DDoS

The Background:

AcmeCorp was gearing up for a major promotional campaign to launch their new line of products. The campaign was highly anticipated by customers, and AcmeCorp had invested heavily in marketing and infrastructure to support the surge in website traffic expected during the event.

The Scenario:

As the promotional campaign began, AcmeCorp's website experienced an unprecedented surge in traffic, far exceeding expectations. However, amidst the excitement, their IT security team noticed unusual patterns in the network traffic. Within minutes, the website became unreachable, displaying error messages to users attempting to access it.

DDoS Attack Unleashed:

AcmeCorp quickly realized that they were under a massive Distributed Denial of Service (DDoS) attack. Malicious actors flooded their servers with a barrage of fake requests, overwhelming the infrastructure and causing a complete outage of their online services. The attack persisted for several hours, disrupting the promotional campaign and causing significant damage to AcmeCorp's reputation and revenue.

Impact caused by the DDoS attack:

Business Disruption: The DDoS attack paralyzed AcmeCorp's operations during a critical promotional campaign, leading to a halt in sales and customer engagement.

Financial Losses: AcmeCorp suffered substantial financial losses due to missed sales opportunities and damage to their brand reputation.

Customer Frustration: Customers were unable to access AcmeCorp's website to participate in the promotional campaign, resulting in frustration and disappointment.

Reputation Damage: The prolonged outage tarnished AcmeCorp's reputation as a reliable and trustworthy retailer, leading to negative publicity and loss of customer trust.

Strategic Decision: Implementing DDoS Mitigation System:

In response to the devastating DDoS attack, AcmeCorp's leadership recognized the urgent need to bolster their cybersecurity defenses against future threats. After conducting a thorough post-mortem analysis of the attack, they made a strategic decision to invest in a robust DDoS mitigation system.

Lab Environment

Cloudflare’s DDoS protection systems automatically detect and mitigate DDoS attacks. Note that these systems may also flag suspicious-looking incoming traffic from legacy applications, Internet services, or faulty client applications as malicious and apply mitigation actions to it, so false positives are possible and should be checked for after enabling protection.

Cloudflare provides unmetered and unlimited distributed denial-of-service (DDoS) protection at layers 3, 4, and 7 to all customers on all plans and services.

The protection is enabled by Cloudflare’s Autonomous DDoS Protection Edge, which automatically detects and mitigates DDoS attacks.

The Autonomous Edge includes multiple dynamic mitigation rules exposed as managed rulesets, which provide comprehensive protection against a variety of DDoS attacks across L3/4 (network layer) and L7 (application layer) of the OSI model.

The available managed rulesets are:

  • HTTP DDoS Attack Protection managed ruleset (layer 7)
  • Network-layer DDoS Attack Protection managed ruleset (layers 3/4)

Layer 7 DDoS Simulation Attack

Steps

  1. Review the HTTP DDoS managed ruleset in Security > DDoS

As highlighted in red in the screenshot above, HTTP DDoS attack protection is always enabled; it cannot be switched off, only tuned.

  2. L7 DDoS attack simulation executed from the attacker VM

For this test we use the GSB-MHDDOS method of the MHDDOS tool to simulate an HTTP flood. GSB-MHDDOS is an HTTP flood that tries to exhaust a web server's resources by continuously requesting one or more URLs from many attacking machines using the HTTP HEAD method. MHDDOS itself bundles multiple attack vectors designed to bypass various DDoS mitigations.

GSB-MHDDOS rotates through a large pool of User-Agent and Referer values while flooding the target. Once the server's limit of concurrent connections is reached, it can no longer respond to legitimate requests from other users. The GSB variant's requests are specifically crafted to bypass Google Shield protection.

  3. Review and observe the attack traffic in Security > Events

The attack lasted roughly 50 seconds, and the L7 DDoS managed ruleset caught it, as shown below:

The triggered rule ID is 6356d9e368204a0ebf21813335675e08 / "HTTP requests with unusual HTTP headers or URI path (signature #24)".

  4. Review and observe the traffic pattern in Security > Analytics

A couple of things can be seen here:

  • A portion of the traffic is 'Mitigated by WAF': these are the HTTP DDoS security events, which returned a 403 response.
  • Another portion is 'Served by Cloudflare': the client closed the connection abruptly, so Cloudflare logged a 499 (client closed request).
  • The remaining portion is 'Served by origin': requests that reached the origin before the L7 HTTP DDoS managed ruleset threshold was met.
*Disclaimer: the statistics for your zone may differ during the DDoS simulation.
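The Events and Analytics views above are Cloudflare's own. As an added example (not part of the original lab and not Cloudflare code), the Python script below performs the same two checks over a constructed access-log sample: it flags sources whose traffic looks like a HEAD flood with rotating User-Agents, the pattern GSB-MHDDOS produces, and it buckets responses into the three outcome classes the Analytics view reports (403 mitigated, 499 client closed, everything else served by origin). The log format, the IP addresses, the thresholds and the status-to-outcome mapping are assumptions made for illustration; Cloudflare's real signatures and thresholds are not reproduced here.

```python
"""Toy L7 HEAD-flood detector over constructed access-log lines (illustration only)."""
import re
from collections import Counter, defaultdict

# Constructed sample, one request per line:
#   <unix_ts> <client_ip> <method> <path> <edge_status> "<user_agent>"
# 203.0.113.x are ordinary shoppers; 198.51.100.x are the flood sources.
SAMPLE_LOG = """\
1700000000 203.0.113.10 GET /products 200 "Mozilla/5.0 (Windows NT 10.0; rv:118.0) Gecko/20100101 Firefox/118.0"
1700000000 198.51.100.7 HEAD / 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/117.0"
1700000000 198.51.100.7 HEAD /?q=1 200 "curl/8.4.0"
1700000001 198.51.100.7 HEAD /?q=2 403 "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Safari/604.1"
1700000001 198.51.100.8 HEAD / 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_5) Safari/605.1.15"
1700000001 203.0.113.11 GET /promo 200 "Mozilla/5.0 (Android 13; Mobile) Firefox/118.0"
1700000002 198.51.100.7 HEAD /?q=3 403 "Wget/1.21.4"
1700000002 198.51.100.8 HEAD /?x=a 200 "python-requests/2.31.0"
1700000002 203.0.113.10 GET /cart 200 "Mozilla/5.0 (Windows NT 10.0; rv:118.0) Gecko/20100101 Firefox/118.0"
1700000003 198.51.100.7 HEAD /?q=4 403 "Mozilla/5.0 (Linux; Android 13) Chrome/117.0 Mobile"
1700000003 198.51.100.8 HEAD /?x=b 403 "Mozilla/5.0 (Windows NT 6.1) Trident/7.0"
1700000003 203.0.113.11 GET /checkout 200 "Mozilla/5.0 (Android 13; Mobile) Firefox/118.0"
1700000004 198.51.100.7 HEAD /?q=5 499 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/117.0"
1700000004 198.51.100.8 HEAD /?x=c 403 "Mozilla/5.0 (X11; Ubuntu) Firefox/118.0"
1700000004 198.51.100.8 HEAD /?x=d 499 "python-requests/2.31.0"
1700000004 203.0.113.10 GET /promo 200 "Mozilla/5.0 (Windows NT 10.0; rv:118.0) Gecko/20100101 Firefox/118.0"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_log(text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, method, path, status, ua = m.groups()
        records.append({"ts": int(ts), "ip": ip, "method": method,
                        "path": path, "status": int(status), "ua": ua})
    return records


def classify_outcome(status):
    """Assumed mapping onto the three Analytics buckets seen in the lab."""
    if status == 403:
        return "mitigated_by_waf"       # blocked by the HTTP DDoS managed rule
    if status == 499:
        return "served_by_cloudflare"   # client closed the connection early
    return "served_by_origin"           # reached the origin (below threshold)


def outcome_counts(records):
    return Counter(classify_outcome(r["status"]) for r in records)


def flag_flood_sources(records, window_s=10, head_threshold=5, ua_threshold=3):
    """Return {ip: [reasons]} for sources that look like a HEAD flood in any window.

    Two toy signals: many HEAD requests per window, and many distinct
    User-Agents from one IP per window (the rotation GSB-MHDDOS performs).
    """
    buckets = defaultdict(list)
    for r in records:
        buckets[(r["ip"], r["ts"] // window_s)].append(r)
    flagged = {}
    for (ip, _), reqs in buckets.items():
        reasons = []
        head_count = sum(1 for r in reqs if r["method"] == "HEAD")
        if head_count >= head_threshold:
            reasons.append(f"{head_count} HEAD requests in {window_s}s")
        distinct_ua = len({r["ua"] for r in reqs})
        if len(reqs) >= head_threshold and distinct_ua >= ua_threshold:
            reasons.append(f"{distinct_ua} distinct User-Agents in {window_s}s")
        if reasons:
            flagged.setdefault(ip, []).extend(reasons)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(outcome_counts(recs)))
    for ip, why in flag_flood_sources(recs).items():
        print(ip, "->", "; ".join(why))
```

Run as-is to see the two flood sources flagged and the 5/2/9 split across the three buckets. A real detector would additionally weight requests by path diversity and source count, which is why the managed rule fires on "unusual HTTP headers or URI path" rather than on raw volume alone.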

Layer 3/4 DDoS Simulation Attack

Steps

  1. Review the prefix advertised in Account > Magic Transit > Configuration

In this simulation we focus on the 8.31.160.0/24 prefix, as depicted in the snapshot below.

  2. Review the L3/4 DDoS Protection status

Navigate to Account > L3/4 DDoS to see the two subsections below.

2.1 Network-layer DDoS Protection

The Cloudflare Network-layer DDoS Attack Protection managed ruleset is a set of pre-configured rules used to match known DDoS attack vectors at layers 3 and 4 of the OSI model.

Cloudflare updates the list of rules in the managed ruleset on a regular basis. Refer to the changelog for more information on recent and upcoming changes.

The Network-layer DDoS Attack Protection managed ruleset is always enabled — you can only customize its behavior.

You may need to adjust the behavior of specific rules in case of false positives or due to specific traffic patterns.

Adjust the behavior of the rules in the managed ruleset by modifying the following parameters:

  • The performed action when an attack is detected
  • The sensitivity level of attack detection mechanisms

2.2 Advanced TCP Protection

Cloudflare Advanced TCP Protection is a stateful TCP inspection engine used to detect and mitigate sophisticated out-of-state TCP attacks such as randomized and spoofed ACK floods or SYN and SYN-ACK floods.

Advanced TCP Protection can simultaneously protect against different kinds of attacks:

  • Pinpointed attacks targeting a specific destination IP/port combination.
  • Broad attacks targeting multiple IP addresses of an IP prefix at the same time.

Advanced TCP Protection can track TCP connections even when they move between Cloudflare data centers.

Advanced TCP Protection offers two types of protection:

  • SYN flood protection
  • Out-of-state TCP protection

Each protection type is configured independently using rules and (optionally) filters. You should configure at least one rule for each type of protection before enabling Advanced TCP Protection.

  3. L3/4 DDoS attack simulation executed from the attacker VM

In this test we use a UDP flood. The simulated attack targets 8.31.160.1 on UDP port 1234.

  4. Review the traffic in Account > Analytics & Logs > Network Analytics

Drilling down into the logs, we can see that the attack triggered rule ID `eefaf09734aa4b2ea8992ef158e4914a` / 'Adaptive DDoS Protection for UDP (Available only to Enterprise accounts)' in the DDoS managed ruleset.
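The two mechanisms this section relies on, stateful TCP inspection (2.2) and per-destination rate detection for the UDP flood above, are Cloudflare's. As an added example (not part of the original lab and not Cloudflare code), the Python module below implements a toy version of both over a constructed packet trace: it tracks the TCP three-way handshake per flow so that ACKs and SYN-ACKs with no matching handshake are reported as out-of-state, counts half-open handshakes per listener to catch a SYN flood, and counts UDP datagrams per destination and second to catch the flood on 8.31.160.1:1234. The packet format, the source addresses and the thresholds are assumptions chosen for the sample; they do not correspond to Cloudflare's sensitivity levels.

```python
"""Toy L3/4 inspector over a constructed packet trace (illustration only)."""
from collections import Counter

TARGET = "8.31.160.1"  # destination host from the lab; any other address works the same


def pkt(ts, proto, src, sport, dst, dport, *flags):
    """Build one constructed packet record; flags are TCP flag names (unused for UDP)."""
    return {"ts": ts, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": set(flags)}


class L34Inspector:
    """Stateful TCP handshake tracking plus a per-destination UDP packet-rate check.

    Thresholds are toy values chosen for the sample trace (assumption), not
    Cloudflare's sensitivity levels.
    """

    def __init__(self, syn_backlog_limit=3, udp_pps_limit=5):
        self.flows = {}              # (client, cport, server, sport) -> handshake state
        self.half_open = Counter()   # (server, port) -> SYNs not yet completed by an ACK
        self.udp_bucket = Counter()  # (dst, dport, whole second) -> UDP packets seen
        self.syn_backlog_limit = syn_backlog_limit
        self.udp_pps_limit = udp_pps_limit

    def _tcp(self, p):
        flags = p["flags"]
        key = (p["src"], p["sport"], p["dst"], p["dport"])   # client -> server direction
        rkey = (p["dst"], p["dport"], p["src"], p["sport"])  # server -> client direction
        listener = (p["dst"], p["dport"])
        if flags == {"SYN"}:
            if key not in self.flows:                # new handshake attempt
                self.flows[key] = "SYN_SENT"
                self.half_open[listener] += 1
            # Too many half-open handshakes on one listener: SYN flood
            return "syn_flood" if self.half_open[listener] > self.syn_backlog_limit else "ok"
        if flags == {"SYN", "ACK"}:
            if self.flows.get(rkey) == "SYN_SENT":   # reply to a SYN we tracked
                self.flows[rkey] = "SYN_RECV"
                return "ok"
            return "out_of_state"                    # SYN-ACK with no SYN (e.g. reflection)
        if "ACK" in flags:
            state = self.flows.get(key)
            if state == "SYN_RECV":                  # third packet: handshake completes
                self.flows[key] = "ESTABLISHED"
                self.half_open[listener] -= 1
                return "ok"
            if state == "ESTABLISHED" or self.flows.get(rkey) == "ESTABLISHED":
                return "ok"                          # data/ACK on a known connection
            return "out_of_state"                    # ACK for a connection never set up
        return "ok"

    def _udp(self, p):
        bucket = (p["dst"], p["dport"], int(p["ts"]))
        self.udp_bucket[bucket] += 1
        return "udp_flood" if self.udp_bucket[bucket] > self.udp_pps_limit else "ok"

    def inspect(self, p):
        return self._tcp(p) if p["proto"] == "tcp" else self._udp(p)

    def run(self, packets):
        """Inspect packets in time order and return a Counter of verdicts."""
        return Counter(self.inspect(p) for p in sorted(packets, key=lambda p: p["ts"]))


def constructed_trace():
    """Constructed packets: one real handshake, a spoofed ACK flood, a SYN flood,
    one ordinary UDP datagram and a UDP flood on TARGET:1234."""
    t = []
    # Legitimate client completes a handshake with TARGET:443 and sends data
    t += [pkt(0.0, "tcp", "203.0.113.5", 40000, TARGET, 443, "SYN"),
          pkt(0.1, "tcp", TARGET, 443, "203.0.113.5", 40000, "SYN", "ACK"),
          pkt(0.2, "tcp", "203.0.113.5", 40000, TARGET, 443, "ACK"),
          pkt(0.3, "tcp", "203.0.113.5", 40000, TARGET, 443, "ACK", "PSH")]
    # Spoofed ACKs with no preceding handshake (out-of-state ACK flood)
    t += [pkt(1.0 + i / 10, "tcp", f"192.0.2.{i + 1}", 1000 + i, TARGET, 443, "ACK")
          for i in range(3)]
    # SYNs from distinct spoofed sources that never complete (SYN flood on :80)
    t += [pkt(2.0 + i / 10, "tcp", f"192.0.2.{10 + i}", 2000 + i, TARGET, 80, "SYN")
          for i in range(5)]
    # One ordinary UDP datagram, then a burst to :1234 within the same second
    t.append(pkt(9.0, "udp", "203.0.113.9", 53000, TARGET, 53))
    t += [pkt(10.0 + i / 10, "udp", f"198.51.100.{i + 1}", 3000 + i, TARGET, 1234)
          for i in range(8)]
    return t


if __name__ == "__main__":
    insp = L34Inspector()
    print(dict(insp.run(constructed_trace())))
    print("half-open handshakes on :80 =", insp.half_open[(TARGET, 80)])
```

The design point worth noticing is in `_tcp`: an ACK is only accepted when the inspector has itself seen the SYN and SYN-ACK for that 4-tuple, which is what makes randomized or spoofed ACK floods detectable at all. Cloudflare's engine has to do this across data centers (the page notes it can track connections that move between them), which a single-process dictionary obviously cannot.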

Summary

We have successfully explored the DDoS lab in this section.