern Europe was targeted by multiple DDoS (Distributed Denial of Service) attacks. The attacks were aimed at several assets hosting different types of services, and the attacker’s goal was to disrupt our customer’s availability.

Our customer faced a huge attack that included three different vectors:

  • HTTP Flood: This vector sent a massive number of HTTP requests to the target server, each of which the server had to parse and process. Its goal was to consume application resources and cause a service disruption that could have resulted in financial and reputational losses.
  • UDP Flood: In this vector, the attacker sent large volumes of User Datagram Protocol (UDP) packets to a single port, or to random ports, on the targeted system. Because UDP is connectionless, the host must examine every packet (and, for closed ports, typically answers with an ICMP Destination Unreachable message), so a sufficiently large flood saturates link and host capacity and leaves the server unresponsive.
  • TCP SYN Flood: This vector sent a high volume of TCP SYN (connection request) packets to the target server. For each SYN the server allocates state for a half-open connection and waits for a final ACK that never arrives, so the connection table and related resources are exhausted while the server attempts to handle all incoming connections.

The attack was executed in multiple waves, with the strongest wave peaking at over 770 gigabits per second (Gbps). Thankfully, the customer relied on Radware’s Multi-Layered DDoS Protection, and the attack was successfully mitigated.

Post Attack Analysis Tells the Story

The post-attack analysis revealed the following:

  1. The attackers targeted both the ports and protocols hosting actual services and unused ports and protocols, in an attempt to overwhelm the firewalls protecting the customer’s assets.
  2. Even though the attackers were no match for Radware Bot Manager, they employed several Layer 7 patterns in an attempt to evade detection, including:
    1. Randomizing Referer values to different websites to make it difficult to block malicious requests based on Referer rules.

      The Referer request header is an HTTP header field that indicates the address (URL) of the previous web page or resource from which a user navigated to the current page. It provides servers with information about where traffic is coming from. Attackers can easily manipulate the Referer header to disguise the source of their requests or to attempt to bypass certain security checks. As such, while it can provide insight into web traffic origins, it shouldn’t be solely relied upon for security decisions.

    2. Randomizing User-Agent values, and using up-to-date, legitimate-looking ones, to bypass User-Agent-based rules. The User-Agent request header lets the server identify the client application’s name and version, its operating system (OS) and other details about the client it is communicating with.
    3. Randomizing non-existent URL query parameter key names, without specifying a value. While empty parameters can be legitimate in some cases, here the tactic’s goals were to:
      1. Overwhelm the web server and cause resource exhaustion.
      2. Make blocking malicious requests based on certain query parameter names difficult (e.g., “?malicious_param”).
      3. Trigger unhandled exceptions, unexpected application behavior, or expose potential security flaws in the target system.
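The three Layer 7 patterns above are visible in ordinary web server access logs, and a defender who cannot block on a single Referer or User-Agent value can still spot a source that rotates through them. The following is an added example, written for this article and not Radware code: it parses constructed access-log lines in the common "combined" format (an assumed layout), profiles each client IP, and flags sources whose Referer hosts or User-Agents change on almost every request, or that send query keys that are not on the application's parameter allow-list (KNOWN_PARAMS, also assumed) and carry no value. The IP addresses, hostnames and log lines are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed log layout (constructed for this example): the common "combined"
# access-log format, i.e. client IP, identity, user, timestamp, request line,
# status, size, and then Referer and User-Agent in double quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query parameter names the application actually accepts (assumed allow-list).
KNOWN_PARAMS = {"page", "q", "lang"}

# Constructed sample lines: 203.0.113.5 browses normally; 198.51.100.7 shows the
# three patterns from the post (rotating Referer hosts, rotating legitimate-looking
# User-Agents, random valueless query keys).
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /catalog HTTP/1.1" 200 5123 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:118.0) Gecko/20100101 Firefox/118.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /catalog?page=2 HTTP/1.1" 200 5080 "https://shop.example/catalog" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:118.0) Gecko/20100101 Firefox/118.0"
203.0.113.5 - - [10/Oct/2023:13:55:47 +0000] "GET /catalog?page=3 HTTP/1.1" 200 5011 "https://shop.example/catalog?page=2" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:118.0) Gecko/20100101 Firefox/118.0"
203.0.113.5 - - [10/Oct/2023:13:55:59 +0000] "GET /item/42 HTTP/1.1" 200 7310 "https://shop.example/catalog?page=3" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:118.0) Gecko/20100101 Firefox/118.0"
203.0.113.5 - - [10/Oct/2023:13:56:12 +0000] "GET /cart?lang=en HTTP/1.1" 200 2210 "https://shop.example/item/42" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:118.0) Gecko/20100101 Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?a9f3k HTTP/1.1" 200 4012 "https://news.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /?qzx1 HTTP/1.1" 200 4012 "https://blog.example.net/post/1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /login?tt82 HTTP/1.1" 200 3305 "https://forum.example.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:118.0) Gecko/20100101 Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /catalog?page=1&r4nd0m HTTP/1.1" 200 5123 "https://www.example.com/search?q=shop" "Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /?p0o9i HTTP/1.1" 200 4012 "https://social.example/u/x" "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Mobile Safari/537.36"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /?zz7 HTTP/1.1" 200 4012 "https://mail.example/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:118.0) Gecko/20100101 Firefox/118.0"
""".strip().splitlines()


def parse_line(line):
    """Parse one access-log line into the fields the heuristics need, or return
    None when the line does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # keep_blank_values=True so that "?xk3q9" yields ("xk3q9", "") instead of
    # being dropped; the valueless key is exactly the pattern we want to see.
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True)
    # Compare Referer hosts, not full URLs: normal navigation changes the path on
    # every click but stays on one or two hosts, while the attack rotated across
    # many unrelated sites. A missing Referer ("-") maps to the empty host.
    rec["referer_host"] = urlsplit(rec["referer"]).netloc.lower()
    return rec


def profile_clients(lines):
    """Aggregate per-client counters over an iterable of log lines."""
    profiles = defaultdict(lambda: {"requests": 0, "referer_hosts": set(),
                                    "user_agents": set(), "unknown_blank_params": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the whole run
        p = profiles[rec["ip"]]
        p["requests"] += 1
        p["referer_hosts"].add(rec["referer_host"])
        p["user_agents"].add(rec["ua"])
        # A key that is not in the allow-list and carries no value is counted once
        # per request, however many such keys the request contains.
        if any(name not in KNOWN_PARAMS and value == "" for name, value in rec["params"]):
            p["unknown_blank_params"] += 1
    return profiles


def flag_suspects(profiles, min_requests=5, churn_ratio=0.8):
    """Return {ip: [reasons]} for clients that look like the rotating-header flood.
    Clients below min_requests are ignored so a single odd request is not flagged;
    churn_ratio is the fraction of requests that must carry a new Referer host or
    User-Agent before the client counts as rotating them."""
    suspects = {}
    for ip, p in profiles.items():
        if p["requests"] < min_requests:
            continue
        reasons = []
        if len(p["referer_hosts"]) / p["requests"] >= churn_ratio:
            reasons.append("referer_churn")
        if len(p["user_agents"]) / p["requests"] >= churn_ratio:
            reasons.append("user_agent_churn")
        if p["unknown_blank_params"] > 0:
            reasons.append("unknown_blank_params")
        if reasons:
            suspects[ip] = reasons
    return suspects


if __name__ == "__main__":
    for ip, reasons in sorted(flag_suspects(profile_clients(SAMPLE_LOG)).items()):
        print(f"{ip}: {', '.join(reasons)}")
```

Run on the constructed sample, only 198.51.100.7 is reported, with all three reasons; the browsing client stays clean because its Referer hosts are limited to the search engine it arrived from and the site itself, even though the full Referer URL changes on every click. The thresholds are heuristics to be tuned against real traffic, and sources behind a large NAT will naturally show more User-Agent diversity per IP, so this complements rather than replaces behavioral analysis; the KNOWN_PARAMS allow-list check also points at the hardening side of the third pattern, since rejecting unknown parameter names at the edge keeps them from ever reaching application code that might throw on them.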

What This Incident Reflects

The attack our customer suffered, and the way Radware Bot Manager successfully mitigated it, highlights how important it is for organizations of all sizes to have proactive security measures in place. The key word is proactive. A reactive measure does little more than confirm what you already know: the attack was devastating.

By employing advanced protection mechanisms, including behavioral and heuristic analysis and custom security hardening, organizations can effectively defend against even the most sophisticated DDoS attacks.

For more information about how Radware DDoS Protection can keep your organization proactively protected from attacks, contact our cybersecurity experts HERE. They would love to hear from you.

And to learn why Radware was named a leader in DDoS mitigation by SPARK Matrix, you can read the complete analyst report HERE.

Nour Abed Elkhalik
