Radware’s ERT Mitigated a Spoofed-IPs Attack of Several Hundred Gbps

May 4, 2017 — by Ben Zilberman

Background:

Starting on April 1st, one of the most popular gaming operators from a large Asia-Pacific (APAC) country suffered DDoS attacks that rendered the application unreachable and left many gamers frustrated. It was a massive spoofed-IP attack against the user authentication ports. After several attempts to mitigate the attack, the customer turned to a local cloud provider, a Radware partner, for help. As one of the largest providers in APAC, they took a stab at fighting the attack off and called Radware to the battlefield.

This turned out to be sophisticated combat. The customer experienced multi-vector attacks at varying rates, with random bursts peaking at hundreds of Gbps each. The vector blend kept changing, and it was clear that the attackers were determined not only to knock the service offline but to keep it down as well.

Figure 1 – Traffic rates throughout the attack campaign
Figure 2 – Traffic rates throughout the attack campaign

We gathered our Emergency Response Team (ERT) DDoS mitigation experts for a round-the-clock fight. This type of attack highlights the need to have experts on call in the moment of truth. The experience of a senior engineer pays off.

Attack Characteristics – Why Spoofed IPs?

The attackers launched a sustained series of precise, high-volume floods with the following characteristics:

  1. Professional – neither a novice hacker nor a plug-n-play DDoS-as-a-Service program carried out this attack campaign. The determination and methodic development of the campaign proved it to be a job done by networking experts.
  2. Multiple, constantly changing vectors – including SYN floods, ACK floods, UDP floods, TCP reset attacks and fragmented UDP floods on multiple ports simultaneously, in different blend compositions.
  3. Geographic distribution – to bypass any geo-location based protection
  4. Bursts – A sustained high volume attack combined with high volume peaks every 5 to 15 minutes.
  5. Spoofed IPs – Most DDoS protection solutions use IP blacklisting mechanisms and cannot withstand a dynamic spoofed-IP attack. Not only are these limited by their capacity to store lists of IP addresses; when the spoofed IPs change constantly, blacklisting and ACL updates are meaningless.

They probably expected the provider to drop the upstream router link at a certain high volume. But that didn’t happen. Using a dedicated signature, we could block the malicious traffic regardless of its IP address.
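The contrast between source blacklisting and an IP-independent signature can be reproduced on constructed traffic. This is an added example, not Radware's signature or code from the original post; the header fields used (`flags`, `ttl`, `win`), their values and all function names are assumptions chosen for illustration.

```python
import random
from collections import Counter, OrderedDict

def make_traffic(n_attack=5000, n_legit=500, seed=7):
    """Constructed sample: the flood shares header traits, but every packet has a fresh source IP."""
    rng = random.Random(seed)
    pkts = []
    for _ in range(n_attack):
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))  # spoofed source
        pkts.append({"src": src, "flags": "SYN", "ttl": 247, "win": 512, "attack": True})
    clients = [f"198.51.100.{i}" for i in range(1, 51)]  # documentation range
    for _ in range(n_legit):
        pkts.append({"src": rng.choice(clients), "flags": "SYN",
                     "ttl": rng.choice([52, 55, 116]),
                     "win": rng.choice([29200, 64240, 65535]), "attack": False})
    rng.shuffle(pkts)
    return pkts

def blacklist_filter(pkts, capacity=1000):
    """Reactive source blacklist with LRU eviction. Best case for the defender: each
    attack source is listed after its first packet ('attack' stands in for a perfect detector)."""
    listed = OrderedDict()
    dropped_attack = dropped_legit = 0
    for p in pkts:
        if p["src"] in listed:
            listed.move_to_end(p["src"])
            dropped_attack += p["attack"]
            dropped_legit += not p["attack"]
            continue
        if p["attack"]:
            listed[p["src"]] = True
            if len(listed) > capacity:
                listed.popitem(last=False)  # table full: oldest entry is lost
    return dropped_attack, dropped_legit

def signature_filter(pkts, min_share=0.5):
    """Drop on the header tuple that dominates the traffic mix, ignoring source IP.
    A production engine would compare against a peacetime baseline first."""
    counts = Counter((p["flags"], p["ttl"], p["win"]) for p in pkts)
    sig, hits = counts.most_common(1)[0]
    if hits / len(pkts) < min_share:
        return None, 0, 0
    dropped = [p for p in pkts if (p["flags"], p["ttl"], p["win"]) == sig]
    dropped_attack = sum(p["attack"] for p in dropped)
    return sig, dropped_attack, len(dropped) - dropped_attack

if __name__ == "__main__":
    traffic = make_traffic()
    print(blacklist_filter(traffic), signature_filter(traffic))
```

Even with perfect after-the-fact detection, the blacklist drops almost nothing because a listed source is never reused, while the header signature removes the flood without touching the constructed legitimate clients.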

Figure 3 & 4 – Attack bursts of random durations every few minutes

“Most DDoS Protection solutions use IP blacklisting mechanisms and cannot withhold a dynamic spoofed IPs attack. This is another indication that this campaign was launched by professionals who knew exactly how to breach through a typical cloud provider DDoS protection”

Figure 5 & 6 – sustained attacks’ duration varied from minutes to hours to days

Attack mitigation:

Radware’s ERT used several techniques in the battle against the attackers in order to avoid even a minor impact on users. They carried out multiple network optimization actions and security tunings to control and manage the attack traffic and to adjust to the attack volume and vectors. While the initial burst caused an interruption, it allowed us to refine the tunings further, ultimately resulting in consistent mitigation for nearly 100% of the attack duration.

Following the engagement of Radware’s ERT, the burst attacks became much more complex, more frequent and longer, presumably because the attackers recognized their lack of success.

At the end of the day, there are three key elements in successful mitigation, where one cannot go without the other:

  1. The technology – a behavioral analysis engine that detects anomalies in real time and protects legitimate users while blocking the attack traffic
  2. The scrubbing capacity – a broad network of high capacity scrubbing centers in various locations. Yet even an endless capacity cannot fully protect customer SLA without the ability to distinguish between attack traffic and legitimate requests
  3. The human factor – against a team of sophisticated, determined professionals, you need a team of more sophisticated, devoted experts to win the cyber-battle

These subsequent bursts, too, were fully mitigated with no apparent or reported impact on game functionality – the SLA was protected!

Radware’s ERT remains on alert, believing the attackers will return with more sophisticated, aggressive tactics.

Ben Zilberman

Ben Zilberman is a product-marketing manager in Radware’s security team. In this role, Ben specializes in application security and threat intelligence, working closely with Radware’s Emergency Response and research teams to raise awareness of high profile and impending attacks. Ben has diverse experience in network security, including firewalls, threat prevention, web security and DDoS technologies. Prior to joining Radware, Ben served as a trusted advisor at Check Point Software Technologies, where he led partnerships, collaborations, and campaigns with system integrators, service, and cloud providers. Ben holds a BA in Economics and an MBA from Tel Aviv University.
