DataDome

How to Stop a Layer 7 DDoS Attack in Under an Hour (Case Study)


Layer 7 DDoS attacks against companies in the entertainment business seem to be a sign of the times. We recently shared a detailed breakdown of one such major attack, where prudent website owners had decided to install the DataDome bot protection solution right before the attack occurred.

The victim of today’s case study wasn’t quite so lucky—but as we shall see, getting from “under heavy attack” to “fully protected and safe” can be surprisingly fast and easy.

Bot attack victim profile

The attack we are analyzing today was perpetrated against a website in the gaming and gambling industry. It’s a well-established online business, active for several years, and can arguably be considered the global leader in its niche.

The website and mobile app serve a worldwide audience, attracting large numbers of visitors from locations as diverse as India and Brazil. On an average day, the website serves in the range of 170,000 unique human visitors.

Discovery: we’re under attack!

The website owners had started to suspect bot-assisted play and results manipulation by certain users, but the tools at their disposal didn’t enable them to prove it. They had therefore started searching for a solution that would be able to tell the difference between real human users and bots. They found DataDome, reached out on our chat, and quickly decided to give us a try.

Installing the DataDome server-side module is easy no matter what site infrastructure you have, but for Cloudflare users it’s especially simple: all it takes is a few clicks in the Cloudflare console. In a matter of minutes, the CISO had installed the DataDome Cloudflare module and activated the free trial.

In free trial mode, DataDome analyzes all incoming traffic to the website and displays real-time traffic data in the user dashboard, but it doesn’t block or otherwise respond to bots.

When the CISO logged in to look at the DataDome dashboard for the first time, he was in for a surprise. The dashboard revealed that automated cheating wasn’t the only—or even the biggest—bot-related problem he had. In fact, the site was under a heavy DDoS attack: more than half of their traffic was being generated by bots!

Time to protection: < 1 hour

While the attackers hadn’t yet succeeded in taking down the site, it was clear that something had to be done. And it had to be done fast.

But how fast is it possible to get effective Layer 7 DDoS protection up and running when you’re already under attack? Don’t you need to commit to a budget, set up a proof of concept, and wait for assistance from the bot protection vendor’s tech support team?

Not with DataDome. Ultra-easy implementation has always been a signature feature of our SaaS solution, and not only for the free trial. To sign up for just a month with no further commitment, and to activate the protection so that bad bots are immediately blocked, takes no more than a few minutes either. This ease of deployment is what sets DataDome apart among DDoS protection services, ensuring rapid response even in the midst of an ongoing attack.

And that’s precisely what our attack victims did. Less than an hour after starting the free trial, they had activated their subscription and enabled the protection, and the ongoing attack was instantly stopped from reaching the target’s servers.

Layer 7 DDoS attack breakdown

Figure 1 below shows the traffic we recorded from the start of the free trial, a little before noon, until noon the next day.

The peak of the attack lasted for approximately 5 hours (of course, we don’t know for how long the site had been hit by bad bot requests before they installed the DataDome module).

Figure 1: Human traffic and bot traffic during and after the attack. Request volumes correspond to 30-minute segments.


During this five-hour period, we detected more than 2.1 million bad bot requests. At its most intense, the website received more than 375,000 bot requests in the span of 30 minutes.

Eventually, the attackers either ran out of resources or more likely realized that their bots were being blocked, and the attack petered out.

Attackers employ human-like user agents

If we dig a bit further into the data, we find another common characteristic of current bot attacks: the attackers were trying to disguise their bots as human visitors by forging their user agents.

On the top 10 list of the most popular user agents, only the first two are exclusively used by bots. All the others are legitimate user agents that are typical of human visitors:

  1. Go-http-client/2.0 (239,821)
  2. axios/0.17.1 (157,625)
  3. Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 (107,911)
  4. Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1 (87,324)
  5. Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 (75,215)
  6. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 (74,922)
  7. Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0) (71,583)
  8. Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 (71,171)
  9. GuzzleHttp/6.3.3 curl/7.64.0 PHP/7.2.16 (70,222)
  10. Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) (67,890)

Again, with the exception of numbers one, two and nine, none of these user agents identify the visitor as a bot. A security solution based on block-listing malicious user agents would have managed to deflect some bots and reduce the scale of the attack, but the vast majority could not have been detected based on their user agent alone.
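As an added illustration (not DataDome's code or analysis), the script below applies a plain user-agent blocklist to the top-10 list and adds up how many of the listed requests it would and would not have caught. The counts are the ones reported above; the blocklist patterns (`python-requests/` and `curl/` are included as further common library prefixes) and the repeated-token heuristic for hand-assembled strings are assumptions of the example, not something the case study states.

```python
"""Added example, not DataDome's code: how far a user-agent blocklist gets
against the top-10 user agents listed above.  The counts are the ones the
case study reports; the blocklist patterns and the malformed-UA heuristic
are assumptions made for the illustration."""
import re
from typing import Dict, List, Tuple

# The top-10 user agents and their counts, as listed in the case study.
TOP_10_USER_AGENTS: List[Tuple[str, int]] = [
    ("Go-http-client/2.0", 239821),
    ("axios/0.17.1", 157625),
    ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
     "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1", 107911),
    ("Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 "
     "(KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1", 87324),
    ("Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 "
     "(KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1", 75215),
    ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
     "(KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", 74922),
    ("Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0)", 71583),
    ("Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 "
     "(KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36", 71171),
    ("GuzzleHttp/6.3.3 curl/7.64.0 PHP/7.2.16", 70222),
    ("Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)", 67890),
]

# Assumed blocklist: HTTP client libraries that no consumer browser sends.
LIBRARY_UA_PATTERNS = [re.compile(p) for p in (
    r"^Go-http-client/", r"^axios/", r"^GuzzleHttp/", r"^python-requests/", r"^curl/",
)]

# Parenthesised groups such as "(compatible; MSIE 9.0; ...)".
PAREN_GROUP = re.compile(r"\(([^)]*)\)")


def is_library_user_agent(ua: str) -> bool:
    """True when the user agent starts with a known client-library prefix."""
    return any(p.search(ua) for p in LIBRARY_UA_PATTERNS)


def has_repeated_token(ua: str) -> bool:
    """Assumed heuristic: a browser does not repeat a token inside one
    parenthesised group, so "Trident/5.0; Trident/5.0" points to a
    hand-assembled string even though every single token looks plausible."""
    for group in PAREN_GROUP.findall(ua):
        tokens = [t.strip() for t in group.split(";") if t.strip()]
        if len(tokens) != len(set(tokens)):
            return True
    return False


def classify(ua: str) -> str:
    """Label a user agent as 'library', 'malformed' or 'browser-like'."""
    if is_library_user_agent(ua):
        return "library"
    if has_repeated_token(ua):
        return "malformed"
    return "browser-like"


def coverage(entries: List[Tuple[str, int]]) -> Dict[str, int]:
    """Sum the request counts that fall into each label."""
    totals = {"library": 0, "malformed": 0, "browser-like": 0}
    for ua, n in entries:
        totals[classify(ua)] += n
    return totals


def browser_like_share(entries: List[Tuple[str, int]]) -> float:
    """Fraction of the listed requests that no user-agent rule can separate
    from real browsers; these need behavioural or rate-based detection."""
    c = coverage(entries)
    return c["browser-like"] / sum(c.values())


if __name__ == "__main__":
    print(coverage(TOP_10_USER_AGENTS))
    print(f"requests out of reach of a UA blocklist: "
          f"{browser_like_share(TOP_10_USER_AGENTS):.1%}")
```

The library prefixes account for the three entries the text singles out; the duplicated `Trident/5.0` catches one more; everything else in the list is indistinguishable from a real browser by its user agent string and has to be handled by other signals.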

Geographical layer 7 DDoS attack distribution

Large-scale distribution over hundreds of thousands of different IP addresses is also becoming the norm for layer 7 DDoS attacks, and this one was no exception.

As illustrated by the map below, the malicious requests were coming from IP addresses all over the world, with the United States, Australia, India and Brazil topping the list.

Figure 2: Geographic distribution of the malicious bot requests.


The implication here is that security solutions that rely heavily on IP reputation are powerless against the most recent generation of bots. Not only do attackers spread their bots over IP addresses from all over the world; they also increasingly use residential IP addresses to blend in even more effectively with human traffic and avoid detection.

Read more: Nearly 1/3 of bad bots are now using residential IPs

Two weeks later: Here we go again

Just a couple of weeks later, the same website was targeted by an even heavier bot attack. This time, the site was bombarded with nearly a million requests in the span of just one minute!

Figure 3: Close to a million requests in one minute


Just like the previous attack, this one was also perpetrated by bots with consistent user agents:

  1. Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 (107,911)
  2. Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Version/10.0 Mobile/14G60 Safari/602.1 (87,324)
  3. Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 (75,215)
  4. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 (74,922)
  5. Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; Trident/5.0) (71,583)
  6. Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 (71,171)
  7. Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0) (67,890)
  8. Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.4 Mobile/15E148 Safari/604.1 (67,798)
  9. Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506) (65,853)
  10. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 (65,796)
  11. Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36 (63,960)
  12. Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/17.17134 (60,011)

This time, however, the DataDome protection was already running. The attackers quickly realized that their bots were getting nowhere, and gave up.

Figure 4: An intense, but short and quickly abandoned attack.

Note that Cloudflare, despite being among the best CDNs in terms of security, didn’t detect the attack until more than a minute had passed. Thankfully, the DataDome protection blocked the bad bot requests instantly.
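An added example (not DataDome's or Cloudflare's code) of the detection problem this second attack poses: every request carries an ordinary browser user agent and the flood arrives from tens of thousands of distinct addresses, so neither a user-agent rule nor a per-IP rate limit fires, while the aggregate request rate per 10-second window departs from the baseline within the first window. The access-log format, the IP ranges, the traffic volumes, the window size and the threshold factor are all constructed for the illustration; the user agents are taken from the list above.

```python
"""Added example, not DataDome's or Cloudflare's code: flagging a Layer 7
flood from the aggregate request rate, on constructed access-log lines.
Log format, IP ranges, volumes, window size and threshold are assumptions."""
from __future__ import annotations

import random
import re
from collections import Counter
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

# Assumed log format: <ip> [<unix ts>] "<method> <path>" <status> "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Browser user agents from the top-10 list above; the flood reuses them, so
# the user agent alone cannot separate the two traffic classes.
BROWSER_UAS = [
    "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36",
    "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)",
]

T0 = 1_700_000_000        # start of the constructed log (unix seconds)
BASELINE_SECONDS = 600    # ten minutes of normal traffic ...
FLOOD_SECONDS = 60        # ... followed by a one-minute flood
BASELINE_RPS = 5
FLOOD_RPS = 500


@dataclass(frozen=True)
class Request:
    ts: int
    ip: str
    path: str
    ua: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one access-log line; None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Request(int(m["ts"]), m["ip"], m["path"], m["ua"])


def make_sample_log(seed: int = 7) -> List[str]:
    """Constructed data: steady traffic from a few hundred 'human' addresses in
    the documentation ranges, then a distributed flood in which nearly every
    request comes from a different 10/8 address with a browser user agent."""
    rng = random.Random(seed)
    humans = [f"192.0.2.{i}" for i in range(1, 255)] + [f"198.51.100.{i}" for i in range(1, 255)]
    lines: List[str] = []
    for t in range(T0, T0 + BASELINE_SECONDS):
        for _ in range(BASELINE_RPS):
            lines.append(f'{rng.choice(humans)} [{t}] "GET /play" 200 "{rng.choice(BROWSER_UAS)}"')
    for t in range(T0 + BASELINE_SECONDS, T0 + BASELINE_SECONDS + FLOOD_SECONDS):
        for _ in range(FLOOD_RPS):
            ip = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))
            lines.append(f'{ip} [{t}] "GET /play" 200 "{rng.choice(BROWSER_UAS)}"')
    return lines


def requests_per_window(reqs: List[Request], window: int = 10) -> Dict[int, int]:
    """Count requests per fixed window; keys are window start timestamps."""
    return dict(sorted(Counter(r.ts - r.ts % window for r in reqs).items()))


def flag_flood_windows(buckets: Dict[int, int], history_len: int = 30, factor: int = 10) -> List[int]:
    """Flag a window whose count exceeds factor x the median of the last
    history_len unflagged windows.  Flagged windows stay out of the baseline
    so a long-running attack cannot raise the bar for itself."""
    history: List[int] = []
    flagged: List[int] = []
    for start in sorted(buckets):
        n = buckets[start]
        if len(history) >= history_len and n > factor * median(history[-history_len:]):
            flagged.append(start)
        else:
            history.append(n)
    return flagged


def max_single_ip_share(reqs: List[Request]) -> float:
    """Share of all requests sent by the busiest single address; a small value
    on a flood is exactly why per-IP rate limits stay quiet."""
    counts = Counter(r.ip for r in reqs)
    return max(counts.values()) / len(reqs)


def analyze(lines: List[str]) -> Dict[str, object]:
    reqs = [r for r in map(parse_line, lines) if r is not None]
    buckets = requests_per_window(reqs)
    return {
        "parsed": len(reqs),
        "flagged_windows": flag_flood_windows(buckets),
        "peak_window_requests": max(buckets.values()),
        "distinct_ips": len({r.ip for r in reqs}),
        "max_single_ip_share": max_single_ip_share(reqs),
    }


if __name__ == "__main__":
    for key, value in analyze(make_sample_log()).items():
        print(f"{key}: {value}")
```

With these constructed volumes the first flood window is flagged as soon as it closes, ten seconds into the attack, while the busiest single address never exceeds a fraction of a percent of the traffic. Keeping flagged windows out of the baseline matters on a multi-hour attack like the first one in this case study, otherwise the detector would learn the flood as the new normal.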

Key takeaways

Stopping an ongoing bot attack without any impact on real, human users may seem like an arduous or even impossible task. Do-it-yourself methods are extremely labor-intensive, and usually woefully inadequate.

Cloudflare does a decent job of stopping unsophisticated bot traffic, but attackers are becoming very good at bypassing all but the most advanced detection solutions. Using instrumentation frameworks such as Puppeteer (and soon Playwright) to conceal the nature of bad bots, they are able to use almost the exact same technologies as humans and blend in seamlessly with human traffic.

Truly effective bot protection requires expert know-how and behavioral detection with artificial intelligence and machine learning. However, most solutions that satisfy these criteria will require a certain implementation effort and budgetary commitment, which isn’t helpful when you’re in the middle of an ongoing attack.

With DataDome, there are no such obstacles. As the only full SaaS bot detection solution on the market, we enable near-instant protection with transparent pricing and no commitment beyond the first month.

Ready to test? Start your free trial today.
