When Competition Gets Dirty: Surviving a Layer 7 DDoS Attack
A DataDome customer was recently targeted by a major layer 7 DDoS attack. And while the attack was in many ways unsophisticated, compared to some of the threats we observe on our customers’ websites every day, stopping it was not as simple as you might think.
Case in point: our customer’s CDN (which shall not be named) failed to detect the attack and let the malicious traffic through—despite having an active anti-DDoS option.
Without further ado, let us share what happened and how our customer avoided a potential disaster.
Victim Profile & Attack Motivation
The attack victim is a small website in the entertainment business. The site was launched quite recently, and its legitimate human traffic still amounts to just a few thousand unique visitors per day.
Why did it become a target? We can’t be certain, but in all likelihood the attack was competition-driven and sought to disrupt our customer’s business by degrading the experience of its real users.
Why do we think so? A few weeks before the attack, the website owners had received thinly veiled threats from an already established competitor.
Moreover, the attackers never asked for a ransom. Attackers motivated by financial gain will typically start with a smaller “warning” attack, threatening their victim that a larger attack will follow unless they pay a ransom in Bitcoin. Nothing of the sort happened here.
We therefore believe that the perpetrators were hoping to discourage their new competitor from entering the market, or simply to keep it offline for long enough to cause the fledgling business to fail.
The Attack, as it Happened
The attack started on November 12, 2019, which was the launch day of a large marketing operation for our customer. In the span of a couple of hours, their servers were hit with close to 18 million requests.
Our logs reveal that at its peak, the attack reached 25,000 requests per second (Figure 1).

Figure 1: Traffic peak at 25,000 requests per second.
Compared to this website’s usual peaks of at most a few thousand requests per second, this represents a potential load on the server infrastructure many times larger than normal.
Luckily, the website owners had taken their competitor’s threats seriously and decided to implement the DataDome bot protection solution. Detecting the attack as soon as it started, we were able to block the malicious requests before they reached our customer’s servers. Had the owners not been so farsighted, the attackers would undoubtedly have succeeded in taking down the site and driving its real, human visitors elsewhere.
A hyper-distributed attack
The perceptive reader may remember that in addition to the DataDome bot protection solution, the attack victim also had a CDN with an anti-DDoS option. This raises the question: why did the CDN fail to flag this spectacular increase in traffic volume as an attack?
The probable answer lies in its massive distribution. The malicious traffic originated from 4,300 unique IP addresses, spread across 1,592 autonomous systems.

The bulk of the traffic came from Asia, with Thailand, India and Indonesia as the top three countries. In total, the malicious requests originated from 127 different countries and 1,400 different cities.

Since the target website and the bulk of its customers are based in Europe, such a massive spike in traffic from a different region might seem easy enough to identify as an attack. But one challenge remains: how do you avoid blocking the real users, whom this young online business couldn’t afford to lose?
The uniqueness of the requests, combined with the seemingly legitimate activity (standard HTTP GET requests to the website’s homepage), made it very difficult to distinguish the malicious traffic from normal user traffic. And this is probably why the CDN, despite its anti-DDoS functionality, didn’t block the attack.
As such, this use case demonstrates why websites behind CDNs and load balancers are still vulnerable to layer 7 DDoS attacks: these technologies are simply not designed for sophisticated real-time bot detection.
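To make the point concrete, here is an added Python example (not DataDome’s or the CDN’s code) run over constructed traffic: each attacking IP sends only a couple of requests per second, so a classic per-IP rate limit blocks nothing, while the aggregate request rate and the share of traffic from outside the site’s home region both jump sharply. The sample addresses, thresholds and country mix are assumptions chosen to mirror the distribution described above.

```python
from collections import Counter

# Constructed sample traffic (not data from the incident): tuples of (second, source_ip, country).
# Seconds 0-4 are the legitimate baseline; from second 5 a distributed flood starts
# in which every attacking IP sends only 2 requests per second.
def constructed_traffic():
    events = []
    for sec in range(10):
        for user in range(20):                     # 20 real EU visitors, 1 req/s each
            events.append((sec, f"10.0.{user}.1", "FR"))
    for sec in range(5, 10):
        for host in range(250):                    # 250 attacking IPs (TEST-NET-3 range)
            events.extend([(sec, f"203.0.113.{host}", "TH")] * 2)
    return events

def per_ip_offenders(events, max_rps):
    """IPs a classic per-IP rate limiter would block: any IP above max_rps in a single second."""
    counts = Counter((sec, ip) for sec, ip, _ in events)
    return {ip for (sec, ip), n in counts.items() if n > max_rps}

def requests_per_second(events):
    """Total request count per second, regardless of source."""
    return Counter(sec for sec, _, _ in events)

def volume_anomalies(events, baseline_secs, factor):
    """Seconds whose total rps exceeds factor x the mean rps of the baseline window."""
    rps = requests_per_second(events)
    baseline = sum(rps[s] for s in baseline_secs) / len(baseline_secs)
    return sorted(s for s, n in rps.items() if n > factor * baseline)

def foreign_share(events, home_countries):
    """Per second: fraction of requests originating outside the site's home region."""
    total, foreign = Counter(), Counter()
    for sec, _, country in events:
        total[sec] += 1
        if country not in home_countries:
            foreign[sec] += 1
    return {sec: foreign[sec] / total[sec] for sec in total}

if __name__ == "__main__":
    traffic = constructed_traffic()
    print("per-IP limiter (10 rps) blocks:", per_ip_offenders(traffic, 10) or "nothing")
    print("seconds over 5x baseline:", volume_anomalies(traffic, range(5), 5))
    print("foreign share by second:", {s: round(v, 2) for s, v in foreign_share(traffic, {"FR"}).items()})
```

The aggregate and regional signals flag the flood, but on their own they would also block the legitimate users mixed into the same seconds, which is exactly the trade-off the text describes.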
The only way to ensure layer 7 DDoS security is to implement a specialized bot protection solution with truly expert detection capabilities.
How DataDome Stops Layer 7 DDoS Attacks
The DataDome bot protection solution makes extensive use of artificial intelligence (AI) and machine learning technologies to distinguish humans from bots with a level of precision that rules-based security systems simply can’t match.
Known threats are detected in real time (less than 2 milliseconds), thanks to AI-driven and custom-rule pattern matching and HTTP fingerprinting. Around 99 percent of all bad bot requests to our customers’ websites, mobile apps, and APIs are identified in this way.
New threats are identified by analyzing an extensive set of signals, such as fake browser detection, browser automation detection, browser tracking, user event tracking, and device detection. This layer identifies advanced new bots in less than 100 milliseconds. And when we detect a new threat on one of our customers’ websites, the algorithm is automatically updated so that all our customers are instantly protected against the bot.
Thanks to these sophisticated detection capabilities, we were able to identify and block the layer 7 DDoS attack against our customer’s website in real time. Meanwhile, legitimate user traffic was being processed without delays or interruption.
Most importantly, our customer’s IT team didn’t have to do a thing: there were no rules to create, no IP addresses to manually block, no support tickets to create, no on-call incidents, and no post mortem analysis. DataDome handled the malicious traffic autonomously, while our customer could go about their business as usual.
Do you need help protecting your business against layer 7 DDoS attacks and other OWASP automated threats? Start your free trial or contact us to request a demo to begin detecting and blocking malicious bots today.
About Layer 7 DDoS Attacks
In layer 7 DDoS attacks, cybercriminals target the “top layer” (L7) in the OSI model. Compared to network or transport layer (layer 3 and 4) attacks, they are typically low and slow, but they are often just as disruptive.
For any DDoS attack to be successful, the attacker must send more requests than the target’s servers can handle. Application layer attacks therefore usually target resource-hungry elements of the web application. The HTTP requests are cheap and easy for the perpetrator to execute, but can be very resource-consuming to respond to.
In HTTP GET-type attacks, the hackers simply send too many requests for files, images or other assets from the target server, or call an API over and over until it crashes.
HTTP POST-type attacks typically target form submissions or similar, forcing the server to handle form data and run database commands until it is overloaded.
Because these requests are seemingly legitimate, layer 7 DDoS attacks are often difficult to stop without sophisticated bot detection capabilities that effectively distinguish bot activity from legitimate human requests.