Case Study: DDoS Attack Against CDN Incapsula

DDoS attacks are a common occurrence for CDNs. Some are small, and others reach 400Gbps, as in the attack on CloudFlare. The CloudFlare attack was a simple network-layer (volumetric) attack. All CDNs provide protection against simple network DDoS attacks; what is needed above all is ample bandwidth to absorb the traffic, which all CDNs have. However, there is another DDoS attack that very few talk about or hear about. It was orders of magnitude more sophisticated, ranks up there with the attacks on Target in terms of creativity and sophistication, and could have been extremely disruptive, but it was mitigated.

DDoS attacks at the application layer target the elements of the application or website itself (pages, API calls, session handling) rather than the network pipe in front of it. Many times the attacker will launch a dozen application attacks, one after the other or at the same time, at the intended target in order to confound and confuse the response team. In many cases one type of attack is used to mask another attack or attacks. In the case below, the attack resembled a chess game, with the target and the attacker countering each other's moves.

Sophisticated DDoS Attack Against Incapsula

Late last year, Incapsula encountered a sophisticated DDoS attack that started off as a network attack, then grew into an application-layer attack. The attack took several forms and used a variety of techniques aimed at bringing down Incapsula and their client. The attack was creative, sophisticated, highly targeted, and aimed at the weak points of the application.

To make matters worse, the party responsible for the attack might have been a former employee. CDNs planning on building up a portfolio of services that protect against DDoS attacks at the application layer have their work cut out for them if they haven't already started. Below is a summary of the DDoS attack on Incapsula.

 Summary of DDoS Attack on Incapsula
  • The attacker hit an Incapsula client with a 30Gbps SYN flood lasting an hour
  • After it stopped, another attack started at the application layer: an HTTP flood clocked at 10 million requests per second that continued for several weeks
  • Incapsula contained the HTTP floods with an algorithm that looks at signatures, IP information, ASN, HTTP headers, cookies, JavaScript support, and a few other items to separate bots from legitimate clients
  • The attacker shifted the attack from the client to Incapsula itself, trying to bring the service down
  • Several more attacks occurred, taking different forms, that targeted AJAX objects and session cookies
  • Incapsula fought the attacks vigorously, finally getting to the core of the problem and mitigating the attack via a custom rule
  • Conclusion: the attacker had compromised 20,000 PCs and used them as a botnet to launch the attack on Incapsula and their client
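To make the mitigation bullet concrete, here is an added illustration of how request-level signals of the kind listed above (per-IP request rate, ASN concentration, HTTP header sanity, and a cookie that only a JavaScript challenge page would set) can be combined into an allow/challenge/block decision for each request. This is example code written for this page, not Incapsula's algorithm or code; the thresholds, the `js_ok` cookie name, the User-Agent signatures, and the sample traffic are all assumptions or constructed.

```python
"""Scoring-based HTTP flood classifier (added example; not Incapsula's code).

Combines the kinds of signals the summary lists into a per-request verdict:
  - per-source-IP request rate in a sliding window
  - share of total traffic coming from a single ASN
  - HTTP header sanity (User-Agent, Accept-Language)
  - presence of a cookie that only a JavaScript challenge page would set
Thresholds, cookie name, signatures and sample traffic are assumptions.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

RATE_WINDOW_S = 10.0     # sliding window (seconds) for per-IP counting
RATE_LIMIT = 50          # requests per IP per window before it counts as a flood
ASN_SHARE_LIMIT = 0.5    # one ASN carrying more than half of all traffic
MIN_TOTAL_FOR_ASN = 20   # don't judge ASN share on a handful of requests
JS_COOKIE = "js_ok"      # hypothetical cookie set by the JS challenge page
CHALLENGE_SCORE = 3      # at or above: serve a JavaScript challenge
BLOCK_SCORE = 5          # at or above: drop the request


@dataclass
class Request:
    ts: float            # arrival time, seconds
    ip: str
    asn: int             # normally looked up from the IP; supplied directly here
    headers: dict
    cookies: dict


class FloodClassifier:
    def __init__(self):
        self.by_ip = defaultdict(deque)   # ip -> timestamps inside the window
        self.asn_counts = Counter()
        self.total = 0

    def _ip_rate(self, req):
        """Requests seen from req.ip within the last RATE_WINDOW_S seconds."""
        q = self.by_ip[req.ip]
        q.append(req.ts)
        while q and req.ts - q[0] > RATE_WINDOW_S:
            q.popleft()
        return len(q)

    def _asn_share(self, req):
        """Fraction of all traffic seen so far that came from req.asn."""
        self.asn_counts[req.asn] += 1
        self.total += 1
        return self.asn_counts[req.asn] / self.total

    def classify(self, req):
        """Return (verdict, reasons); verdict is 'allow', 'challenge' or 'block'."""
        score, reasons = 0, []
        rate = self._ip_rate(req)
        share = self._asn_share(req)
        ua = req.headers.get("User-Agent", "").lower()

        if rate > RATE_LIMIT:                      # one source hammering the site
            score += 3
            reasons.append("ip_rate")
        if self.total >= MIN_TOTAL_FOR_ASN and share > ASN_SHARE_LIMIT:
            score += 1                             # weak signal: low weight
            reasons.append("asn_concentration")
        if not ua or "python-requests" in ua or "curl/" in ua:
            score += 2                             # hypothetical tool signatures
            reasons.append("user_agent")
        if "Accept-Language" not in req.headers:   # real browsers send this
            score += 1
            reasons.append("no_accept_language")
        if JS_COOKIE not in req.cookies:           # never passed the JS challenge
            score += 2
            reasons.append("no_js_cookie")

        if score >= BLOCK_SCORE:
            return "block", reasons
        if score >= CHALLENGE_SCORE:
            return "challenge", reasons
        return "allow", reasons


def simulate():
    """Constructed traffic: 30 browsers from varied IPs and ASNs, then one bot
    IP sending 100 requests in two seconds with no JS cookie. Returns verdict counts."""
    clf = FloodClassifier()
    browser = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0",
               "Accept-Language": "en-US,en;q=0.9", "Accept": "text/html"}
    bot = {"User-Agent": "Mozilla/5.0 (compatible)"}   # spoofed UA, nothing else
    verdicts = Counter()
    for i in range(30):
        r = Request(float(i), f"198.51.100.{i}", 64496 + i % 5, browser, {JS_COOKIE: "1"})
        verdicts[clf.classify(r)[0]] += 1
    for i in range(100):
        r = Request(30.0 + 0.02 * i, "203.0.113.7", 64500, bot, {})
        verdicts[clf.classify(r)[0]] += 1
    return dict(verdicts)


if __name__ == "__main__":
    print(simulate())   # {'allow': 30, 'challenge': 50, 'block': 50}
```

In the simulation the browsers all score zero and are allowed, while the bot is challenged from its very first request (no Accept-Language, no challenge cookie), then blocked once its per-IP rate crosses the limit. In a real deployment the "challenge" verdict returns a page whose JavaScript sets the cookie, so a genuine browser that was wrongly flagged passes on its next request, while a scripted flood without a JavaScript engine keeps failing. ASN concentration deliberately carries little weight and needs a minimum sample, because a large ISP or a single corporate egress can legitimately dominate a small site's traffic.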

Ultimately, Incapsula defeated the DDoS attack by creating a custom rule that checkmated the attack and made it irrelevant.