Get a free application, infrastructure and malware scan report - Scan Your Website Now

DDoS Attack Mitigation Playbook for SOC and DevOps Teams

Posted DateNovember 21, 2023
Posted Time 3   min Read

One in two sites on AppTrana WAAP have faced a DDoS attack in the last 90 days.

Most of those attacks were thwarted using a combination of machine learning on user behaviour and granular rate limits at URI, IP, and Geo levels.

For SOC teams who don’t have an advanced behavioural DDoS mitigation tool like AppTrana at their disposal, this blog covers basic mitigation measures that can thwart the most simple and medium-severity DDoS attacks.

The first step before starting to mitigate a DDoS attack is to first understand if the current spike in traffic is actually a DDoS attack. This blog details how you can perform traffic analysis for DDoS attacks. 

Unlock DDoS insights with the video clip unveiling a live simulation.

Below is a basic playbook that SOC or DevOps teams can adopt, especially when they don’t have an automated DDoS response mechanism through WAAP.

Geo-Fencing 

Most applications are designed to be used in a specific geography. The first step to thwart an attack is to tighten the geo-fencing policy by either whitelisting only specific countries or by blacklisting a list of suspicious countries from where you are seeing abnormal traffic.

That said, this is a basic technique, as advanced attackers can launch attacks from even those countries that have been whitelisted.

Suspicious User Agents

The next step would be to look at user agents from where traffic hits your origin server. Since most DDoS attacks are launched by well-known bad actors and their corresponding user agents, blocking off all suspicious user agents is the next step.

Do note that this might not be enough, as attacks could be launched from good user agents.

IP Blacklisting

The next step is to look at all the IPs and their reputations from which traffic hits your origin servers. Subscribing to something like Spamhaus is a good investment, especially during such incidents.

The next layer of defense is to block all suspicious IPs sending high-traffic volumes.

That said, it is always possible that the database you use might not have the IP reputation from where the attack originated; this measure is not fool-proof but gives you basic protection.

Cookie Headers

This method is applicable only to websites.

You may already have a cookie in your application or can inject a cookie tracking any new request without a cookie in the WAF equivalent layer before the application. This way, any request without a cookie will be redirected after injecting the cookie, and if they are basic bots, then this step will help eliminate such traffic not reaching the backend. Make sure you whitelist the requests from all the known IPs to minimize false positive blocks.

Launching an attack while sending cookie requests is still possible, so this might also not be enough.

Rate Limiting Thresholds

After analyzing the normal site behaviour, find the thresholds for rate limits on:

  1. Requests per URI per IP
  2. Requests per IP with cookie
  3. Requests per IP without cookie (API requests and bots)
  4. Requests per IP per geo (country)

As per our analysis, just URI-based rate-limiting was able to block more than 50% of the DDoS attack traffic.

Block Actions

Once the rate-limits have been identified, apply the rule actions, and increase the severity every 5 minutes.

As the first action, apply a tarpitting rule across the rate limits.

Then, choose a CAPTCHA or a block rule for all these rate limits.

Site-Wide CAPTCHA

The last step would have blocked most DDoS attacks. That said, sometimes, it is the case that a large-scale DDoS attack would target every URI on the website with millions of unique IPs.

Unless you have an advanced machine learning-based system that blocks all the anomalies, your only option is to enable a site-wide CAPTCHA. While this will inconvenience the genuine users, you’ll not have application availability issues.

As you can see, a lot of monitoring and preventive action is required even when you automate alerts using machine learning. If your business is getting hit by DDoS attacks regularly, consider the option for a DDoS monitoring service from your WAAP provider.  

If you use WAAPs provided by the public cloud providers, the managed DDoS will cost you around $3000 monthly. Try the fully managed AppTrana WAAP, which starts at a couple of hundred dollars every month. Try free for 14 days here. 

Stay tuned for more relevant and interesting security updates. Follow Indusface on FacebookTwitter, and LinkedIn

DDoS Protection

Phani - Head of Marketing
Phani Deepak Akella

Phani heads the marketing function at Indusface. He handles product marketing and demand generation. He has worked in the product marketing function for close to a decade and specializes in product launches, sales enablement and partner marketing. In the application security space, Phani has written about web application firewalls, API security solutions, pricing models in application security software and many more topics.

Share Article:

Join 51000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.

Related Posts

DDoS Mitigation – Why Your Traditional Security Fails?

DDoS attacks are among the most rapidly advancing type of cybercrime. Traditional DDoS mitigation is not enough to counter these attacks. Why is it so, and what is the way forward?

Read More
ddos attack mitigation
DDoS Attack Mitigation – Don’t Compromise on Security for Speed

When a targeted network or a server is successfully protected from DDoS attack, it is referred to as DDoS mitigation or DDoS attack mitigation.

Read More
DDoS Attack
What You Should Know Before the Next DDoS Attack?

Here are some things you should know before the next DDoS attack so that you can be well-equipped to prevent it or at least minimize its impact.

Read More

AppTrana

Fully Managed SaaS-Based Web Application Security Solution

Get free access to Integrated Application Scanner, Web Application Firewall, DDoS & Bot Mitigation, and CDN for 14 days

Get Started for Free Request a Demo

Gartner

Indusface is the only cloud WAAP (WAF) vendor with 100% customer recommendation for 4 consecutive years.

A Customers’ Choice for 2024, 2023 and 2022 - Gartner® Peer Insights™

The reviews and ratings are in!