Dinner with an Application Distributed Denial of Service (DDoS) Attack

Indusface’s Customer – Victim of Application DDoS: Have you ever experienced a live DDoS attack on your website? It’s totally eerie knowing that someone or something out in the under web world has spotted a vulnerability on your website and is happily exploiting it. The feeling of being helpless is very scary.

My team and I are responsible for the overall upkeep of our corporate website. Regular updates take place, and post these updates security checks are undertaken to ensure that the website is free from vulnerabilities. Earlier this month, we just released a new set of updates, did all the necessary website security checks and everything was fine.

Recently, at the end of a busy work week, I was just settling into a nice warm dinner, one Friday evening, when I noticed that my blackberry was incessantly beeping. To my surprise, I saw that I had received over 50 e-mails and counting via a download form from our website. While I was contemplating whether this was an attack or not, the e-mails count jumped to over 100. I concluded that we were under some form of attack and immediately alerted our security team at Indusface. In the middle of the calls, the threshold of e-mails increased to a minimum of 5 e-mails a minute. Whilst taking stock of the situation, there were hundreds of pdf white-paper downloads which was causing an Application Denial-Of-Service (DOS) on the website.

Indusface’s Managed Security Services Team: This was a very interesting scenario, as the website does not allow anyone to download their white-papers directly. Users are enforced to fill up a form with a valid e-mail so that a download link for the white paper of interest would be shared with them for a download. This dynamic link is generated from the web server and sent to the respective requester. In other words, the customer had a basic security policy defined on their website.

We received the details from the customer that someone from IP xx.xx.xx.xx was generating a large number of download requests with the email address “badguy@badguys.com”. Initially, we saw IP xx.xx.xx.xx under the category of spammers and an email harvester, so we decided to write a rule to block this IP from accessing the customer’s website. We did this and the attack was down for 4 minutes. No e-mails from the attacker came through for the next 4 minutes.

We thought, we were done with patching but we were informed again from our customer that they were again receiving download requests from some other IP but with the same email address. In other words, the intruder was doing proxy bouncing. We decided to work about a generic solution so that we could strongly defend against this Bot from performing application-level DDoS. In the whole scenario, we observed that intruder’s (Bot’s) IP was dynamic but the Bot was using a static email address to get download links (meaning, logically the email address was programmatically hardcoded in Bot’s code).

Now to handle this situation, we visited the website’s form and we located that variable which was responsible for taking the email address from the user (input parameter which is responsible for taking email address). Finally, we decided to filter this email address by writing one custom rule because it has been proven that, email address “badguy@badguys.com” was used by some Bot (not by a legitimate user). We created one custom rule again to filter this email address and applied. Within 5 minutes of time-window, the website was totally secured against this Application DoS attack. The total time to fix was less than 20 minutes.

Indusface’s Customer – Victim of Application DDoS: Indusface’s Managed Security Services team were quick to respond to our cry for help. This is highly appreciated, as it was a Friday evening, and most folks are out to enjoy the beginning of the weekend. The team quickly got into action, figured the problem within minutes, designed a solution, implemented it, tested it against the security framework and within 15 to 20 minutes the attack was stopped. There has not been an attack on our website since then.

We continue to continuously monitor the website for vulnerabilities using Indusface WAS. Due to the frequent updates, we have on our website, we also have Indusface WAF in place to block any type of attacks, giving us a good secure time frame to complete application updates and security tests on our website while it is live. We bank our security with Indusface, as a result, enjoy total application security that detects, defends and protects our critical application assets on a continuous basis.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.