A 60-minute DDoS attack could be launched with just $5 as per pricing on the Dark Web, and this was reduced from $15 in 2021. Unlike advanced attacks such as bot or zero-day attacks, these could be launched by hiring bandwidth on any of the ‘DDoS as a service’ websites.
No wonder even Gartner calls out DDoS as one of the biggest threat vectors for security teams worldwide.
DDoS attacks are debilitating, and the unavailability of applications can lead to lose revenue and unnecessary costs incurred in restoring operations. Many studies have pegged this number to range from a couple of hundred thousand dollars to upwards of a million dollars.
That said, acting quickly can prevent many of these problems, and analyzing DDoS attack traffic is critical.
While DDoS attacks such as SYN-flood can also affect the network layer, this blog is focused on how the Security Operations Center (SOC) teams could analyze application layer-level DDoS attacks.
The first data point that could point to a DDoS attack is the overall traffic that your top-level domain (TLD) or fully qualified domain (FQDN) is experiencing.
While seasonality can play a big role in this, it is good to have data on seasonality so that these outliers are considered while analyzing DDoS traffic.
The next step is understanding a weekly average. As users and site visits grow over a period of time, understanding what the weekly average is makes sure that your analysis captures the legitimate traffic that your site is getting.
As a thumb rule, a SOC team’s analysis should ideally start once the site traffic is 2X the weekly average.
Once you understand that a DDoS attack might be happening, the next step is to understand which parts of the application are being targeted by the hackers.
In the case of web and API applications, this can be found by analyzing the traffic on URIs. Like the analysis on the domain, SOC teams will need to understand the weekly averages of traffic per URI.
For example, understanding how many times a forgot password is usually accessed per minute will make it easier to mitigate attacks on the forgot password page.
The next step is to understand the user-level information. Having an idea of “how many users(unique IPs) visit my website”, “how many users visit my site from a unique IP,” and “how many times they visit every day” will give insights on mitigating DDoS attacks.
Even within this, further segregation of IP data with cookies and without cookies is important as that gives an understanding of traffic by humans vs APIs.
Geopolitics necessitates understanding site traffic from a given country. As discussed previously, it is always better to understand that as weekly averages.
When sponsored by governments, these attacks can be very tough to mitigate as the attacks will be at a much larger scale. That said, a recommended best practice is to whitelist only specific geographies or countries for any given application, as most applications are local in nature.
Do keep in mind that attacks can be launched from outside the country’s borders, so this is not 100% foolproof, but it is valuable data for SOC teams, nevertheless.
The real power of analysis lies in combining these parameters to get data such as:
Once the SOC team is empowered with this data, it is easy to employ mitigation policies such as tarpitting, CAPTCHA, or blocks by enforcing rate limits as per the standard user behaviour on any website or API.
That said, getting this data will require a lot of log analysis. Therefore, it is always better to use a WAAP like AppTrana, where this data is available in the dashboard, and mitigation is mostly automated. Learn more about DDoS mitigation on AppTrana WAAP on this link.
Stay tuned for more relevant and interesting security updates. Follow Indusface on Facebook, Twitter, and LinkedIn
This post was last modified on November 21, 2023 10:04
A Managed WAF is a comprehensive cybersecurity service offered by specialized providers to oversee, optimize,… Read More
Explore crucial tactics like Asset Inventory, Patch Management, Access Control & Authentication, and additional best… Read More
Delve into the data privacy questions including consent protocols, data minimization strategies, user rights management,… Read More
