Out of the blue: Surviving an 18-hour, 39M-request DDoS attack
No online business can afford to neglect malicious bot threats. Attackers and fraudsters increasingly leverage bots to automate and coordinate attacks, driving IT teams and ill-equipped security tools to their limits.
Only a full-endpoint, 360° bot protection solution that leverages aggregate global detection signals can save you from unexpected threats.
Case in point: A large e-commerce website protected by DataDome’s bot and online fraud management solution recently remained blissfully unaffected throughout a high volume, highly-distributed DDoS attack. What’s more, the site implemented the protection to solve a scraping problem.
Let’s deep dive into a real-life attack to understand the key traits of a DDoS attack, how the threat landscape is evolving, and the implications when choosing a security solution.
The attack, as it happened
Beginning on a Friday and lasting through Saturday, the DDoS attack came in several waves spanning over 18 hours. In total, the site was under active attack for ~4 hours.
The attack can be split into two main waves:
- 1st wave: Friday night between ~18:00 and ~0:00 (CEST).
- 2nd wave: Saturday morning from ~10:00 to 12:00.
The first part of the attack represented the highest volume of traffic (29.375 million bot requests). During this first wave, the DDoS generated spikes of traffic that reached up to 1.5 million requests per minute.
The attack, like most DDoS attacks these days, was heavily distributed. The attacker leveraged a botnet of more than 11,000 distinct IP addresses from 1,500 different autonomous systems, spread over 138 countries.
The point: Simple IP rate limiting or geo-blocking would not have been effective.
The targeted website has customers all around the world. So, while blocking all requests from certain countries could have helped mitigate the attack, it would have also impacted the user experience for innocent customers based in the blocked countries.
If we look at the distinct number of IP addresses used by the botnet in the timeline, we see that during each spike, the botnet was making requests from more than 5,000 different IP addresses.
Requests came from all around the world, in particular from the US (24 million), Honduras (3.4 million), Germany (2 million), and Canada (1.7 million). The map below shows the locations of the IPs involved in the DDoS attack:
The requests mainly came from low-quality autonomous systems that were either data-center autonomous systems or are frequently linked to attacks. As such, they were a relatively easy catch for DataDome. Here is a graph showing the number of requests per autonomous system (AS):
Although the botnet leveraged hundreds of user agents and different HTTP headers to avoid detection, it had a unique TLS fingerprint during the two attack waves which also helped DataDome identify the requests as malicious. Our analysis shows that this TLS fingerprint can be linked to the NodeJS “got” library.
Although the targeted company had implemented a bot protection solution for the purpose of preventing scraping, the solution they chose (DataDome) automatically protected their website and app from a major DDoS attack as well. The company’s IT team received a notification about the ongoing attack, but there was nothing they needed to do: no manual IP blocking, no frantic tweaking of WAF rules, no preparation for angry customer calls. The company’s bot protection handled everything.
Because threats come in all shapes and sizes, it is important to choose a comprehensive solution that analyzes each request at every endpoint to catch malicious activity. An effective bot protection solution must leverage the full spectrum of bot signals:
- Server-side signatures, including HTTP headers and TLS fingerprints.
- Client-side signatures such as browser/JS fingerprints.
- Behavioral signals, such as mouse movements and touch events.
- Reputational signals per IP and session, including proxy detection.
The DataDome bot and online fraud protection solution makes extensive use of sophisticated machine learning technologies to distinguish humans from bots with a level of precision that rules-based security systems simply can’t match. Malicious requests are detected and blocked in less than 2 milliseconds. Meanwhile, legitimate user traffic is processed without delays or interruption. And when a new threat is detected on one of DataDome’s customers’ websites, the algorithm is automatically updated so that all customers are instantly protected against the attacker (aggregate global detection).
Are your security systems ready to withstand an 18-hour DDoS attack on all your endpoints?