Imperva Incapsula, profile picture
Uploaded byImperva Incapsula
PPTX, PDF760 views

An Inside Look at a Sophisticated Multi-Vector DDoS Attack

The document provides an in-depth examination of sophisticated Distributed Denial of Service (DDoS) attacks, highlighting their increasing prevalence and complexity. It discusses various types of DDoS attacks, their impacts, and phases of an attack, as well as mitigation strategies. Additionally, it emphasizes the importance of preparedness and user-friendly defense mechanisms to minimize disruption during such attacks.

Embed presentation

Downloaded 29 times
© 2015 Imperva, Inc. All rights reserved. An Inside Look at a Sophisticated Multi-Vector DDoS Attack Nabeel Saeed, Product Marketing Manager, Incapsula September 2015
© 2015 Imperva, Inc. All rights reserved. Agenda • What is Imperva Incapsula • Overview of a DDoS attacks • DDoS attack trends • Anatomy of a sophisticated DDoS attack • Lessons learned Confidential2
© 2015 Imperva, Inc. All rights reserved. Speaker Bio for Nabeel Saeed • Background – 5+ years experience with web application security and SaaS security solutions – Held product marketing roles at Imperva, Incapsula, Vertical Systems, etc. • Contact: • Email: Nabeel@incapsula.com 3
© 2015 Imperva, Inc. All rights reserved. Confidential4 Imperva products Products that cover both Protect and Comply Partners User Rights Management for File Data Loss Prevention SecureSphere File Firewall File Activity Monitor SecureSphere Database Assessment Server SecureSphere Database Firewall SecureSphere for Big Data SecureSphere Database Activity Monitor User Rights Management Data Masking Vulnerability Assessment Incapsula Back Door Detection Incapsula Website Security SecureSphere WAF ThreatRadar Skyfence Cloud Discovery Skyfence Cloud Analytics Skyfence Cloud Protection Skyfence Cloud Governance Incapsula Infrastructure Protection Incapsula Website Protection Incapsula Name Server Protection SecureSphere WAF
© 2015 Imperva, Inc. All rights reserved. Incapsula Overview Confidential5 PerformanceSecurity Availability Solving Top Operational Problems Delivered from the Cloud
© 2015 Imperva, Inc. All rights reserved. Incapsula Application Delivery Cloud Confidential6
© 2015 Imperva, Inc. All rights reserved. 1 Confidential7 An Overview of DDoS Attacks
© 2015 Imperva, Inc. All rights reserved. DDoS Attacks in the News Confidential8
© 2015 Imperva, Inc. All rights reserved. What is a DDoS Attack • DDoS attacks – Are performed by large groups of infected computers (botnets) – Usually require special tools or services to defend against 9 Legitimate Traffic Your Site Your Internet Connection Your ISP DDoS Bots An attack that makes your websites or online infrastructure completely inaccessible
© 2015 Imperva, Inc. All rights reserved. DDoS Attack Landscape Trends 10 The number of DDoS attacks in 2014 vs. 2013 2x Average DDoS attack size in 2014 15Gbps
© 2015 Imperva, Inc. All rights reserved. What Are the Main Types of DDoS Attacks? 11 • Network layer DDoS attacks • Consume all available upload and download bandwidth to prevent access to websites “Clogging the Pipe to a website” Your Site Your Internet Connection Your ISP
© 2015 Imperva, Inc. All rights reserved. What Are the Main Types of DDoS Attacks? 12 • Application layer DDoS attacks – Application requests overwhelm the Web server or database causing it to crash – The website then becomes unavailable “Overloading The Server” Your Site Your Internet Connection Your ISP Application layer requests
© 2015 Imperva, Inc. All rights reserved. Who Is Performing These DDoS Attacks? 13 Extortionists Looking for ransom money Vandals Looking to cause trouble Hacktivists Looking to make a point Competitors Looking to keep you out of a deal
© 2015 Imperva, Inc. All rights reserved. What Is the Impact of a DDoS Attack Cost? 14 45% of organizations are attacked 75% Are attacked more than once 91% Were attacked in the last 12 months 10% Are attacked on a weekly basis
© 2015 Imperva, Inc. All rights reserved. The Anatomy of a Sophisticated DDoS Attack 2 15
© 2015 Imperva, Inc. All rights reserved. The Target of the Attack • Successful SaaS platform • Very competitive industry – Online trading • Multi-tenant environment; Attacks on a single tenant impact all other tenants 16
© 2015 Imperva, Inc. All rights reserved. Attack Phase 1 – SYN Flood • 30Gbps SYN Flood (Volumetric / Network Layer attack) • Typical of any DDoS attack – Easy to perform (given the resources) • No DNS amplification was used 17
© 2015 Imperva, Inc. All rights reserved. SYN Flood DDoS Trends from Q2 DDoS Report • SYN floods and Large-SYN floods are two of the top three DDoS attack vectors by – Frequency – Size 18 Source: Imperva Incapsula - Q2 Global DDoS threat Landscape Report
© 2015 Imperva, Inc. All rights reserved. Attack Phase 1 – Mitigation • Geo-distribution of attack traffic – Sharing the load • Dedicated networking capabilities to deal with volumetric attacks • Aggressive blacklisting of offending IP addresses 19
© 2015 Imperva, Inc. All rights reserved. Attack Phase 2 – HTTP Flood • HTTP Flood DDoS attack with 10M requests per second • Targeting “resource intensive” pages • “The smoke screen” for other application layer attacks – This type and level of attack persisted for weeks 20
© 2015 Imperva, Inc. All rights reserved. Application DDoS Trends from Q2 DDoS Report • In Q2 2015 we saw that application layer attacks were – Shorter in duration than the past – More frequently recurring 21 Source: Imperva Incapsula - Q2 Global DDoS threat Landscape Report
© 2015 Imperva, Inc. All rights reserved. Attack Phase 2 – Mitigation • Employ anti-bot technology • Use non-intrusive progressive challenges to differentiate legit browsers vs. bots – IP Address and ASN Info – Cookie Support Variations – JavaScript Challenges – CAPTCHA Further notes • Be transparent, don’t punish humans • Be bot friendly (good bots like Google, Baidu, still need access) 22
© 2015 Imperva, Inc. All rights reserved. Attack Phase 3 – An AJAX Attack • Primary target – the database • AJAX requests can sometimes bypass JS Challenges • Requests were targeting separate sub services in a “registered users only” area of the application • Used hijacked cookies to make heavy AJAX requests 23
© 2015 Imperva, Inc. All rights reserved. Attack Phase 3 – Mitigation • Visitor reputation techniques • Detecting abnormal behavioral patterns – Order and frequency of requests – Interaction between clients and servers – JavaScript Injection to actively classify clients 24
© 2015 Imperva, Inc. All rights reserved. Attack Phase 4 – On Demand Browser Barrage • The symptoms: – Huge spike in browser based traffic – Browser windows popping up in people’s PCs – Innocent people contacting Incapsula “You’re hijacking my PC!” • Initial response – CAPTCHA Challenges • Post-mortem analysis conclusion – A PushDo botnet with 20k bots was opening real browsers on hijacked computers, pointing them at the target application 25
© 2015 Imperva, Inc. All rights reserved. Attack Phase 4 – Mitigation • Reverse engineering the trojan • Crafting a signature to identify and block the bots 26
© 2015 Imperva, Inc. All rights reserved. Attack Phase 5 – Headless Browsers • The symptoms: – 150 hours of spike in browser based traffic – 180,000 new IP sources – 861 variants • Headless browsers leveraging “Phantom JS” were being used to emulate real users – Generating 700 Million requests per day 27
© 2015 Imperva, Inc. All rights reserved. Application DDoS Attack Results from Q2 DDoS Report In Q2 2015 the largest application layer DDoS attack we saw had 179,712 RPS (that’s 15,527,116,800 requests per day) 28 Source: Imperva Incapsula - Q2 Global DDoS threat Landscape Report
© 2015 Imperva, Inc. All rights reserved. Attack Phase 5 – Mitigation • Reverse engineering the Phantom JS kit • Crafting a signature to identify and block all bots using this kit 29
© 2015 Imperva, Inc. All rights reserved. Findings from Q2 2015 Global DDoS Threat Landscape Report • In Q2 botnet owners displayed more ability to assume identities to avoid detection • Roughly 74% of application DDoS attack bots are still primitive 30
© 2015 Imperva, Inc. All rights reserved. Attack Analysis Conclusions • DDoS attacks are becoming more like APTs • It is an ongoing cat-and-mouse game • Attacks can last for weeks and reappear repeatedly • Don’t expect to have a silver bullet 31
© 2015 Imperva, Inc. All rights reserved. Five Lessons Learned 3 32
© 2015 Imperva, Inc. All rights reserved. Attacks are Increasing in Size, So Should Your Defense Capability • Network layer DDoS attacks are getting bigger • You’re defenses need to be able to deal with multi- gigabit attacks • Select a provider with a large scrubbing network 33 Past Present
© 2015 Imperva, Inc. All rights reserved. Don’t Punish Your Users • Your users don’t need to know or care if you are under attack • People don’t like to hang out in dangerous places • DDoS attacks should be mitigated in a way that doesn’t – Cause delays (no hold screens) – Require extra steps (no CAPTCHAs or Splash screens) – Serve outdated content 34
© 2015 Imperva, Inc. All rights reserved. Fail-open for Humans • All human users should be able to bypass protection mechanisms • Legitimate users should be given an opportunity to – Express concern or complain if they are affected – Prove they are legitimate with a CAPTCHA 35
© 2015 Imperva, Inc. All rights reserved. Automation • Automated, always on solutions should be used whenever possible – Web assets should be monitored for attacks 24x7 – Identification is always on • Always on doesn’t mean always “locked down” – DDoS rules should be on call but not implemented until necessary – Mitigation is on when needed 36
© 2015 Imperva, Inc. All rights reserved. Conclusions • Ensure you have enough network capacity • Invest in technology: – Rapid analysis tools – Instant patching infrastructure – Trial and error methodology • Keep up with your research • Have people at the wheel! 37
© 2015 Imperva, Inc. All rights reserved. Want to Learn More? Download the Q2 2015 Global DDoS Threat Landscape Report or sign up for a free 14 day trial by visiting www.incapsula.com 38
© 2015 Imperva, Inc. All rights reserved.39 Questions?
An Inside Look at a Sophisticated Multi-Vector DDoS Attack

More Related Content

PPT
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
byImperva Incapsula
 
PDF
Migrating from Akamai to Incapsula: What You Need to Know
byImperva Incapsula
 
PPTX
Incapsula: How to Increase SaaS Websites’ Uptime and Accelerate Performance
byImperva Incapsula
 
PPTX
Protect Your Assets with Single IP DDoS Protection
byImperva Incapsula
 
PPTX
DNS and Infrastracture DDoS Protection
byImperva Incapsula
 
PPTX
E-commerce Optimization: Using Load Balancing and CDN to Improve Website Perf...
byImperva Incapsula
 
PDF
Is the Cloud Going to Kill Traditional Application Delivery?
byImperva Incapsula
 
PPTX
A DevOps Guide to Web Application Security
byImperva Incapsula
 
[Webinar] DDoS Pentester Reveals: How Hackers Find Your Website’s Weak Points...
byImperva Incapsula
 
Migrating from Akamai to Incapsula: What You Need to Know
byImperva Incapsula
 
Incapsula: How to Increase SaaS Websites’ Uptime and Accelerate Performance
byImperva Incapsula
 
Protect Your Assets with Single IP DDoS Protection
byImperva Incapsula
 
DNS and Infrastracture DDoS Protection
byImperva Incapsula
 
E-commerce Optimization: Using Load Balancing and CDN to Improve Website Perf...
byImperva Incapsula
 
Is the Cloud Going to Kill Traditional Application Delivery?
byImperva Incapsula
 
A DevOps Guide to Web Application Security
byImperva Incapsula
 

What's hot

PDF
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
byImperva
 
PPTX
DDos Attacks and Web Threats: How to Protect Your Site & Information
byjenkoon
 
PPTX
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
byImperva
 
PDF
DDoS Protection System DPS
byAlexander Velikiy
 
PPTX
Using a secured, cloud-delivered SD-WAN to transform your business network
byNetpluz Asia Pte Ltd
 
PPTX
Latest Trends in Web Application Security
byCloudflare
 
PDF
Azure F5 Solutions
byMarketingArrowECS_CZ
 
PPTX
Shanghai Breakout: Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
PPTX
EfficientIP presentation used during the SWITCHPOINT NV/SA Quarterly Experien...
bySWITCHPOINT NV/SA
 
PPTX
How to Reduce Latency with Cloudflare Argo Smart Routing
byCloudflare
 
PDF
F5 Web Application Security
byMarketingArrowECS_CZ
 
PDF
Extend Enterprise Application-level Security to Your AWS Environment
byImperva
 
PDF
Why Many Websites are still Insecure (and How to Fix Them)
byCloudflare
 
PDF
Symantec Endpoint Suite
byMarketingArrowECS_CZ
 
PDF
Protect Your Data and Apps in the Public Cloud
byImperva
 
PDF
Source Address Validation Everywhere, by Paul Vixie [APNIC 38 - Technical Key...
byAPNIC
 
PPTX
Protection and Visibitlity of Encrypted Traffic by F5
byBangladesh Network Operators Group
 
PDF
Jeroen Wijdogen (Akamai) | TU - Hacks & Attacks
byMedia Perspectives
 
PPTX
Why Every Engineer Needs WLAN Packet Analysis
bySavvius, Inc
 
PDF
New Products Overview: Use Cases and Demos
byCaitlin Magat
 
An Inside Look at a Sophisticated, Multi-vector DDoS Attack
byImperva
 
DDos Attacks and Web Threats: How to Protect Your Site & Information
byjenkoon
 
Hacking HTTP/2 : New attacks on the Internet’s Next Generation Foundation
byImperva
 
DDoS Protection System DPS
byAlexander Velikiy
 
Using a secured, cloud-delivered SD-WAN to transform your business network
byNetpluz Asia Pte Ltd
 
Latest Trends in Web Application Security
byCloudflare
 
Azure F5 Solutions
byMarketingArrowECS_CZ
 
Shanghai Breakout: Access Management with Aruba ClearPass
byAruba, a Hewlett Packard Enterprise company
 
EfficientIP presentation used during the SWITCHPOINT NV/SA Quarterly Experien...
bySWITCHPOINT NV/SA
 
How to Reduce Latency with Cloudflare Argo Smart Routing
byCloudflare
 
F5 Web Application Security
byMarketingArrowECS_CZ
 
Extend Enterprise Application-level Security to Your AWS Environment
byImperva
 
Why Many Websites are still Insecure (and How to Fix Them)
byCloudflare
 
Symantec Endpoint Suite
byMarketingArrowECS_CZ
 
Protect Your Data and Apps in the Public Cloud
byImperva
 
Source Address Validation Everywhere, by Paul Vixie [APNIC 38 - Technical Key...
byAPNIC
 
Protection and Visibitlity of Encrypted Traffic by F5
byBangladesh Network Operators Group
 
Jeroen Wijdogen (Akamai) | TU - Hacks & Attacks
byMedia Perspectives
 
Why Every Engineer Needs WLAN Packet Analysis
bySavvius, Inc
 
New Products Overview: Use Cases and Demos
byCaitlin Magat
 

Similar to An Inside Look at a Sophisticated Multi-Vector DDoS Attack

PDF
Preparing for the Imminent Terabit DDoS Attack
byImperva
 
PDF
A Blueprint for Web Attack Survival
byImperva
 
PDF
Protecting What Matters Most – Data
byFujitsu Middle East
 
PPTX
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
byCloudflare
 
PDF
Russian and Worldwide Internet Security Trends 2015
byQrator Labs
 
PDF
Under DDoS: Instant Access to Live Information
byImperva Incapsula
 
PPTX
D3TLV17- Advanced DDoS Mitigation Techniques
byImperva Incapsula
 
PDF
A new way to prevent Botnet Attack
byyennhi2812
 
PDF
TECHNICAL WHITE PAPER: The Continued rise of DDoS Attacks
bySymantec
 
PDF
The role of DDoS Providers
byNeil Hinton
 
PPTX
D3LDN17 - A Pragmatists Guide to DDoS Mitigation
byImperva Incapsula
 
PDF
Nexusguard d do_s_threat_report_q1_2017_en
byAndrey Apuhtin
 
PPTX
DSS ITSEC 2013 Conference 07.11.2013 -Radware - Protection against DDoS
byAndris Soroka
 
PPT
10 Myths about DDoS attacks
byIntruGuard
 
PDF
Atelier Technique ARBOR NETWORKS ACSS 2018
byAfrican Cyber Security Summit
 
PDF
DDoS threat landscape report
byBee_Ware
 
PDF
2015-cloud-security-report-q2
byGaurav Ahluwalia
 
PPTX
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
byCloudflare
 
PDF
Worldwide Infrastructure Security Report Highlights
byAPNIC
 
PPTX
High Performance Security: Mitigating DDoS Attacks Without Losing Your Edge
byHostway|HOSTING
 
Preparing for the Imminent Terabit DDoS Attack
byImperva
 
A Blueprint for Web Attack Survival
byImperva
 
Protecting What Matters Most – Data
byFujitsu Middle East
 
Defending Threats Beyond DDoS Attacks: Featuring Guest Speaker from IDC
byCloudflare
 
Russian and Worldwide Internet Security Trends 2015
byQrator Labs
 
Under DDoS: Instant Access to Live Information
byImperva Incapsula
 
D3TLV17- Advanced DDoS Mitigation Techniques
byImperva Incapsula
 
A new way to prevent Botnet Attack
byyennhi2812
 
TECHNICAL WHITE PAPER: The Continued rise of DDoS Attacks
bySymantec
 
The role of DDoS Providers
byNeil Hinton
 
D3LDN17 - A Pragmatists Guide to DDoS Mitigation
byImperva Incapsula
 
Nexusguard d do_s_threat_report_q1_2017_en
byAndrey Apuhtin
 
DSS ITSEC 2013 Conference 07.11.2013 -Radware - Protection against DDoS
byAndris Soroka
 
10 Myths about DDoS attacks
byIntruGuard
 
Atelier Technique ARBOR NETWORKS ACSS 2018
byAfrican Cyber Security Summit
 
DDoS threat landscape report
byBee_Ware
 
2015-cloud-security-report-q2
byGaurav Ahluwalia
 
The Morphing DDoS and Bot Landscape: Featuring Guest Speaker from IDC
byCloudflare
 
Worldwide Infrastructure Security Report Highlights
byAPNIC
 
High Performance Security: Mitigating DDoS Attacks Without Losing Your Edge
byHostway|HOSTING
 

More from Imperva Incapsula

PPTX
D3TLV17- You have Incapsula...now what?
byImperva Incapsula
 
PPTX
D3TLV17- Keeping it Safe
byImperva Incapsula
 
PPTX
D3TLV17- The Incapsula WAF: Your Best Line of Denfense Against Application La...
byImperva Incapsula
 
PPTX
D3LDN17 - Recruiting the Browser
byImperva Incapsula
 
PPTX
D3LDN17 - Keynote
byImperva Incapsula
 
PPTX
D3NY17- Customizing Incapsula to Accommodate Single Sign-On
byImperva Incapsula
 
PPTX
D3NY17 - Migrating to the Cloud
byImperva Incapsula
 
PPTX
D3NY17- Using IncapRules to Customize Security
byImperva Incapsula
 
PPTX
D3SF17- Using Incap Rules to Customize Your Security and Access Control
byImperva Incapsula
 
PPTX
D3SF17- Boost Your Website Performance with Application Delivery Rules
byImperva Incapsula
 
PPTX
D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl...
byImperva Incapsula
 
PPTX
D3SF17- Improving Our China Clients Performance
byImperva Incapsula
 
PPTX
D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons Learned
byImperva Incapsula
 
PPTX
D3SF17 -Keynote - Staying Ahead of the Curve
byImperva Incapsula
 
PPTX
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
byImperva Incapsula
 
PPTX
Understanding Web Bots and How They Hurt Your Business
byImperva Incapsula
 
PPTX
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
byImperva Incapsula
 
PPTX
Load Balancing from the Cloud - Layer 7 Aware Solution
byImperva Incapsula
 
PDF
Humans Are Now A Minority On The Internet
byImperva Incapsula
 
D3TLV17- You have Incapsula...now what?
byImperva Incapsula
 
D3TLV17- Keeping it Safe
byImperva Incapsula
 
D3TLV17- The Incapsula WAF: Your Best Line of Denfense Against Application La...
byImperva Incapsula
 
D3LDN17 - Recruiting the Browser
byImperva Incapsula
 
D3LDN17 - Keynote
byImperva Incapsula
 
D3NY17- Customizing Incapsula to Accommodate Single Sign-On
byImperva Incapsula
 
D3NY17 - Migrating to the Cloud
byImperva Incapsula
 
D3NY17- Using IncapRules to Customize Security
byImperva Incapsula
 
D3SF17- Using Incap Rules to Customize Your Security and Access Control
byImperva Incapsula
 
D3SF17- Boost Your Website Performance with Application Delivery Rules
byImperva Incapsula
 
D3SF17- A Single Source of Truth for Security Issues- Pushing Siem Logs to Cl...
byImperva Incapsula
 
D3SF17- Improving Our China Clients Performance
byImperva Incapsula
 
D3SF17- Migrating to the Cloud 5- Years' Worth of Lessons Learned
byImperva Incapsula
 
D3SF17 -Keynote - Staying Ahead of the Curve
byImperva Incapsula
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
byImperva Incapsula
 
Understanding Web Bots and How They Hurt Your Business
byImperva Incapsula
 
From 1000/day to 1000/sec: The Evolution of Incapsula's BIG DATA System [Surg...
byImperva Incapsula
 
Load Balancing from the Cloud - Layer 7 Aware Solution
byImperva Incapsula
 
Humans Are Now A Minority On The Internet
byImperva Incapsula
 

Recently uploaded

PDF
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
PPTX
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PDF
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
PDF
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 
AI Vector Search Best Practices Multicloud Feb 2026
bySandesh Rao
 
Critique Prompting: The Secret to High-Quality AI Outputs
bySemantic SEO BD
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
Constraint Collapse and Fidelity Decay in Scaled Language Models
bySemantic Fidelity Lab | A. Jacobs
 
UiPath Modern Automation Playbook -Session 2
bysuhanisingh58689
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
Explaining specific examples of purpose-specific BOM
byakipii ogaoga
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
Towards a Vibrant AI Hardware Accelerator Ecosystem, invited talk at the 4th ...
byMichiaki Tatsubori
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
How to Install XRDP on CentOS 10 .pdf
byGreen Webpage
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
shayk.online - Anonymous chat with Sinatra and WebSockets
byEleanor McHugh
 

An Inside Look at a Sophisticated Multi-Vector DDoS Attack

  • 1.
    © 2015 Imperva,Inc. All rights reserved. An Inside Look at a Sophisticated Multi-Vector DDoS Attack Nabeel Saeed, Product Marketing Manager, Incapsula September 2015
  • 2.
    © 2015 Imperva,Inc. All rights reserved. Agenda • What is Imperva Incapsula • Overview of a DDoS attacks • DDoS attack trends • Anatomy of a sophisticated DDoS attack • Lessons learned Confidential2
  • 3.
    © 2015 Imperva,Inc. All rights reserved. Speaker Bio for Nabeel Saeed • Background – 5+ years experience with web application security and SaaS security solutions – Held product marketing roles at Imperva, Incapsula, Vertical Systems, etc. • Contact: • Email: Nabeel@incapsula.com 3
  • 4.
    © 2015 Imperva,Inc. All rights reserved. Confidential4 Imperva products Products that cover both Protect and Comply Partners User Rights Management for File Data Loss Prevention SecureSphere File Firewall File Activity Monitor SecureSphere Database Assessment Server SecureSphere Database Firewall SecureSphere for Big Data SecureSphere Database Activity Monitor User Rights Management Data Masking Vulnerability Assessment Incapsula Back Door Detection Incapsula Website Security SecureSphere WAF ThreatRadar Skyfence Cloud Discovery Skyfence Cloud Analytics Skyfence Cloud Protection Skyfence Cloud Governance Incapsula Infrastructure Protection Incapsula Website Protection Incapsula Name Server Protection SecureSphere WAF
  • 5.
    © 2015 Imperva,Inc. All rights reserved. Incapsula Overview Confidential5 PerformanceSecurity Availability Solving Top Operational Problems Delivered from the Cloud
  • 6.
    © 2015 Imperva,Inc. All rights reserved. Incapsula Application Delivery Cloud Confidential6
  • 7.
    © 2015 Imperva,Inc. All rights reserved. 1 Confidential7 An Overview of DDoS Attacks
  • 8.
    © 2015 Imperva,Inc. All rights reserved. DDoS Attacks in the News Confidential8
  • 9.
    © 2015 Imperva,Inc. All rights reserved. What is a DDoS Attack • DDoS attacks – Are performed by large groups of infected computers (botnets) – Usually require special tools or services to defend against 9 Legitimate Traffic Your Site Your Internet Connection Your ISP DDoS Bots An attack that makes your websites or online infrastructure completely inaccessible
  • 10.
    © 2015 Imperva,Inc. All rights reserved. DDoS Attack Landscape Trends 10 The number of DDoS attacks in 2014 vs. 2013 2x Average DDoS attack size in 2014 15Gbps
  • 11.
    © 2015 Imperva,Inc. All rights reserved. What Are the Main Types of DDoS Attacks? 11 • Network layer DDoS attacks • Consume all available upload and download bandwidth to prevent access to websites “Clogging the Pipe to a website” Your Site Your Internet Connection Your ISP
  • 12.
    © 2015 Imperva,Inc. All rights reserved. What Are the Main Types of DDoS Attacks? 12 • Application layer DDoS attacks – Application requests overwhelm the Web server or database causing it to crash – The website then becomes unavailable “Overloading The Server” Your Site Your Internet Connection Your ISP Application layer requests
  • 13.
    © 2015 Imperva,Inc. All rights reserved. Who Is Performing These DDoS Attacks? 13 Extortionists Looking for ransom money Vandals Looking to cause trouble Hacktivists Looking to make a point Competitors Looking to keep you out of a deal
  • 14.
    © 2015 Imperva,Inc. All rights reserved. What Is the Impact of a DDoS Attack Cost? 14 45% of organizations are attacked 75% Are attacked more than once 91% Were attacked in the last 12 months 10% Are attacked on a weekly basis
  • 15.
    © 2015 Imperva,Inc. All rights reserved. The Anatomy of a Sophisticated DDoS Attack 2 15
  • 16.
    © 2015 Imperva,Inc. All rights reserved. The Target of the Attack • Successful SaaS platform • Very competitive industry – Online trading • Multi-tenant environment; Attacks on a single tenant impact all other tenants 16
  • 17.
    © 2015 Imperva,Inc. All rights reserved. Attack Phase 1 – SYN Flood • 30Gbps SYN Flood (Volumetric / Network Layer attack) • Typical of any DDoS attack – Easy to perform (given the resources) • No DNS amplification was used 17
  • 18.
    © 2015 Imperva,Inc. All rights reserved. SYN Flood DDoS Trends from Q2 DDoS Report • SYN floods and Large-SYN floods are two of the top three DDoS attack vectors by – Frequency – Size 18 Source: Imperva Incapsula - Q2 Global DDoS threat Landscape Report
  • 19.
    © 2015 Imperva,Inc. All rights reserved. Attack Phase 1 – Mitigation • Geo-distribution of attack traffic – Sharing the load • Dedicated networking capabilities to deal with volumetric attacks • Aggressive blacklisting of offending IP addresses 19
  • 20.
    © 2015 Imperva,Inc. All rights reserved. Attack Phase 2 – HTTP Flood • HTTP Flood DDoS attack with 10M requests per second • Targeting “resource intensive” pages • “The smoke screen” for other application layer attacks – This type and level of attack persisted for weeks 20
  • 21.
    © 2015 Imperva,Inc. All rights reserved. Application DDoS Trends from Q2 DDoS Report • In Q2 2015 we saw that application layer attacks were – Shorter in duration than the past – More frequently recurring 21 Source: Imperva Incapsula - Q2 Global DDoS threat Landscape Report
  • 22.
    © 2015 Imperva,Inc. All rights reserved. Attack Phase 2 – Mitigation • Employ anti-bot technology • Use non-intrusive progressive challenges to differentiate legit browsers vs. bots – IP Address and ASN Info – Cookie Support Variations – JavaScript Challenges – CAPTCHA Further notes • Be transparent, don’t punish humans • Be bot friendly (good bots like Google, Baidu, still need access) 22
  • 23.
    © 2015 Imperva,Inc. All rights reserved. Attack Phase 3 – An AJAX Attack • Primary target – the database • AJAX requests can sometimes bypass JS Challenges • Requests were targeting separate sub services in a “registered users only” area of the application • Used hijacked cookies to make heavy AJAX requests 23
  • 24.
    © 2015 Imperva,Inc. All rights reserved. Attack Phase 3 – Mitigation • Visitor reputation techniques • Detecting abnormal behavioral patterns – Order and frequency of requests – Interaction between clients and servers – JavaScript Injection to actively classify clients 24
  • 25.
    © 2015 Imperva,Inc. All rights reserved. Attack Phase 4 – On Demand Browser Barrage • The symptoms: – Huge spike in browser based traffic – Browser windows popping up in people’s PCs – Innocent people contacting Incapsula “You’re hijacking my PC!” • Initial response – CAPTCHA Challenges • Post-mortem analysis conclusion – A PushDo botnet with 20k bots was opening real browsers on hijacked computers, pointing them at the target application 25
  • 26.
    © 2015 Imperva,Inc. All rights reserved. Attack Phase 4 – Mitigation • Reverse engineering the trojan • Crafting a signature to identify and block the bots 26
  • 27.
    © 2015 Imperva,Inc. All rights reserved. Attack Phase 5 – Headless Browsers • The symptoms: – 150 hours of spike in browser based traffic – 180,000 new IP sources – 861 variants • Headless browsers leveraging “Phantom JS” were being used to emulate real users – Generating 700 Million requests per day 27
  • 28.
    © 2015 Imperva,Inc. All rights reserved. Application DDoS Attack Results from Q2 DDoS Report In Q2 2015 the largest application layer DDoS attack we saw had 179,712 RPS (that’s 15,527,116,800 requests per day) 28 Source: Imperva Incapsula - Q2 Global DDoS threat Landscape Report
  • 29.
    © 2015 Imperva,Inc. All rights reserved. Attack Phase 5 – Mitigation • Reverse engineering the Phantom JS kit • Crafting a signature to identify and block all bots using this kit 29
  • 30.
    © 2015 Imperva,Inc. All rights reserved. Findings from Q2 2015 Global DDoS Threat Landscape Report • In Q2 botnet owners displayed more ability to assume identities to avoid detection • Roughly 74% of application DDoS attack bots are still primitive 30
  • 31.
    © 2015 Imperva,Inc. All rights reserved. Attack Analysis Conclusions • DDoS attacks are becoming more like APTs • It is an ongoing cat-and-mouse game • Attacks can last for weeks and reappear repeatedly • Don’t expect to have a silver bullet 31
  • 32.
    © 2015 Imperva,Inc. All rights reserved. Five Lessons Learned 3 32
  • 33.
    © 2015 Imperva,Inc. All rights reserved. Attacks are Increasing in Size, So Should Your Defense Capability • Network layer DDoS attacks are getting bigger • You’re defenses need to be able to deal with multi- gigabit attacks • Select a provider with a large scrubbing network 33 Past Present
  • 34.
    © 2015 Imperva,Inc. All rights reserved. Don’t Punish Your Users • Your users don’t need to know or care if you are under attack • People don’t like to hang out in dangerous places • DDoS attacks should be mitigated in a way that doesn’t – Cause delays (no hold screens) – Require extra steps (no CAPTCHAs or Splash screens) – Serve outdated content 34
  • 35.
    © 2015 Imperva,Inc. All rights reserved. Fail-open for Humans • All human users should be able to bypass protection mechanisms • Legitimate users should be given an opportunity to – Express concern or complain if they are affected – Prove they are legitimate with a CAPTCHA 35
  • 36.
    © 2015 Imperva,Inc. All rights reserved. Automation • Automated, always on solutions should be used whenever possible – Web assets should be monitored for attacks 24x7 – Identification is always on • Always on doesn’t mean always “locked down” – DDoS rules should be on call but not implemented until necessary – Mitigation is on when needed 36
  • 37.
    © 2015 Imperva,Inc. All rights reserved. Conclusions • Ensure you have enough network capacity • Invest in technology: – Rapid analysis tools – Instant patching infrastructure – Trial and error methodology • Keep up with your research • Have people at the wheel! 37
  • 38.
    © 2015 Imperva,Inc. All rights reserved. Want to Learn More? Download the Q2 2015 Global DDoS Threat Landscape Report or sign up for a free 14 day trial by visiting www.incapsula.com 38
  • 39.
    © 2015 Imperva,Inc. All rights reserved.39 Questions?

Editor's Notes

  • #10 So, what exactly is a DDoS attack? At it’s most simple form, it is an attack that tries to keep internet users from accessing an internet connected resource, typically a website. The most common way to do this is to take a large group of infected computers called a botnet and use them to send lots of traffic at a single target. As the sheer bulk of this traffic makes its way across the internet to the target, it usually creates a bottleneck preventing any other traffic (the legitimate traffic) from reaching that website. These bottlenecks usually happen at the internet connection a website operator has purchased from their ISP. Once this link is saturated, the website will become unavailable and appear offline.
  • #11 Let’s look at some trends in the DDoS attack landscape. According to the verizon data breach report, there were twice as many attacks in 2014 as the year prior, with the average attack size in 2014 being 15Gbps compared with 10 Gbps in 2013.
  • #12 There are really two main types of DDoS attacks . Network layer attacks, and application layer attacks. Network layer attacks are typically volumetric in nature and try to consume all of the bandwidth available to a website or other internet connected resource. You can think about this type of attack like “Clogging the pipe to a website”. Once the pipe is totally saturated, it can no longer be used for communication and the website will appear offline to website visitors.
  • #13 Application layer attacks on the other hand are typically more targeted and more intelligent. They tend to be smaller in size and aim to overload a web server, or database causing it to crash, thus taking the website down with it. The concept to remember here is “Overloading the server”.
  • #14 Now that we know what a DDoS attack is, and how they work, who are launching these attacks? There are four main groups: Hacktivists –looking to make a point. It could be your company’s industry, political stance, a blog post, a quote in the media by an exec, etc. Whatever it is, Hacktivists are using hacking for activism and your site my somehow be involved. Competitors – looking to take your site down at an opportune time to gain an advantage. Think about taking an ecommerce site offline during cyber Monday. That would drive consumers elsewhere to fulfill their needs. Extortionists - This group is looking to get ransom money and will take your website offline until you pay them to stop the attack. Vandals – unfortunately there are also sometimes the attacker is just looking for notoriety or to just cause general malice.
  • #15 Lastly, before we look at the actual attack, let’s talk about how often attacks happen and how much they cost. This data is from Incapsula’s DDoS impact survey. We found that 45% of all organizations are hit with DDoS attacks. Of that number, 75% are attacked more than once, 91% were attacked within the last 12 months, and 10% are attacked on a weekly basis. In terms of financial impact, We found that the average DDoS attack lasts 12 hours and costs $40K per hour, leading to a total of roughly a half million dollars of impact. This of course includes things like loss of revenue from website downtime, brand damage, collateral damage to other equipment, support costs, etc.
  • #16 Now that we’ve got the basics out of the way, we’ll spend some time to talk about a very sophisticated multi-vector DDoS attack that was launched at one of our customers. Throughout this section, we’ll talk about what happened in each of the five stages of the attack, compare it to trends in the DDoS attack landscape, and tell you how we mitigated that portion of the attack.
  • #17 First off, we won’t be discussing who the target was. What I can tell you is a little bit about the nature of the business. The target company is a very successful software as a service platform in the online trading industry. This is important for several reasons. SaaS products online availability directly equates to their revenue. If the site goes down, so does the product, and their revenues source. SaaS products generally are built in a robust way to serve the transactions of millions of customers. The final thing to note about this customer is they were in a multi-tenant environment which meant that when they were hit with the attack, it impacted other people using the same hosting datacenter. This is what is known as being a “noisy neighbor” and can quickly get you kicked off your hosting provider when large DDoS attacks come.
  • #18 The first phase of the attack was a simple SYN Flood. This volumetric DDoS attack is a typical, run of the mill attack. It’s a blunt weapon that is easy to create, if you have the resources, and easy to defend against. It peaked at 30Gpbs and the only really interesting thing about the attack was that it didn’t use any form of amplification, which means that the attacker had access to significant resources.
  • #19 Taking a quick look at Syn flood stats from our Q2 DDoS trend report we can see that they are one of the top DDoS attacks, both in terms of frequency and size. We’ve split SYN Floods into two types, Large and normal SYN floods and the only difference between the two is packet size. Interestingly, Synfloods make up the two of the top three most common attacks and two of the top three Largest attack types.
  • #20 Now lets look at how to defeat this type of DDoS attack. As I said before, SYN floods and other types of volumetric DDoS attacks are essentially blunt weapons which use a huge amount of traffic to bludgeon targets. The first step to defeating these attacks should be to spread the load across many scrubbing centers. This creates a “many-to-many” defense strategy instead of a “many to one” strategy. Within each scrubbing center we use dedicated scrubbing hardware to deal with the attack. We use a customized hardware solution called the “Behemoth” for scrubbing. It’s a propietary platform capable of handling 170Gbps of capacity per appliance which is used to aggressively blacklist of the attack sources and attack traffic.
  • #21 As the SYN flood subsided, the site was hit by Phase 2 of the attack, another volumetric attack, this time an HTTP flood that was 10M requests/second, which targeted several specifically chosen resource-heavy pages. This type of attack is frequently used as a smoke screen or diversionary tactic while hackers try other hacking attempts. The interesting thing about this phase of the attack is that it didn’t end. In fact, it persisted for weeks even as the other phases of the attack were in progress.
  • #22 Throughout Q2, we saw shorter durations of app layer attacks than previous quarters, but with a high likelihood and frequency of return. More than half of DDoS targets are hit again within a 60 day timeframe.
  • #23 Phase two was certainly more advanced than the SYN flood that the attacker used in phase 1, however this attack was easily mitigated with our client classification engine, which is essentially an anti-bot module that analyzes traffic in real time to differentiate humans vs bots and to classify them by purpose, identifying and blocking DDoS bots. Good anti-bot tools make wonderful additions to DDoS protection products for this reason. The use of non-intrusive, or transparent challenges will help minimize false positives. Humans shouldn’t be seeing these challenges and its important to create an environment where helper bots are welcome while bad bots are blocked. i.e. don’t be iron fisted with bots.
  • #24 Next on the target's list were the website's AJAX objects. This was a smart choice, as some bot filtering methods like i just described (e.g., JavaScript challenges) will not be completely effective in protecting AJAX resources from App layer attacks. Moreover, attacking AJAX objects ensures direct impact on the database - typically one of the most sensitive chokepoints. The fact that the targeted objects were located in a "registered users only" area also says a lot about the attacker's familiarity with site's architecture, and also hints at the level of reconnaissance that preceded the attack. In a tactic more usually seen in an APT the hacker has scoped out the applixation, discovered a heavy ajax resource within the authenticated part of the site. Then he needed to get in, authenticate, and use that ajaz resousrce as the attack And to do that, he actually used hijacked cookies to make the heavy ajax requests
  • #25 We used the targeted nature of this attack to our advantage during its mitigation. By limiting the number of “suspects” to a small sub-group of registered-only users, we were able to filter out malicious bots by Visitor Reputation while identifying Abnormal Behavior Patterns. In this case the abnormal behavior was fairly easy to spot because it all involved unusual usage of these AKAX objects.
  • #26 Phase 4 of this multi-vector attack, is where things got really interesting. The incoming attack was almost totally transparent it was only noticeable by its impact on the site's performance. It looked like an abnormally high spike in human traffic. To prevent damage to our client we selectively deployed CAPTCHA challenges - a relatively low-tech and somewhat disruptive mitigation tool which we only use as a last resort. Even in this case, the CAPTCHA’s were only presented to a very narrow group of visitors (~1%), who sported a specific configuration that matched that of the attacker. It worked but it wasn't the solution we wanted. While looking for a more transparent approach to mitigation, we became aware of people who were trying to reach us via our Social Media channels and support ticket, complaining about how Incapsula had "invaded" their desktop browsers. --- Real Browsers attacking – Seems like real traffic Trojan – spread across a computers opeing real browsers There was a bug in the trojan that caused web pages to open up with our Error/Captcha page caused – great fun for our support environment
  • #27 Once we were able to identify the trojan powering the attack our security team was able to reverse engineer it and create a new signature to block the botnet and attack vector for all of our customers.
  • #28 Phase 5 was the last phase of the attack. Basically in phase 3, the attacker used stolen cookies to gain access to an authorized part of the website and launched the attack from there. In Phase 4, the attacker used a network of infected computers spawn browsers and point them at the target, in Phase 5, the attacker took it a step further and used infected browsers. This infection was happening completely within the browser and thus had access to the sessions, cookies, and capabilities of the browser. This attack lasted for 150 hours, using 180,000 IP addresses and 861 variants to general 700M requests per day.
  • #29 Before discussing its mitigation for a minute I’ll comment that even though Phase 5 of this multivector attack was able to generate a devastating 700 million requests per day, some of the large attacks of this nature we saw during Q2 of this year generated as much as 15.5 billion requests per day.
  • #30 Similarly to how we handled the PushDo bot example from phase 4, the key to defeating the Phantom JS kit was to first identify the bot, then reverse engineer the software, and create a signature to block it.
  • #31 The common theme of the last several phases of the attack we’ve explored throughout this webinar was bots. The attacker tried increasingly more sophisticated methods of evasion before eventually being thwarted. The trends we saw throughout Q2 in part mimic this as we saw botnet owners using a wider variety of assumed identities to avoid detection. One pitfall is that unlike Phantom JS, these identities tended to still be largely “primitive” meaning they would be low hanging fruit for anti-bot tools because they don’t even posses the ability to support cookies or handle JavaScript. The take away from this is that any DDoS protection solution you use, should include the ability to accurately identify bots as this will increase it’s accuracy.
  • #32 The attack we just reviewed was atypical in many ways however there are still many lessons that we can learn. First off, DDoS attacks are becoming more like APTs or advanced persistent threats. Attackers are doing more research to target the soft spots in your environment and you need to be prepared to deal with an attack that may include multiple changing vectors. DDoS attacks can last for weeks and they may also start and stop seemingly at random. Your defense tactics need to be able to handle that gracefully. Lastly, Don’t expect a silver bullet, even the best vendors may need to implement custom rules to help protect your application from highly customized attacks.
  • #34 DDoS attacks are growing constantly. Largely in part to cheap rentable DDoS-as-a-service platforms which require no expertise and can be rented by the hour. That means you need to be prepared to deal with very large attacks, in the range of tens to hundreds of gigabits per second. The most cost effective way to do this is typically to work with a DDoS Protection provider that has a large scrubbing network.
  • #35 Let’s be clear, DDoS attacks are your problem. Not that of your website visitors or customers. In a perfect world, they shouldn’t know that the attack is even happening. Many DDoS solutions on the market are quick to resort to the use of CAPTCHAs or holding screens which is less than ideal because it impacts website usage for real, legitimate humans. Instead try to find solutions with transparent challenges that can identify DDoS bots without the need to interfere with human visitors.
  • #36 This piece of advice might seem counter intuitive when compared with my last suggestion, which was to use transparent challenges instead of CAPTCHAs or hold screens, to identify DDoS bots. Good DDoS protection solutions should be able to detect and mitigate the vast majority of attacks with no problems, but for some unique circumstances it might be possible to have a false positive and misinterpret a human for a DDoS attacker. If this should arise, the solution needs to fail open with something like a CAPTCHA which allows a human to prove it’s humanity. This screen should also provide the customer information on how to contact the vendor’s support and complain if they are affected. Humans are human after all, and if they are inconvenienced, they should know why and be able to express their displeasure with it.
  • #37 A few words on automation. Automated, always on solutions should be used whenever possible especially for web assets running HTTP/S because they are by far the most commonly targeted assets. You’re DDoS mitigation solution should always be monitoring for attacks and be able to instantly mitigate them should they be detected. That doesn’t mean that websites should be in constant lock down. Monitoring doesn’t equal enforcement. DDoS rules should only be used when needed, the rest of the time websites should be protected by other solutions like a web app firewall, but otherwise unhindered.
  • #38 Whether you decide to try to tackle the DDoS problem yourself, or work with a provider to deal with it for you, here are some things to keep in mind. Ensure you have enough network capacity. Today’s DDoS attacks are larger than ever and most people don’t have hundreds of gigabits per second of idle bandwidth at their disposal. Be prepared for bigger attacks. Invest in technology, Rapid analysis tools, the ability to quickly patch and implement custom rules and persistence will be key to defeating complex attacks. Make sure you have the help of researchers who are up to speed on the latest attacks and can bring that knowledge to your defense when needed. Picking a solution with a 24x7 SOC that helps you monitor your environment is crucial incase things go sideways.
  • #39 What to learn more about Incapsula, or the latest in DDoS trends? Feel free to visit us at www.incapsula.com to download a free copy of our report, or to start a free 14 day trial of the product.