DDoS Attack Detected? How To Prevent It?

Swwapnil Pawar
6 min read · Jan 27, 2023
Fig.1 DDoS Protection

I have been consulting for a company on their marketing website (20M+ unique monthly visitors). This level of exposure comes with a high risk of various attacks, the most common of which is DDoS.

To protect their marketing website, we chose Cloudflare as our CDN partner. Why?

Here are some of the things Cloudflare provides:

  1. Cloudflare is the internet company.
  2. Cloudflare’s 172 Tbps network blocks an average of 70 billion threats per day, including some of the largest DDoS attacks ever recorded (figures as Cloudflare published them at the time of writing); see the Cloudflare DDoS Report 2022.
  3. Cloudflare’s architecture gives you an integrated set of L3-L7 network services, all accessible from a single dashboard.
  4. Cloudflare has data centers in over 275 cities that deliver sub-50-millisecond latency to 95% of the Internet users in the world.

Now, let’s move on and understand how Cloudflare protects against DDoS attacks and how to identify whether your website is under attack.

Cloudflare’s network is built to automatically monitor and mitigate large DDoS attacks. Caching your content at Cloudflare also protects your website against small DDoS attacks, but attacks on uncached assets require an additional manual response.

Additionally, Cloudflare helps mitigate smaller DDoS attacks:

  • For zones on any plan: when the HTTP error rate exceeds the threshold of the High (default) sensitivity level, 1,000 errors per second. You can lower the sensitivity level (which raises the threshold) by configuring the HTTP DDoS Attack Protection Managed Ruleset.
  • For zones on Pro, Business and Enterprise plans, Cloudflare performs an additional check for better detection accuracy: the errors-per-second rate must also be at least five times the normal origin traffic levels, so a zone with a noisy baseline is not mitigated on the absolute threshold alone.
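To make the two-stage heuristic concrete, here is an added example that replays it over constructed origin log lines. It is not Cloudflare's code and only models what the two bullets above describe; the log format, the `baseline_eps` figure and the sample traffic are assumptions made for the example, and the only threshold taken from the text is the 1,000 errors/s High default.

```python
"""Added example (not Cloudflare's code): the two-stage errors-per-second
heuristic described above, replayed over constructed origin log lines.

Each line is "<epoch-second> <http-status>" (a constructed, minimal format).
Stage 1 (all plans) flags a second whose 5xx count exceeds the sensitivity
threshold; 1,000/s is the High default quoted in the text, and lowering the
sensitivity means passing a higher threshold. Stage 2, which the text says
applies on Pro, Business and Enterprise, additionally requires the rate to
be at least five times the zone's normal error rate (baseline_eps, assumed).
"""
from collections import Counter

HIGH_SENSITIVITY_EPS = 1000                     # errors/s, from the text
PLANS_WITH_BASELINE_CHECK = {"pro", "business", "enterprise"}


def errors_per_second(log_lines):
    """Map epoch second -> number of 5xx responses logged in that second."""
    counts = Counter()
    for line in log_lines:
        ts, status = line.split()
        if 500 <= int(status) <= 599:
            counts[int(ts)] += 1
    return counts


def evaluate(counts, baseline_eps, plan="free", threshold_eps=HIGH_SENSITIVITY_EPS):
    """Return (second, errors, mitigated, reason) for every second with errors."""
    verdicts = []
    for second in sorted(counts):
        errors = counts[second]
        if errors <= threshold_eps:
            verdicts.append((second, errors, False, "below sensitivity threshold"))
        elif plan.lower() in PLANS_WITH_BASELINE_CHECK and errors < 5 * baseline_eps:
            verdicts.append((second, errors, False, "above threshold but under 5x baseline"))
        else:
            verdicts.append((second, errors, True, "mitigate"))
    return verdicts


def build_sample():
    """Constructed traffic: a quiet second (50 errors), a 1,200-error second,
    and a 900-error second that stays under the High threshold."""
    return (["1700000000 200"] * 400 + ["1700000000 502"] * 50
            + ["1700000001 503"] * 1200 + ["1700000001 200"] * 100
            + ["1700000002 504"] * 900)


if __name__ == "__main__":
    counts = errors_per_second(build_sample())
    for plan in ("free", "business"):
        # With a 300/s baseline the Business zone is NOT mitigated at 1,200/s
        # (5 x 300 = 1,500), while the Free zone is: that is the second check.
        print(plan, evaluate(counts, baseline_eps=300, plan=plan))
```

The point of the second stage shows up in the sample: the same 1,200 errors/s second is mitigated for a Free zone but not for a Business zone whose normal error rate is already 300/s, because 1,200 is under five times that baseline.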

If your security team operates a centralized security dashboard (a SIEM or similar), you can feed these events into it by integrating Cloudflare Logs with that system.

See this article on investigating DDoS traffic using Cloudflare Logs.

Mitigations of HTTP DDoS attacks are shown in the Security Events dashboard as HTTP DDoS events.

Determine if you are under DDoS attack:

Common signs that you are under DDoS attack include:

  • Your site is offline or slow to respond to requests.
  • There are unexpected spikes in the graph of Requests Through Cloudflare or Bandwidth in your Cloudflare Analytics app.
  • There are strange requests in your origin web server logs that don’t match normal visitor behavior.

Responding & protecting your website from DDoS attack:

NOTE: Make sure notifications are enabled in Cloudflare. Configure them to receive real-time alerts (within about a minute) about L3/4 and L7 DDoS attacks on your Internet properties; which alerts are available depends on your plan and services. https://blog.cloudflare.com/advanced-ddos-alerts/

Fig.2 List of cloudflare notification

If you’re under attack, the following are basic countermeasures to stop an ongoing attack.

[1] Enable Under Attack Mode

To activate Under Attack Mode:

1. Log in to your Cloudflare account.

2. Select the domain currently under attack.

3. Toggle Under Attack Mode to On within the Quick Actions section of the Cloudflare Overview app.

4. (Optional) Adjust Challenge Passage within Security > Settings.

Legitimate traffic from mobile apps or from clients that do not support JavaScript and cookies cannot reach your website while Under Attack Mode is enabled, because every visitor must first pass a JavaScript challenge. For this reason, Under Attack Mode is not recommended for API traffic. Instead, configure Rate Limiting or at least set the Security Level to High under Security > Settings.

NOTE: Under Attack Mode is also configurable for specific URLs via the Cloudflare Page Rules app by setting Security Level to I’m Under Attack.
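The dashboard steps above can also be driven from the Cloudflare API, which is what you want if the DDoS alert from the previous section should trigger the response without someone logging in. This is an added example, not from the original post: it uses the zone `security_level` setting endpoint, which accepts `under_attack` as well as `high`. The zone id and token are placeholders; the token is assumed to carry Zone Settings edit permission and to be supplied via the `CLOUDFLARE_API_TOKEN` environment variable. Nothing is sent unless `send=True`.

```python
"""Added example (not from the post): toggle Under Attack Mode, or fall back
to Security Level High for zones with API or non-JavaScript clients, through
the Cloudflare API's zone security_level setting.

Assumptions: ZONE_ID and the token are placeholders; the token needs
permission to edit zone settings. Only the standard library is used.
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
LEVELS = {"essentially_off", "low", "medium", "high", "under_attack"}
ZONE_ID = "zone-id-placeholder"          # assumption: replace with your zone id


def choose_level(serves_api_or_non_js_clients):
    """Under Attack Mode challenges every visitor with JavaScript, which
    breaks API clients and mobile apps; for those zones stop at High."""
    return "high" if serves_api_or_non_js_clients else "under_attack"


def build_request(zone_id, level, token):
    """Build the PATCH request for the zone's security_level setting."""
    if level not in LEVELS:
        raise ValueError(f"unknown security level {level!r}")
    body = json.dumps({"value": level}).encode()
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/settings/security_level",
        data=body,
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def set_security_level(zone_id, level, token, send=False):
    """Dry run by default: returns the prepared request for inspection.
    With send=True the call is made and the API's result object returned."""
    req = build_request(zone_id, level, token)
    if not send:
        return req
    with urllib.request.urlopen(req, timeout=10) as resp:
        result = json.load(resp)
    if not result.get("success"):
        raise RuntimeError(f"Cloudflare API error: {result.get('errors')}")
    return result["result"]


if __name__ == "__main__":
    token = os.environ.get("CLOUDFLARE_API_TOKEN", "token-placeholder")
    level = choose_level(serves_api_or_non_js_clients=False)
    req = set_security_level(ZONE_ID, level, token)        # dry run
    print(req.get_method(), req.full_url, req.data.decode())
```

Remember to set the level back to its normal value once the attack subsides; the same call with `"medium"` (or whatever the zone ran before) does that, and leaving a zone on `under_attack` permanently costs conversions on the marketing site.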

[2] Enable WAF managed rules

Cloudflare’s WAF managed rulesets block requests that match known attack signatures at the edge, before they reach your origin, which takes the exploit attempts that often ride along with a flood off your origin’s plate.

[3] Block malicious traffic with security rules

  • You can use IP Access Rules and Firewall Rules to block traffic:
  • IP Access Rules — Recommended for blocking multiple IP addresses, /16 or /24 IP ranges, or Autonomous System Numbers (ASNs).
  • Firewall rules — Recommended for blocking a country, any valid IP range, or more complex attack patterns.
  • Zone Lockdown — Recommended to allow only trusted IP addresses or ranges to a portion of your site.
  • User Agent Blocking — Recommended for blocking suspicious User-Agent headers for your entire domain.

Firewall updates take effect within two minutes.

By default, Cloudflare evaluates firewall rules in list order, where rules are evaluated in the order they appear in the firewall rules list. List ordering is convenient when working with small numbers of rules because you can manage their order by dragging and dropping them into position. However, as the number of rules grows, managing rules in list order becomes difficult. This is where priority order comes into play.

When priority ordering is enabled, Cloudflare evaluates firewall rules in order of their priority number, starting with the lowest. If a request matches two rules with the same priority, action precedence is used to resolve the tie. In this case, only the action of the rule with the highest precedence is executed, unless that action is Log or Bypass (refer to Firewall rules actions for details). Priority ordering makes it a lot easier to manage large numbers of firewall rules, and once the number of rules passes 200, Cloudflare requires it.

Check the diagram below:

Fig.3 Cloudflare Firewall Rules order and priority

[4] Mitigate DDoS Ransom Campaigns

It is very common for ransom attempts to instill a sense of urgency. Any delay decreases the chance of success for the attacker as it gives the target time to consider mitigation options. The most important thing to keep in mind is that if you suspect your site is being targeted for a ransom, contact Cloudflare support first. Do not pay the ransom.

The following table lists mitigation options for DDoS ransom campaigns:

Fig.4 Mitigation options for DDoS ransom campaigns (table shown as an image in the original)

[5] Use Rate Limiting to prevent brute force and Layer 7 DDoS attacks

  • To thwart attacks disguised as normal HTTP requests, Rate Limiting lets website administrators specify fine-grained thresholds on the load they expect their web server to receive. With one click you can set up basic rate limiting to protect your login pages from brute-force attacks.
  • Cloudflare Rate Limiting automatically identifies and mitigates excessive request rates for specific URLs or for an entire domain. Request rates are calculated locally for individual Cloudflare data centers. The most common uses for Rate Limiting are DDoS protection, Brute-force attack protection, and to limit access to forum searches, API calls, or resources that involve database-intensive operations at your origin.
  • Once an individual IPv4 address or IPv6 /64 IP range exceeds a rule threshold, further requests to the origin web server are blocked with an HTTP 429 response that includes a Retry-After header to indicate when the client can resume sending requests.
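The last bullet packs in two details worth seeing in code: the client key is one IPv4 address but a whole IPv6 /64, and the block response is a 429 carrying a Retry-After. The following is an added example, not Cloudflare's implementation: a single-process fixed-window limiter standing in for one data center's counter (Cloudflare counts per data center, as the text says). The threshold, window and replayed request stream are constructed for the example.

```python
"""Added example, not Cloudflare's implementation: a fixed-window rate
limiter keyed the way the text describes (one IPv4 address, or one IPv6
/64) that answers a breach with 429 plus Retry-After.
"""
import ipaddress
from collections import defaultdict


def client_key(ip_text):
    """IPv4 -> the address itself. IPv6 -> its /64: a host usually owns an
    entire /64 and could otherwise rotate source addresses to dodge a
    per-address limit."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6:
        return str(ipaddress.ip_network(f"{ip}/64", strict=False))
    return str(ip)


class FixedWindowLimiter:
    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self.hits = defaultdict(int)      # (client_key, window_start) -> count

    def check(self, ip_text, now):
        """Return (status, headers) for one request arriving at time `now`."""
        key = client_key(ip_text)
        window_start = now - (now % self.window)
        self.hits[(key, window_start)] += 1
        if self.hits[(key, window_start)] > self.threshold:
            # Tell the client when the current window ends, like the 429 the text describes.
            retry_after = window_start + self.window - now
            return 429, {"Retry-After": str(retry_after)}
        return 200, {}


def replay(limiter, requests):
    """requests: list of (time, ip) tuples. Returns the status per request."""
    return [limiter.check(ip, t)[0] for t, ip in requests]


SAMPLE = [  # constructed: a burst from one IPv4 host, then four addresses in one IPv6 /64
    (0, "198.51.100.10"), (1, "198.51.100.10"), (2, "198.51.100.10"),
    (3, "198.51.100.10"),          # 4th hit in the window -> 429
    (5, "203.0.113.5"),            # unrelated client, unaffected
    (0, "2001:db8:1::a"), (1, "2001:db8:1::b"), (2, "2001:db8:1::c"),
    (3, "2001:db8:1::d"),          # different address, same /64 -> 429
    (11, "198.51.100.10"),         # next window: counter starts over
]

if __name__ == "__main__":
    limiter = FixedWindowLimiter(threshold=3, window_seconds=10)
    print(replay(limiter, SAMPLE))
```

A fixed window lets a client spend its whole quota at the end of one window and again at the start of the next; a sliding window or token bucket smooths that out, but the keying and the 429 behaviour are the same.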

[6] Restore original visitor IPs in your origin server logs

To see the real IPs behind an attack, restore the original visitor IPs in your origin server logs. Otherwise, all traffic shows Cloudflare’s IPs in your logs. Cloudflare always includes the original visitor IP address in the request, in the CF-Connecting-IP HTTP header (it also appends it to X-Forwarded-For). Only trust that header on connections that actually arrive from Cloudflare’s published IP ranges; anyone who reaches the origin directly can set it to whatever they like. Inform your hosting provider that you use a reverse proxy and that all traffic will come from Cloudflare’s IPs when looking at current connections.
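Here is an added example (not from the post) of what "restoring" the visitor IP looks like on the origin side when done safely: the header is only believed when the TCP peer is a Cloudflare edge, and anything else is reported as a direct-to-origin hit, which is itself a finding, because it means the origin address has leaked. The nginx log format is an assumption, and the CIDR list is a short snapshot to be replaced by the full, current lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.

```python
"""Added example (not from the post): recover the real client IP from origin
access logs behind Cloudflare, trusting CF-Connecting-IP only when the TCP
peer is actually a Cloudflare edge address.

Assumed origin logging format (nginx, as an assumption):
  log_format cf '$remote_addr $http_cf_connecting_ip "$request" $status';
The CIDR list below is a short snapshot for the example; fetch the full,
current lists from https://www.cloudflare.com/ips-v4 and /ips-v6.
"""
import ipaddress
from collections import Counter

CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13",
    "2400:cb00::/32", "2606:4700::/32",
)]


def from_cloudflare(peer_ip):
    """True if the connecting address belongs to one of Cloudflare's ranges."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def real_client_ip(peer_ip, cf_connecting_ip):
    """Return (client_ip, came_via_cloudflare).

    The header is only meaningful when Cloudflare set it. If the peer is not
    Cloudflare, the request hit the origin directly: the header value is then
    attacker-controlled and the peer address is the real source.
    """
    if cf_connecting_ip != "-" and from_cloudflare(peer_ip):
        return cf_connecting_ip, True
    return peer_ip, False


def summarise(log_lines):
    """Return (Counter of real source IPs, number of direct-to-origin hits)."""
    sources, direct_hits = Counter(), 0
    for line in log_lines:
        peer, cf_ip, _rest = line.split(" ", 2)
        ip, via_cf = real_client_ip(peer, cf_ip)
        sources[ip] += 1
        if not via_cf:
            direct_hits += 1
    return sources, direct_hits


SAMPLE_LOG = [  # constructed lines in the format above
    '172.64.1.1 203.0.113.7 "GET / HTTP/1.1" 200',
    '104.16.2.3 203.0.113.7 "GET /pricing HTTP/1.1" 200',
    '172.64.1.2 203.0.113.7 "GET /?q=x HTTP/1.1" 503',
    '2606:4700::1 198.51.100.9 "GET / HTTP/1.1" 200',
    '192.0.2.50 10.0.0.1 "GET /admin HTTP/1.1" 404',   # direct hit with a forged header
    '192.0.2.51 - "GET / HTTP/1.1" 200',                # direct hit, no header at all
]

if __name__ == "__main__":
    sources, direct_hits = summarise(SAMPLE_LOG)
    print("top sources:", sources.most_common(3))
    print("direct-to-origin hits (origin IP exposed?):", direct_hits)
```

Run over a real access log, the top of `sources` is the list you feed into IP Access Rules or a Firewall Rule, and a non-zero `direct_hits` count is the cue to lock the origin down as described in the next paragraphs.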

It is very important to note that the steps above will not help if an attacker has learned your origin IP address and is attacking the origin web server directly, bypassing Cloudflare.

To prevent direct attacks and protect the origin, also restrict your origin server so that it is reachable only from Cloudflare’s network IPs.

To give you an example, our client’s infrastructure runs on AWS behind an Application Load Balancer. Cloudflare is configured to proxy requests to the origin server, so we attached a security group to the load balancer that only accepts traffic from the Cloudflare network. That way, we lower the attack surface and avoid exposing the origin to the internet.
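What that security group looks like, as an added example that is not the client's actual configuration: the script below builds the `IpPermissions` document for `aws ec2 authorize-security-group-ingress --cli-input-json`, allowing TCP 443 only from Cloudflare's published ranges. The group id is a placeholder, the range lists are a snapshot that must be regenerated from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 (the set changes occasionally, and a stale rule either breaks the site or quietly re-exposes the origin), and the per-group rule quota is AWS's default, which is adjustable.

```python
"""Added example (not the client's configuration): build the CLI input JSON
for an AWS security group that admits only Cloudflare's edge on port 443.

Assumptions: sg id is a placeholder; the CIDR lists are a snapshot of
Cloudflare's published ranges and should be refreshed from
https://www.cloudflare.com/ips-v4 and /ips-v6; the quota is AWS's default
inbound rule limit per security group and can be raised via Service Quotas.
"""
import ipaddress
import json

SG_INBOUND_RULE_QUOTA = 60      # assumption: AWS default, adjustable

CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_V6 = [
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]


def invalid_cidrs(ranges):
    """Return the entries that are not valid CIDR networks (a typo here would
    either leave a hole or break the site, so validate before applying)."""
    bad = []
    for cidr in ranges:
        try:
            ipaddress.ip_network(cidr)
        except ValueError:
            bad.append(cidr)
    return bad


def ingress_permissions(v4_ranges, v6_ranges, port=443):
    """Build the IpPermissions list in the shape the EC2 API expects."""
    bad = invalid_cidrs([*v4_ranges, *v6_ranges])
    if bad:
        raise ValueError(f"invalid CIDR(s): {bad}")
    if len(v4_ranges) + len(v6_ranges) > SG_INBOUND_RULE_QUOTA:
        raise ValueError("too many ranges for one security group; split them or raise the quota")
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c, "Description": "Cloudflare edge"} for c in v4_ranges],
        "Ipv6Ranges": [{"CidrIpv6": c, "Description": "Cloudflare edge"} for c in v6_ranges],
    }]


def cli_input_json(group_id, v4_ranges, v6_ranges, port=443):
    """JSON for: aws ec2 authorize-security-group-ingress --cli-input-json file://x.json"""
    doc = {"GroupId": group_id,
           "IpPermissions": ingress_permissions(v4_ranges, v6_ranges, port)}
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print(cli_input_json("sg-0123456789abcdef0", CLOUDFLARE_V4, CLOUDFLARE_V6))
```

Two caveats a practitioner should keep in mind. First, the group must contain no other 0.0.0.0/0 or ::/0 rule on 80 or 443, otherwise the allow-list is decorative. Second, an IP allow-list only proves the request came through some Cloudflare edge, not through your zone: another Cloudflare customer could point their own zone at your origin. Cloudflare’s Authenticated Origin Pulls (client certificates from the edge to the origin) or a Cloudflare Tunnel, which removes the public origin address altogether, close that gap.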


Swwapnil Pawar

Entrepreneur, Cloud Evangelist, AWS/Google Certified Architect, Building Cool Things With Serverless. Avid Reader