DDoS Attack Mitigation Playbook for SOC and DevOps Teams
One in two sites on AppTrana WAAP have faced a DDoS attack in the last 90 days.
Most of those attacks were thwarted using a combination of machine learning on user behaviour and granular rate limits at URI, IP, and Geo levels.
For SOC teams who don’t have an advanced behavioural DDoS mitigation tool like AppTrana at their disposal, this blog covers basic mitigation measures that can thwart the most simple and medium-severity DDoS attacks.
Before starting to mitigate a DDoS attack, first confirm that the current spike in traffic is actually a DDoS attack and not a legitimate surge. This blog details how you can perform traffic analysis for DDoS attacks.
Below is a basic playbook that SOC or DevOps teams can adopt, especially when they don’t have an automated DDoS response mechanism through WAAP.
Geo-Fencing
Most applications are designed to be used in a specific geography. The first step to thwart an attack is to tighten the geo-fencing policy by either whitelisting only specific countries or by blacklisting a list of suspicious countries from where you are seeing abnormal traffic.
That said, this is a basic technique, as advanced attackers can launch attacks from even those countries that have been whitelisted.
Suspicious User Agents
The next step is to look at the user agents of the traffic hitting your origin server. Since most DDoS attacks are launched by well-known bad actors whose tools send recognisable user agents, blocking all suspicious user agents is the next step.
Do note that this might not be enough, as attacks could be launched from good user agents.
IP Blacklisting
The next step is to look at all the IPs and their reputations from which traffic hits your origin servers. Subscribing to something like Spamhaus is a good investment, especially during such incidents.
The next layer of defense is to block all suspicious IPs that are sending high traffic volumes.
That said, it is always possible that the reputation database you use has no entry for the IPs the attack originates from; this measure is not fool-proof, but it gives you basic protection.
Cookie Headers
This method is applicable only to websites.
You may already have a session cookie in your application, or you can have the WAF (or an equivalent layer in front of the application) inject a tracking cookie into any new request that arrives without one. Any request without the cookie is then redirected after the cookie has been set; basic bots that do not retain cookies fail this step, so their traffic never reaches the backend. Make sure you whitelist requests from all known IPs to minimize false-positive blocks.
Launching an attack with clients that do send the cookie is still possible, so this might also not be enough.
Rate Limiting Thresholds
After analyzing the normal site behaviour, find the thresholds for rate limits on:
- Requests per URI per IP
- Requests per IP with cookie
- Requests per IP without cookie (API requests and bots)
- Requests per IP per geo (country)
As per our analysis, just URI-based rate-limiting was able to block more than 50% of the DDoS attack traffic.
Block Actions
Once the rate limits have been identified, apply the rule actions and increase the severity every 5 minutes.
As the first action, apply a tarpitting rule across the rate limits.
Then, choose a CAPTCHA or a block rule for all these rate limits.
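As an added example that is not code from the original post or from AppTrana, the following Python evaluates one monitoring window of constructed access-log lines against the four rate-limit dimensions listed above and maps the time since the first hit onto the escalating actions; the threshold values, the log-line format and the tarpit-then-CAPTCHA-then-block order are assumptions.

```python
from collections import Counter

# Requests allowed per monitoring window. These numbers are illustrative
# assumptions; the post says to derive them from your own baseline analysis.
THRESHOLDS = {
    "uri_per_ip": 5,         # requests per URI per IP
    "ip_with_cookie": 12,    # requests per IP that carry the session cookie
    "ip_without_cookie": 3,  # requests per IP without a cookie (APIs, bots)
    "ip_per_geo": 10,        # requests per IP per country
}

# Constructed sample log lines: "<client_ip> <country> <uri> <cookie|nocookie>".
SAMPLE_LOG = (
    ["198.51.100.7 RU /login nocookie"] * 6                  # bot hammering one URI
    + ["203.0.113.5 US /home cookie", "203.0.113.5 US /cart cookie",
       "203.0.113.5 US /checkout cookie", "203.0.113.5 US /home cookie"]  # normal user
    + ["192.0.2.9 DE /api/v1/items nocookie"] * 2             # API client within limits
    + [f"203.0.113.77 IN /p/{i} cookie" for i in range(11)]  # scraper spread over many URIs
)

def parse(line):
    """Split one constructed log line into its fields."""
    ip, country, uri, cookie = line.split()
    return {"ip": ip, "geo": country, "uri": uri, "cookie": cookie == "cookie"}

def evaluate(lines, thresholds=THRESHOLDS):
    """Count requests along the four dimensions for one window and return
    {ip: sorted names of the limits that IP exceeded}."""
    counters = {name: Counter() for name in thresholds}
    for rec in map(parse, lines):
        counters["uri_per_ip"][(rec["ip"], rec["uri"])] += 1
        bucket = "ip_with_cookie" if rec["cookie"] else "ip_without_cookie"
        counters[bucket][rec["ip"]] += 1
        counters["ip_per_geo"][(rec["ip"], rec["geo"])] += 1
    hits = {}
    for name, counter in counters.items():
        for key, n in counter.items():
            if n > thresholds[name]:
                ip = key[0] if isinstance(key, tuple) else key
                hits.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in hits.items()}

def action(minutes_since_first_hit):
    """Escalation schedule from the playbook: tarpit first, then step up
    every 5 minutes to CAPTCHA and finally block (ordering assumed)."""
    if minutes_since_first_hit < 5:
        return "tarpit"
    if minutes_since_first_hit < 10:
        return "captcha"
    return "block"
```

In the sample window the cookieless bot trips both the per-URI and the no-cookie limits, while the scraper that spreads its requests over many URIs is only caught by the per-geo limit, which is why the post recommends layering all four.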
Site-Wide CAPTCHA
The last step would have blocked most DDoS attacks. That said, sometimes, it is the case that a large-scale DDoS attack would target every URI on the website with millions of unique IPs.
Unless you have an advanced machine learning-based system that blocks all the anomalies, your only option is to enable a site-wide CAPTCHA. While this will inconvenience genuine users, you will avoid application availability issues.
As you can see, a lot of monitoring and preventive action is required even when you automate alerts using machine learning. If your business is getting hit by DDoS attacks regularly, consider the option for a DDoS monitoring service from your WAAP provider.
If you use WAAPs provided by the public cloud providers, the managed DDoS will cost you around $3000 monthly. Try the fully managed AppTrana WAAP, which starts at a couple of hundred dollars every month. Try free for 14 days here.