CyberSecurity SEE

Case Study: Effectively Mitigating Low-Rate HTTP DDoS Attacks Driven by Botnet

A recent research study conducted by Indusface on over 1400 websites reveals a significant surge in Distributed Denial of Service (DDoS) attacks and bot attacks during the second quarter of 2023 compared to the previous quarter. The study recorded a staggering 75% increase in DDoS attacks and a 48% rise in bot attacks. These statistics indicate a growing threat to online businesses and the need for more robust security measures.

One of the notable trends observed in DDoS attacks is the evolution beyond the Mirai botnet, which has been a common method used by hackers. The emergence of next-generation botnets poses an even greater risk. One such type of attack is the low-rate-per-bot HTTP DDoS attack.

In a low-rate-per-bot HTTP DDoS attack, multiple compromised or controlled devices, known as bots, send a relatively small number of HTTP requests to a target web server or application over an extended period. Unlike traditional botnet attacks that flood the target with a massive number of requests, low-rate-per-bot attacks focus on being stealthy and persistent.

The attackers deliberately keep the request rate per bot low to avoid triggering rate-limiting or detection mechanisms. However, the cumulative effect of these requests from numerous bots can overwhelm the target server or application, leading to service disruption.

The primary objective of a low-rate-per-bot HTTP DDoS attack is to mimic legitimate user traffic, making it challenging for security solutions to differentiate between malicious and legitimate requests. The reduced request rate per bot makes the attack traffic appear less notable, flying under the radar of security measures.

To demonstrate the severity of these attacks, Indusface shared a case study involving a Fortune 500 company. The company’s application was targeted by an HTTP DDoS attack executed by a botnet consisting of thousands of individual bots. The magnitude of the attack was between 3000X and 14000X greater than the typical request rate per minute experienced by the website. The attackers used approximately 8 million unique IP addresses during the two-week attack.

In this scenario, traditional rate-limiting measures proved inadequate as some IPs were sending as little as one request per minute. Adjusting the rate limit to such a low level was not a feasible solution. The attackers also targeted base URLs that were either non-existent or not publicly accessible, such as /404, /admin, and /config.

Indusface’s AppTrana platform detected these anomalies and their managed service team deployed a customized solution to reduce the attacks to zero. This case study emphasizes the importance of implementing behavior-based DDoS protection, such as AppTrana, as an alternative to static rate limiting.

Based on their observations, Indusface provides recommendations for enhancing DDoS attack mitigation strategies. They suggest avoiding rate limits at the domain level and instead establishing rate limits at the URL level to manage access to specific URLs or sets of URLs. Customizing request rates based on session duration and monitoring rate limits at the IP address level are also crucial steps to prevent overload and block malicious traffic. Additionally, implementing geographical-based rate limiting and adjusting tolerance levels for bot modules can further enhance security.
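The gap between per-IP and URL-level limits described above can be seen on a small constructed log. This is an added example, not Indusface or AppTrana code; the thresholds, IP ranges, bot count and the `/products` path are assumptions chosen for illustration, while `/404`, `/admin` and `/config` are the paths named in the case study.

```python
from collections import Counter, defaultdict

PER_IP_LIMIT = 60    # assumed threshold: requests per source IP per minute
PER_URL_LIMIT = 200  # assumed threshold: requests per URL per minute, all sources

def build_sample_minute(bots=5000):
    """Constructed one-minute access log as (source_ip, path) tuples."""
    targets = ["/404", "/admin", "/config"]
    # Each bot sends exactly one request in the minute, as in the case study.
    log = [(f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}", targets[i % 3])
           for i in range(bots)]
    # Constructed legitimate traffic: 40 users, 3 page views each.
    log += [(f"192.0.2.{u}", "/products") for u in range(1, 41) for _ in range(3)]
    return log

def per_ip_violations(log, limit=PER_IP_LIMIT):
    """Source IPs whose own request count exceeds the per-IP limit."""
    counts = Counter(ip for ip, _ in log)
    return {ip for ip, n in counts.items() if n > limit}

def per_url_violations(log, limit=PER_URL_LIMIT):
    """URLs whose aggregate request count, across all sources, exceeds the limit."""
    counts = Counter(path for _, path in log)
    return {path: n for path, n in counts.items() if n > limit}

def distinct_sources(log):
    """Number of distinct source IPs seen per URL, a simple behavioural signal."""
    seen = defaultdict(set)
    for ip, path in log:
        seen[path].add(ip)
    return {path: len(ips) for path, ips in seen.items()}

if __name__ == "__main__":
    log = build_sample_minute()
    print("flagged by per-IP limit:", len(per_ip_violations(log)))
    sources = distinct_sources(log)
    for path, n in sorted(per_url_violations(log).items()):
        print(f"flagged by URL limit: {path} requests={n} distinct_ips={sources[path]}")
```

No source exceeds the per-IP limit, yet each targeted path is far over the URL-level limit, with roughly one request per distinct IP; the legitimate `/products` traffic stays under both.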

To protect businesses from the growing threat of bot attacks, it is essential to analyze attack request trends over time and implement appropriate bot mitigation rules. By following these recommendations and staying vigilant against evolving attack methods, businesses can better safeguard their online assets and ensure uninterrupted service for their users.
