One of our clients was being attacked by a layer-7 DDoS attack for more than a week. The attack was generating around 5,000 HTTP requests per second, which took his site and server down. It also caused his hosting company to suspend his server for a “ToS violation”. Yes, some hosting companies consider it a ToS violation if you are suffering a DDoS. It is mostly an excuse to protect their networks, but very annoying for anyone who is the victim of an attack.
After a week of pain, he found our Website Firewall (WAF) product, and the rest, as they say, is history. We were able to quickly block the attack and restore his site to normal operations. If that were all there was to the story, many would find it a very uninteresting one.
A Diamond in the Rough
As is customary in our lab, we began analyzing the attack to see if there was anything else we could learn. That is when we noticed something curious: the IP addresses hitting the server were always the same.
We did some operating system identification (using p0f) and the attack was coming mostly from web servers running on Windows and Linux:
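A constant set of attacking IPs, as described above, is exactly what per-source rate analysis of the web server's access log picks up. The following is an added example, not code from the original post or from the Website Firewall product; it assumes an Apache/Nginx combined-format log, constructed sample lines, and an illustrative per-second threshold.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Regex for the leading fields of an Apache/Nginx combined-format line (assumed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (source_ip, timestamp at one-second resolution), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.replace(microsecond=0)

def per_ip_peak_rps(lines):
    """Map each source IP to the highest number of requests it made in any single second."""
    buckets = defaultdict(Counter)  # ip -> Counter(second -> hits)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            buckets[ip][ts] += 1
    return {ip: max(c.values()) for ip, c in buckets.items()}

def flag_sources(lines, threshold_rps):
    """Return (ip, peak_rps) for sources at or above the threshold, highest rate first."""
    peaks = per_ip_peak_rps(lines)
    hits = [(ip, rps) for ip, rps in peaks.items() if rps >= threshold_rps]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

# Constructed sample log lines (not from the incident): one source hammering the
# front page within a single second, one ordinary visitor, and one malformed line.
SAMPLE_LOG = (
    ['203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512'] * 6
    + ['203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 512'] * 2
    + ['198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /about HTTP/1.1" 200 2048']
    + ['this line is not an access log entry']
)

if __name__ == "__main__":
    # Threshold of 5 req/s is illustrative; tune it to the site's normal per-client traffic.
    for ip, rps in flag_sources(SAMPLE_LOG, threshold_rps=5):
        print(f"{ip}: peak {rps} req/s")
```

The flagged sources are candidates for per-IP rate limiting or blocking at the firewall, which is what makes a constant-IP layer-7 flood far easier to stop than a rotating one.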