The cybersecurity landscape is constantly evolving, and the advent of Cloud Computing has radically transformed not only the opportunities for companies, but also the strategies adopted by attackers. Recently, a case involved us first-hand, showing how sophisticated and complex DDoS (Distributed Denial of Service) attacks have become.
The case of a customer in emergency
An international e-commerce business selling virtual products in several global markets contacted us in an emergency. Its PrestaShop platform, hosted on a managed Cloud instance at SiteGround, had been under DDoS attack for over two days. Despite the provider's engineers' attempts to mitigate the attack, the customer reported persistent downtime and a significant degradation in site performance. The lack of root access on the managed instance, together with other infrastructure limitations, prevented an effective and rapid response.
In response, we proposed rapid onboarding to our infrastructure, offering a multi-layered mitigation strategy.
The mitigation strategy
Our solution is designed with a holistic approach, combining advanced technologies and custom tuning to address every level of attack:
Network Level Protection
For network attacks (layer 3 of the OSI model), we relied on the automatic protection offered by our data center partner, based on Arbor Networks' NetScout technology. This system was able to mitigate over 500 Gbps of malicious traffic during the first ten hours of the attack, demonstrating extraordinary effectiveness in minimizing the impact on customer service and providing top-notch protection capable of handling even the most intense spikes. Arbor Networks' NetScout technology is one of the most advanced solutions for DDoS attack mitigation. Integrating continuous monitoring and real-time analysis capabilities, it is designed to identify and neutralize threats at the network level with extreme precision. The system uses advanced algorithms to distinguish legitimate traffic from malicious traffic, ensuring a smooth flow of business operations. In addition, its ability to scale with large infrastructures makes it ideal for data centers and cloud service providers.
Application Defense
Application attacks (layer 7) were countered by implementing an enterprise-class WAF (Web Application Firewall) provided by Cloudflare. We chose this solution for several reasons:
- Low costs: An advantageous choice compared to more expensive solutions, with an extremely competitive quality-price ratio.
- Flexibility in the rules: Cloudflare enables granular control of filtering rules and related policies, allowing for advanced customization and optimization of specific parameters, perfectly adapting to your needs.
- Extensive reporting: An advanced monitoring system to identify attack patterns, providing a clear and detailed view of the progress of threats in real time and ensuring unparalleled responsiveness.
Thanks to the initial tuning, within a couple of hours we stabilized the system and brought the site back online without speed problems. Overall, we mitigated over 7 billion HTTP requests in 24 hours, with peaks of 800 million requests per hour, while maintaining an optimal experience for legitimate users.
Self Hosted Local Tools
We have implemented and configured a series of tools to strengthen security and improve system performance. Here are the details:
Fail2ban:
- Real-time blocking of malicious IPs identified from system logs.
- Dynamic reduction of the attack surface through continuous analysis of unauthorized access attempts.
- Automatic and continuous creation of customized blacklists based on the threats detected.
- Optimized configurations (jails) for different services, such as SSH, NGINX and Postfix, to ensure 360-degree protection.
NGINX Bad Bot Blocker:
- Integration of an advanced ruleset to identify and block known bots that consume resources improperly or pose a threat.
- Improved overall system resilience by preventing scraping and brute-force attacks from unauthorized crawlers.
- Regular rule updates to keep up with newly emerging threats.
- Reduced server load by rejecting malicious requests early.
Specific filters with IPTables:
- GeoIP-level filtering, to block traffic coming from countries considered risky or irrelevant to the business.
- Rules based on ASN (Autonomous System Number), which exclude entire network blocks managed by providers with a compromised reputation.
- Granular rules that filter packets by protocol, port and IP address, reducing the exposure to DDoS attacks.
- Integration with monitoring tools to analyze and adapt rules in real time, maximizing protection without compromising system performance.
These configurations not only improve security, but help reduce the load on systems, ensuring greater efficiency and operational stability.
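To make the Fail2ban part of this setup concrete, here is an added example (written for this article, not the project's own configuration or Fail2ban's code) that reproduces the detection logic of a jail on NGINX access logs: a per-IP sliding window with Fail2ban's findtime/maxretry semantics, run over constructed sample log lines. The IP addresses, timestamps and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Equivalent of a Fail2ban jail such as: [nginx-flood] maxretry = 5  findtime = 10  bantime = 600
MAXRETRY = 5      # hits allowed from one IP inside the window (assumed threshold)
FINDTIME = 10     # window length in seconds (assumed)

# NGINX combined log format: client ip, timestamp in brackets, request line, status code
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp) for one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)

def find_flooders(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Sliding-window count per source IP: an IP reaching maxretry hits within
    findtime seconds is banned; returns {ip: timestamp of the hit that tripped the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # unparseable line: ignore, never guess an IP
        ip, ts = parsed
        if ip in banned:
            continue              # already blocked by the firewall action
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop hits older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

def make_log(entries):
    """Build constructed access-log lines from (ip, seconds_offset) pairs (sample data, not real traffic)."""
    t0 = datetime(2024, 3, 12, 10, 0, 0, tzinfo=timezone.utc)
    return [f'{ip} - - [{t0 + timedelta(seconds=s):{TS_FMT}}] "GET /cart HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
            for ip, s in entries]

# Constructed scenario: one source fires 6 hits in 5 s, a normal shopper makes 5 hits spread over a minute.
SAMPLE = make_log([("203.0.113.50", s) for s in range(6)] + [("198.51.100.9", s) for s in range(0, 60, 12)])

if __name__ == "__main__":
    for ip, when in find_flooders(SAMPLE).items():
        print(f"ban {ip} (tripped at {when:%H:%M:%S})")   # ban 203.0.113.50 (tripped at 10:00:04)
```

The shopper's five hits never exceed the threshold because each one falls outside the 10-second window of the previous one, which is the case a naive total-count rule would get wrong.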
Data emerging from the attack
Analyzing the generated reports, a worrying and significant trend emerged that highlights how the DDoS attack landscape has changed dramatically in recent years. In the past, the main DDoS attack vectors were represented by consumer IP addresses, typically linked to ADSL connections or similar networks, which were exploited in a massive way. Many of these connections originated from countries characterized by low cyber regulation, such as China, Brazil, Iran, Malaysia and Russia. These regions represented fertile ground for attackers, thanks to the combination of less secure infrastructure and lax regulations, which made it easier for attackers to exploit these networks to generate malicious traffic.
Today, however, the situation appears to have changed dramatically, with an evolutionary leap that has shifted the focus of attacks towards more advanced infrastructures. Most malicious requests no longer come from consumer connections, but from instances hosted on commercial cloud hyperscalers. Vendors such as Oracle, Microsoft Azure, DigitalOcean, Vultr, OVH, and Alibaba Cloud have become the new platforms of choice for attackers. This shift is significant, as it highlights how threat actors are exploiting the enormous scalability and flexibility of these infrastructures to launch large-scale attacks.
A hyperscaler is a cloud infrastructure provider designed to deliver compute, storage and networking resources in a highly automated and scalable manner on a global scale. These providers operate data centers distributed across multiple geographic regions, allowing users to access virtualized resources with minimal latency and high availability. With technologies such as load balancing, virtualization and energy optimization, hyperscalers manage workloads efficiently, dynamically adapting to the needs of customers, whether they are small startups or large enterprises. Their infrastructure allows customers to reduce operating costs and accelerate innovation, supporting a wide range of applications, from simple websites to complex artificial intelligence systems and big data analytics.
Two main hypotheses
Data analysis suggests two possible explanations:
- Compromised instances: given the sheer scale of hyperscaler infrastructures and the number of active instances, it is likely that many of them are vulnerable to exploits or insecure configurations. Attackers could use these compromised resources as a beachhead to mount large-scale attacks. This not only increases the complexity of mitigation efforts, but also makes it extremely difficult to identify the actual sources of the attacks, since the malicious traffic is carried through legitimate, distributed platforms.
- Malicious provisioning: The flexible and scalable nature of the cloud, supported by a pay-per-use model, gives attackers the ability to create and destroy virtual instances at breakneck speeds. This dynamic allows organized groups to develop automated scripts to provision dedicated attack instances. With centralized coordination, these attackers can orchestrate operations at scale, minimizing operational costs and maximizing attack effectiveness. This type of strategy introduces a level of operational agility never seen before, challenging traditional detection and blocking techniques. The combination of anonymity, speed, and accessible computing power presents an unprecedented challenge for defenders.
Implications for the future
This evolution in the DDoS attack landscape raises important questions for the cybersecurity and cloud computing industry:
Hyperscalers' Responsibilities
Cloud hyperscalers must take more stringent measures to prevent malicious use of their infrastructure. This includes:
- Proactive monitoring of instances to identify anomalous behavior, including AI-based detection systems, significantly reducing the risk of large-scale abuse.
- Increased emphasis on securing default configurations to reduce vulnerabilities, making it harder for attackers to exploit system flaws and preventing large-scale escalation of attacks.
- Collaboration with security companies to mitigate attacks in real time, creating a more robust and efficient defensive ecosystem that can respond rapidly to emerging threats.
Corporate defensive strategy
For companies, the approach to security must be rethought:
- Multi-level solutions: Combining network, application and local layer protections is essential to address complex and targeted attacks, ensuring comprehensive coverage against a diverse range of threats.
- Collaboration with specialized suppliers: Experienced DDoS security and mitigation partners can make the difference in critical moments, ensuring a rapid and effective response and minimizing downtime.
- Proactive preparation: Conduct attack simulations and test defense systems before real situations occur, improving the overall resilience of the infrastructure and ensuring that measures are always up to date with the latest threats.
Conclusion
The case study highlights a significant shift in the way DDoS attacks are conducted in the era of Cloud Computing. While the cloud offers unprecedented advantages in terms of scalability and flexibility, it also introduces new vulnerabilities that attackers are ready to exploit.
For companies like ours, specialized in Linux hosting and systems, it is essential to stay one step ahead, continuously adapting defense strategies and collaborating with excellent technology partners. Security is never static, and only with a dynamic and proactive approach can we guarantee the protection of our customers in an increasingly complex and challenging landscape, building lasting trust through the ability to effectively respond to the challenges of the future.