Putting an End to the Flood: Radware Successfully Stops Record-Breaking 15 Billion Request Web DDoS Tsunami Campaign


In the ever-changing world of cybersecurity threats, Layer 7 distributed denial of service (DDoS) attacks continue to be a major challenge for online businesses. These advanced attacks cause significant disruptions, make services unavailable, create a poor user experience and lead to financial losses.

Now here’s the good news — Radware Web DDoS Protection has what it takes to stop these large and persistent Web DDoS Tsunamis. In fact, here’s an example of a recent one we successfully mitigated for a customer.

Hacktivist Threats Include Ransom Requests

Our customer had become the focus of an online hacktivist group. But as time passed, their motives shifted from political to financial, at which point they delivered DDoS ransom requests to the customer. The ransoms totaled millions of dollars, so having reliable, tested and proven defense was critically necessary.

We quickly activated Radware’s new Web DDoS Protection service to eliminate the threat and handle multiple attacks, which had reached peak rates of 2.8 million requests per second (RPS). This protection ensured that the customer’s online services remained available and without any interruptions.

In the following, we will explore details of the attack campaign, describe our approach to mitigating the attacks and share the outstanding results we achieved.

The key takeaway is quite evident — despite facing large-scale attacks, the customer’s online services remained fully operational, even in the midst of multiple ongoing attacks. They expressed sincere appreciation and gratitude for our consistent and unwavering support.

Attack Analysis

Throughout the attack campaign, Radware mitigated a staggering volume of requests — 15 billion! This highlights the immense scale of the threat directed at our customer. The campaign, which took place from June 2nd through June 5th, targeted multiple customer applications and consisted of three significant waves.

The three waves lasted for 2.5 hours, 1.5 hours and 0.5 hours, respectively. When considering the cumulative attack duration across all applications, the total spanned almost 20 hours. The attack demonstrated a remarkable level of intensity with a rate of 2.8 million RPS across all targeted applications. The highest peak per application reached a staggering 2.6 million RPS during the attack campaign’s second wave.

Figure 1: The figure shows the three campaign waves across five applications peaking to 2.8 million RPS. Over time, the total amount of blocked requests reached 15 billion.

Figure 2: The figure shows the highest peak on a single application (out of five attacked applications) for each wave. The highest peak on a single application stood at 2.6 million RPS.

Radware’s Mitigation Strategy

Radware’s immediate and decisive response played a crucial role in swiftly and comprehensively escorting our customer’s organization from emergency onboarding to Radware’s Cloud Web DDoS Protection Service. Remarkably, this was accomplished without the luxury of any learning period. Leveraging Radware’s automatic, real-time signature-creation capabilities, customized signatures were seamlessly activated and precisely tailored to counteract the unique characteristics of the attack.

Throughout the entire attack campaign, Radware’s automatic mitigation actions were powered by advanced algorithms that analyzed the behavior of the attacks. We successfully mitigated all attacks without any prior knowledge of, or assumptions about, them. The attack pattern was learned and handled automatically, without any human intervention.

Through close collaboration with the customer and continuous monitoring, Radware’s dedicated Emergency Response Team (ERT) actively worked to ensure their seamless operation and optimal protection.

Our automatic signatures effectively blocked the waves of attack, which allowed legitimate users to continue accessing the service.

The ability to defend against evolving threats immediately, and without the need for a learning period, demonstrates Radware’s expertise in providing reliable protection.

Attack Analysis

The attack originated from a large-scale botnet spanning multiple countries, including, among others, Sweden, the United States, Denmark, Morocco, Poland and Italy. Approximately 30,000 source IPs participated in the attack, with some hosted on public clouds and cloud security service providers; this indicates widespread misuse.

The attackers employed various methods to increase the impact of their attacks and evade regular security measures, including:

  • Encrypted requests (HTTPS), which required more computing resources.
  • HTTP GET requests designed to appear legitimate.
  • Techniques that included HTTP/2 multiplexing, which enhanced effectiveness.
  • Alteration of request patterns at different stages of the attack.

It’s important to note that, despite these changing tactics, Radware’s algorithm swiftly detected each change and updated its security measures in real time. And — as always — we applied the updated real-time signatures automatically and shared the related information and statistics with the customer. This adaptive approach ensured our readiness to handle the evolving attack: we continuously adapted to the changing tactics and gave our customer clear visibility into the attack waves and patterns.
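To illustrate the behavioral approach described above (a learned baseline, a flagged rate spike, and a signature built from the attributes that dominate the flood and then rebuilt when the request pattern shifts), here is a deliberately small added example. It is not Radware's algorithm or code; the log format and the sample traffic are constructed for the demonstration.

```python
import re
from collections import Counter

# Constructed access-log format: <epoch> <ip> "<method> <path> <proto>" <status> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\d+) (?P<ip>\S+) "(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
                    r'(?P<status>\d+) "(?P<ua>[^"]*)"$')

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def derive_signature(attack, baseline, fields=("method", "path", "proto", "ua")):
    """Keep the attributes that dominate the attack window (>= 90% of requests)
    but were not dominant in baseline traffic; that combination is the signature."""
    sig = {}
    for f in fields:
        val, n = Counter(r[f] for r in attack).most_common(1)[0]
        in_base = sum(r[f] == val for r in baseline) / max(1, len(baseline))
        if n / len(attack) >= 0.9 and in_base < 0.5:
            sig[f] = val
    return sig

def detect(lines, learn_until, factor=5):
    """Learn the peak requests/second while ts < learn_until, then flag every
    later second above factor x baseline and derive a signature for it."""
    recs = [r for r in map(parse, lines) if r]
    per_sec = {}
    for r in recs:
        per_sec.setdefault(int(r["ts"]), []).append(r)
    base_recs = [r for r in recs if int(r["ts"]) < learn_until]
    base_rps = max((len(v) for t, v in per_sec.items() if t < learn_until), default=1)
    alerts = {}
    for t, recs_t in sorted(per_sec.items()):
        if t >= learn_until and len(recs_t) > factor * base_rps:
            alerts[t] = (len(recs_t), derive_signature(recs_t, base_recs))
    return alerts

# Constructed sample: 3 s of normal traffic, then two attack waves from many
# distinct IPs whose request pattern changes between waves (path and user-agent).
LEGIT = [f'{t} 10.0.0.{i} "GET /{p} HTTP/1.1" 200 "Mozilla/5.0 ({b})"'
         for t in (100, 101, 102) for i, (p, b) in enumerate(
             [("home", "Windows"), ("cart", "Macintosh"), ("api/items", "Linux")])]
WAVE1 = [f'103 198.51.100.{i} "GET /home HTTP/2.0" 200 "python-requests/2.31"' for i in range(40)]
WAVE2 = [f'104 203.0.113.{i} "GET /search?q=x HTTP/2.0" 200 "Mozilla/5.0 (compatible)"' for i in range(60)]
SAMPLE = LEGIT + WAVE1 + WAVE2

if __name__ == "__main__":
    for t, (rps, sig) in detect(SAMPLE, learn_until=103).items():
        print(f"t={t}: {rps} req/s, signature={sig}")
```

Note that the generic "GET" method never enters a signature because it is equally common in baseline traffic, while the shifted path and user-agent of the second wave produce a fresh signature rather than a stale one.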


Figure 5: Examples of crafted HTTP GET requests disguised as legitimate web requests.

In Summary

It’s a story that has been told time and again since we were founded almost 25 years ago — Radware successfully mitigates a malicious attack against one of its customers. With Radware’s proprietary behavioral algorithm, and its unique ability to learn application behavior and adapt to changing rates, it ensures optimal mitigation and protection. Moreover, Radware excels in providing the best level of protection, even during emergency situations. With immediate and adaptive responses, it detects and mitigates threats in real-time, ensuring uninterrupted availability of the protected applications. The bottom line is that Radware’s Web DDoS Protection offers comprehensive defense against Web DDoS Tsunami attacks, minimizing false positives and providing the widest attack coverage, including zero-day protection. It combines advanced learning capabilities and emergency readiness to deliver unmatched defense for organizations.

As the cyber threat landscape continues to evolve, Radware remains at the forefront of the fight to keep companies secure. This helps us empower businesses with the confidence and resilience needed to navigate the complex realm of DDoS attacks. For more information, reach out to the Radware cybersecurity professionals HERE. They would love to hear from you.

To learn why Radware was named a leader in DDoS mitigation by SPARK Matrix, you can read the complete analyst report HERE.

Yifat Grayevsky

Yifat Grayevsky is a senior product manager at Radware. For the past 15+ years, Yifat has played an integral role in driving Radware's growth and establishing its leadership position. As a talented and tenured product manager and security architect who combines technical expertise with a passion for security innovation, Yifat consistently delivers cutting-edge products that effectively tackle complex security challenges while elevating the overall customer experience.
