An HTTP flood attack is a Layer 7 application attack that uses standard, valid GET/POST requests of the kind a browser sends to fetch information, as in typical URL data retrievals during SSL sessions.
An HTTP GET/POST flood is a volumetric attack that does not rely on malformed packets, spoofing or reflection techniques. Many types of Distributed Denial of Service (DDoS) attack can affect and bring down a website, and they vary in complexity and size.
The most well-known attacks are the good old SYN flood, followed by the Layer 3/4 UDP and DNS amplification attacks.
Recently Sucuri described a large DDoS attack that leveraged this HTTP request flood technique to cause havoc on a client's website, and the steps we took to mitigate the issue.
Layer 7 attacks require more understanding of the website and how it operates. The attacker has to do some homework and create a specially crafted attack to achieve their goal.
What is important to note here is how this worked against the client's platform. The client's website was built on WordPress, and because each request was unique, the requests bypassed the caching system, forcing the server to render and respond to every one of them.
The image below showed the geographic distribution of the IPs hitting the site during a single second of the attack.
Once the type of attack was identified, blocking was easy enough. By default these requests did not pass our anomaly check, so they were blocked at the firewall.
After blocking the original requests and banning the IP addresses involved, everything went quiet, at least for a day. In less than 24 hours, though, the attacks resumed with a higher intensity.
If you are not familiar with web logs, the first entry is the IP address, followed by the page requested, the result (HTTP status code), the referrer, and then the browser (user agent).
What the logs show us is that the attack was doing random searches for dictionary keywords. This time the requests carried a valid browser user agent and a valid referrer.
How do you block valid search requests without blocking valid users? I was not about to force JavaScript checks or anything like that, but at the same time we needed to avoid passing all the requests back to the client's server.
Sucuri had built its firewall with multiple layers that move away from traditional event-based detection; they introduced new concepts around application profiling and correlation analysis, allowing intelligence to be built into protecting your website.
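The detection idea in the paragraphs above, as an added example that is not from the original post or from Sucuri's own tooling: parse combined-format web log lines (IP, request, status, referrer, user agent), treat the number of distinct WordPress search terms (`?s=`) an IP issues inside a short window as the signal (each distinct term is a cache miss that reaches the origin, which is what made this flood effective), and then correlate the flagged IPs by shared user agent and referrer to see the campaign as a whole rather than one IP at a time. The log lines, IP addresses, thresholds and field names are constructed assumptions for this example.

```python
"""Profile search requests in combined-format web logs to spot cache-busting floods.

Added example, not code from the original post. Assumes a WordPress site whose
search requests look like GET /?s=<term> and the Apache/nginx combined log format
(ip ident user [time] "request" status bytes "referrer" "user-agent").
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def search_term(path):
    """Extract the WordPress search term (the 's' query parameter), or None if absent."""
    terms = parse_qs(urlparse(path).query).get("s")
    return terms[0].lower() if terms else None


def flag_search_floods(lines, window=timedelta(seconds=60), max_distinct=5):
    """Return {ip: distinct_terms} for IPs that used more than `max_distinct`
    distinct search terms within any `window`. Distinct-term rate, not raw request
    rate, is the signal: a unique term per request is exactly what bypasses the cache."""
    events = defaultdict(list)  # ip -> [(time, term)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        term = search_term(rec["path"])
        if term is not None:
            events[rec["ip"]].append((rec["time"], term))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's search events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {t for _, t in evs[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[ip] = distinct
                break
    return flagged


def correlate_campaign(lines, flagged_ips):
    """Group flagged IPs by (user agent, referrer). A flood driven by one toolkit
    tends to share these headers even when every IP sends 'valid-looking' requests."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ip"] in flagged_ips and search_term(rec["path"]):
            groups[(rec["ua"], rec["referrer"])].add(rec["ip"])
    return {key: sorted(ips) for key, ips in groups.items()}


# ---- constructed sample log (documentation-range IPs, not real traffic) ----
UA_BOT = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/33.0 Safari/537.36"
UA_USER = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9) Gecko/20100101 Firefox/28.0"


def _line(ip, sec, term, ua, ref="https://www.google.com/"):
    return (f'{ip} - - [20/Mar/2014:10:15:{sec:02d} +0000] "GET /?s={term} HTTP/1.1" '
            f'200 5123 "{ref}" "{ua}"')


SAMPLE_LOG = (
    # Two attacking IPs: a new dictionary word every second, same UA and referrer.
    [_line("203.0.113.10", s, w, UA_BOT)
     for s, w in enumerate(["able", "acid", "aged", "also", "area", "army", "away", "baby"])]
    + [_line("203.0.113.11", s, w, UA_BOT)
       for s, w in enumerate(["back", "ball", "band", "bank", "base", "bath", "bear", "beat"])]
    # One legitimate visitor: two searches a few seconds apart.
    + [_line("198.51.100.7", 3, "wordpress+plugins", UA_USER),
       _line("198.51.100.7", 20, "contact", UA_USER)]
)

if __name__ == "__main__":
    flagged = flag_search_floods(SAMPLE_LOG)
    for ip, terms in flagged.items():
        print(f"{ip}: {len(terms)} distinct search terms in one window")
    for (ua, ref), ips in correlate_campaign(SAMPLE_LOG, set(flagged)).items():
        print(f"campaign ua={ua!r} ref={ref!r}: {ips}")
```

The threshold is deliberately on distinct terms per window rather than requests per second, because the post's point is that every unique search reached the origin; the per-IP profile is what lets the two-search human visitor through while both flood sources are flagged, and the correlation step is the "treat it as one event" view that a single-IP rate limit misses.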