
Dinner with an Application Distributed Denial of Service (DDoS) Attack

Posted June 12, 2014 (3 min read)

Indusface’s Customer – Victim of Application DDoS: Have you ever experienced a live DDoS attack on your website? It’s totally eerie knowing that someone or something out in the under web world has spotted a vulnerability on your website and is happily exploiting it. The feeling of being helpless is very scary.

My team and I are responsible for the overall upkeep of our corporate website. Regular updates take place, and after these updates security checks are undertaken to ensure that the website is free from vulnerabilities. Earlier this month, we had just released a new set of updates, done all the necessary website security checks, and everything was fine.

Recently, at the end of a busy work week, I was just settling into a nice warm dinner one Friday evening when I noticed that my BlackBerry was incessantly beeping. To my surprise, I saw that I had received over 50 e-mails and counting via a download form from our website. While I was contemplating whether this was an attack or not, the e-mail count jumped to over 100. I concluded that we were under some form of attack and immediately alerted our security team at Indusface. In the middle of the calls, the rate of e-mails increased to a minimum of 5 e-mails a minute. Whilst taking stock of the situation, there were hundreds of PDF white-paper downloads, which were causing an Application Denial-of-Service (DoS) on the website.

Indusface’s Managed Security Services Team: This was a very interesting scenario, as the website does not allow anyone to download its white-papers directly. Users are required to fill out a form with a valid e-mail address, and a download link for the white paper of interest is then sent to them. This dynamic link is generated by the web server and sent to the respective requester. In other words, the customer had a basic security policy defined on their website.

We received details from the customer that someone at IP xx.xx.xx.xx was generating a large number of download requests with the email address “badguy@badguys.com”. Initially, we saw IP xx.xx.xx.xx categorised as a spammer and email harvester, so we decided to write a rule to block this IP from accessing the customer’s website. We did this and the attack stopped for 4 minutes: no e-mails from the attacker came through for the next 4 minutes.

We thought we were done, but our customer informed us that they were again receiving download requests, this time from some other IP but with the same email address. In other words, the intruder was proxy bouncing. We decided to work on a generic solution that would strongly defend against this bot performing application-level DDoS. Throughout the scenario, we observed that the intruder’s (bot’s) IP was dynamic, but the bot was using a static email address to obtain download links, meaning that the email address was, logically, hardcoded in the bot’s code.

To handle this situation, we visited the website’s form and located the input parameter that takes the email address from the user. We then decided to filter on that email address with a custom rule, since it had been established that “badguy@badguys.com” was being used by a bot and not by a legitimate user. We created the custom rule to filter this email address and applied it. Within a 5-minute window, the website was fully protected against this Application DoS attack. The total time to fix was less than 20 minutes.
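As an added illustration, not code from the original post or from Indusface’s WAF, the following Python models the two rules described above against a constructed sample of form submissions (documentation-range IPs, the email value the post quotes) and adds a per-minute rate check per email address of the kind that surfaces a hardcoded value regardless of how many proxy IPs it arrives from:

```python
from collections import defaultdict

# Constructed sample of download-form submissions (not data from the original post).
# Each entry: (timestamp, client IP, value of the form's email parameter).
# IPs are from documentation ranges; the email value is the one the post quotes.
SAMPLE_REQUESTS = [
    ("2014-06-06T19:00:01", "198.51.100.7",  "badguy@badguys.com"),
    ("2014-06-06T19:00:09", "198.51.100.7",  "badguy@badguys.com"),
    ("2014-06-06T19:00:20", "203.0.113.45",  "badguy@badguys.com"),  # same bot, new proxy IP
    ("2014-06-06T19:00:31", "192.0.2.88",    "badguy@badguys.com"),  # another proxy hop
    ("2014-06-06T19:00:35", "192.0.2.88",    "badguy@badguys.com"),
    ("2014-06-06T19:00:44", "203.0.113.45",  "badguy@badguys.com"),
    ("2014-06-06T19:01:02", "198.51.100.23", "alice@example.org"),   # legitimate visitor
    ("2014-06-06T19:01:10", "203.0.113.45",  "Badguy@BadGuys.com"),  # case-varied, same bot
]

BLOCKED_IPS = {"198.51.100.7"}           # rule 1: the single IP the customer first reported
BLOCKED_EMAILS = {"badguy@badguys.com"}  # rule 2: the hardcoded form value

def block_by_ip(requests, blocked_ips=BLOCKED_IPS):
    """Rule 1: drop requests from listed IPs; everything else passes."""
    return [r for r in requests if r[1] not in blocked_ips]

def block_by_email(requests, blocked_emails=BLOCKED_EMAILS):
    """Rule 2: drop submissions whose email parameter matches a listed value
    (compared case-insensitively, so trivial capitalisation changes do not evade it)."""
    return [r for r in requests if r[2].strip().lower() not in blocked_emails]

def surviving_attacker_requests(requests, blocked_emails=BLOCKED_EMAILS):
    """How many bot submissions are still getting through after a rule is applied."""
    return sum(1 for r in requests if r[2].strip().lower() in blocked_emails)

def per_minute_counts(requests):
    """Submissions per (email, minute) bucket; the timestamp is truncated to the minute."""
    counts = defaultdict(int)
    for ts, _ip, email in requests:
        counts[(email.strip().lower(), ts[:16])] += 1
    return dict(counts)

def hot_emails(requests, threshold):
    """Addresses that hit `threshold` or more submissions in any single minute,
    regardless of how many source IPs they came from."""
    return {email for (email, _minute), n in per_minute_counts(requests).items()
            if n >= threshold}
```

Applying rule 1 alone leaves five bot submissions in the sample because the address keeps arriving from fresh IPs; rule 2 leaves only the legitimate visitor.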

Indusface’s Customer – Victim of Application DDoS: Indusface’s Managed Security Services team was quick to respond to our cry for help. This is highly appreciated, as it was a Friday evening, and most folks are out to enjoy the beginning of the weekend. The team quickly got into action, figured out the problem within minutes, designed a solution, implemented it, tested it against the security framework, and within 15 to 20 minutes the attack was stopped. There has not been an attack on our website since then.

We continue to monitor the website for vulnerabilities using Indusface WAS. Because of the frequent updates we make to our website, we also have Indusface WAF in place to block any type of attack, giving us a secure window to complete application updates and security tests on our website while it is live. We bank our security with Indusface and, as a result, enjoy total application security that detects, defends and protects our critical application assets on a continuous basis.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.


Venkatesh Sundar

Venky is an application security technologist who built the new-age web application scanner and cloud WAF, AppTrana, at Indusface as Founding CTO. Currently, he spends his time driving product roadmap, customer success, growth, and technology adoption for US businesses.
