Relevant topics: DDOS protection, DDOS prevention, DDOS Security
One of our clients recently reported heavy resource usage on their server. After some investigation it was established that the website was undergoing a DDOS attack. DDOS attacks are very easy to execute, and several tools available on the internet allow anyone to emulate or launch one, making this form of attack one of the easiest to initiate yet one of the hardest to stop.
I will broadly classify DDOS attacks into two categories:
1. Voluntary: the attacking party is well aware that they are launching an attack in order to consume the server's resources. Multinational companies like Paypal and Sony, and organisations like banks and political parties, have all undergone such attacks. This attack requires a group to convince a certain number of individuals to simultaneously launch a flood of requests over HTTP or any other protocol supported by the server.
2. Involuntary: the attacking party is not aware that their computational resources are being used by a bot/trojan. This form of attack consists of the mass distribution of malicious software (malware) that floods the website specified by the party that issued (or continues to issue) instructions to the malware.
In this case, it was most certainly an involuntary attack, as we saw a unique IP address for every new request. The website was being flooded with over 100 requests every minute, which was overwhelming the server and causing frequent CPU spikes; during each spike the site returned a 503 Service Unavailable message. As a result, the hosting company had temporarily suspended the account.
Further investigation showed that the website had been under attack for about two weeks without a break, and that the Cutwail botnet was causing the issue. The Cutwail botnet installs a trojan called Pushdo on the victim's computer. Here's a diagram that shows the installation flow of Pushdo.
You can find more details on the working of Cutwail botnet here.
The solution — DDOS attack protection
Despite the wide distribution of source IP addresses, all requests were coming from a single user agent. Blocking that user agent did the trick and stopped the flood of requests.
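The two signals described above (a high request rate, and a different source IP for almost every request, all sharing one User-Agent string) can be checked mechanically from the web server's access log. The following is an added example, not code from the original post or from the client's server: it parses combined-log-format lines, profiles traffic per user agent, flags the agents whose traffic has that shape, and emits a blocking rule. The log lines, the user-agent strings and the IP addresses are constructed sample data, the ratio and request thresholds are assumptions you would tune to your own baseline, and the generated rule assumes the site sits behind nginx.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic; these are not the real user agents or IPs from the incident.
BOT_UA = "ExampleBot/1.0 (constructed)"
BROWSER_UA = "Mozilla/5.0 (constructed browser)"


def _make_line(ip, ua, minute, second, path="/", status=200):
    """Build one constructed combined-log-format line."""
    ts = f"01/Mar/2013:10:{minute:02d}:{second:02d} +0000"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LINES = (
    # 40 bot requests within a single minute, every one from a different source IP
    [_make_line(f"203.0.113.{i}", BOT_UA, 0, i) for i in range(1, 41)]
    # 12 browser requests from only 3 IPs, spread over 4 minutes
    + [_make_line(f"198.51.100.{i % 3 + 1}", BROWSER_UA, i % 4, 5 * i, "/about")
       for i in range(12)]
)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def profile_user_agents(lines):
    """Per user agent: total requests, distinct source IPs and request counts per minute."""
    prof = defaultdict(lambda: {"requests": 0, "ips": set(), "per_minute": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser does not understand rather than crash
        p = prof[rec["ua"]]
        p["requests"] += 1
        p["ips"].add(rec["ip"])
        minute = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(second=0)
        p["per_minute"][minute] += 1
    return prof


def peak_requests_per_minute(lines, ua):
    """Highest number of requests this user agent made in any one minute (0 if unseen)."""
    p = profile_user_agents(lines).get(ua)
    return max(p["per_minute"].values()) if p else 0


def suspicious_user_agents(lines, min_requests=20, min_ip_ratio=0.9):
    """User agents whose traffic looks like a distributed bot: many requests, and nearly
    every request from a different source IP. Thresholds are assumed defaults."""
    flagged = []
    for ua, p in profile_user_agents(lines).items():
        if p["requests"] >= min_requests and len(p["ips"]) / p["requests"] >= min_ip_ratio:
            flagged.append(ua)
    return sorted(flagged)


def nginx_block_rule(ua):
    """Assumed deployment: nginx. Exact-match the offending user agent and answer 403."""
    escaped = ua.replace("\\", "\\\\").replace('"', '\\"')
    return f'if ($http_user_agent = "{escaped}") {{ return 403; }}'


if __name__ == "__main__":
    for ua in suspicious_user_agents(SAMPLE_LINES):
        print(f"{ua}: peak {peak_requests_per_minute(SAMPLE_LINES, ua)} req/min")
        print(nginx_block_rule(ua))
```

The distinct-IP ratio is what separates this traffic from a busy legitimate client: a real browser session repeats from the same address, whereas the botnet traffic in the post never did. Because a user agent is trivial for the operator to change, treat the generated rule as a stopgap and keep running the profile over fresh logs so a change in the string shows up quickly.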
I cannot provide you with the specific details of the code, partly because of client confidentiality and partly because, given the intentions of attackers executing an attack like this, it is most likely to become obsolete after some time if made public. But you are more than welcome to contact us if you believe you are under an attack of this form.