Earlier this year, in a country populated with over 50 million people, a series of protests began due to higher taxes, corruption and a healthcare reform proposed by the government. Although the government authorities had anticipated the protests would be widespread, no one suspected that a massive DDoS attack would be launched on multiple assets of the government’s networks with the intent of bringing it down. Shortly after the attack began, a notorious group of hackers came forward and claimed responsibility for the three-wave attack lasting two weeks.
First Wave of Attacks: Hit by Surprise
The first wave of the attack came as a surprise to the government. The wave hit 9Gbps in only 30 seconds using highly sophisticated vectors. (see fig. 1)
The government has been a Radware client for over eight years and had multiple Radware DefensePro devices installed on-premise in all of its data centers. The devices were properly functioning and successfully mitigated several attacks in the past, but the government had no idea when the attack would dissipate and the maximum volume it would reach. In parallel to the ongoing on-premise mitigation, they immediately reached out to Radware’s ERT (Emergency Response Team) to get additional assistance and ensuring their company was safeguarded. The ERT proposed an emergency onboarding of Radware’s Cloud DDoS Protection Service in an Always-On mode to be completely covered. Two hours later all government traffic was diverted to one of Radware’s 14 global scrubbing centers. The traffic was diverted in an always-on mode, meaning all network traffic is constantly inspected and scrubbed before continuing to the destination data center.
Unsuccessful Mitigation by Local ISP
In parallel to contacting Radware’s ERT, the government decided to contact their local ISPs, requesting them to start blocking some of the attack traffic on their end before it would reach the government’s data centers. The two ISPs (leveraged DDoS mitigation solutions fromNetscout and Corero) agreed to assist but unfortunately could not mitigate the attack traffic before it reached the Radware devices in a matter of the seconds the traffic was cleaned and there was no impact on the network.
Government Fully Prepared for Next Waves of Attacks
Less than 10 hours later, the second wave assault began (see Figure. 2). This time, five minutes into the attack, the volume reached 135Gbps. As all of the traffic was already diverted to Radware’s cloud scrubbing center, the government had no impact whatsoever on its network. This repeated itself during the third wave, which started a few days later.
You Can Never Be Over Prepared
After eight years of being a Radware client leveraging on-premise devices, the government now has a hybrid deployment covering all its assets. The solution combines on-premise attack mitigation with a cloud scrubbing service available on-demand to mitigate volumetric attacks that aim to saturate the internet pipe. The two mitigation methods work in perfect harmony, with innovative messaging technology that runs the communication between the appliance and the cloud service. If there is one thing to learn from what happened to this government’s network, it is better to be safe than sorry.