DDoS attacks occur in every field, whether e-commerce, securities finance, and so on. Wherever there are online services, DDoS is a possibility, and security service providers are no exception. Recently VNETWORK, one of the leading providers of website security and anti-DDoS solutions, was itself attacked for many days in a row. This article follows how VNETWORK handled those attacks.
Anonymous notices about DDoS attacks on VNETWORK
From January 4, 2022, VNETWORK received a number of anonymous messages reporting that the VNIS.vn website was being hacked.
Although the VNIS.vn website is protected by a high-end security system with a Cloud WAF (Web Application Firewall), it still experienced downtime, which interrupted access for users.
The main reason for this downtime is that VNETWORK's technical team was testing HTTP/3 on the company's CDN (Content Delivery Network). Because the HTTP/3 configuration was incomplete, WAF filtering was affected and the WAF could not apply its full set of security features. When a DDoS attack arrived at this sensitive time, the website went down immediately (except for whitelisted IPs).
The system recorded traffic through the CDN reaching 800,000 requests/second.
The actual traffic reaching the WAF was recorded at only about 110,000 requests/minute.
Thanks to 24/7 monitoring by the SOC (Security Operations Center), the signs of the attack were detected early and alerts were raised in time. The technical team immediately suspended the HTTP/3 test and restored the Cloud WAF to protect the website.
DDoS attacks continue to happen in the following days
On January 5, 2022, the VNIS.vn website was attacked again and went down, returning 503 Service Unavailable errors. The question is why the system was still affected by these attacks after VNETWORK Engineering had restored the Cloud WAF to protect the website.
The downtime was caused by a number of 403 and 400 errors during the pentest process. While the website was being converted from VNIS.vn to www.VNIS.vn, problems occurred when changing the Host header. The errors and the times they were recorded are as follows:
1. www.VNIS.vn: Host header modified to www.VNIS.vn at 10:06 PM (UTC+8).
2. VNIS.vn: Host header modified to VNIS.vn at 10:17 PM (UTC+8).
3. www.VNIS.vn: Host header modified to VNIS.vn at 10:28 PM (UTC+8).
While VNETWORK Engineering was configuring the origin server, the server temporarily interrupted service. The DDoS attack struck again at this most sensitive time, leading to immediate website downtime.
In addition, a cookie error on VNCDN (VNETWORK Content Delivery Network), the CDN service, caused the website to fall into an endless loop.
Specifically, when the Host header was converted from VNIS.vn to www.VNIS.vn, some returning visitors arrived at VNIS.vn carrying previously issued cookies. When they were redirected to www.VNIS.vn, the WAF filter blocked the request and asked for a new cookie to be resent. This repeated request-and-response cycle created an endless loop, causing the system to generate countless requests.
The total request traffic to the VNIS.vn website (from the cookie loop and the DDoS) passing through the CDN was recorded at more than 8 million requests/second.
The actual traffic reaching the WAF was recorded at only 100,000 requests/minute.
The traffic passing through the WAF was quite high, but it hardly affected the performance of the server.
Although the web server was not affected, requests carrying old cookies could not access the VNIS.vn website during the attack. VNETWORK technicians quickly fixed the problems so that the Host header conversion could be completed.
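A triage sketch for the situation described above, where cookie-loop retries from real visitors and DDoS requests arrive mixed together (an added example, not VNETWORK's code). The log format, the status codes, the threshold and the cookie-presence heuristic are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque

# Constructed edge-log sample: epoch_seconds client host status cookie ("-" = none sent)
SAMPLE_LOG = """\
1641391560 198.51.100.7 vnis.vn 301 old
1641391561 198.51.100.7 www.vnis.vn 403 old
1641391562 198.51.100.7 vnis.vn 301 old
1641391563 198.51.100.7 www.vnis.vn 403 old
1641391563 203.0.113.9 www.vnis.vn 403 -
1641391563 203.0.113.9 www.vnis.vn 403 -
1641391564 203.0.113.9 www.vnis.vn 403 -
1641391564 203.0.113.9 www.vnis.vn 403 -
1641391565 192.0.2.20 vnis.vn 301 -
1641391566 192.0.2.20 www.vnis.vn 200 new
"""

CHALLENGED = {"301", "302", "403"}  # assumed statuses for redirect/challenge replies

def classify_clients(log_text, threshold=4, window=10):
    """Label clients that receive `threshold` redirect/challenge replies within
    `window` seconds: 'cookie-loop' if they mostly presented a cookie, else 'flood'."""
    recent = defaultdict(deque)  # client -> (ts, sent_cookie, host) of challenged requests
    verdicts = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        ts, client, host, status, cookie = fields
        hits = recent[client]
        if status not in CHALLENGED:
            hits.clear()  # a served response means the client got through
            continue
        hits.append((int(ts), cookie != "-", host))
        while int(ts) - hits[0][0] > window:
            hits.popleft()  # drop entries that fell out of the time window
        if len(hits) >= threshold:
            with_cookie = sum(1 for _, sent, _ in hits if sent)
            kind = "cookie-loop" if 2 * with_cookie > len(hits) else "flood"
            verdicts[client] = {"kind": kind, "hosts": sorted({h for _, _, h in hits})}
    return verdicts

if __name__ == "__main__":
    for client, v in classify_clients(SAMPLE_LOG).items():
        print(client, v["kind"], ",".join(v["hosts"]))
```

Clients labelled `cookie-loop` are candidates for a cache purge and cookie reset rather than a block rule, since they are cooperating with the challenge and bouncing between the two hostnames.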
The system also noted that, in addition to the illegitimate requests blocked by the Cloud WAF, other types of attacks based on the request method (Method) were also completely blocked.
Below are the top 10 attack methods recorded and reported by the WAF system.
Day 3: Client access blocked even though the server is still working
On January 6, 2022, another DDoS attack occurred while the cookie loop error was still widespread. The main reason was that the cache configuration on the CDN had stored invalid cookies, leading to a continuous loop error on the CDN system.
Traffic going through the CDN reached more than 800,000 requests/second.
Traffic going through the WAF layer reached 180,000 requests/minute.
The total number of requests caused by the DDoS was quite large but did not affect the origin server, only clients (visitors), who could not access the VNIS.vn website at this time because of the cookie loop.
After confirming the exact problem, VNETWORK Engineering updated the system and cleared the old caches and cookies to fix the cookie loop as early as possible.
Day 4: VNETWORK copes with a large amount of unusual traffic
On January 8, 2022, the VNIS.vn website faced larger DDoS attacks. However, the origin server had no downtime at any point.
Total requests through the CDN system reached 8 million requests/second.
Total requests to the WAF filter reached 160,000 requests/minute.
Although a large number of requests poured into the WAF, mostly due to the DDoS (about 1.3 million requests/minute), they were all detected and blocked by the WAF system.
All bad requests were blocked, and VNETWORK Engineering completed the process of fixing the errors.
Day 5: DDoS attack in batches
On January 9, 2022, VNETWORK no longer received anonymous notifications about the website being hacked, but the cookie loop persisted because the old cookies had not yet expired.
DDoS attacks occurred again at this time, pushing traffic through the CDN system to more than 4 million requests/second.
The traffic through the WAF filter was about 200,000 requests/minute.
The report from the WAF system shows that the hacker divided the attack into several waves.
Most requests were redirected through browser authentication. The rest were blocked by WAF rules (customized rules in the WAF filter).
The hackers increased the power of the attack by using many methods.
VNETWORK's technical team promptly updated the limits for the methods used by the hackers, preventing all types of attacks that used new methods.
Day 6: Bad traffic reaches more than 9 million requests/minute
On January 10, 2022, when the VNIS.vn website was attacked, the WAF system allowed VNETWORK to fight the DDoS effectively and protect the web server from any 5xx errors.
In addition, the system reported some further errors in which the site could not be accessed via CF (Cloudflare). The cause was the configuration of jscookie and the query string.
Request traffic through the CDN was recorded at nearly 10 million requests/second.
The number of requests to the WAF was about 200,000 requests/minute.
Although the number of bad requests reached an extremely high level (more than 9 million requests), thanks to the protective cloud WAF filter, VNETWORK's anti-DDoS system was still able to carry the load and block unsafe requests.
This DDoS attack was unable to cause downtime for the VNIS.vn website because of the advanced security capabilities of WAF & Multi CDN. In addition, VNETWORK Engineering thoroughly resolved the redirect loop and made sure all requests were filtered before being sent to the web server.
To date, although some DDoS attacks are still occurring, most of them are small and insignificant. For advice on a comprehensive anti-DDoS solution, please leave your contact information in the registration form and our experts will assist you.